Thank you for pointing it out, but the post is more aimed at explaining which part of SQL to modify to change the logic. It was just an example; I fell into things like the need for hex encodings or other stuff... in addition, the preliminary checks may not work and block you either
Giorgio

2011/5/28 Miroslav Stampar <miroslav.stam...@gmail.com>:
> hi.
>
> now after last commit (added ./tamper/equaltolike.py tampering script)
> you can avoid filtering of >, < and = chars with:
>
> --tamper="between,equaltolike"
>
> kr
>
> On Sat, May 28, 2011 at 1:28 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>> hi Giorgio.
>>
>> we have a mechanism called "tampering" for doing this kind of thing.
>>
>> e.g. for dealing with characters > and < you can try to use
>> --tamper=between which will replace standard greater/lesser than
>> characters in inference by BETWEEN operator
>>
>> kr
>>
>> On Sat, May 28, 2011 at 1:02 PM, Giorgio Fedon <giorgio.fe...@gmail.com>
>> wrote:
>>> Dear List,
>>>
>>> A tool cannot deal automatically with particular contexts and situations.
>>> A common reason of failure for SQL injection tools is the fact that
>>> some fields are vulnerable but somehow sanitized.
>>>
>>> If fields are sanitized the Penetration tester must:
>>> 1) Understand which characters are filtered and how
>>> 2) Find how to make the blind SQL logic to work even if there are
>>> restrictions in place
>>> 3) Use a tool that can be customized with your new logic
>>>
>>> SQL is the best tool available for me (I am a strong SQLmap supporter
>>> :D) because it's yet powerful, but also fully customizable and meets
>>> perfectly these requirements.
>>>
>>> You can find the post here:
>>> http://blog.mindedsecurity.com/2011/05/customizing-sqlmap-to-bypass-weak-but.html
>>>
>>> Thank you,
>>>
>>> Giorgio Fedon
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail: miroslav.stampar (at) gmail.com
>> PGP Key ID: 0xB5397B1B
>>
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
>
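An added example (not from the thread or the sqlmap project) of why a filter that only strips `>`, `<` and `=` leaves a concatenated query injectable, which is the situation `--tamper="between,equaltolike"` is meant for, shown next to a bound-parameter query that closes it. The table, the filter, the function names and the input strings are constructed assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed sample table for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def weak_sanitize(value):
    # Hypothetical character filter of the kind the thread describes.
    return re.sub(r"[<>=]", "", value)


def lookup_filtered(conn, user_id):
    # Weak: the filtered value is still concatenated into the SQL text.
    sql = "SELECT name FROM users WHERE id = " + weak_sanitize(user_id)
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError:
        return None  # the filter mangled the statement into a syntax error


def lookup_bound(conn, user_id):
    # Hardened: the value is bound as data and is never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


# Constructed inputs: one condition written with and without filtered characters.
INPUTS = {
    "operators": "0 OR id > 0",
    "between": "0 OR id BETWEEN 1 AND 3",
    "like": "0 OR 1 LIKE 1",
}


def compare(conn):
    # Maps each input to (result via filter, result via bound parameter).
    return {label: (lookup_filtered(conn, text), lookup_bound(conn, text))
            for label, text in INPUTS.items()}


if __name__ == "__main__":
    for label, (filtered, bound) in compare(make_db()).items():
        print(f"{label:10} filtered={filtered} bound={bound}")
```

Only the operator form is stopped by the filter; the BETWEEN and LIKE forms return every row through the concatenated query and nothing through the bound one.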