This is my first post here, sorry for my English.
I'm running some tests because I want to learn more about SQL injection. I'm not really good at manual SQL injection, so I'm using sqlmap.
What I know about my target is: ASP.NET application, MySQL database, powered by Plesk and probably a ModSecurity WAF. There is a WAF; I'm not sure it is ModSecurity, but Plesk uses it.
I'm sure some URLs are vulnerable. But you can reach the vulnerable URLs only as a logged-in user. And when I try to use sqlmap, my ASP session gets instantly killed.
What I have tested and what works better:
--skip-waf, because the sqlmap WAF test triggers the WAF and my session was killed.
--delay 7/8 seconds
--tamper="modsecurityversioned,randomcomments,between" makes the test last longer, but on the last test it crashed on a payload with the = character.
Can I have some suggestions? What is the most undetected method? Blind, time, error? Tamper suggestions?