Hi, testing —randomize for the first time. I have an injection that is certainly boolean-injectable as I can exploit by hand, but the content of the response can change if the url requested seems to have been hit before.
For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do it again, I get 150 bytes back from now on. If I append a garbage HTTP parameter and randomize the value in the parameter, I always get 100 bytes back. It’s a weird injection, but sqlmap seems to think that the page contents is changing during warm-up, even if I append a garbage parameter and tell —randomize to randomize it. [16:20:14] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on I have verified by hand that changing the HTTP parameter value each request results in the same data from the injection being returned from the server. It seems —randomize isn’t being respected in the very beginning. Any thoughts? Hopefully this makes sense.
signature.asc
Description: Message signed with OpenPGP
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
