From 74b2ea7b8178a762207c4fcc314b94877d2aaf54 Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Fri, 26 Jul 2024 13:57:38 -0400 Subject: [PATCH] Create sqli_evasion.md --- web_application_testing/sqli_evasion.md | 87 +++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 web_application_testing/sqli_evasion.md diff --git a/web_application_testing/sqli_evasion.md b/web_application_testing/sqli_evasion.md new file mode 100644 index 0000000..11247b0 --- /dev/null +++ b/web_application_testing/sqli_evasion.md @@ -0,0 +1,87 @@ +# SQL Injection (SQLi) Evasion Techniques + +### 1. **Obfuscation Techniques** + +#### **1.1 Comment Insertion** + +- **Definition:** Use SQL comments to break up or hide parts of the SQL query. +- **Example:** `1' OR 1=1--` can be obfuscated as `1' OR 1=1 /* comment */--`. +- **Purpose:** Hide the true intent of the injected SQL code from detection mechanisms. + +#### **1.2 Encoding** + +- **Definition:** Encode the payload using various encoding schemes to evade detection. +- **Types:** + - **URL Encoding:** Convert characters to their URL-encoded equivalents (e.g., `%27` for `'`). + - **Hex Encoding:** Use hexadecimal values (e.g., `0x27` for `'`). + - **Base64 Encoding:** Encode payloads in Base64 (e.g., `JTIxPTElM0El` for `1=1`). +- **Example:** `1' OR 1=1--` can be encoded as `1%27%20OR%201%3D1--`. + +#### **1.3 Case Manipulation** + +- **Definition:** Alter the case of SQL keywords and operators. +- **Example:** `SELECT` can be written as `sElEcT` or `SeLeCt`. +- **Purpose:** Bypass simple pattern-matching filters. + +#### **1.4 String Concatenation** + +- **Definition:** Break up SQL keywords or payloads using string concatenation functions. +- **Example:** `SELECT` can be broken as `CONCAT('SE', 'LECT')`. +- **Purpose:** Avoid detection by breaking up recognizable patterns. + +### 2. **Advanced Evasion Techniques** + +#### **2.1 Dynamic SQL Injection** + +- **Definition:** Exploit SQL queries that are dynamically constructed at runtime. +- **Example:** Attacking a query that builds SQL commands using user input. +- **Purpose:** Bypass static query detection and filtering. + +#### **2.2 Blind SQL Injection** + +- **Definition:** Use techniques that do not return error messages but still manipulate the database. +- **Types:** + - **Boolean-Based Blind SQLi:** Infer information based on changes in the response (e.g., `AND 1=1` vs. `AND 1=2`). + - **Time-Based Blind SQLi:** Measure the time taken for responses to infer data (e.g., `SLEEP()` function). +- **Purpose:** Extract information without visible data or errors. + +#### **2.3 Out-of-Band SQL Injection** + +- **Definition:** Use alternative channels (e.g., DNS or HTTP requests) to extract data. +- **Example:** Using functions like `xp_cmdshell` to make the database server contact an attacker’s server. +- **Purpose:** Bypass direct response-based filtering and detection. + +#### **2.4 Using Built-in Functions** + +- **Definition:** Exploit SQL built-in functions to gather information or manipulate queries. +- **Example:** Using `UNION ALL SELECT` to combine results from multiple queries or `@@version` to get database version. +- **Purpose:** Extract information without directly triggering detection mechanisms. + +### 3. **Other Evasion Techniques** + +#### **3.1 Character Substitution** + +- **Definition:** Replace SQL keywords or special characters with alternative representations. +- **Example:** Replacing `AND` with `+AND+` or using `CHAR()` function for character substitution. +- **Purpose:** Bypass keyword-based filters. + +#### **3.2 Using Alternative Syntax** + +- **Definition:** Exploit alternative SQL syntax or functions that achieve the same result. +- **Example:** Using `SELECT * FROM INFORMATION_SCHEMA.TABLES` instead of `SELECT * FROM sysobjects`. +- **Purpose:** Avoid detection by using less common SQL syntax or functions. + +#### **3.3 HTTP Parameter Pollution** + +- **Definition:** Inject malicious parameters into HTTP requests to alter the query. +- **Example:** Adding extra parameters to a URL or POST request to manipulate the SQL query. +- **Purpose:** Bypass input validation and filtering mechanisms. + +#### **3.4 Advanced Encoding Techniques** + +- **Definition:** Use more sophisticated encoding schemes to obscure payloads. +- **Types:** + - **Double Encoding:** Encode the payload twice (e.g., `%2527` for `'`). + - **Unicode Encoding:** Use Unicode representations to obfuscate SQL keywords. +- **Purpose:** Evade detection by making the payload less recognizable. +