Methods for continuing injection by bypassing the injection Restriction

I suddenly wondered if we could use any method to bypass the restrictions of SQL injection? I checked on the Internet AND found that most of the methods mentioned are aimed at AND "" AND "=" filtering breakthroughs. Although there are some improvements, there are still some keywords not bypassed, I do not dare to comment on the effect of the above filter because I do not often intrude into the website, but it is certain that the effect will not be very good ......

After my collection, most anti-injection programs filter the following keywords:

And | select | update | chr | delete | % 20 from |; | insert | mid | master. | set | =

The most difficult thing to handle here is the select keyword. How can we break through them? Although the problem has not been completely solved, I 'd like to share it with you.

For keyword filtering, the following are my collected and my personal ideas.

1. Use the encoding technology to bypass

Such as URLEncode and ASCII code bypass. For example, if or 1 = 1, % 6f % 72% 20% 31% 3d % 31, and Test can also be CHAR (101) + CHAR (97) + CHAR (115) + CHAR (116 ).

2. Bypass with spaces

For example, if two spaces are used to replace one space, and tabs are used to replace spaces, or all spaces are deleted, such as or swords = 'swords. Due to the loose nature of mssql, we can remove spaces between or swords, it does not affect the operation.

3. Use string judgment instead

Use the classic or 1 = 1 judgment bypass, such as or swords = swords. This method is discussed online.

4. Bypass by type conversion modifier N

It can be said that this is a good idea. In addition to bypassing the restrictions to some extent, it also has other functions. Let's think about it. For exploitation, such as or swords = N swords, the capital N tells mssql server that the string is used as the nvarchar type, which plays the role of type conversion and does not affect the injection statement itself, however, the knowledge-based pattern matching IDS can be avoided.

5. disassemble the string by the plus sign to bypass

The results are worthy of research, but after all, they are a method. For example, or swords = 'sw + ords; EXEC ('in + sert into + ..... )

6. bypass through LIKE

Why didn't you think of it before? For example, or swords LIKE sw !!! Obviously, you can easily bypass the "=" ">" restriction ......

7. bypass through IN

Similar to the above LIKE idea, such as or swords IN (swords)

8. bypass through

For example, or swords BETWEEN rw AND tw

9. Pass> or <Bypass

Or swords> sw

Or swords <tw

Or 1 <3

......

10. Use the comment statement to bypass

Use/**/instead of space, such as UNION/**/Select/**/user, pwd, from tbluser

Use/**/to separate sensitive words, such as: U/**/NION/**/SE/**/LECT/**/user, pwd from tbluser

11. Bypass with HEX. Generally, IDS cannot be detected.

0x730079007300610064006D0069006E00 = hex (sysadmin)

0x640062005F006F0077006E0065007200 = hex (db_owner)

In addition, we can consider using the value Assignment Method for the filtering method of common points. For example, we can declare a variable a first, and then assign the value of our command to, then, call variable a to execute the input command. Variable a can be any command. As follows:

Declare @ a sysname

Select @ a =

Exec master. dbo. xp_mongoshell @

Effects http://www.ilikeplmm.com/show.asp? Id = 1; declare % 20 @ a % 20 sysname


% 20 select % 20 @ a = Success

610064006400% 20 exec % 20master. dbo. xp_mongoshell % 20 @ ;--
Region

"Net user angel pass/add" means 006400.
12. When the anti-injection system blocks injection, you can try to use the request. cookie Method for injection! Generally, the website anti-injection system does not filter the data submitted in this way! (It seems that this is not detailed enough. I will add it below)
Bytes --------------------------------------------------------------------------------------------
Other methods:
1. Some anti-injection systems have defects and cannot provide good anti-injection functions, which can be easily bypassed. For example, this parameter asp? Id = 123 you can convert the id to % 69% 64 and enter the address in the injection tool to continue the injection.
2. Some anti-injection systems will record illegally submitted parameters and write them into asp files. This will cause a Trojan to be written into a sentence, this leaves New security risks.
Cookie injection is a good way to bypass Injection Protection and continue injection. The principle is request. generally, the data submitted by cookies is not filtered. You can perform it manually (there are many online tutorials and you can search for them if you do not understand them). Of course, it is troublesome. You can also use tools. For example, some browsers that support cookie modification, SQL statement injection, and the little tool written by the lonely Hedgehog (ps: You can leave a message, the latest version) indirect Injection Through the injection tool. In addition, the tool that supports cookie injection written by someone in PHP is actually a PHP script (available on my website ). In addition, blade 1.5 also supports cookie injection. I don't know how to use it, and I don't feel very useful. I didn't test the actual effect.