I am not sure if sqlmap is capable of this, but I have found inserting the
filtered character in the middle of its hex-encoded counterpart (in your
case %2.E for instance) can bypass similar filters.

This only works if the param is url-decoded after the filter is performed
on the string.


On Sun, Aug 10, 2014 at 3:57 PM, <d...@alcor.se> wrote:

> So I did a little test on my site where I simply filtered out "."
> (period) in incoming GET parameters that were vulnerable to SQLi.
> sqlmap then failed to list databases, tables and columns.
> Since INFORMATION_SCHEMA.TABLES would become INFORMATION_SCHEMATABLES
> and fail with a "Table testdb.INFORMATION_SCHEMATABLES doesn't exist".
> Can sqlmap bypass this somehow? I have played around with tamper a bit,
> but haven't bypassed it yet (haven't tried all tamper scripts though,
> only some that sounded logical to try).
>
> Note: I don't see this as a means to protect my sites in the future.
> It's just a little late Sunday night sqlmap fun :)
>
> Cheers!
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
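
The ordering condition in the reply above (the trick only works when the parameter is URL-decoded after the filter has run), shown from the defender's side as an added example that is not part of the original thread. The function names and the allow-list pattern are assumptions; the sample values are constructed from the strings quoted in the messages.

```python
import re
from urllib.parse import unquote

FILTERED = "."                                # character the test site stripped
ALLOWED = re.compile(r"[A-Za-z0-9_]{1,64}")   # assumed allow-list for this parameter


def filter_then_decode(raw: str) -> str:
    """Flawed order: strip the character from the raw value, then URL-decode."""
    return unquote(raw.replace(FILTERED, ""))


def decode_then_validate(raw: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, then validate the canonical form."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many encoding layers")
    if not ALLOWED.fullmatch(value):
        raise ValueError("value outside allow-list")
    return value


def is_accepted(raw: str) -> bool:
    """True if the hardened path lets the value through."""
    try:
        decode_then_validate(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, built from the strings quoted in the thread.
    for raw in ["users", "INFORMATION_SCHEMA.TABLES", "INFORMATION_SCHEMA%2.ETABLES"]:
        print(f"{raw!r}: flawed -> {filter_then_decode(raw)!r}, "
              f"hardened accepts: {is_accepted(raw)}")
```

Validation has to run on the same canonical value the query will receive, and it complements bound query parameters rather than replacing them.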