Hi David,
On 8 November 2011 13:13, David Alvarez <[email protected]> wrote:
> ...
> The problem is that sqlmap is not able to detect differences because when
> sqlmap execute A) the value will be locked, so the following requests won't
> modify the results in the database, the item is locked, and all responses
> will be equal.
> To unlock the item, you have to execute another functionality.So, how does
> sqlmap deal in these situations?
What do you mean by "execute another functionality"? If you just need
to perform a certain GET request, then fine, sqlmap can do it. Use
switches:
--safe-url=SAFURL Url address to visit frequently during testing
--safe-freq=SAFREQ Test requests between two visits to a given safe url
Refer to the user's manual for details.
> A solution could be provide the unlock request and execute that funcionality
> after every request made by sqlmap, in order to unlock the item and detect
> changes in the responses. However, this duplicates the number of requests
> needed.
At the moment --safe-url only supports a GET request, we can think of
making it able to get the raw request from a text file instead so it
would also support POST (like for -r).
Cheers,
Bernardo
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
