Hi.

It goes like this. The parameter is randomized, BUT the parameter value holds
the original form. This means that if your parameter is a single digit, the
following request will use a random value chosen from [0-9]. This
basically means that there is a chance that the following "random" value
could be the same as the last one AND that you'll soon be left without any
new values (after avg. 8-9 requests).

Hence, use some larger "original" value for that same parameter you want to
randomize :)

Bye

On Tue, Feb 28, 2017 at 12:32 AM, Brandon Perry <bperry.volat...@gmail.com>
wrote:

>
> > On Feb 27, 2017, at 4:28 PM, Brandon Perry <bperry.volat...@gmail.com>
> wrote:
> >
> > Hi, testing --randomize for the first time.
> >
> > I have an injection that is certainly boolean-injectable as I can
> exploit it by hand, but the content of the response can change if the URL
> requested seems to have been hit before.
> >
> > For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If
> I do it again, I get 150 bytes back from now on.
> >
> > If I append a garbage HTTP parameter and randomize the value in the
> parameter, I always get 100 bytes back.
> >
> > It’s a weird injection, but sqlmap seems to think that the page content
> is changing during warm-up, even if I append a garbage parameter and tell
> --randomize to randomize it.
> >
> > [16:20:14] [WARNING] target URL is not stable. sqlmap will base the page
> comparison on a sequence matcher. If no dynamic nor injectable parameters
> are detected, or in case of junk results, refer to user's manual paragraph
> 'Page comparison' and provide a string or regular expression to match on
> >
> > I have verified by hand that changing the HTTP parameter value each
> request results in the same data from the injection being returned from the
> server. It seems --randomize isn’t being respected in the very beginning.
> >
> > Any thoughts? Hopefully this makes sense.
>
> Doing testing through Burp Suite, I see that the HTTP parameter is indeed
> randomized, so I am not sure what’s up yet.
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm
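
The effect described in the reply above, as an added example (not sqlmap's code and not part of the original thread): a form-preserving randomizer modelled on that description, with the size of the value space and the chance of a repeated value for a short and a long original value. The function names, the three character classes and the sample values are assumptions.

```python
import random
import string

# Assumed character classes; anything else (e.g. "-") is left untouched.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)

def _alphabet(ch):
    return next((a for a in CLASSES if ch in a), None)

def randomize_keep_form(value, rng=random):
    """Swap each character for a random one of the same class (same length)."""
    return "".join(rng.choice(_alphabet(c)) if _alphabet(c) else c for c in value)

def value_space(value):
    """How many distinct values the randomizer can produce for this original."""
    size = 1
    for ch in value:
        alphabet = _alphabet(ch)
        if alphabet:
            size *= len(alphabet)
    return size

def repeat_probability(value, requests):
    """Chance that at least two of `requests` randomized values are identical."""
    space = value_space(value)
    if requests > space:
        return 1.0
    p_unique = 1.0
    for i in range(requests):
        p_unique *= (space - i) / space
    return 1.0 - p_unique

def requests_until_repeat(value, rng, limit=100000):
    """Simulate requests; return the index of the first one reusing a value."""
    seen = set()
    for n in range(1, limit + 1):
        candidate = randomize_keep_form(value, rng)
        if candidate in seen:
            return n
        seen.add(candidate)
    return None

if __name__ == "__main__":
    rng = random.Random(2017)  # constructed seed, for a repeatable demo
    for original in ("1", "12345678"):  # constructed sample values
        print(original, value_space(original),
              round(repeat_probability(original, 9), 6),
              requests_until_repeat(original, rng))
```

A repeated value means the same URL is requested twice, which on the target described in the question changes the response size and makes the page look unstable.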