Advanced Exploitation and Defense Bypass Techniques of SQL Injection Attacks

Advanced Exploitation and Defense Bypass Techniques of SQL Injection Attacks

Description
SQL injection is an attack technique that involves inserting malicious SQL code into an application's input parameters to manipulate the execution of the backend database. Building upon basic SQL injection, attackers have developed various advanced techniques to bypass defensive measures, such as union-based injection, boolean-based blind injection, time-based blind injection, error-based injection, and stacked queries. These techniques enable attackers to exfiltrate data even under stricter filtering conditions.

Exploitation Process

  1. Union-based Injection

    • Principle: Leverages the SQL UNION operator to merge the results of a malicious query with the original query results, thereby directly displaying data in the application's response.
    • Steps:
      1. Determine the number of columns: Incrementally test using the ORDER BY clause (e.g., ORDER BY 1, 2, 3) until an error occurs, confirming the number of columns in the query.
      2. Identify display points: Use UNION SELECT 1, 2, 3 to observe where numbers appear on the page, identifying the data echo points.
      3. Extract data: Replace the numbers at the echo points with the target query, e.g., UNION SELECT username, password, 3 FROM users.
    • Key Point: The UNION query must have the same number of columns as the original query and compatible data types.

  2. Boolean-based Blind Injection

    • Applicable Scenario: The page has no direct data echo, but returns different page states (e.g., "exists/does not exist") based on SQL logic.
    • Principle: Constructs conditional statements (e.g., AND 1=1, AND 1=2) and observes differences in page responses to infer data bit by bit.
    • Steps:
      1. Confirm vulnerability: Inject ' AND 1=1-- and ' AND 1=2--, comparing page differences to confirm the vulnerability.
      2. Bit-by-bit inference:
        • Guess database name length: ' AND LENGTH(database())=1--, incrementally testing.
        • Guess character content: ' AND SUBSTRING(database(),1,1)='a'--, iterating through a character set.
    • Tool Assistance: Use tools like SQLMap for automated inference to reduce manual effort.

  3. Time-based Blind Injection

    • Applicable Scenario: The page response shows no variation whatsoever, making it impossible to judge results via boolean conditions.
    • Principle: Utilizes database delay functions (e.g., MySQL's SLEEP()), judging the truth of conditions based on differences in response time.
    • Steps:
      1. Trigger delay: Inject ' AND SLEEP(5)--. If the page response is delayed by 5 seconds, injection is successful.
      2. Conditional judgment: Combine with IF statements, e.g., ' AND IF(LENGTH(database())=1, SLEEP(5), 0)--. Infer the condition's result based on whether a delay occurs.
    • Note: Time-based injection is inefficient, requires a large number of requests, and typically relies on automation tools.

  4. Error-based Injection

    • Principle: Deliberately triggers database errors so that the error message contains the query result.
    • Common Functions:
      • MySQL: extractvalue(), updatexml() exploit XPATH syntax errors to leak data.
        • Example: ' AND extractvalue(1, concat(0x7e, (SELECT database())))--.
      • SQL Server: convert() type conversion errors.
    • Advantage: Does not rely on page echo points; data is obtained directly from error messages.

  5. Stacked Queries

    • Principle: Uses semicolons to separate and execute multiple SQL statements, enabling insert, delete, and update operations.
    • Example: '; DROP TABLE users; --.
    • Limitation: Not all database drivers support execution of multiple statements (e.g., PHP's mysql_query() forbids it by default).

  6. Defense Bypass Techniques

    • Encoding Bypass: Uses URL encoding, hexadecimal encoding to evade keyword filtering (e.g., OR%4f%52).
    • Comment Obfuscation: Uses /**/, /*!*/ (MySQL-specific) to split keywords, e.g., SEL/**/ECT.
    • Case Variation: Uses mixed case, e.g., UnIoN SeLeCT, to bypass case-sensitive filters.
    • Double Encoding: When the application layer decodes multiple times, encodes the single quote as %2527 (%25 is the encoding of %).
    • Unconventional Functions: Uses LIKE instead of =, MID() instead of SUBSTRING().

Summary
Advanced SQL injection techniques break through basic filtering mechanisms by flexibly combining query methods, exploiting database features, and employing encoding obfuscation. Defense requires adopting parameterized queries, the principle of least privilege, multi-layered input validation (whitelisting + filtering), and combining dynamic detection rules from WAFs.