Re: [sqlmap-users] How to avoid union filter?

[Ignacio H. <nac...@gm...>]

Some times you can bypass some bad implemented IDS/WAF who looks for
specific words like "union", "select" or "from" like David sais in other
ways, for example:
http://www.site.com/vuln.php?id=323/**/union/**/all/**/select/**/...
(replacing spaces by /**/)
or:
http://www.site.com/vuln.php?id=323 UnIoN aLl SeLeCt... (randomly
uppercase/lowercase key words, some ids/waf only looks for "union" or
"UNION" but not for "UnIoN")

Also i think the sqlmap developpers are working on more sophisticated bypass
techniques.

2010/4/22 David Guimaraes <sk...@gm...>

> What type of filter is used? It removes certain words and executes the
> query, or simply does not run anything at all?
>
> I've came across a filter that removed certain words of parameters passed
> by users, such as UNION, SELECT, DROP, ALTER, UPDATE, and comments like "--"
> or "/*".
>
> To get around, I used this:
>
> http://www.site.com/vuln.php?id=323 UN--ION A--LL SELE--CT 1,2,3 FRO--M
> table
>
> The query was filtered 1x and resulted in the following expression:
>
> http://www.site.com/vuln.php?id=323 UNION ALL SELECT 1,2,3 FROM table
>
>
> Hope this help. =)
>
>
> On Thu, Apr 22, 2010 at 2:01 PM, Pagera <pag...@gm...> wrote:
>
>> hello
>>
>> is there anyway to avoid server filter ? like filtering union or select
>> in the URL?
>>
>> coz sqlmap seems doesnt work when there is a filtering
>>
>> thankx
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> David Gomes Guimarães
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>