h4cker/web_application_testing/sqli_evasion.md
2024-07-26 13:57:38 -04:00

88 lines
3.8 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# SQL Injection (SQLi) Evasion Techniques
### 1. **Obfuscation Techniques**
#### **1.1 Comment Insertion**
- **Definition:** Use SQL comments to break up or hide parts of the SQL query.
- **Example:** `1' OR 1=1--` can be obfuscated as `1' OR 1=1 /* comment */--`.
- **Purpose:** Hide the true intent of the injected SQL code from detection mechanisms.
#### **1.2 Encoding**
- **Definition:** Encode the payload using various encoding schemes to evade detection.
- **Types:**
- **URL Encoding:** Convert characters to their URL-encoded equivalents (e.g., `%27` for `'`).
- **Hex Encoding:** Use hexadecimal values (e.g., `0x27` for `'`).
- **Base64 Encoding:** Encode payloads in Base64 (e.g., `JTIxPTElM0El` for `1=1`).
- **Example:** `1' OR 1=1--` can be encoded as `1%27%20OR%201%3D1--`.
#### **1.3 Case Manipulation**
- **Definition:** Alter the case of SQL keywords and operators.
- **Example:** `SELECT` can be written as `sElEcT` or `SeLeCt`.
- **Purpose:** Bypass simple pattern-matching filters.
#### **1.4 String Concatenation**
- **Definition:** Break up SQL keywords or payloads using string concatenation functions.
- **Example:** `SELECT` can be broken as `CONCAT('SE', 'LECT')`.
- **Purpose:** Avoid detection by breaking up recognizable patterns.
### 2. **Advanced Evasion Techniques**
#### **2.1 Dynamic SQL Injection**
- **Definition:** Exploit SQL queries that are dynamically constructed at runtime.
- **Example:** Attacking a query that builds SQL commands using user input.
- **Purpose:** Bypass static query detection and filtering.
#### **2.2 Blind SQL Injection**
- **Definition:** Use techniques that do not return error messages but still manipulate the database.
- **Types:**
- **Boolean-Based Blind SQLi:** Infer information based on changes in the response (e.g., `AND 1=1` vs. `AND 1=2`).
- **Time-Based Blind SQLi:** Measure the time taken for responses to infer data (e.g., `SLEEP()` function).
- **Purpose:** Extract information without visible data or errors.
#### **2.3 Out-of-Band SQL Injection**
- **Definition:** Use alternative channels (e.g., DNS or HTTP requests) to extract data.
- **Example:** Using functions like `xp_cmdshell` to make the database server contact an attackers server.
- **Purpose:** Bypass direct response-based filtering and detection.
#### **2.4 Using Built-in Functions**
- **Definition:** Exploit SQL built-in functions to gather information or manipulate queries.
- **Example:** Using `UNION ALL SELECT` to combine results from multiple queries or `@@version` to get database version.
- **Purpose:** Extract information without directly triggering detection mechanisms.
### 3. **Other Evasion Techniques**
#### **3.1 Character Substitution**
- **Definition:** Replace SQL keywords or special characters with alternative representations.
- **Example:** Replacing `AND` with `+AND+` or using `CHAR()` function for character substitution.
- **Purpose:** Bypass keyword-based filters.
#### **3.2 Using Alternative Syntax**
- **Definition:** Exploit alternative SQL syntax or functions that achieve the same result.
- **Example:** Using `SELECT * FROM INFORMATION_SCHEMA.TABLES` instead of `SELECT * FROM sysobjects`.
- **Purpose:** Avoid detection by using less common SQL syntax or functions.
#### **3.3 HTTP Parameter Pollution**
- **Definition:** Inject malicious parameters into HTTP requests to alter the query.
- **Example:** Adding extra parameters to a URL or POST request to manipulate the SQL query.
- **Purpose:** Bypass input validation and filtering mechanisms.
#### **3.4 Advanced Encoding Techniques**
- **Definition:** Use more sophisticated encoding schemes to obscure payloads.
- **Types:**
- **Double Encoding:** Encode the payload twice (e.g., `%2527` for `'`).
- **Unicode Encoding:** Use Unicode representations to obfuscate SQL keywords.
- **Purpose:** Evade detection by making the payload less recognizable.