p.s.:
https://github.com/sqlmapproject/sqlmap/issues/298
On Wed, Feb 20, 2013 at 3:16 PM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Andres.
>
> On Wed, Feb 20, 2013 at 3:11 PM, Andres Riancho
> <andres.rian...@gmail.com>wrote:
>
>> Miroslav,
>>
>> On Wed, Feb 20, 2013 at 4:15 AM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>> > Hi.
>> >
>> > In theory this works, in practice it doesn't. We already overturned 2-3
>> guys
>> > proposing this. Today's pages are too dynamic (banners, promos, etc.).
>>
>> But sqlmap already supports comparing pages with minor differences
>> (using difflib, correct?)
>>
> Yes, and it does the best among all tools.
>
>>
>> > Also,
>> > you would need a parameter value with a big covering range (lots of
>> > different values).
>>
>> 256 different rows for a table doesn't seem to be something difficult
>> to find; while not possible in all cases I agree.
>>
> It's a difficult to find, trust me. Also, how to "differentiate" 256
> different cases when you have 256 different cases of BANNERs in plain
> refresh of pages.
>
>>
>> > Also, whoever wrote this don't have a clue about this subject: ' The
>> > attacker would then take a checksum of the returned html data'. This is
>> > being done in kiddish scripts. Real SQLi tool knows that checksum is
>> faaar
>> > from reliable.
>>
>> See difflib above.
>>
> Seen
>
>>
>> > Anyway, answer is no.
>>
>> I think you're disregarding a good idea (if correctly implemented it
>> provides a 8-times performance improvement) way too fast.
>> Implementation is going to be difficult, but the benefits are great,
>>
> I am not disregarding a good idea. It's good in THEORY, but not in
> practice (THEORY != PRACTICE). You can make a tool your own and try it
> yourself on real life web sites. I am sure that you'll
> be disappointed really quickly.
>
> Anyway, it's not a practical idea at all. Cold fusion is also a great
> idea. Maybe that would be smarter to implement than this one.
>
> Bye
>
>>
>> > Kind regards,
>> > Miroslav Stampar
>> >
>> > On Feb 20, 2013 2:11 AM, "Julius Kivimäki" <julius.kivim...@gmail.com>
>> > wrote:
>> >>
>> >> Should probably look into adding this,
>> >>
>> http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation
>> >>
>> >>
>> ------------------------------------------------------------------------------
>> >> Everyone hates slow websites. So do we.
>> >> Make your web apps faster with AppDynamics
>> >> Download AppDynamics Lite for free today:
>> >> http://p.sf.net/sfu/appdyn_d2d_feb
>> >> _______________________________________________
>> >> sqlmap-users mailing list
>> >> sqlmap-users@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >>
>> >
>> >
>> ------------------------------------------------------------------------------
>> > Everyone hates slow websites. So do we.
>> > Make your web apps faster with AppDynamics
>> > Download AppDynamics Lite for free today:
>> > http://p.sf.net/sfu/appdyn_d2d_feb
>> > _______________________________________________
>> > sqlmap-users mailing list
>> > sqlmap-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
