diff --git a/Usage.md b/Usage.md index f54706f51..bc2dbaeff 100644 --- a/Usage.md +++ b/Usage.md @@ -1595,6 +1595,12 @@ Switch: `--beep` In case that user uses switch `--beep` he'll be warned with a beep sound immediately when SQL injection is found. This is especially useful when there is a large bulk list (option `-m`) of target URLs to be tested. +# Heuristically check for WAF/IPS/IDS protection + +Switch: `--check-waf` + +WAF/IPS/IDS protection mechanisms can deal a lot of trouble to sqlmap. In case that user suspects that one such mechanism is protecting the target he can use this switch to make a dummy heuristic check. sqlmap will send inside the original request a dummy parameter value containing a "suspicious" SQL injection payload (e.g. `...&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1`). In case that target responds differently there is a high possibility that it's under such protection. + ### Cleanup the DBMS from sqlmap specific UDF(s) and table(s) Switch: `--cleanup` @@ -1613,6 +1619,12 @@ Option: `--gpage` Default sqlmap behavior with option `-g` is to do a Google search and use the first 100 resulting URLs for further SQL injection testing. However, in combination with this option you can specify with this switch, `--gpage`, some page other than the first one to retrieve target URLs from. +### Use HTTP parameter pollution + +Switch: `--hpp` + +HTTP parameter pollution (HPP) is a method for bypassing WAF/IPS/IDS protection mechanisms (explained [here](http://www.imperva.com/resources/glossary/http_parameter_pollution_hpp.html)) that is particularly effective against ASP/IIS and ASP.NET/IIS platforms. If you suspect that the target is behind such protection, you can try to bypass it by using this switch. + ### Imitate smartphone Switch: `--mobile`
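Review bot: The heading level in the first hunk is inconsistent with the rest of Usage.md: the added section opens with `# Heuristically check for WAF/IPS/IDS protection` while the neighbouring sections (`### Cleanup the DBMS from sqlmap specific UDF(s) and table(s)`, `### Use HTTP parameter pollution`) use `###`, so this entry will render as a top-level heading and break the page outline. Suggest `### Heuristically check for WAF/IPS/IDS protection`. The same paragraph also reads awkwardly: "can deal a lot of trouble to sqlmap" should be "can cause a lot of trouble for sqlmap", and "In case that user suspects ... he can use" would be clearer as "If the user suspects that such a mechanism is protecting the target, this switch performs a dummy heuristic check". Finally, the text says a different response means the target is "under such protection"; it would help the reader to state that this is only a heuristic (the response may differ for unrelated reasons, e.g. input validation in the application itself), so that a positive result is read as a hint to investigate rather than a confirmed detection.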
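Review bot: In the second hunk the link text "here" in "(explained [here](http://www.imperva.com/...))" is non-descriptive; prefer naming the reference, e.g. "(see Imperva's [HTTP parameter pollution glossary entry](http://www.imperva.com/resources/glossary/http_parameter_pollution_hpp.html))", so the link survives when the page is read as plain text or the URL later moves. The wording "a method for bypassing WAF/IPS/IDS protection mechanisms" would also benefit from one sentence on what the switch actually changes in the request, as the `--check-waf` section above does for its own behaviour, so a reader can judge whether it applies to their target and can recognise the resulting traffic in logs.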