I'm trying to exploit an SQL injection on a website (in the name of Science, of course). After some tests I found how the back-end works. The SQL query is formed like this:
$query = 'SELECT * FROM TABLE WHERE ID ='.$segment;
$segment is the second path segment from the URL. In the case of http://vict.im/menu/10 it equals 10. The # symbol and everything after it is ignored, so the previous link and http://vict.im/menu/10#blah-blah give the same result.
The problem here is that the segment parser doesn't URLdecode() the segment. If I send .../menu/30 ; it will be encoded to .../menu/30%20;, and MySQL will interpret it as the remainder of division, returning the result where ID = 10. For the same reason, + is not replaced with whitespace; it works as an operator.
So I need an injection that doesn't contain any symbols usually encoded by web browsers. For example, .../menu/(10)or(1=1) (boolean-based injection) and .../menu/CONCAT('1','0') work fine.
How can I explain this situation to Sqlmap? Is there a tamper script for this? Are there any other ways to bypass this "protection"?
P.S. It seems the following symbols can be used:
! $ & ' ( ) * + , : ; = ? @ [ ] plus mixalpha-numeric.
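The concatenating lookup described in the question next to a hardened version, as an added example (not code from the original post or from the site it describes). It runs against an in-memory SQLite database through PDO so it works stand-alone; the menu table and its rows, the function names, and the secondSegment() helper are all constructed for the example and are not taken from the question.

```php
<?php
// Added example, not from the original post: the concatenating lookup the
// question describes next to a hardened version. Runs against an in-memory
// SQLite database through PDO; the table, rows and function names are
// constructed for this example.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE menu (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $pdo->prepare('INSERT INTO menu (id, name) VALUES (?, ?)');
foreach ([[10, 'soup'], [20, 'salad'], [30, 'steak']] as [$id, $name]) {
    $ins->execute([$id, $name]);
}

// Second path segment taken raw, with no urldecode(), as the question describes.
function secondSegment(string $path): string
{
    $parts = explode('/', ltrim($path, '/'));
    return $parts[1] ?? '';
}

// Vulnerable: the raw segment is spliced into the SQL text, so any
// expression the database accepts becomes part of the WHERE clause.
function lookupVulnerable(PDO $pdo, string $segment): array
{
    $query = 'SELECT * FROM menu WHERE id = ' . $segment;
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a plain decimal id, and hand it to the database as a
// bound integer parameter. Whether the router decodes the segment no longer
// matters, because the segment never reaches the database as SQL text.
function lookupSafe(PDO $pdo, string $segment): array
{
    if (!ctype_digit($segment) || strlen($segment) > 18) {
        throw new InvalidArgumentException("rejected menu id: $segment");
    }
    $stmt = $pdo->prepare('SELECT * FROM menu WHERE id = :id');
    $stmt->bindValue(':id', (int) $segment, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests: a normal id and the boolean payload from the question.
foreach (['/menu/10', '/menu/(10)or(1=1)'] as $path) {
    $segment = secondSegment($path);
    $rows = lookupVulnerable($pdo, $segment);
    printf("%-20s vulnerable handler returned %d row(s)\n", $path, count($rows));
    try {
        $rows = lookupSafe($pdo, $segment);
        printf("%-20s hardened handler returned %d row(s)\n", $path, count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%-20s hardened handler: %s\n", $path, $e->getMessage());
    }
}
```

Run it with the PHP CLI (pdo_sqlite must be enabled). For the first path both handlers return one row; for the second, the vulnerable handler returns every row because `=` binds tighter than `or` and the `(1=1)` branch is always true, while the hardened handler rejects the segment before any SQL is built. The point for a defender is that the absent URL decoding is not a protection at all: the fix is strict input validation plus a bound parameter, which makes the router's encoding behaviour irrelevant.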