Daniel,
On Sun, May 6, 2012 at 3:06 PM, Daniel Zulla
<daniel.zu...@googlemail.com> wrote:
> Hi,
> I provided a little SQLMap patch today, that we should integrate to the w3af
> too.
>
> Sometimes, a original query like
> SELECT [...] WHERE date = '12-07-2012' AND userid='12121212';
>
> may result in something like
>
> SELECT [...] WHERE date = '12-07-2012' [INJECTION]-- 1AND userid='12121212';
>
> after an injection. This may result in a really bad timeout. (100.000+ users
> or so)
>
> I attached the patch to this email. It adds a "LIMIT 10" in an appropriate
> position where it doesn't even hurt, if the case I described above is not >
> the case.
Thanks for the patch, but I won't apply it :( We have a deeper
issue with sqlmap integration today, which is that because of the way
I integrated them (a lot of time ago - that's why our sqlmap is SO
old) it has become very difficult to update the sqlmap that lives in
w3af without breaking the integration. What needs to be done is to
define a clear API in sqlmap and have w3af consume it.
I'll send an email to Bernardo from sqlmap to see how we can achieve this.
Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
