Re: [sqlmap-users] sqlmap ubuntu quote
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] sqlmap ubuntu quote
|
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 14:34:03
|
Hi Joe, On Thu, Mar 26, 2009 at 13:36, Pragmatk <pra...@gm...> wrote: > ... > Depending on the charset of the schema, you can on some of the more exotic > multi-byte charset ones. From my personal cheatsheet: > ... This is very uncommon, but it is well detailed on Chris Shiflett blog and sla.ckers.org forum. > Also interesting, I'll keep that in mind. Do you have any examples / links > to posts about that? sla.ckers.org forum and OWASP double encoding attack page. >> If the parameter is an integer so not between single quote you can >> bypass magic_quotes_gpc by casting to CHAR(), or similar dbms >> function, all the 'strings' in your injected SQL statement: sqlmap >> does it automatically. > > I normally use hex notation as that takes up less bytes. > ie 0x4142434445 == 'ABCDE' This does not work on the majority of database softwares, good to mention thus. Regards, -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobiles: +447788962949 (UK), +393493821385 (IT) PGP Key ID: 0x05F5A30F |
