Re: [sqlmap-users] use blind SQL injection without some characters due to a WAF
From: Dennis <kor...@ya...> - 2013-01-18 12:34:58
Use tamper scripts. --tamper=between should do the trick if I'm not mistaken.

Cheers,
Dennis

On 18.01.2013 12:54, wh...@po... wrote:
> Hi all,
>
> my current test is a web application that redirects me to a generic
> page, whenever < or > is present in a parameter - before the query
> gets to the application logic.
> The application is injectable with a blind injection (MSSQL, proven by
> manual checking and also found by sqlmap). But if I try e.g.
> --current-user, sqlmap uses a query
> with greater than ">" in the where clause :-(
>
> Is it possible to use other queries (like only "=" or "!=" or contains)?
> I'm too lazy to program this myself - or try to understand the perl -
> programs I used ages ago ;-)
>
> Kind regards,
>
> Chris