hi buawig. find it "patched" in the latest commit.
kind regards On Sun, Jun 19, 2011 at 1:33 AM, <bua...@gmail.com> wrote: > Miroslav Stampar wrote: >> quote from that same paragraph: >> >> " >> 10.5.5 504 Gateway Timeout >> >> The server, while acting as a gateway or proxy, did not receive a >> timely response from the upstream server specified by the URI (e.g. >> HTTP, FTP, LDAP) or some other auxiliary server (e.g. DNS) it needed >> to access in attempting to complete the request. >> " >> >> it clearly says that 504 is a general timeout without specific >> "cause". it says that it can be caused by remote server, DNS,... > > Yes I read the paragraph that I linked. ;) > > >> thing is that we don't know what's causing it (neither that 504 says >> the source as stated from that paragraph) and we need to treat it as >> any other timeout. also, i don't see any problems with that approach. > > You probably misunderstood me or I was not clear enough. > The important thing was > "the response came not from the upstream target specified in -u and > should not interpreted as such" > > If sqlmap would treat 504 'as any other timeout' then I wouldn't have > posted the link because that is what I'm expecting - sqlmap should treat > 504 like timeouts, but it does not seam to treat it as a timeout at all: > > test on a _non_ existing domain with proxy while the proxy returns 504 > +html page (status page): > > [INFO] testing connection to the target url > [INFO] heuristics detected web page charset 'ascii' > [WARNING] the web server responded with an HTTP error code which could > interfere with the results of the tests > [INFO] testing if the url is stable, wait a few seconds > [WARNING] url is not stable, sqlmap will base the page comparison on a > sequence matcher. If no dynamic nor injectable parameters are detected, > or in case of junk results, refer to user's manual paragraph 'Page > comparison' and provide a string or regular expression to match on > how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] > > >From this output I guess sqlmap interprets the html page from the proxy > (504 status page) as if it were the page from the target and starts > testing. The question is, why does it start testing when it doesn't > reach the target? > > It probably should look like this: > > [INFO] testing connection to the target url > [CRITICAL] unable to connect to the target url (504 - Gateway Timeout), > sqlmap is going to retry the request > [CRITICAL] unable to connect to the target url (504 - Gateway Timeout, > sqlmap is going to retry the request > > [*] shutting down... > > sqlmap should not interpret the html page from the proxy as an html page > from a target if the proxy returns 504 (the reason does not really matter). > > > In future everyone will return 504 to avoid sqlmap scans ;) > > > ------------------------------------------------------------------------------ > EditLive Enterprise is the world's most technically advanced content > authoring tool. Experience the power of Track Changes, Inline Image > Editing and ensure content is compliant with Accessibility Checking. > http://p.sf.net/sfu/ephox-dev2dev > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail: miroslav.stampar (at) gmail.com PGP Key ID: 0xB5397B1B ------------------------------------------------------------------------------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
