From fe60a20b5a24b2342f4bbbfb9da6529663bc1c45 Mon Sep 17 00:00:00 2001
From: jzy2000
Date: Mon, 28 Mar 2016 23:43:07 -0400
Subject: [PATCH] Fix for MySQL, MSSQL whitespace evasion Quick fix for http://www.websec.ca/blog/view/Bypassing_WAFs_with_SQLMap#sthash.uNJMATB3.dpuf%27= where it states: "MySQL allows characters 09, 0A-0D, A0 to be used as whitespaces while MSSQL allows a much wider range, from 01-1F.".
---
 src/libinjection_sqli.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libinjection_sqli.c b/src/libinjection_sqli.c
index f369e4f1..44943402 100644
--- a/src/libinjection_sqli.c
+++ b/src/libinjection_sqli.c
@@ -177,7 +177,7 @@ strlencspn(const char *s, size_t len, const char *accept)
 /* likely we can do better by inlining this function
 * but this works for now
 */
- if (strchr(accept, s[i]) != NULL) {
+ if (s[i]<32 || strchr(accept, s[i]) != NULL) {
 return i;
 }
 }
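Review bot: The added `s[i]<32` test in strlencspn compares a plain `char`, whose signedness is implementation-defined, so the tokenizer's result depends on the build: where `char` is signed every byte 0x80–0xFF is negative and also ends the span (this happens to cover the 0xA0 case from the commit message, but it also cuts through UTF-8 text), and where `char` is unsigned 0xA0 is not treated as whitespace at all. Stating the intent explicitly keeps detection identical across platforms, for example `unsigned char c = (unsigned char)s[i];` followed by `if (c < 0x20 || c == 0xA0 || strchr(accept, s[i]) != NULL) {`; whether 0xA0 should end a span for every caller is an assumption to confirm, since the callers are not visible here. A one-line comment naming the 0x01–0x1F (MSSQL) and 0xA0 (MySQL) ranges, plus a regression test that places those bytes between keywords, would pin the behaviour the commit message describes. The loop header of strlencspn lies outside the hunk.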