Bypassing SQL Injection Filters

G5 Cyber Security

2 weeks ago

TL;DR

SQL injection filters often block obvious attempts to inject malicious code. This guide shows how to bypass common whitespace and wildcard (*) filtering techniques used in web application firewalls (WAFs) and input validation.

Bypassing SQL Injection Filters: A Step-by-Step Guide

Understand the Filter

Before attempting a bypass, try to understand what the filter is blocking. Common techniques include:

Blocking specific keywords (e.g., SELECT, UNION).
Removing or encoding whitespace characters.
Disallowing wildcard (*) characters.

Use simple test payloads to identify the filter’s behaviour.

Whitespace Bypass Techniques

Filters often remove single spaces, but may not handle multiple spaces, tabs, newlines, or comments effectively.

Multiple Spaces: Replace single spaces with multiple spaces.

SELECT   name FROM users WHERE id = 1

Tabs and Newlines: Use tab characters (t) or newlines (%0a or n).

SELECT	table_name FROM information_schema.tables

Comments: Use SQL comments to break up keywords and bypass filtering. Common comment styles include:

-- (double dash): Comments out the rest of the line.
/* ... */: Multi-line comment.
#: Comment (often used in MySQL).

SELECT /*!30001*/ name FROM users WHERE id = 1; -- Comment

Mixed Whitespace and Comments: Combine techniques for greater effectiveness.

SELECT  /* comment */ name FROM users WHERE id=1-- rest of query

Wildcard (*) Bypass Techniques

Filters often block the wildcard character (*). Try these alternatives:

Concatenation: Use string concatenation to build the wildcard pattern. This is database-specific.

SELECT name FROM users WHERE username LIKE 'a%' + 'b%'; -- MySQL example

Character Ranges: Use character ranges to achieve a similar effect as wildcards.

SELECT name FROM users WHERE username LIKE '[a-z]%'; -- PostgreSQL example

Substrings: Use substring functions if available in the database.

SELECT SUBSTRING(name, 1, LENGTH(name)) FROM users; -- Generic SQL example

Case Sensitivity Bypass

Some filters are case-sensitive. Try different casing combinations.

Mixed Case: Use a mix of uppercase and lowercase letters.

SeLeCt NaMe FrOm UsErS

Encoding Bypass

URL encoding can sometimes bypass filters.

URL Encoding: Encode special characters using URL encoding (e.g., space becomes %20).

http://example.com/page?param=SELECT%20name%20FROM%20users

Database-Specific Techniques

Different databases have different functions and syntax that can be exploited.

MySQL: Use /*!50000 ... */ conditional comments.

SELECT /*!50000UNION*/ SELECT name FROM users;

PostgreSQL: Use double quotes for identifiers and string concatenation (||).

SELECT "name" FROM users WHERE id = 1;

Important Considerations

Error Messages: Pay attention to error messages. They can provide valuable clues about the filter’s behaviour and database type.
Blind SQL Injection: If direct output is blocked, consider using blind SQL injection techniques (time-based or boolean-based).
Ethical Hacking: Only attempt these techniques on systems you have permission to test. Unauthorized access is illegal.