cyber-security-resources/web_application_testing/sqli_evasion.md

88 lines
3.8 KiB
Markdown
Raw Normal View History

2024-07-26 13:57:38 -04:00
# SQL Injection (SQLi) Evasion Techniques
### 1. **Obfuscation Techniques**
#### **1.1 Comment Insertion**
- **Definition:** Use SQL comments to break up or hide parts of the SQL query.
- **Example:** `1' OR 1=1--` can be obfuscated as `1' OR 1=1 /* comment */--`.
- **Purpose:** Hide the true intent of the injected SQL code from detection mechanisms.
#### **1.2 Encoding**
- **Definition:** Encode the payload using various encoding schemes to evade detection.
- **Types:**
- **URL Encoding:** Convert characters to their URL-encoded equivalents (e.g., `%27` for `'`).
- **Hex Encoding:** Use hexadecimal values (e.g., `0x27` for `'`).
- **Base64 Encoding:** Encode payloads in Base64 (e.g., `JTIxPTElM0El` for `1=1`).
- **Example:** `1' OR 1=1--` can be encoded as `1%27%20OR%201%3D1--`.
#### **1.3 Case Manipulation**
- **Definition:** Alter the case of SQL keywords and operators.
- **Example:** `SELECT` can be written as `sElEcT` or `SeLeCt`.
- **Purpose:** Bypass simple pattern-matching filters.
#### **1.4 String Concatenation**
- **Definition:** Break up SQL keywords or payloads using string concatenation functions.
- **Example:** `SELECT` can be broken as `CONCAT('SE', 'LECT')`.
- **Purpose:** Avoid detection by breaking up recognizable patterns.
### 2. **Advanced Evasion Techniques**
#### **2.1 Dynamic SQL Injection**
- **Definition:** Exploit SQL queries that are dynamically constructed at runtime.
- **Example:** Attacking a query that builds SQL commands using user input.
- **Purpose:** Bypass static query detection and filtering.
#### **2.2 Blind SQL Injection**
- **Definition:** Use techniques that do not return error messages but still manipulate the database.
- **Types:**
- **Boolean-Based Blind SQLi:** Infer information based on changes in the response (e.g., `AND 1=1` vs. `AND 1=2`).
- **Time-Based Blind SQLi:** Measure the time taken for responses to infer data (e.g., `SLEEP()` function).
- **Purpose:** Extract information without visible data or errors.
#### **2.3 Out-of-Band SQL Injection**
- **Definition:** Use alternative channels (e.g., DNS or HTTP requests) to extract data.
- **Example:** Using functions like `xp_cmdshell` to make the database server contact an attackers server.
- **Purpose:** Bypass direct response-based filtering and detection.
#### **2.4 Using Built-in Functions**
- **Definition:** Exploit SQL built-in functions to gather information or manipulate queries.
- **Example:** Using `UNION ALL SELECT` to combine results from multiple queries or `@@version` to get database version.
- **Purpose:** Extract information without directly triggering detection mechanisms.
### 3. **Other Evasion Techniques**
#### **3.1 Character Substitution**
- **Definition:** Replace SQL keywords or special characters with alternative representations.
- **Example:** Replacing `AND` with `+AND+` or using `CHAR()` function for character substitution.
- **Purpose:** Bypass keyword-based filters.
#### **3.2 Using Alternative Syntax**
- **Definition:** Exploit alternative SQL syntax or functions that achieve the same result.
- **Example:** Using `SELECT * FROM INFORMATION_SCHEMA.TABLES` instead of `SELECT * FROM sysobjects`.
- **Purpose:** Avoid detection by using less common SQL syntax or functions.
#### **3.3 HTTP Parameter Pollution**
- **Definition:** Inject malicious parameters into HTTP requests to alter the query.
- **Example:** Adding extra parameters to a URL or POST request to manipulate the SQL query.
- **Purpose:** Bypass input validation and filtering mechanisms.
#### **3.4 Advanced Encoding Techniques**
- **Definition:** Use more sophisticated encoding schemes to obscure payloads.
- **Types:**
- **Double Encoding:** Encode the payload twice (e.g., `%2527` for `'`).
- **Unicode Encoding:** Use Unicode representations to obfuscate SQL keywords.
- **Purpose:** Evade detection by making the payload less recognizable.