hi.

now after last commit (added ./tamper/equaltolike.py tampering script)
you can avoid filtering of >, < and = chars with:

--tamper="between,equaltolike"

kr

On Sat, May 28, 2011 at 1:28 PM, Miroslav Stampar
<miroslav.stam...@gmail.com> wrote:
> hi Georgio.
>
> we have a mechanism called "tampering" for doing this kind of things.
>
> e.g. for dealing with characters > and < you can try to use
> --tamper=between which will replace standard greater/lesser than
> characters in inference by BETWEEN operator
>
> kr
>
> On Sat, May 28, 2011 at 1:02 PM, Giorgio Fedon <giorgio.fe...@gmail.com> 
> wrote:
>> Dear List,
>>
>> A tool cannot deal automatically with particular contexts and situations.
>> A common reason of failure for SQL injection tools is the fact that
>> some field are vulnerable but somehow sanitized.
>>
>> If fields are sanitized the Penetration tester must:
>> 1) Understand which characters are filtered and how
>> 2) Find how to make the blind SQL logic to work even if there are
>> restrictions in place
>> 3) Use a tool that can be customized with your new logic
>>
>> SQL is the best tool available for me (I am a strong SQLmap supporter
>> :D) because it's yet powerful, but also fully customizable and meets
>> perfectly these requirements.
>>
>> You can find the post here:
>> http://blog.mindedsecurity.com/2011/05/customizing-sqlmap-to-bypass-weak-but.html
>>
>> Thank you,
>>
>> Giorgio Fedon
>>
>> ------------------------------------------------------------------------------
>> vRanger cuts backup time in half-while increasing security.
>> With the market-leading solution for virtual backup and recovery,
>> you get blazing-fast, flexible, and affordable data protection.
>> Download your free trial now.
>> http://p.sf.net/sfu/quest-d2dcopy1
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
>



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to