Re: [sqlmap-users] sqlmap ubuntu quote
From: Bernardo D. A. G. <ber...@gm...> - 2009-03-26 00:39:22
Hi Alfonso,

If the parameter where you are trying to inject is a string (e.g. url.com/page.php?parameter=value, value is a string) you basically cannot on MySQL/PostgreSQL, but I found and documented on my blog (bernardodamele.blogspot.com) a technique to do that on Oracle and MSSQL. There are a few techniques to do that by double-encoding or UTF-7 encoding the single quote, but they often do not do the trick.

If the parameter is an integer, so not between single quotes, you can bypass magic_quotes_gpc by casting to CHAR(), or similar DBMS function, all the 'strings' in your injected SQL statement: sqlmap does it automatically.

Cheers,
Bernardo

On Fri, Mar 6, 2009 at 11:15, alfonso caponi <alf...@gm...> wrote:
> Hi,
>
> I'm trying sqlmap against a website (Apache/2.2.8 (Ubuntu)
> PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g + mysql
> 14.12) vulnerable, written ad-hoc to test SQL scanners. Sqlmap works very
> fine (with magic_quotes_gpc off), but I've a question: how can I use it (or
> other techniques) to bypass the magic_quotes_gpc check? I read from the Internet
> (slides, doc, http://www.securityfocus.com/bid/32673/info etc.) that
> magic_quotes is deprecated and not very safe... but I'm not able to bypass
> it with encoding strings etc.
>
> Have you any hints or ideas?
>
> Thank you very much for your time,
> AL
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
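
The integer-parameter case from the reply above, as an added example that is not part of the original message or of sqlmap: quote escaping leaves a quote-free value untouched, while strict integer validation with a bound parameter rejects it. Assumptions: `magic_quotes()` is a stand-in that emulates PHP's `addslashes()`, SQLite replaces the MySQL backend, and the `users` table and all inputs are constructed.

```python
import re
import sqlite3

def magic_quotes(value: str) -> str:
    """Emulate PHP addslashes(), which magic_quotes_gpc applied to request data."""
    for ch in ("\\", "'", '"'):
        value = value.replace(ch, "\\" + ch)
    return value.replace("\0", "\\0")

def make_db() -> sqlite3.Connection:
    # Hypothetical table; SQLite stands in for the MySQL backend (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "admin")])
    return db

def lookup_vulnerable(db: sqlite3.Connection, raw_id: str) -> list:
    # Numeric context: the value is concatenated with no surrounding quotes,
    # so escaping quote characters does not confine it to a literal.
    sql = "SELECT name FROM users WHERE id = " + magic_quotes(raw_id)
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db: sqlite3.Connection, raw_id: str) -> list:
    # Accept only a plain decimal integer, then pass it as a bound parameter.
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be an integer")
    rows = db.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]

# Constructed inputs. char() is SQLite's counterpart of the CHAR() function
# named in the reply; the numbers are the character codes of "admin".
QUOTED = "0 OR name = 'admin'"
QUOTE_FREE = "0 OR name = char(97,100,109,105,110)"

if __name__ == "__main__":
    db = make_db()
    print(magic_quotes(QUOTED))                # quotes are escaped
    print(magic_quotes(QUOTE_FREE))            # unchanged: nothing to escape
    print(lookup_vulnerable(db, QUOTE_FREE))   # condition reaches the database
    try:
        lookup_hardened(db, QUOTE_FREE)
    except ValueError as exc:
        print("rejected:", exc)
```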