I'm trying to exploit an SQL injection on a website (in the name of Science, of course). After some tests I found how the back-end works. The SQL query is formed like this:

$query = 'SELECT * FROM TABLE WHERE ID ='.$segment

where $segment is the second path segment from the URL. In case of http://vict.im/menu/10 it equals 10. Symbols /, # and everything after them is ignored, so the previous link, http://vict.im/menu/10/blah-blah and http://vict.im/menu/10#blah-blah give the same result.

The problem here is that the segment-parser doesn't URLdecode() the segment. If I send .../menu/30 ; it will be encoded to .../menu/30%20;, and MySQL will interpret it as remainder of division, returning us result where ID = 10. By the same reason + is not replaced for whitespace, it works as an operator.

So, it's needed to make an injection that doesn't contain any symbols usually encoded by web browsers. For example, .../menu/(10)or(1=1), boolean-based injection .../menu/9+(USER()='Smith') and .../menu/CONCAT('1','0') work fine.

How can I explain this situation to Sqlmap? Is there a tamper script for this? Are there any other ways to bypass this "protection"?

P.S. It seems following symbols can be used: ! $ & ' ( ) * + , : ; = ? @ [ ] plus mixalpha-numeric.

  • You should realize that readers have no way to confirm you're doing this as a white hat, and most of us are not interested in helping a black hat. Apr 5, 2018 at 22:01
  • 1
    I'm voting to close this question as off-topic because it's a how to hack a site topic. Apr 5, 2018 at 22:03
  • 1
    Even if the OP is a "white hat", another, aspiring "black hat" could use the info. Apr 5, 2018 at 22:05
  • 3
    There is too much information in the "white Internet" useful for black hats. Even the site of my university has some articles about hacking (though, it may be specific for Ukrainian universities only :D). But as I'm new here, I hope I haven't violated rules of the site.
    – Max
    Apr 5, 2018 at 22:36
  • Does --skip-urlencode work?
    – vlp
    Oct 18, 2018 at 8:03


Your Answer

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Browse other questions tagged or ask your own question.