This tutorial will explain the filters available on The Mole. Filters can be used when there is some kind of IDS/IPS on the target server which is preventing us from successfully exploiting an injection. When this situation happens, you may want to apply one or more filters in order to try to bypass the filtering performed by the server.
Filters are separated into 3 categories:
These are applied to the SQL query being performed. There are several Query Filters:
This filter can be used when the target server applies some kind of XSS filtering, which as a consequence removes the greater(>) and lower(<) characters. When this happens, blind exploitation will most certainly fail, since this technique uses queries that contain these characters to guess the information available on the database. This filter converts expressions like '.... and 1 < (select length(user()))' to '.... and 1 between 0 and (select length(user())) - 1'. To enable this filter, execute:
qfilter add between
This filter randomizes the query's case. The case filter can be used to bypass some simple IPS which detects strings like "select" or "union" and exits the script whenever it finds one. By using this filter, queries like "... union all select 1,2,username,4 from blah.users" will be converted to "... UNioN alL seLEcT 1,2,uSErNaME,4 FrOM blah.users", which will bypass that simple filter. To enable this filter, execute:
qfilter add case
This filter is not intended to bypass an IPS. On SQL Server, sometimes when you try to perform an union and the involved tables contain different collations, the resulting query will fail due to a mix of collations. This filter enables the user to perform these kinds of queries successfully. When you use this filter, queries like ".... select cast(blah as varchar(100)) from foo" will be converted to ".... select (cast(blah as varchar(100)) COLLATE __COLLATION__) from foo", where __COLLATION__ is the selected collation. By default, __COLLATION__ is DATABASE_DEFAULT, but you can change it when adding the filter, or after is has been added using the "config" parameter. To enable this filter, execute:
qfilter add mssqlcollation
To set the collation when adding the filter, execute:
qfilter add mssqlcollation THE_COLLATION
If you want to change the collation after the filter has been added, use the config parameter:
qfilter config mssqlcollation collation THE_COLLATION
Sometimes, while you need to use the COLLATE clause, some fields involved in an union statement must not contain the COLLATE clause, otherwise the query fails. In this cases, you can add those special fields to the mssqlcollation filter blacklist. Fields included in this blacklist will be skipped when adding the COLLATE clause to the query.
In order to add fields to the blacklist, execute(after the filter has been enabled):
qfilter config mssqlcollation blacklist add field1 field2 field3
In order to remove a field from the blacklist, execute:
qfilter config mssqlcollation blacklist del field
This is a pretty dump filter. Sometimes, the target server filters queries that contain an asterisk. This filter replaces the asterisk character with a "1" character. This is very unusual, but once in a whil, it can be useful. To enable this filter, execute:
qfilter add noasterisk
Sometimes, the target server filters the queries in such a way that whenever it finds a space character and some SQL keywords like 'and' or '=' around it, it drops the query. This can sometimes be bypassed by using parenthesis around spaces. When enabling this filter, queries like "...and 1=0 union all select 1,username from users" will be converted to "...and(1)=(0)union all select 1,username from users". To enable this filter, execute:
qfilter add parenthesis
This filter recieves a regular expression and a replacement as arguments and executes the regular expression, and replaces the matched text with the replacement given. This can be used to bypass some specific filters, which may not be as common as others. To enable this filter, execute:
qfilter add regex REGULAR_EXPRESSION REPLACEMENT
Note that you might want to use quotes around the regular expression or the replacement if they contain spaces:
qfilter add regex 'union all' union
This will replace the string "union all" with the word "union".
This filter can be used when an IPS rule detecs strings like "union all select" ignoring their case. In this case, the "case" filter will not work, since "UnION AlL selECt" will be also detected. The space2comment filter replaces spaces with the string "/**/". This will be useful only under certain dbms, like Mysql and SQL Server. This filter will convert queries like "... and 1=0 union all select username,1 from users" to "... and/**/1=0/**/union/**/all/**/select/**/username,1/**/from/**/users". To enable this filter, execute:
qfilter add space2comment
This filter serves the same purpose as space2comment. space2newline converts queries like "... and 1=0 union all select username,1 from users" to "... and\n1=0\nunion\nall\nselect\nusername,1\nfrom\nusers" where "\n" is the newline character(note that this will be urlencoded to "%0a". To enable this filter, execute:
qfilter add space2newline
These are applied to the whole request(including URL, headers, method, etc), before sending it. So far there is only one request filter, the "uri_changer" filter. You can read about it in the article "How to write a mole request filter", which explains how to create a filter, and as an example, creates and explains the uri_changer filter.
These are applied to the response provided by the server. Sometimes The Mole requires that the html returned by the server contains certain properties, like being pseudo-well-formed, that is, that for example the html or body tags are not closed in the middle of the html. In this case, if the needle is located after the html or body tags are closed, The Mole will fail to exploit the SQL Injection. Therefore, response filters try to sanitize the html so that it fits The Mole's requirements.
There are several response filters:
This filter does exacly what was mentioned above, removes the "", "", "" and "" tags in order to fix those malformed html files. In order to enable it, execute:
responsefilter add html_pretifier
This filter removes the next matched by a given regular expression. This might be usefull if the html is highly malformed(note that The Mole supports injections that return malformed html, but sometimes, they're just way too malformed. In order to enable it, execute:
responsefilter add regex_rem REGULAR_EXPRESSION
Remember that you can quote the regular expression if it contains spaces.
This filter serves the same purpose as the "regex_rem", but receives a string that will be used as a replacement for the matched strings. In order to enable it, execute:
responsefilter add regex_rem REGULAR_EXPRESSION REPLACEMENT
This filter is enabled by default. Sometimes when the target server's scripts are configured in such a way that when they have errors, an error message is echoed(for example, the "Warning: blabla on line 222" warning echoed by PHP). These strings make The Mole miss some injections. Therefore, this filter removes those error strings(at least some of them, we will be adding more as we step with them. So far only PHP errors are filtered).
Note that to remove a filter, execute the corresponding command(qfilter, responsefilter or request filter), using the "del" argument and the name of the filter to remove. For example:
qfilter del between