Bypassing SQL Injection Filters

TL;DR

SQL injection filters often block obvious attempts to inject malicious code. This guide shows how to bypass common whitespace and wildcard (*) filtering techniques used in web application firewalls (WAFs) and input validation.

Bypassing SQL Injection Filters: A Step-by-Step Guide

  1. Understand the Filter

    Before attempting a bypass, work out what the filter is blocking. Common techniques include:

    • Blocking specific keywords (e.g., SELECT, UNION).
    • Removing or encoding whitespace characters.
    • Disallowing wildcard (*) characters.

    Use simple test payloads to identify the filter's behaviour.

  2. Whitespace Bypass Techniques

    Filters often remove single spaces, but may not handle multiple spaces, tabs, newlines, or comments effectively.

    • Multiple Spaces: Replace single spaces with multiple spaces.
      SELECT   name FROM users WHERE id = 1
    • Tabs and Newlines: Use tab characters (\t) or newlines (%0a or \n).
      SELECT	table_name FROM information_schema.tables
    • Comments: Use SQL comments to break up keywords and bypass filtering. Common comment styles include:

      • -- (double dash): Comments out the rest of the line (MySQL requires whitespace after the dashes).
      • /* ... */: Multi-line comment.
      • #: Comment to end of line (MySQL only).
      SELECT /*!30001*/ name FROM users WHERE id = 1; -- Comment
    • Mixed Whitespace and Comments: Combine techniques for greater effectiveness.
      SELECT  /* comment */ name FROM users WHERE id=1-- rest of query

  3. Wildcard (*) Bypass Techniques

    Filters often block the wildcard character (*). Try these alternatives:

    • Concatenation: Use string concatenation to build the wildcard pattern. This is database-specific (in MySQL, + is numeric addition, so use CONCAT()).
      SELECT name FROM users WHERE username LIKE CONCAT('a%', 'b%'); -- MySQL example
    • Character Ranges: Use character ranges to achieve a similar effect to wildcards.
      SELECT name FROM users WHERE username SIMILAR TO '[a-z]%'; -- PostgreSQL example (SQL Server's LIKE accepts [a-z] directly)
    • Substrings: Use substring functions if available in the database.
      SELECT SUBSTRING(name, 1, LENGTH(name)) FROM users; -- Generic SQL example

  4. Case Sensitivity Bypass

    Some filters are case-sensitive. Try different casing combinations.

    • Mixed Case: Use a mix of uppercase and lowercase letters.
      SeLeCt NaMe FrOm UsErS

  5. Encoding Bypass

    URL encoding can sometimes bypass filters.

    • URL Encoding: Encode special characters using URL encoding (e.g., space becomes %20).
      http://example.com/page?param=SELECT%20name%20FROM%20users

  6. Database-Specific Techniques

    Different databases have different functions and syntax that can be exploited.

    • MySQL: Use /*!50000 ... */ conditional comments. MySQL 5.0.0 and later executes the enclosed text; every other database treats the whole construct as a comment.
      SELECT id FROM users /*!50000UNION*/ SELECT name FROM users;
    • PostgreSQL: Use double quotes for identifiers and string concatenation (||).
      SELECT "name" FROM users WHERE id = 1;

  7. Important Considerations

    • Error Messages: Pay attention to error messages. They can provide valuable clues about the filter's behaviour and database type.
    • Blind SQL Injection: If direct output is blocked, consider using blind SQL injection techniques (time-based or boolean-based).
    • Ethical Hacking: Only attempt these techniques on systems you have permission to test. Unauthorized access is illegal.
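As an added example, not code from the original post: a naive keyword filter over the raw request beside one that first normalises the input (URL-decodes, unwraps MySQL conditional comments, strips other comments, collapses whitespace, folds case), run against the bypass payloads above; the keyword list and the `naive_blocked`/`normalised_blocked` names are assumptions.

```python
import re
from urllib.parse import unquote

# Assumed keyword list for the demo filter (not from the page).
KEYWORDS = ("select", "union", "insert", "update", "delete", "drop")


def naive_blocked(s: str) -> bool:
    """Naive WAF rule: case-sensitive 'KEYWORD ' substring match on the raw input.
    Each bypass on the page (tab, mixed case, %20, comments) slips past it."""
    return any(k.upper() + " " in s for k in KEYWORDS)


def normalise(s: str) -> str:
    """Canonicalise input so the filter sees roughly what the SQL parser will see."""
    # Encoding bypass: URL-decode until stable, so %2520 (double encoding) also resolves.
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    # MySQL conditional comments /*!50000UNION*/: the inner text executes, so keep it.
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    # Ordinary block comments act as whitespace to the parser; replace with a space.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # Line comments (-- and MySQL #) drop the rest of the line.
    s = re.sub(r"(--|#)[^\r\n]*", " ", s)
    # Whitespace bypass: any run of spaces, tabs or newlines becomes one space.
    s = re.sub(r"\s+", " ", s).strip()
    # Case bypass: fold case before matching.
    return s.lower()


def normalised_blocked(s: str) -> bool:
    """Same keyword list, but matched as whole words on the normalised form."""
    n = normalise(s)
    return any(re.search(rf"\b{k}\b", n) for k in KEYWORDS)


# Constructed payloads built from the techniques above.
PAYLOADS = [
    "SELECT\tname FROM users",                          # tab instead of space
    "SeLeCt NaMe FrOm UsErS",                           # mixed case
    "SELECT%20name%20FROM%20users",                     # URL-encoded spaces
    "1/*!50000UNION*/SELECT/**/name/**/FROM/**/users",  # comments as separators
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:55} naive={naive_blocked(p)!s:5} normalised={normalised_blocked(p)}")
```

Normalisation only narrows the gap between what the filter sees and what the database parses; parameterised queries remain the control that removes the injection.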