I understand your point. But this will be a good thing. This was not the
first time that I have had a problem with it.

Because I only have X calls before the server crashes, obviously I can't dump
long data with it. But there are a lot of useful things, like trying to know
if I can read/write a file. I just need one (or some) calls.

Just to point out one thing: you forget the human side. I can set a big
--time-sec and I can, myself, see if it is a true or false positive.

Thanks for this change, anyway. It will be useful.

2017-02-14 10:17 GMT-02:00 Miroslav Stampar <miroslav.stam...@gmail.com>:

> Hi.
>
> Obviously, don't use --threads in those kinds of situations. Also,
> --keep-alive could be a good choice together with the (hidden) switch
> --disable-precon.
>
> As for time-based SQLi. Well, without the (as Brandon mentioned)
> statistical model, sqlmap will have a problem. Also, if the application is
> doing "sporadic" timeouts I am not sure how, in the first place, you are
> expecting sqlmap to detect whether there was a deliberate delay or not.
>
> Anyway, I've just pushed a change where you can now use
> --disable-stats just for this one thing you are looking for. As for whether
> sqlmap will now correctly perform tests (by using this option it is
> strictly looking into the response times and doing a dumb delay inference -
> if the response time is more than the one given by --time-sec) I kind of doubt it.
>
> Bye
>
> On Mon, Feb 13, 2017 at 5:47 PM, Rodrigo Zanatta Silva <
> rodrigozanattasi...@gmail.com> wrote:
>
>> Yes, because with every call I create an error in the server. So, I can only
>> make X calls before the pool of connections is full. Then I need to wait for
>> the server to close these connections and try again.
>>
>> 2017-02-13 14:43 GMT-02:00 Brandon Perry <bperry.volat...@gmail.com>:
>>
>>>
>>> > On Feb 13, 2017, at 10:39 AM, Rodrigo Zanatta Silva <
>>> rodrigozanattasi...@gmail.com> wrote:
>>> >
>>> > How can I disable sqlmap doing 30 connections before it starts doing
>>> the time attack?
>>>
>>> You have to build a statistical model of how quickly the requests
>>> generally return to ensure accuracy during a timing attack. You can’t get
>>> around this. A boolean-based timing attack is going to take a whole lot of
>>> requests anyway, are you really worried about an extra 30?
>>>
>>> >
>>> > Is there an option, or do I need to find it in the code? And where is this set?
>>> > ------------------------------------------------------------------------------
>>> > Check out the vibrant tech community on one of the world's most
>>> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> > _______________________________________________
>>> > sqlmap-users mailing list
>>> > sqlmap-users@lists.sourceforge.net
>>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
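
As an added illustration (not part of the original thread and not sqlmap's own code), the sketch below contrasts the two delay-inference approaches discussed above: a baseline model built from 30 response times versus a plain comparison against the `--time-sec` value. The sample timings, the function names and the multiplier of 7 are assumptions of this example.

```python
import statistics

MIN_SAMPLES = 30   # baseline size, the "30 connections" from the thread
STDEV_COEFF = 7    # assumed multiplier for this sketch

# Constructed response times in seconds (not measured from any real server).
STABLE = [0.18, 0.20, 0.22] * 10       # quiet server
NOISY = [0.2] * 27 + [6.0] * 3         # server with sporadic timeouts


def statistical_threshold(baseline, coeff=STDEV_COEFF):
    """Upper bound of normal latency: mean + coeff * standard deviation."""
    if len(baseline) < MIN_SAMPLES:
        raise ValueError("need at least %d baseline samples" % MIN_SAMPLES)
    return statistics.mean(baseline) + coeff * statistics.pstdev(baseline)


def delayed_statistical(duration, baseline):
    """Delayed only if the response is slower than the baseline can explain."""
    return duration >= statistical_threshold(baseline)


def delayed_fixed(duration, time_sec):
    """Dumb inference: any response slower than time_sec counts as delayed."""
    return duration > time_sec


def compare(durations, baseline, time_sec):
    """Return (duration, statistical verdict, fixed verdict) per response."""
    return [(d, delayed_statistical(d, baseline), delayed_fixed(d, time_sec))
            for d in durations]


if __name__ == "__main__":
    # 0.25 s: normal reply; 5.3 s: deliberate 5 s delay; 6.0 s: sporadic timeout
    observed = [0.25, 5.3, 6.0]
    for name, baseline in (("stable", STABLE), ("noisy", NOISY)):
        print(name, "threshold: %.2f s" % statistical_threshold(baseline))
        for row in compare(observed, baseline, time_sec=5):
            print("  %.2f s  statistical=%s  fixed=%s" % row)
```

With the noisy baseline the statistical check declines to call any of the three responses delayed, while the fixed check flags the 6.0 s sporadic timeout exactly as it flags the 5.3 s deliberate delay.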