11 defense against Injection

Kindles blog

1. Use the encoding technology to bypass
Such as URLEncode and ASCII code bypass. For example, if or 1 = 1, % 6f % 72% 20% 31% 3d % 31, and Test can also be CHAR (101) + CHAR (97) + CHAR (115) + CHAR (116 ).

2. Bypass with spaces
For example, if two spaces replace one space, use Tab instead of space, or delete all spaces, such
Or swords = 'swords. Due to the loose nature of mssql, we can remove spaces between or swords without affecting the operation.

3. Use string judgment instead
Use the classic or 1 = 1 judgment bypass, such as or swords = swords. This method is discussed online.

4. Bypass by type conversion modifier N
It can be said that this is a good idea. In addition to bypassing the restrictions to some extent, it also has other functions. Let's think about it. For exploitation, such as or swords = N swords, the capital N tells mssql server that the string is used as the nvarchar type, which plays the role of type conversion and does not affect the injection statement itself, however, the knowledge-based pattern matching IDS can be avoided.

5. disassemble the string by the plus sign to bypass
The results are worthy of research, but after all, they are a method. For example, or swords = 'sw + ords; EXEC ('in + sert into + ..... )

6. bypass through LIKE
Why didn't you think of it before? Such as orswords LIKE sw !!! Obviously, you can easily bypass the "=" ">" restriction ......

7. bypass through IN
Similar to the above LIKE idea, such as or swords IN (swords)

8. bypass through
For example, or swords BETWEEN rw AND tw

9. Pass> or <Bypass
Or swords> sw
Or swords <tw
Or 1 <3
......

10. Use the comment statement to bypass
Use/**/instead of space, such as UNION/**/Select/**/user, pwd, from tbluser
Use/**/to separate sensitive words, such as: U/**/NION/**/SE/**/LECT/**/user, pwd from tbluser

11. Bypass with HEX. Generally, IDS cannot be detected.
0x730079007300610064006D0069006E00 = hex (sysadmin)
0x640062005F006F0077006E0065007200 = hex (db_owner)