SQL injection bypass (updated)

There are many kinds of injection bypass, but the basic principle is similar; in my opinion they fall into two kinds: function filtering and character filtering. (Because I am still a beginner, let's talk about character filtering for now.)

Here I chose to explain by example (more suitable for novices); the various methods are listed in the summary at the end.

0x01 (following a write-up from next door)

Character filtering, as the name suggests, filters out characters that may appear in an injection, in order to prevent injection.

So the question is: how do we find out what kind of characters it filters out?

  • Previously I thought this could be judged only from the error message; after running into bypasses in practice I found that unrealistic, since the error only tells you the position of the problem, not what the problem is. So how should we judge?

The method is simple: build a statement that is known to be logically correct, then insert the characters you suspect are filtered into its structure. The formal name for this is XOR injection.

XOR injection: when two conditions have the same truth value (both true or both false), the XOR result is false (0); when they differ, the result is 1. The XOR operator is ^. The statements below give an example.

1. %27 and %23 here are URL-encoded (a single quote and a #); there is no error. (figure 1)
2. Here an error appears. Combined with the analysis at the start of the post, this should be easy to understand: the content after id is XORed with the content after ^; because the two differ, the id becomes 0, the database finds no record, and an error results.

In short: if the content in the parentheses is true, an error occurs; if it is false, the page runs normally. We can use this to judge which characters are filtered out. (figure 2)

3. In this way the filter is determined. Of course, it may well filter more than single quotes, spaces, parentheses, comment symbols and the like; just repeat the above for those. (figure 3)
4. Next comes the bypass: put a union inside a union, i.e. uniunionon (formally, double-keyword bypass). The filter removes the inner union and leaves a single union behind. (Of course this does not rule out the kind of frenzied developer who filters in a loop: once filtered content is found and removed, the data goes back to the start and is filtered again, so this is not easy to use.) As shown in the figure. (figure 4)

In fact, case variation, hexadecimal, inline comments and other ways can also be used to bypass; I will go into detail another day.

0x02

  • Look at the code: if and, or or sleep is found, it stops directly; then spaces are deleted. (This is the most misleading way to begin a write-up, because the challenge hands you the source code, which makes it this simple; in reality this does not exist.) (figure 1)
  • Here we first try the old method and find it does not work. (figure 2)
  • Note that the order has to be adjusted according to the feedback in the log: here the first step is to replace spaces with /**/, and only then to replace and, or and sleep. (figure 3)

0x03

Of course, these are very simple; a lot of supplements will follow.

SQL injection bypass summary:

0x01 Single-quote bypass (some say there is no solution, but that only applies to novices)

The vast majority of injections involve single or double quotes; of course, filtering out single quotes does not prevent injection either.

Principle of single-quote filtering: most single quotes are filtered by converting them into other characters.

1. Encode the apostrophe

Although any normal person writing this filter would account for encoding, it is nonetheless a method, in case a fool is encountered.

2. Assignment (code examples from the network)

Code example 1:

http://www./show.asp?id=1;exec master.dbo.xp_cmdshell 'net user angel pass /add';--

Code example 2:

http://www./show.asp?id=1;declare%20@a%20sysname%20select%20@a=0x6e006500740020007500730065007200200061006e00670065006c002000700061007300730020002f00610064006400%20exec%20master.dbo.xp_cmdshell%20@a;--

Both SQL statements have exactly the same effect.
0x6e006500740020007500730065007200200061006e00670065006c002000700061007300730020002f00610064006400 is "net user angel pass /add" in hexadecimal (UTF-16LE, since sysname is an nvarchar type).
Declare a variable a, assign the command to a, then call the variable to execute the command we entered. The variable can hold any command. For example:

declare @a sysname
select @a=
exec master.dbo.xp_cmdshell @a

Of course, this does not rule out some frenzied developer restricting the input so that only specific characters or a numeric data type can be entered (which is awful, but is the reality).

3. Avoid single quotes by using functions instead (this is the usual way of the great masters)

For something as simple as where xtype='U', the character U has ASCII code 85, so it can be replaced with where xtype=char(85); if the characters are Chinese, e.g. where name='用户' ("user"), where name=nchar(29992)+nchar(25143) can be used instead.

More complex statements can likewise be replaced with function calls; of course, functions may also be filtered.

Because I am still a beginner, I will add more on this as I come across it.

4. Escape characters (code from the network)

id=replace(trim(request("id")),"'","")

or

name=name.replaceAll("'", "xxx");

password=password.replaceAll("'", "xxx");

String sql="select * from user_table where username='"+name+"' and password='"+password+"'";

Here single quotes are replaced or stripped, but there are no other restrictions on the input.

Code written this way can be bypassed with the escape character (\'), hex encoding, wide bytes and similar methods (to be covered specifically another time).
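The following is an added example (not from the original post) showing why the quote-stripping filter in item 4 gives no protection when the parameter lands in a numeric context, and what the fix looks like: a parameterized query with an integer-typed parameter. It uses Python's sqlite3 with constructed rows; the table name user_table is taken from the Java snippet above, everything else is assumed.

```python
import sqlite3


def make_db():
    # constructed sample data standing in for the application's user table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def strip_quotes(value):
    # mirrors replace(trim(request("id")),"'","") from the post
    return value.strip().replace("'", "")


def lookup_filtered(conn, raw_id):
    # vulnerable: the filter only touches quotes, then the value is
    # concatenated into a numeric position, where no quote is needed anyway
    sql = "SELECT username FROM user_table WHERE id=" + strip_quotes(raw_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_id):
    # hardened: the parameter is coerced to the type the column expects and
    # bound by the driver, so it is never parsed as part of the SQL text
    try:
        id_value = int(raw_id)
    except ValueError:
        return []  # not a number: reject instead of guessing
    sql = "SELECT username FROM user_table WHERE id=?"
    return [row[0] for row in conn.execute(sql, (id_value,))]


def demo():
    conn = make_db()
    benign = "2"
    # constructed hostile input: a boolean condition with no quote character,
    # so the quote filter leaves it completely untouched
    hostile = "2 OR 1=1"
    return {
        "filtered_benign": lookup_filtered(conn, benign),
        "filtered_hostile": lookup_filtered(conn, hostile),   # every row leaks
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),  # rejected
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```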

0x02

To be continued...



Origin: blog.csdn.net/m0_46230316/article/details/105290474