> On Feb 27, 2017, at 4:28 PM, Brandon Perry <bperry.volat...@gmail.com> wrote: > > Hi, testing —randomize for the first time. > > I have an injection that is certainly boolean-injectable as I can exploit by > hand, but the content of the response can change if the url requested seems > to have been hit before. > > For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do > it again, I get 150 bytes back from now on. > > If I append a garbage HTTP parameter and randomize the value in the > parameter, I always get 100 bytes back. > > It’s a weird injection, but sqlmap seems to think that the page contents is > changing during warm-up, even if I append a garbage parameter and tell > —randomize to randomize it. > > [16:20:14] [WARNING] target URL is not stable. sqlmap will base the page > comparison on a sequence matcher. If no dynamic nor injectable parameters are > detected, or in case of junk results, refer to user's manual paragraph 'Page > comparison' and provide a string or regular expression to match on > > I have verified by hand that changing the HTTP parameter value each request > results in the same data from the injection being returned from the server. > It seems —randomize isn’t being respected in the very beginning. > > Any thoughts? Hopefully this makes sense.
Doing testing through burp suite, I see that the HTTP parameter is indeed randomized, so I am not sure what’s up yet.
signature.asc
Description: Message signed with OpenPGP
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
