mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-21 18:33:03 +00:00
3.8 KiB
3.8 KiB
SQL Injection (SQLi) Evasion Techniques
1. Obfuscation Techniques
1.1 Comment Insertion
- Definition: Use SQL comments to break up or hide parts of the SQL query.
- Example:
1' OR 1=1--
can be obfuscated as1' OR 1=1 /* comment */--
. - Purpose: Hide the true intent of the injected SQL code from detection mechanisms.
1.2 Encoding
- Definition: Encode the payload using various encoding schemes to evade detection.
- Types:
- URL Encoding: Convert characters to their URL-encoded equivalents (e.g.,
%27
for'
). - Hex Encoding: Use hexadecimal values (e.g.,
0x27
for'
). - Base64 Encoding: Encode payloads in Base64 (e.g.,
JTIxPTElM0El
for1=1
).
- URL Encoding: Convert characters to their URL-encoded equivalents (e.g.,
- Example:
1' OR 1=1--
can be encoded as1%27%20OR%201%3D1--
.
1.3 Case Manipulation
- Definition: Alter the case of SQL keywords and operators.
- Example:
SELECT
can be written assElEcT
orSeLeCt
. - Purpose: Bypass simple pattern-matching filters.
1.4 String Concatenation
- Definition: Break up SQL keywords or payloads using string concatenation functions.
- Example:
SELECT
can be broken asCONCAT('SE', 'LECT')
. - Purpose: Avoid detection by breaking up recognizable patterns.
2. Advanced Evasion Techniques
2.1 Dynamic SQL Injection
- Definition: Exploit SQL queries that are dynamically constructed at runtime.
- Example: Attacking a query that builds SQL commands using user input.
- Purpose: Bypass static query detection and filtering.
2.2 Blind SQL Injection
- Definition: Use techniques that do not return error messages but still manipulate the database.
- Types:
- Boolean-Based Blind SQLi: Infer information based on changes in the response (e.g.,
AND 1=1
vs.AND 1=2
). - Time-Based Blind SQLi: Measure the time taken for responses to infer data (e.g.,
SLEEP()
function).
- Boolean-Based Blind SQLi: Infer information based on changes in the response (e.g.,
- Purpose: Extract information without visible data or errors.
2.3 Out-of-Band SQL Injection
- Definition: Use alternative channels (e.g., DNS or HTTP requests) to extract data.
- Example: Using functions like
xp_cmdshell
to make the database server contact an attacker’s server. - Purpose: Bypass direct response-based filtering and detection.
2.4 Using Built-in Functions
- Definition: Exploit SQL built-in functions to gather information or manipulate queries.
- Example: Using
UNION ALL SELECT
to combine results from multiple queries or@@version
to get database version. - Purpose: Extract information without directly triggering detection mechanisms.
3. Other Evasion Techniques
3.1 Character Substitution
- Definition: Replace SQL keywords or special characters with alternative representations.
- Example: Replacing
AND
with+AND+
or usingCHAR()
function for character substitution. - Purpose: Bypass keyword-based filters.
3.2 Using Alternative Syntax
- Definition: Exploit alternative SQL syntax or functions that achieve the same result.
- Example: Using
SELECT * FROM INFORMATION_SCHEMA.TABLES
instead ofSELECT * FROM sysobjects
. - Purpose: Avoid detection by using less common SQL syntax or functions.
3.3 HTTP Parameter Pollution
- Definition: Inject malicious parameters into HTTP requests to alter the query.
- Example: Adding extra parameters to a URL or POST request to manipulate the SQL query.
- Purpose: Bypass input validation and filtering mechanisms.
3.4 Advanced Encoding Techniques
- Definition: Use more sophisticated encoding schemes to obscure payloads.
- Types:
- Double Encoding: Encode the payload twice (e.g.,
%2527
for'
). - Unicode Encoding: Use Unicode representations to obfuscate SQL keywords.
- Double Encoding: Encode the payload twice (e.g.,
- Purpose: Evade detection by making the payload less recognizable.