Hi David.

The fact is that we rely on the DBMS not returning a proper character on a
request for "substring" at a non-valid index, and that works OK for most of
today's DBMSes.

But we also have a check for these kinds of cases. If there are more than
some predefined number of spaces at the end of the retrieved value, we just
abruptly abort with that value, trim the spaces from the end and continue on
with the next item.

The thing is that that "breaking" value is currently (r4692) set to 10, and if
you think that's too high for your case you are more than welcome to adjust
it to your needs. Just go to lib/core/settings.py and change the line:

INFERENCE_BLANK_BREAK = 10

to something more appropriate for your needs (e.g. 3).

Kind regards,
Miroslav Stampar

On Fri, Jan 27, 2012 at 6:53 PM, David Alvarez <david.alvare...@gmail.com> wrote:

> Hello,
>
> There is a SQL injection in an IBM DB2 9.1. I'm using an AND boolean-based
> blind injection. The problem is that sqlmap doesn't properly check the end
> of the string and goes into a loop getting space chars as the result.
>
> I'm using the latest version of sqlmap (r4690).
>
> How could I resolve it?
>
> Regards,
> David Alvarez
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm
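
The blank-break check described in the reply above, as an added example that is not part of the original thread and is not sqlmap's own code. Only the name INFERENCE_BLANK_BREAK and its value 10 come from the message; make_oracle, retrieve_value, max_len and the sample values are hypothetical and constructed, and the oracle is a local stand-in that returns one character per position.

```python
INFERENCE_BLANK_BREAK = 10  # value quoted in the message above (r4692)


def make_oracle(stored, pads_with_spaces):
    """Constructed stand-in for one inferred character per 1-based position.

    Past the end of the value it yields ' ' (the behaviour reported in this
    thread) or None (a backend that returns nothing for a non-valid index).
    """
    def char_at(index):
        if index <= len(stored):
            return stored[index - 1]
        return " " if pads_with_spaces else None
    return char_at


def retrieve_value(char_at, blank_break=INFERENCE_BLANK_BREAK, max_len=4096):
    """Collect characters until the oracle yields nothing, or until the value
    ends in more than `blank_break` spaces; then trim the trailing spaces.

    Returns (value, number_of_oracle_lookups).
    """
    value, lookups = "", 0
    for index in range(1, max_len + 1):
        ch = char_at(index)
        lookups += 1
        if ch is None:  # well-behaved backend: nothing past the end
            break
        value += ch
        trailing = len(value) - len(value.rstrip(" "))
        if trailing > blank_break:  # assume the real value ended earlier
            value = value.rstrip(" ")
            break
    return value, lookups


if __name__ == "__main__":
    padded = make_oracle("DB2ADMIN", pads_with_spaces=True)
    print(retrieve_value(padded))                 # default threshold
    print(retrieve_value(padded, blank_break=3))  # fewer wasted lookups
    # Trade-off: a genuine run of spaces longer than the threshold
    # is mistaken for the end of the value.
    print(retrieve_value(make_oracle("A    B", True), blank_break=3))
```

Lowering the threshold saves lookups on a space-padding backend, but any stored value with a genuine run of spaces longer than the threshold is cut at that run.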