Re: [sqlmap-users] Customizing SQLMap to bypass weak (but effective) input filters
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Customizing SQLMap to bypass weak (but effective) input filters
|
From: Miroslav S. <mir...@gm...> - 2011-05-28 16:03:29
|
hi. now after last commit (added ./tamper/equaltolike.py tampering script) you can avoid filtering of >, < and = chars with: --tamper="between,equaltolike" kr On Sat, May 28, 2011 at 1:28 PM, Miroslav Stampar <mir...@gm...> wrote: > hi Georgio. > > we have a mechanism called "tampering" for doing this kind of things. > > e.g. for dealing with characters > and < you can try to use > --tamper=between which will replace standard greater/lesser than > characters in inference by BETWEEN operator > > kr > > On Sat, May 28, 2011 at 1:02 PM, Giorgio Fedon <gio...@gm...> wrote: >> Dear List, >> >> A tool cannot deal automatically with particular contexts and situations. >> A common reason of failure for SQL injection tools is the fact that >> some field are vulnerable but somehow sanitized. >> >> If fields are sanitized the Penetration tester must: >> 1) Understand which characters are filtered and how >> 2) Find how to make the blind SQL logic to work even if there are >> restrictions in place >> 3) Use a tool that can be customized with your new logic >> >> SQL is the best tool available for me (I am a strong SQLmap supporter >> :D) because it's yet powerful, but also fully customizable and meets >> perfectly these requirements. >> >> You can find the post here: >> http://blog.mindedsecurity.com/2011/05/customizing-sqlmap-to-bypass-weak-but.html >> >> Thank you, >> >> Giorgio Fedon >> >> ------------------------------------------------------------------------------ >> vRanger cuts backup time in half-while increasing security. >> With the market-leading solution for virtual backup and recovery, >> you get blazing-fast, flexible, and affordable data protection. >> Download your free trial now. >> http://p.sf.net/sfu/quest-d2dcopy1 >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > > -- > Miroslav Stampar > > E-mail: miroslav.stampar (at) gmail.com > PGP Key ID: 0xB5397B1B > -- Miroslav Stampar E-mail: miroslav.stampar (at) gmail.com PGP Key ID: 0xB5397B1B |
