I'm using sqlmap to get a website's DB and found out that the site is time-based boolean vulnerable; but the target is showing SQL errors, which made me think that it would be an injection error.

I was curious, so I turned on the --parse-errors option which showed that some SQL reserved words are filtered; something like:

AND became A_N_D, SELECT became S_E_LE_C_T ...

and so on...

Is there a way to bypass this with sqlmap? Some tamper option?

schroeder
Thiago Dias

2 Answers

I had a similar situation with a test. The application used SQL Server, and there was a WAF filtering the data input, so I couldn't use reserved words, because the WAF was blocking the reserved words. The solution was double encoding; you just need to apply double encoding to one letter. For example, you want to inject AND: if you encode the letter A using URL encoding, you will have something like this: %41ND; the WAF will interpret those characters as A, so it will not work. Then you have to apply a second encoding on the %, and you will have something like this: %2541ND; the WAF will interpret the %25 as %, and the database will receive the %41ND, do a canonicalization process and execute the command AND. I exploited this SQL injection manually; I'm not sure if sqlmap has this bypass technique. I recommend you review the tamper options, maybe there is something similar.

Good luck.

hmrojas.p
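Why the double-encoding trick in the answer above works, and what fixes it, is easier to see in code. The following is an added example, not code from the thread, sqlmap or the target application: it reconstructs a keyword-mangling filter of the kind the question describes (`AND` becomes `A_N_D`), runs it in the vulnerable order (one URL decode, filter, then a second decode downstream) and in a corrected order (decode to a fixed point before filtering), flags requests that carry more than one encoding layer, and finally shows the actual remedy, a parameterized query, using an in-memory SQLite table. The keyword list, the mangling function and the sample parameters are all constructed for illustration; the real filter's behaviour is only known from the thread.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed blocklist: a stand-in for the reserved-word filter the question
# observed. Not the target's actual code.
KEYWORDS = ("SELECT", "UNION", "AND", "OR", "WHERE")
_KEYWORD_RE = re.compile("|".join(KEYWORDS), re.IGNORECASE)


def mangle_keywords(value: str) -> str:
    """Blocklist-style filter: break reserved words up with underscores."""
    return _KEYWORD_RE.sub(lambda m: "_".join(m.group(0)), value)


def naive_pipeline(raw_param: str) -> str:
    """Vulnerable ordering: the web server decodes once, the filter runs,
    and a downstream layer decodes again (the 'canonicalization' the
    answer describes). The filter never sees the final keyword."""
    once = unquote(raw_param)          # "%2541ND" -> "%41ND"
    filtered = mangle_keywords(once)   # no keyword visible, passes unchanged
    return unquote(filtered)           # downstream decode: "%41ND" -> "AND"


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing, so the filter inspects the
    same bytes the backend will. Bounded to avoid pathological inputs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def hardened_pipeline(raw_param: str) -> str:
    """Filter after full canonicalization: still a blocklist, but at least
    it sees what the database sees."""
    return mangle_keywords(canonicalize(raw_param))


def is_double_encoded(raw_param: str) -> bool:
    """Detection signal: a second URL decode changes the value, i.e. the
    request carried more than one layer of percent-encoding. Worth logging
    or alerting on, since legitimate clients rarely do this."""
    once = unquote(raw_param)
    return unquote(once) != once


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the parameterized-query demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def lookup_user(conn: sqlite3.Connection, username: str) -> list:
    """The real fix: bind the input as data. No keyword filter is needed,
    because the value is never parsed as SQL, encoded or not."""
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchall()


if __name__ == "__main__":
    print(naive_pipeline("%2541ND"))      # AND      (filter bypassed)
    print(hardened_pipeline("%2541ND"))   # A_N_D    (filter applied)
    print(is_double_encoded("%2541ND"))   # True
    conn = demo_db()
    print(lookup_user(conn, "' OR 1=1 --"))  # []  (treated as a literal name)
```

The point of `canonicalize` is that decoding must happen to a fixed point before any inspection; the thread's WAF decoded once and let the backend decode again, which is the gap double encoding exploits. `is_double_encoded` is the cheap detection a WAF or access-log parser can run. Neither replaces `lookup_user`: once the value is bound as a parameter, the filter and its evasions become irrelevant.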

Hmmmnnn.... It sounds like something bypassable. Maybe you can try things like this:

replace('S_E_LE_C_T', '_', '')

replace('A_N_D', '_', '')

It is a wild guess... but maybe it could work. The best is to try! Then you must adapt this idea into sqlmap.

I saw some pages talking about sqlmap tampering. Maybe nonrecursivereplacement tampering could work for you.

Good luck

OscarAkaElvis