So I did a little test on my site where I simply filtered out "." (period) in incoming GET parameters that were vulnerable to SQLi. sqlmap then failed to list databases, tables and columns, since INFORMATION_SCHEMA.TABLES would become INFORMATION_SCHEMATABLES and fail with a "Table testdb.INFORMATION_SCHEMATABLES doesn't exist". Can sqlmap bypass this somehow? I have played around with tamper a bit, but haven't bypassed it yet (haven't tried all tamper scripts though, only some that sounded logical to try).
Note: I don't see this as a means to protect my sites in the future. It's just a little late Sunday night sqlmap fun :)

Cheers!