Re: [sqlmap-users] sqlmap ubuntu quote
From: Pragmatk <pra...@gm...> - 2009-03-26 11:40:27

Bernardo Damele A. G. wrote:
> Hi Alfonso,
>
> If the parameter where you are trying to inject is a string (e.g.
> url.com/page.php?parameter=value, value is a string) you basically can
> not on MySQL/PostgreSQL, but I found and documented on my blog

Depending on the charset of the schema, you can on some of the more exotic multi-byte charset ones. From my personal cheatsheet:

big5   [A1-F9]
sjis   [81-9F], [E0-FC]
gbk    [81-FE]
cp932  [81-9F], [E0-FC]
^-- vulnerable charsets for addslashes & others, i.e. big5: %a1%5c

> (bernardodamele.blogspot.com) a technique to do that on Oracle and
> MSSQL.

Interesting! Thank you for the link!

> There are a few techniques to do that by double-encoding or utf-7
> encoding the single quote, but they often do not do the trick.

Also interesting, I'll keep that in mind. Do you have any examples / links to posts about that?

> If the parameter is an integer so not between single quote you can
> bypass magic_quotes_gpc by casting to CHAR(), or similar dbms
> function, all the 'strings' in your injected SQL statement: sqlmap
> does it automatically.

I normally use hex notation as that takes up fewer bytes, i.e. 0x4142434445 == 'ABCDE'
It also has the bonus that it's castable to int columns.

Joe "Pragmatk"
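The addslashes weakness behind the charset cheatsheet above, as an added example that is not part of this thread: a byte-wise addslashes() (what magic_quotes_gpc did) next to a charset-aware escape, both checked with a small decoder that reads the bytes the way a big5 connection would. The payload bytes and the helper names are constructed for the demo.

```python
"""Why byte-oriented addslashes() is unsafe for multi-byte charsets such as big5.

A big5 lead byte (0xA1-0xF9) followed by the 0x5C backslash that addslashes()
inserts is decoded as ONE character, so the backslash stops escaping the quote.
Escaping after decoding (or, better, using bound parameters) avoids this.
"""

SPECIAL = (0x27, 0x22, 0x5C, 0x00)  # ' " \ NUL, as PHP's addslashes() treats them


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping, charset-unaware (the weak form)."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode first, escape at the character level, re-encode (the safe form)."""
    text = data.decode(charset, errors="replace")
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset, errors="replace")


def quote_survives(escaped: bytes, charset: str) -> bool:
    """Return True if a charset-aware SQL parser would still see an unescaped quote."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":      # backslash escapes the following character
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


# Constructed payload: a big5 lead byte directly followed by a single quote.
PAYLOAD = b"\xa1'"

if __name__ == "__main__":
    print("addslashes, big5 connection :", quote_survives(addslashes(PAYLOAD), "big5"))
    print("addslashes, latin-1         :", quote_survives(addslashes(PAYLOAD), "latin-1"))
    print("charset-aware escape, big5  :", quote_survives(escape_charset_aware(PAYLOAD, "big5"), "big5"))
```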