[sqlmap-users] Filter on period
From: <du...@al...> - 2014-08-10 21:16:01
So I did a little test on my site where I simply filtered out "." (period) in incoming GET parameters that were vulnerable to SQLi. sqlmap then failed to list databases, tables and columns, since INFORMATION_SCHEMA.TABLES would become INFORMATION_SCHEMATABLES and fail with a "Table testdb.INFORMATION_SCHEMATABLES doesn't exist" error.

Can sqlmap bypass this somehow? I have played around with tamper a bit, but haven't bypassed it yet (haven't tried all tamper scripts though, only some that sounded logical to try).

Note: I don't see this as a means to protect my sites in the future. It's just a little late Sunday night sqlmap fun :)

Cheers!