Andres.
On Wed, Feb 20, 2013 at 3:11 PM, Andres Riancho <andres.rian...@gmail.com>wrote:
> Miroslav,
>
> On Wed, Feb 20, 2013 at 4:15 AM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
> > Hi.
> >
> > In theory this works, in practice it doesn't. We already overturned 2-3
> guys
> > proposing this. Today's pages are too dynamic (banners, promos, etc.).
>
> But sqlmap already supports comparing pages with minor differences
> (using difflib, correct?)
>
Yes, and it does the best among all tools.
>
> > Also,
> > you would need a parameter value with a big covering range (lots of
> > different values).
>
> 256 different rows for a table doesn't seem to be something difficult
> to find; while not possible in all cases I agree.
>
It's a difficult to find, trust me. Also, how to "differentiate" 256
different cases when you have 256 different cases of BANNERs in plain
refresh of pages.
>
> > Also, whoever wrote this don't have a clue about this subject: ' The
> > attacker would then take a checksum of the returned html data'. This is
> > being done in kiddish scripts. Real SQLi tool knows that checksum is
> faaar
> > from reliable.
>
> See difflib above.
>
Seen
>
> > Anyway, answer is no.
>
> I think you're disregarding a good idea (if correctly implemented it
> provides a 8-times performance improvement) way too fast.
> Implementation is going to be difficult, but the benefits are great,
>
I am not disregarding a good idea. It's good in THEORY, but not in practice
(THEORY != PRACTICE). You can make a tool your own and try it yourself on
real life web sites. I am sure that you'll be disappointed really quickly.
Anyway, it's not a practical idea at all. Cold fusion is also a great idea.
Maybe that would be smarter to implement than this one.
Bye
>
> > Kind regards,
> > Miroslav Stampar
> >
> > On Feb 20, 2013 2:11 AM, "Julius Kivimäki" <julius.kivim...@gmail.com>
> > wrote:
> >>
> >> Should probably look into adding this,
> >>
> http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation
> >>
> >>
> ------------------------------------------------------------------------------
> >> Everyone hates slow websites. So do we.
> >> Make your web apps faster with AppDynamics
> >> Download AppDynamics Lite for free today:
> >> http://p.sf.net/sfu/appdyn_d2d_feb
> >> _______________________________________________
> >> sqlmap-users mailing list
> >> sqlmap-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >>
> >
> >
> ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_d2d_feb
> > _______________________________________________
> > sqlmap-users mailing list
> > sqlmap-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
