mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-21 18:33:03 +00:00
Merge pull request #205 from The-Art-of-Hacking/santosomar-patch-13
Create sqli_evasion.md
This commit is contained in:
Omar Santos
GitHub
commit
07fbb494f5
1 changed files with 87 additions and 0 deletions
87
web_application_testing/sqli_evasion.md
Normal file
87
web_application_testing/sqli_evasion.md
Normal file
|
|
@ -0,0 +1,87 @@
|
|||
# SQL Injection (SQLi) Evasion Techniques
|
||||
|
||||
### 1. **Obfuscation Techniques**
|
||||
|
||||
#### **1.1 Comment Insertion**
|
||||
|
||||
- **Definition:** Use SQL comments to break up or hide parts of the SQL query.
|
||||
- **Example:** `1' OR 1=1--` can be obfuscated as `1' OR 1=1 /* comment */--`.
|
||||
- **Purpose:** Hide the true intent of the injected SQL code from detection mechanisms.
|
||||
|
||||
#### **1.2 Encoding**
|
||||
|
||||
- **Definition:** Encode the payload using various encoding schemes to evade detection.
|
||||
- **Types:**
|
||||
- **URL Encoding:** Convert characters to their URL-encoded equivalents (e.g., `%27` for `'`).
|
||||
- **Hex Encoding:** Use hexadecimal values (e.g., `0x27` for `'`).
|
||||
- **Base64 Encoding:** Encode payloads in Base64 (e.g., `JTIxPTElM0El` for `1=1`).
|
||||
- **Example:** `1' OR 1=1--` can be encoded as `1%27%20OR%201%3D1--`.
|
||||
|
||||
#### **1.3 Case Manipulation**
|
||||
|
||||
- **Definition:** Alter the case of SQL keywords and operators.
|
||||
- **Example:** `SELECT` can be written as `sElEcT` or `SeLeCt`.
|
||||
- **Purpose:** Bypass simple pattern-matching filters.
|
||||
|
||||
#### **1.4 String Concatenation**
|
||||
|
||||
- **Definition:** Break up SQL keywords or payloads using string concatenation functions.
|
||||
- **Example:** `SELECT` can be broken as `CONCAT('SE', 'LECT')`.
|
||||
- **Purpose:** Avoid detection by breaking up recognizable patterns.
|
||||
|
||||
### 2. **Advanced Evasion Techniques**
|
||||
|
||||
#### **2.1 Dynamic SQL Injection**
|
||||
|
||||
- **Definition:** Exploit SQL queries that are dynamically constructed at runtime.
|
||||
- **Example:** Attacking a query that builds SQL commands using user input.
|
||||
- **Purpose:** Bypass static query detection and filtering.
|
||||
|
||||
#### **2.2 Blind SQL Injection**
|
||||
|
||||
- **Definition:** Use techniques that do not return error messages but still manipulate the database.
|
||||
- **Types:**
|
||||
- **Boolean-Based Blind SQLi:** Infer information based on changes in the response (e.g., `AND 1=1` vs. `AND 1=2`).
|
||||
- **Time-Based Blind SQLi:** Measure the time taken for responses to infer data (e.g., `SLEEP()` function).
|
||||
- **Purpose:** Extract information without visible data or errors.
|
||||
|
||||
#### **2.3 Out-of-Band SQL Injection**
|
||||
|
||||
- **Definition:** Use alternative channels (e.g., DNS or HTTP requests) to extract data.
|
||||
- **Example:** Using functions like `xp_cmdshell` to make the database server contact an attacker’s server.
|
||||
- **Purpose:** Bypass direct response-based filtering and detection.
|
||||
|
||||
#### **2.4 Using Built-in Functions**
|
||||
|
||||
- **Definition:** Exploit SQL built-in functions to gather information or manipulate queries.
|
||||
- **Example:** Using `UNION ALL SELECT` to combine results from multiple queries or `@@version` to get database version.
|
||||
- **Purpose:** Extract information without directly triggering detection mechanisms.
|
||||
|
||||
### 3. **Other Evasion Techniques**
|
||||
|
||||
#### **3.1 Character Substitution**
|
||||
|
||||
- **Definition:** Replace SQL keywords or special characters with alternative representations.
|
||||
- **Example:** Replacing `AND` with `+AND+` or using `CHAR()` function for character substitution.
|
||||
- **Purpose:** Bypass keyword-based filters.
|
||||
|
||||
#### **3.2 Using Alternative Syntax**
|
||||
|
||||
- **Definition:** Exploit alternative SQL syntax or functions that achieve the same result.
|
||||
- **Example:** Using `SELECT * FROM INFORMATION_SCHEMA.TABLES` instead of `SELECT * FROM sysobjects`.
|
||||
- **Purpose:** Avoid detection by using less common SQL syntax or functions.
|
||||
|
||||
#### **3.3 HTTP Parameter Pollution**
|
||||
|
||||
- **Definition:** Inject malicious parameters into HTTP requests to alter the query.
|
||||
- **Example:** Adding extra parameters to a URL or POST request to manipulate the SQL query.
|
||||
- **Purpose:** Bypass input validation and filtering mechanisms.
|
||||
|
||||
#### **3.4 Advanced Encoding Techniques**
|
||||
|
||||
- **Definition:** Use more sophisticated encoding schemes to obscure payloads.
|
||||
- **Types:**
|
||||
- **Double Encoding:** Encode the payload twice (e.g., `%2527` for `'`).
|
||||
- **Unicode Encoding:** Use Unicode representations to obfuscate SQL keywords.
|
||||
- **Purpose:** Evade detection by making the payload less recognizable.
|
||||
|
||||
Loading…
Reference in a new issue