Open jzy2000 opened 8 years ago
Hello, thanks for your report.
libinjection doesn't know about external encodings. base64, hex, query/url, html. You have to normalize it first before making the call.
Hi Nick, yes, I already URL-decoded the sample before sending it to Libinjection.
Have you seen a SQLi attack (in URL-decoded form) that contains binary bytes like 0x05, 0x06, that were accepted by MS-SQL? E.g., is the SQLi below valid on MS-SQL? t' 0x06 WHERE0x082322=23220x05AND0x092403=2112
Note: Sqlmap generates this kind of payload for MS-SQL.
Hey Nick,
From a recent Sqlmap test, I saw lots of URL-encoded payloads containing non-printable ASCII codes (%05, %09...). If I convert all those non-printable codes to spaces (%20), libinjection detects them correctly. Would you please share insight on whether the aforesaid Sqlmap-generated payloads are valid MSSQL attacks? If so, how can I address them using Libinjection? Thank you.
Example: t%27%06WHERE%082322%3D2322%05AND%092403%3D2112
Jzy
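
The pre-processing described in this thread (decode the external encoding, then turn non-printable bytes into spaces before the detector sees the input), as an added example that is not code from libinjection or from either poster. `normalize_for_sqli` and `normalizes_to` are hypothetical names, and folding 0x01-0x1F is an assumption that the backend treats those bytes as whitespace, which the thread asks about but does not confirm.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper (not part of libinjection): percent-decode in[0..len)
 * once into out (capacity >= len), folding control bytes 0x01-0x1F to ' '.
 * Malformed escapes such as "%zz" or a trailing "%2" are copied literally.
 * Returns the number of bytes written; out is not NUL-terminated. */
size_t normalize_for_sqli(const char *in, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%' && i + 2 < len) {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                c = (unsigned char)(hi * 16 + lo);
                i += 2;
            }
        }
        if (c >= 0x01 && c <= 0x1F) c = ' ';  /* assumed whitespace set */
        out[o++] = (char)c;
    }
    return o;
}

/* Returns 1 if the normalized form of `encoded` equals `expected`. */
int normalizes_to(const char *encoded, const char *expected) {
    char buf[256];
    size_t len = strlen(encoded);
    if (len > sizeof buf) return 0;
    size_t n = normalize_for_sqli(encoded, len, buf);
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

int main(void) {
    const char *s = "t%27%06WHERE%082322%3D2322%05AND%092403%3D2112"; /* sample from the thread */
    char buf[256];
    size_t n = normalize_for_sqli(s, strlen(s), buf);
    printf("%.*s\n", (int)n, buf);
    return 0;
}
```

The normalized buffer and its length are what would be passed to `libinjection_sqli(buf, n, fingerprint)`; the helper decodes one layer only, so double-encoded input needs a policy decision upstream.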