[sqlmap-users] tamper script 'between' needs improvement on quotes
Brought to you by:
inquisb
Menu
▾
▴
[sqlmap-users] tamper script 'between' needs improvement on quotes
|
From: Stiefenhofer, M. <M.S...@r-...> - 2012-01-18 22:29:16
|
Dear all, The between tamper script replaces the greater-than sign, but not if it is part of a string enclosed in quotes or double quotes. Unfortunately this is the reason why it fails on many boolean based injections like: Payload: PARAM=dummystring' AND [COMPARISON INCLUDING GREATER THAN] AND 'bla'='bla Quick fix was to remove the quote checks, but a more sophisticated solution would be great. Best regards, -marek |
