Sqlmap: Tamper for Kona

Created on 19 Aug 2016  路  4Comments  路  Source: sqlmapproject/sqlmap

Hello,
which is the best tamper to bypass this kind of firewall?
KONA Security Solutions (Akamai Technologies)

I'm searching on G, but nothing.
Thanks

Most helpful comment

Sorry, --common-tables and/or --common-columns

All 4 comments

Currently none. It is based on ModSecurity and there are no usable tamper scripts for effectively bypass it. You should assess the target manually

This topic is closed, but for those that come afterwards, I recently received this error when pen-testing a site with the KONA Security Solutions WAF.

I haven't been able to enumerate the database names, but using the --common-names switch, I was able to see some of the tables present on the current database.

Sorry, --common-tables and/or --common-columns

Hey @TNierman
Would you elaborate.
I found a Kona firewall which allow the following query and showing blind sqli exisit, but blocking = sign and some other function to extract information.
email=admin'+AND+1=1 -- true (customize page)
email=admin'+AND+1=0 -- normal page
email=admin'+OR+1=1 -- true (customize page)
email=admin'+OR+1=0 -- normal page
email=admin'+HAVING+1=1 -- true (customize page)
email=admin'+OR+1=0 -- normal page

Was this page helpful?
0 / 5 - 0 ratings

Related issues

dispater13 picture dispater13  路  7Comments

engrhaider22 picture engrhaider22  路  3Comments

phobosgroup picture phobosgroup  路  4Comments

GeoffreyVDB picture GeoffreyVDB  路  3Comments

pajoda picture pajoda  路  7Comments