Thread: [sqlmap-users] use blind SQL injection without some charactares due to a WAF

Brought to you by: inquisb

sqlmap-users

[sqlmap-users] use blind SQL injection without some charactares due to a WAF

From: <wh...@po...> - 2013-01-18 12:19:15

Hi all,

my current test is a web application that redirects me to a generic page,
whenever < or > is present in a parameter - before the query gets to the
application logic.
The application is injectable with a blind injection (MSSQL, proven by manual
checking and also found by sqlmap). But if I try e.g. --current-user, sqlmap
uses a query
with greater than ">" in the where clause :-(

Is it possible to use other queries  (like only "=" or "!=" or contains)?
I'm to lazy to program this myself - or try to understand the perl - programs I
used ages ago ;-)


Kind regards,

Chris

Re: [sqlmap-users] use blind SQL injection without some charactares due to a WAF

From: Miroslav S. <mir...@gm...> - 2013-01-18 12:28:29

Hi.

Try with --tamper=between.

Kind regards,
Miroslav Stampar

p.s. It's actually a Python, not Perl
Dana 18.1.2013. 13:19 "wh...@po..." <wh...@po...> je napisao/la:

> **
>  Hi all,
>
>  my current test is a web application that redirects me to a generic page,
> whenever < or > is present in a parameter - before the query gets to the
> application logic.
>  The application is injectable with a blind injection (MSSQL, proven by
> manual checking and also found by sqlmap). But if I try e.g.
> --current-user, sqlmap uses a query
>  with greater than ">" in the where clause :-(
>
>  Is it possible to use other queries  (like only "=" or "!=" or contains)?
>  I'm to lazy to program this myself - or try to understand the perl -
> programs I used ages ago ;-)
>
>
>  Kind regards,
>
>  Chris
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

Re: [sqlmap-users] use blind SQL injection without some charactares due to a WAF

From: <wh...@po...> - 2013-01-18 12:32:44

Hi Miroslav

RTFM ;-) that did the trick, thanks!

Chris


Miroslav Stampar <mir...@gm...> hat am 18. Januar 2013 um 13:28
geschrieben:

> 
>  Hi.
> 
>  Try with --tamper=between.
> 
>  Kind regards,
>  Miroslav Stampar
> 
>  p.s. It's actually a Python, not Perl
> 
>  Dana 18.1.2013. 13:19 " wh...@po... <mailto:wh...@po...> " <
> wh...@po... <mailto:wh...@po...> > je napisao/la:
>    > >    Hi all,
> > 
> >    my current test is a web application that redirects me to a generic page,
> > whenever < or > is present in a parameter - before the query gets to the
> > application logic.
> >    The application is injectable with a blind injection (MSSQL, proven by
> > manual checking and also found by sqlmap). But if I try e.g. --current-user,
> > sqlmap uses a query
> >    with greater than ">" in the where clause :-(
> > 
> >    Is it possible to use other queries  (like only "=" or "!=" or contains)?
> >    I'm to lazy to program this myself - or try to understand the perl -
> > programs I used ages ago ;-)
> > 
> > 
> >    Kind regards,
> > 
> >    Chris
> > 
> > 
> >   ------------------------------------------------------------------------------
> >    Master HTML5, CSS3, ASP.NET <http://ASP.NET> , MVC, AJAX, Knockout.js,
> > Web API and
> >    much more. Get web development skills now with LearnDevNow -
> >    350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> >    SALE $99.99 this month only -- learn more at:
> >    http://p.sf.net/sfu/learnmore_122812
> > <http://p.sf.net/sfu/learnmore_122812>
> >    _______________________________________________
> >    sqlmap-users mailing list
> >    sql...@li...
> > <mailto:sql...@li...>
> >    https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > <https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
> >  >

Re: [sqlmap-users] use blind SQL injection without some charactares due to a WAF

From: Dennis <kor...@ya...> - 2013-01-18 13:28:50

Damn, I was too slow :)


Am 18.01.2013 13:28, schrieb Miroslav Stampar:
>
> Hi.
>
> Try with --tamper=between.
>
> Kind regards,
> Miroslav Stampar
>
> p.s. It's actually a Python, not Perl
>
> Dana 18.1.2013. 13:19 "wh...@po... <mailto:wh...@po...>"
> <wh...@po... <mailto:wh...@po...>> je napisao/la:
>
>     Hi all,
>      
>     my current test is a web application that redirects me to a
>     generic page, whenever < or > is present in a parameter - before
>     the query gets to the application logic.
>     The application is injectable with a blind injection (MSSQL,
>     proven by manual checking and also found by sqlmap). But if I try
>     e.g. --current-user, sqlmap uses a query
>     with greater than ">" in the where clause :-(
>      
>     Is it possible to use other queries  (like only "=" or "!=" or
>     contains)?
>     I'm to lazy to program this myself - or try to understand the perl
>     - programs I used ages ago ;-)
>      
>      
>     Kind regards,
>      
>     Chris
>
>     ------------------------------------------------------------------------------
>     Master HTML5, CSS3, ASP.NET <http://ASP.NET>, MVC, AJAX,
>     Knockout.js, Web API and
>     much more. Get web development skills now with LearnDevNow -
>     350+ hours of step-by-step video tutorials by Microsoft MVPs and
>     experts.
>     SALE $99.99 this month only -- learn more at:
>     http://p.sf.net/sfu/learnmore_122812
>     _______________________________________________
>     sqlmap-users mailing list
>     sql...@li...
>     <mailto:sql...@li...>
>     https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
>
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-

Re: [sqlmap-users] use blind SQL injection without some charactares due to a WAF

From: Dennis <kor...@ya...> - 2013-01-18 12:34:58

use tamper scripts. --tamper=between should do the trick if I'm not
mistaken.

Cheers,
Dennis


Am 18.01.2013 12:54, schrieb wh...@po...:
> Hi all,
>  
> my current test is a web application that redirects me to a generic
> page, whenever < or > is present in a parameter - before the query
> gets to the application logic.
> The application is injectable with a blind injection (MSSQL, proven by
> manual checking and also found by sqlmap). But if I try e.g.
> --current-user, sqlmap uses a query
> with greater than ">" in the where clause :-(
>  
> Is it possible to use other queries  (like only "=" or "!=" or contains)?
> I'm to lazy to program this myself - or try to understand the perl -
> programs I used ages ago ;-)
>  
>  
> Kind regards,
>  
> Chris
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
>
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users