
SQL injection vulnerability (bypass)

2022-06-25 11:18:00 errorr0

After studying the principles of SQL injection and the types of SQL injection, you might think you have a general grasp of it. In reality, though, developers do not let you attack the database that easily: they usually impose restrictions on the data that has been, or can be, entered. This article summarises ways of bypassing the filtering performed by SQL injection protection code or a WAF.

Case bypass

This is the simplest bypass, and also one of the hardest to pull off in practice. It works for two reasons: SQL keywords are case-insensitive, and the blacklist filtering written by developers is often too simple.


Double-write bypass

The principle of the double-write bypass is that the back end uses a regular expression to replace sensitive words with an empty string. If select is filtered and we enter 123select456, the sensitive word is detected and the string after replacement becomes 123select456 ---> 123456. Bypassing this filter is just as simple: double-write select, for example selselectect ---> select. One such filter needs a double write; two need a triple write, and so on. Here is an example (screenshot not reproduced):

The error message shows that or is being filtered. Applying the bypass method above,

it succeeds. That is the double-write bypass; pretty simple.

Space filtering

If spaces are filtered, the main idea is to find a substitute. Several things can stand in for a space:

Comment bypass /**/ : as long as this is not filtered, it can replace the space.

Parentheses () : enclose every keyword in parentheses instead of separating them with spaces, as follows:

normal: select * from user

parentheses: (select)*(from)(user)

URL encoding: worth trying when you run into this. Use %20 or another URL-encoded character in place of the space:

%09, %0a, %0b, %0c, %0d, %a0, %00

Carriage return / line feed: a newline also works as a separator in place of a space.

Tab: a tab can also serve as a separator.
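To see why the case, double-write and whitespace tricks above all defeat a naive blacklist, and what a filter must do before it compares anything, here is an added Python example (not from the original post). It canonicalises a request parameter into roughly the token stream a SQL parser would see (URL-decoded, comments and parentheses turned into separators, whitespace collapsed, lower-cased) and repeats word removal until nothing changes. The keyword list, sample values and function names are assumptions for illustration; a real deployment should not rely on blacklisting at all.

```python
import re
import urllib.parse

# Keywords a naive blacklist filter of the kind discussed above might look for.
# The spaces around " or " / " and " are deliberate: a raw substring check
# is sidestepped by comments or encoded whitespace standing in for the space.
BLACKLIST = ("union", "select", "sleep", "benchmark", " or ", " and ")


def naive_blocked(value: str) -> bool:
    """Raw-bytes, case-sensitive, single-pass blacklist check."""
    return any(word in value for word in BLACKLIST)


def canonicalize(value: str) -> str:
    """Reduce a parameter to the token stream the SQL parser effectively sees.

    Covers the separators listed under 'Space filtering' (URL-encoded
    %09/%0a/%0b/%0c/%0d/%a0/%20, /**/ comments, parentheses) and case.
    """
    # Decode byte-wise so %a0 becomes U+00A0 instead of a UTF-8 decode error.
    value = urllib.parse.unquote_to_bytes(value).decode("latin-1")
    value = value.replace("\x00", "")                      # %00 is dropped by many consumers
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)    # an inline comment separates tokens
    value = re.sub(r"([()])", r" \1 ", value)               # so do parentheses
    value = re.sub(r"[\s\x0b\x0c\xa0]+", " ", value)       # collapse every whitespace variant
    return f" {value.strip().lower()} "                    # pad so ' or ' matches at the ends


def canonical_blocked(value: str) -> bool:
    """The same blacklist, applied to the canonical form instead of raw bytes."""
    return naive_blocked(canonicalize(value))


# Words removed by a replacement-style filter (assumed list for illustration).
STRIP_WORDS = ("select", "union", "or", "and")


def strip_once(value: str) -> str:
    """Single-pass removal of sensitive words: the filter that double-writing defeats."""
    for word in STRIP_WORDS:
        value = re.sub(word, "", value, flags=re.I)
    return value


def strip_to_fixpoint(value: str) -> str:
    """Repeat removal until nothing changes, so a nested/double-written word cannot survive."""
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped


if __name__ == "__main__":
    # Constructed sample request values (not taken from the page).
    for sample in ("1'/**/OR/**/'1'='1", "1'%0aor%09'1'='1", "(UNION)(SELECT)1"):
        print(f"{sample!r:26} naive={naive_blocked(sample)!s:5} canonical={canonical_blocked(sample)}")
    doubled = "1' oorr '1'='1"
    print(repr(strip_once(doubled)), "->", repr(strip_to_fixpoint(doubled)))
```

Note that word removal to a fixpoint also mangles legitimate values such as "password" or "android", which is one reason blacklists are a poor control; the canonical form is useful for detection and logging, while the actual fix is to keep user data out of the query text with bound parameters.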

Comment filtering

The comment we usually use, --+, is often filtered. The following comments can be substituted for it:

#, ;%00, -- (two minus signs followed by a space)

Alternatively, instead of commenting out the rest of the statement, close it with other data:

select * from user where id='1'

becomes

select * from user where id='1' or '1' ='1'

Quote filtering

Quote filtering comes in two forms: either quotation marks are not allowed to appear at all, or they are escaped. The escape case was covered in the previous article, in the wide-byte injection bypass. If quotation marks cannot be used where a quoted value is needed, take the value that would normally sit inside single or double quotes, convert it to hexadecimal and prefix it with 0x, giving an input of the form 0x*****.
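The tautology shown under "Comment filtering" and the hexadecimal trick above both work only because the input is concatenated into the query text. As an added example (not from the original post), the following Python code uses sqlite3 and a constructed user table to place the concatenated form beside the parameterised form, so the difference can be measured in returned rows. The table contents, function names and sample inputs are assumptions for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the article's `user` table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("1", "alice"), ("2", "bob"), ("3", "carol")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable form: the value is spliced into the query text, so quotes,
    comments and keywords inside the value become part of the statement.
    Kept here only for contrast with lookup_param()."""
    sql = f"select * from user where id='{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Fixed form: the value is bound as a parameter and is never parsed as SQL,
    so no keyword, quote, comment or encoding filter is needed at all."""
    return conn.execute("select * from user where id=?", (user_id,)).fetchall()


def compare(user_id: str) -> tuple:
    """Row counts returned by the two forms for the same input value."""
    conn = make_db()
    return len(lookup_concat(conn, user_id)), len(lookup_param(conn, user_id))


if __name__ == "__main__":
    # Constructed inputs: a normal id, and the closing tautology from the page.
    for value in ("1", "1' or '1'='1"):
        concat_rows, param_rows = compare(value)
        print(f"{value!r:18} concatenated={concat_rows} rows  parameterised={param_rows} rows")
```

With bound parameters the value never reaches the SQL parser, so none of the filters this article catalogues, nor their bypasses, have anything to act on. sqlite is used only because it ships with Python; the 0x... string-literal behaviour discussed above is MySQL-specific (in SQLite a 0x literal is an integer).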

Comma filtering

Some functions and clauses require commas, so the comma bypass differs from function to function and clause to clause.

substring()

There is no need to worry about which function is used; substr() and substring() are almost the same. As the examples above and below show (screenshots not reproduced), the comma can be replaced with from ... for.

If the mid() function is needed, the comma bypass is the same as for substring(): replace the comma with from ... for.

limit 0,1

limit 0,1 contains a comma, so if commas are filtered the alternative is to use offset, i.e.:

Note that when offset is used, the two numbers on either side of the comma swap positions.

union

A union injection needs select 1,2,3,4,..., so how do we get around a comma filter here? This is actually quite interesting: after testing, the union query select 1,2,3,4,... can be split up and written as follows:

The a, b, c after the parentheses are arbitrary aliases, with the as keyword omitted. Why write it this way? Because it avoids the commas, and by using offset in the same way we can retrieve the data:

So the comma bypass for a union query is to use join instead.

Equals-sign filtering

If only the equals sign is filtered, the following can be used instead:

<> : not equal (same as !=)

regexp, like, rlike


Logical operator filtering

If or, and, xor and not are filtered, the corresponding symbols can be used instead: &&, ||, |, !

If those cannot be used either, consider the Cartesian product operator (^),

which lets these connectors be used directly in place of and/or.

Encoding bypass

Honestly, encoding bypasses are rarely used in practice, but sometimes they work unexpectedly well, so they are worth knowing.

Hexadecimal bypass

Substitution of similar functions

1) sleep() <--> benchmark()

2) ascii() <--> hex(), bin(): after substitution, convert the result back with the corresponding base-conversion function.

3) group_concat() <--> concat_ws()

4) substr() <--> substring() <--> mid()

5) user() <--> @@user, datadir <--> @@datadir

6) ord() <--> ascii(): these two functions behave the same on English text but differently on Chinese characters.


Copyright notice
This article was written by errorr0; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/176/202206251101026037.html