Hello !!
as everyone will have spent some time trying to make an injection for GET in a page and appears
appears the famous announcement of Mod_Security that does not let you inject.
But if you thought that was the end of the game is very wrong, there will always be SQLMAP to the rescue with its 47 Tampers (which are the ones that come by default in the latest version) which will get you out of more of a hurry ;).
For this example we will use "modsecurityversioned.py" (which only works with MySQL).
If you want more information about each one you have to go to sqlmap / tamper /, where you will find all available and within each file there is an explanation of its functionality
To use a Tamper in SQLMAP is very simple you should only add the option
Code:
-- tamper name
The example of injection we will do with a Peruvian page of sale of electronic articles (I hope do not bother them) D.
URL : https://impulso.com.pe
Tool : SQLMAP Tamper : modsecurityzeroversioned.py
Xploit :
Code:
sqlmap.py -u "https://impulso.com.pe/detalle_marca.php?marca_id=24&cat_id=5" --dbms "MySQL" -p "marca_id" --tamper "modsecurityzeroversioned.py" --batch
result
REPORTED : NO
Be the First to Respond
Share Your Thoughts