Of course.
Assume unsanitized input parameter “p”:
https://www.example.com/?p=1
SELECT * FROM table WHERE id=$_GET['p']
You can use blind SQL injection with this parameter – something like:
p=1 - IF(SUBSTRING(password, 1, 1) = 'p', SLEEP(10), 0)
(you can also use AND/OR, ...)
If the first char of password is ‘p’ the response of the database will take 10 seconds. If not it will be immediate.
You can also use BENCHMARK instead of SLEEP(x):
BENCHMARK(100000000, rand())
Whitespace characters are allowed between the command and the bracket: SLEEP (10)
A good regexp may be e.g. sleep\s*\(
More info: https://www.owasp.org/index.php/Blind_SQL_Injection
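The two defensive points in the answer above (the sleep\s*\( regexp, and the fact that the root cause is the unsanitized p parameter) as one worked example. This is added code, not part of the original post: it runs the regexp (extended to BENCHMARK and made case-insensitive) over a few constructed access-log lines, URL-decoding the query values first so that an encoded "sleep%20%28" is still caught, and then shows the hardened form of the query using a bound parameter. The log format, table name items and the sample IPs are assumptions for the demo; the database is an in-memory SQLite instead of MySQL, which is enough to show that a bound value is compared as a literal rather than parsed as SQL.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# The answer's regexp, sleep\s*\(, extended with BENCHMARK and made
# case-insensitive; the \s* covers the "SLEEP (10)" spacing variant.
TIME_BASED_PATTERN = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

# Combined-log-style line (assumed format for this demo).
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)


def decode_query_values(url):
    """Return (param, value) pairs with values URL-decoded.

    parse_qsl already decodes %xx and '+'; one extra unquote_plus catches a
    single additional encoding layer, which is common in evasion attempts."""
    query = urlsplit(url).query
    return [(k, unquote_plus(v))
            for k, v in parse_qsl(query, keep_blank_values=True)]


def flag_request(url):
    """Names of query parameters whose decoded value matches the pattern."""
    return [k for k, v in decode_query_values(url)
            if TIME_BASED_PATTERN.search(v)]


def scan_log(text):
    """Return (client_ip, request_path, flagged_params) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        ip, path, _status = m.groups()
        params = flag_request("http://host" + path)
        if params:
            hits.append((ip, path, params))
    return hits


# Constructed sample log lines (not from any real system). Lines 2-4 carry
# time-based payloads in p (plain, whitespace-encoded, and BENCHMARK);
# line 5 is a benign request containing the word "sleepy".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?p=1-IF(SUBSTRING(password,1,1)='p',SLEEP(10),0) HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:14 +0000] "GET /?p=1-IF(SUBSTRING(password,1,1)='a',sleep%20%2810%29,0) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /?p=1%20AND%20BENCHMARK(100000000,rand()) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "GET /?p=2&q=sleepy%20cat HTTP/1.1" 200 512
"""


def demo_db():
    """In-memory SQLite table standing in for the answer's 'table'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "one"), (2, "two")])
    return conn


def lookup_parameterized(conn, p):
    """Hardened form of SELECT * FROM table WHERE id=$_GET['p'].

    The value is bound as a parameter, so a payload string is compared
    against id as a literal and never becomes part of the SQL text."""
    cur = conn.execute("SELECT id, name FROM items WHERE id = ?", (p,))
    return cur.fetchall()


if __name__ == "__main__":
    for ip, path, params in scan_log(SAMPLE_LOG):
        print(f"{ip} time-based payload in {params}: {path}")
    conn = demo_db()
    print(lookup_parameterized(conn, "1"))
    print(lookup_parameterized(conn, "1-IF(SUBSTRING(password,1,1)='p',SLEEP(10),0)"))
```

Decoding before matching matters: a WAF or log rule that applies sleep\s*\( to the raw request line misses sleep%20%28. The regexp is a detection aid only; the fix is the bound parameter, which removes the injection regardless of what string arrives in p.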