| 
							
							
 Miroslav Stampar | 0eabca9fd4 | update for a previous update (putting conf.dataEncoding in getUnicode wherever we know that data won't be 'touched' or 'used' in any way related to the current web page - if not sure, just leave it as it is) | 2011-01-03 22:31:29 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 08ccbf2c1e | important fix for a bug reported by x <deep_freeze@mail.ru> (along with normal fixes, getUnicode now uses kb.pageEncoding) | 2011-01-03 22:02:58 +00:00 |  | 
			
				
					| 
							
							
 Miroslav Stampar | 07129371bf | bug fix for time based injections with keepalive (keepalive module has timeout argument which screwed tbMsg); also, bug fix for cases when remote host forcefully disconnects the user on some tests (instead of retrying and critically going out, continue with further tests) | 2011-01-03 13:04:20 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | da138c46c1 | added support for displaying HTTP error codes (particularly interesting ones are 403 and 406 which screw up data retrieval and DBMS fingerprinting badly) | 2011-01-02 07:37:47 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | ef27fd5ea1 | there is a huge problem with urllib2 connections that sockets are left opened causing problems with lots of disposable connections used (like in --threads) (http://mail.python.org/pipermail/python-bugs-list/2007-January/036873.html, http://mail.python.org/pipermail/python-bugs-list/2007-January/036873.html) | 2011-01-01 15:20:29 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 281d124fa6 | minor bug fix | 2010-12-31 12:04:39 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | d1f5c1d7b7 | now when we "decode page" based on a charset, sanitizeAsciiString only brings unneeded filtering | 2010-12-29 15:10:42 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 93838fb155 | "patch" for a problem reported by black zero (v = self._sslobj.write(data)...UnicodeError) | 2010-12-28 14:40:34 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | c0423761e8 | minor update | 2010-12-27 18:27:42 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 9fb0e0fc85 | resume of brute forced data is now available | 2010-12-27 14:17:20 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | f2373121d0 | noticed little DoS behavior and lots of connections in netstat (best way to deal with zombie connections is to explicitly close them if not needed any more) | 2010-12-26 14:36:51 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 569e060aab | important improvement | 2010-12-26 13:20:52 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | cd337d9f39 | minor fix | 2010-12-26 09:46:09 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 562a6440d1 | fix for a bug reported by nightman (same as http://bugs.python.org/issue8797) | 2010-12-26 09:33:04 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | b472b96f92 | bug fix, refactoring and improved extractErrorMessage capabilities | 2010-12-25 10:16:20 +00:00 |  | 
			
				
					| 
							
							
 Miroslav Stampar | 2c23a59ba5 | fix for one of those more complex bugs (comparison was returning None while original page and/or page template already had DBMS error inside) | 2010-12-24 12:13:48 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | aab14fa2d3 | minor refactoring/cosmetics | 2010-12-24 11:06:57 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | a09716a701 | minor update | 2010-12-24 10:07:56 +00:00 |  | 
			
				
					| 
							
							
 Miroslav Stampar | d5eebb1cbf | fix for a fundamentally bad presumption (ratio should be > 0.6 in stable pages), especially today when we have stuff like where=2; also, just imagine 500s which could just say something like FALSE, while on ratio level it would be far below 0.6 | 2010-12-24 09:49:19 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | cb17e61f35 | bug fix (UnicodeDecodeError: 'ascii' codec can't decode byte 0xa9 in position 959) | 2010-12-24 02:54:26 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 8470de7b76 | bug fix for boolean proxy when using time based payloads | 2010-12-23 23:46:08 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 017ea9e686 | update | 2010-12-23 14:06:22 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 8fc60215ed | lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called. | 2010-12-22 19:12:46 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | 250608660d | Minor bug fix to always show HTTP request and response when verbose is set accordingly to 4, 5 or 6 regardless of the HTTP response code (error or not) | 2010-12-22 13:41:36 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 5be9c04e44 | update regarding Sybase syntax | 2010-12-22 10:39:56 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 7a525f28d4 | cosmetics | 2010-12-21 15:26:23 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | b2e7f9484d | minor tuning (2 techniques MAX per value used) | 2010-12-21 15:24:14 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 385e208f38 | code refactoring regarding standard output suppression and some threading issues | 2010-12-21 14:21:24 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 6b37ddada4 | removed some blank trailing spaces (with extra/shutils/blanks.sh) | 2010-12-21 10:31:56 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | d554460aec | minor fix | 2010-12-21 01:09:39 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 416755c0b7 | minor adjustments | 2010-12-21 00:25:03 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 29001a4fce | minor update | 2010-12-20 23:21:01 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 8fd3e7ba1f | thread based data added | 2010-12-20 22:45:01 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 5852bad963 | some refactoring | 2010-12-20 18:56:06 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | c948bced61 | should solve the problem with timeout problems in time-based payloads | 2010-12-20 16:45:41 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | eaf8929085 | more minor updates | 2010-12-20 10:48:53 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | fe67d3827c | code refactoring and some fixes | 2010-12-18 09:51:34 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 108a96c6b4 | some fixes | 2010-12-17 21:45:20 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | b4450c6ddd | added one more level of MSSQL version check (if first fails for some reason) | 2010-12-17 21:01:14 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 95b2c0803b | minor fix | 2010-12-15 20:51:29 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | cda00c7501 | code refactoring | 2010-12-15 12:43:56 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 3f34b06a24 | minor cosmetics | 2010-12-15 12:34:14 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 445cc3bf3c | minor cosmetics | 2010-12-15 12:15:43 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | c1c525aaea | quick fix of a fix | 2010-12-15 12:10:33 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 270ae0f080 | just in case as maybe there will be some boolean expression to check where we won't expect None, but explicitly True/False | 2010-12-14 09:05:00 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | a02dd6b55b | Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring. | 2010-12-13 21:33:42 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 6a3c4485e6 | minor update (removing extra ()) | 2010-12-12 14:44:39 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | f7344a5fc3 | update | 2010-12-11 21:28:11 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | e6c66fa37c | update regarding expectingNone in fingerprinting mode to cancel drop down to other techniques available | 2010-12-11 17:55:28 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | e32fa9df43 | further update regarding bugtrace's report | 2010-12-11 17:32:15 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 5d18c98ec2 | quick fix for a bug reported by bugtrace (not using __goBooleanProxy because we don't have a proper vector this moment) | 2010-12-11 17:20:39 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 03447acc1d | avoiding some trashy match ratios | 2010-12-11 17:12:19 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 3dc0a51d34 | major bug fix with boolean expressions | 2010-12-11 08:46:19 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | ac9080c07b | update | 2010-12-11 08:24:29 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 66db80804d | fix | 2010-12-10 16:03:32 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 435f48b8cc | polite cosmetics | 2010-12-10 15:28:56 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 977988c0ab | cosmetics | 2010-12-10 15:24:25 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | fa8d378e80 | another update | 2010-12-10 15:18:15 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 1ef44cfe60 | fix | 2010-12-10 15:06:53 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | fe186cde55 | proper fix | 2010-12-10 13:26:31 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 9957881040 | you won't believe commit | 2010-12-10 13:20:59 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 1fc9ed10a8 | minor refactoring | 2010-12-10 12:30:36 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 4d8628e8fb | fix for booleans | 2010-12-10 12:26:01 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 471d9ccd65 | another fix of my lala | 2010-12-10 10:11:25 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 029a6abba2 | quick fix | 2010-12-10 09:54:25 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 441fc8dbd9 | update regarding boolean based expressions | 2010-12-09 21:15:18 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 1492823de0 | it wasn't pretty, now it's pretty | 2010-12-09 20:06:20 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | 9230877d98 | cosmetics | 2010-12-09 13:57:38 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 196131bbca | minor cosmetics | 2010-12-09 10:42:00 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 3fd1c37d53 | update | 2010-12-09 07:49:18 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | b5c6527c72 | Minor fix | 2010-12-09 00:25:48 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | f5ce739bdf | Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet. | 2010-12-08 23:52:31 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 54f6673609 | update | 2010-12-08 22:38:26 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | d6077273e0 | update | 2010-12-08 22:14:42 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 40fadf2f35 | minor update | 2010-12-08 14:33:10 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 01cf1394a4 | code refactoring | 2010-12-08 14:26:40 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 6223f25dd9 | code beautification | 2010-12-08 13:04:48 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 64cc2588f1 | now resume is available for time-based blinds too | 2010-12-08 12:49:26 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 537b619165 | removing junk | 2010-12-08 12:30:25 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | b5e45939e3 | sqlmap premiere of blind time based query/bisection | 2010-12-08 12:28:54 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 47bb31fb47 | code refactoring | 2010-12-08 11:30:25 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 1ae2fa7f1a | update regarding time based payloads | 2010-12-08 11:26:54 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | bdff4aba6a | switching to quick_ratio | 2010-12-07 23:57:43 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | c1b82cf09c | ratio() gives a considerable lag on real life cases, as real_quick_ratio() gives almost as good results | 2010-12-07 23:53:44 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | a4a63f5b1e | minor update | 2010-12-07 23:49:00 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 293ce18fed | two major bug fixes regarding time calculation (previously comparison was also a part of "delta", which screwed results in cases with large pages; other was a standard distribution based one) | 2010-12-07 23:32:33 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | dc651d59ec | little mathematics here and there (used "Rules for normally distributed data") | 2010-12-07 19:19:12 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | 81e7465ed2 | Cosmetics | 2010-12-07 17:16:21 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 294119d2ec | more advanced time technique(s) | 2010-12-07 16:04:53 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | e53fef546e | update regarding session page templates | 2010-12-07 14:35:31 +00:00 |  | 
			
				
					| 
							
							
 Miroslav Stampar | add6235b16 | removed pageTemplate from injection(s), it's no longer stored in session, and it's reloaded when resuming from session | 2010-12-07 14:06:54 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 0dc630203f | code refactoring | 2010-12-07 13:34:06 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | d77ddbee47 | OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND) | 2010-12-06 18:20:57 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | 17449754fe | Got rid of UNION false cond | 2010-12-05 16:16:15 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 9e5f933ace | some updates | 2010-12-04 15:47:02 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | eeb199375b | usage of compiled regexes in case of dynamic markings and other refactoring | 2010-12-04 13:23:28 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 0fc7a8f9e8 | code refactoring | 2010-12-04 10:13:18 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 04714374f9 | now you can use kb.pageTemplate to set a page which will be used as a template in comparison process (at least in '-[RANDNUM] OR' cases we'll need to use different template(s)) | 2010-12-04 10:05:18 +00:00 |  | 
			
				
					| 
							
							
								 Miroslav Stampar | 5764816891 | minor cosmetics | 2010-12-03 22:28:09 +00:00 |  | 
			
				
					| 
							
							
								 Bernardo Damele | 5d37df6104 | Ugly code to set the cookies when got them from a 302 redirect too | 2010-12-03 17:41:10 +00:00 |  |