Re: [sqlmap-users] Filter on period
Brought to you by:
inquisb
From: Brandon P. <bpe...@gm...> - 2014-08-10 21:39:16
|
I am not sure if sqlmap is capable of this, but I have found inserting the filtered character in the middle of its hex-encoded counterpart (in your case %2.E for instance) can bypass similar filters. This only works if the param is url-decoded after the filter is performed on the string. On Sun, Aug 10, 2014 at 3:57 PM, <du...@al...> wrote: > So I did a little test on my site where I simply filtered out "." > (period) in incoming GET parameters that were vulnerable to SQLi. > sqlmap then failed to list databases, tables and columns. > Since INFORMATION_SCHEMA.TABLES would become INFORMATION_SCHEMATABLES > and fail with a "Table testdb.INFORMATION_SCHEMATABLES doesn't exist". > Can sqlmap bypass this somehow? I have played around with tamper a bit, > but haven't bypassed it yet (haven't tried all tamper scripts though, > only some that sounded logical to try). > > Note: I don't see this as a means to protect my sites in the future. > It's just a little late Sunday night sqlmap fun :) > > Cheers! > > > ------------------------------------------------------------------------------ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website |