Advanced Exploitation and Defense Bypass Techniques of SQL Injection in Detail
Topic Description
SQL injection is an attack technique that interferes with backend SQL queries by manipulating user input. Advanced exploitation involves more complex scenarios, such as injection techniques when UNION queries are restricted, error messages are suppressed, or a WAF (Web Application Firewall) is present. Defense bypass aims to break through security measures already deployed by developers (e.g., input filtering, misuse of parameterized queries).
Detailed Explanation of Knowledge
1. Review of Basic SQL Injection
- Principle: User input is directly concatenated into the SQL statement, for example:
If the input isSELECT * FROM users WHERE username = 'input' AND password = '...';admin' OR '1'='1, the query becomes:
thereby bypassing authentication.SELECT * FROM users WHERE username = 'admin' OR '1'='1' AND password = '...'; - Key Point: Interfering with the original query structure by closing quotes, using comment symbols (e.g.,
--,#), or logical operators.
2. Advanced Exploitation Scenarios and Techniques
Scenario 1: UNION Query is Restricted
- Problem: The page only returns the first result, or the UNION keyword is filtered.
- Bypass Methods:
- Subquery Alternative: Use subqueries to extract data piece by piece, for example:
Determine characters through Boolean-based blind injection (page true/false differences) or time-based blind injection (e.g.,' OR (SELECT substring(password,1,1) FROM users WHERE username='admin')='a' --SLEEP(2)). - Stacked Queries: Some databases (e.g., MySQL) support multiple statements separated by semicolons, but backend permission is required.
- Subquery Alternative: Use subqueries to extract data piece by piece, for example:
Scenario 2: Error Messages are Suppressed (Blind Injection)
- Boolean-based Blind Injection: Infer data based on differences in page responses.
- Steps:
- Determine database length:
' AND (SELECT LENGTH(database()))=5 -- - Guess characters one by one:
' AND (SELECT ASCII(SUBSTR(database(),1,1)))=97 --(97 is the ASCII code for 'a')
- Determine database length:
- Steps:
- Time-based Blind Injection: Use delay functions when there is no difference in page responses.
- Example (MySQL):
If the response is delayed, it indicates the database name starts with 'a'.' AND IF((SELECT database() LIKE 'a%'), SLEEP(2), 0) --
- Example (MySQL):
Scenario 3: WAF/Filter Rule Bypass
- Encoding Obfuscation:
- URL Encoding:
'→%27,OR→%4f%52 - Double Encoding:
%2527(server automatically decodes twice) - Unicode Encoding:
'→%u0027(some WAFs might ignore)
- URL Encoding:
- Keyword Splitting/Substitution:
- Split with Comments:
SEL/**/ECTinstead ofSELECT - Mixed Case:
UnIoN sElEcT - Synonym Replacement:
OR→||(in some databases)
- Split with Comments:
- Special Character Insertion:
SEL%E1%80%80ECT(using uncommon whitespace characters)
3. Defense Mechanism Bypass Cases
- Case 1: Incomplete Input Filtering
- If
SELECTis filtered butSELSELECTECTis allowed, bypass can be achieved via recursive replacement: inputSELSELECTECT→ after filtering becomesSELECT.
- If
- Case 2: Misuse of Parameterized Queries
- Incorrect Example: Using parameterization for table/column names (e.g.,
... ORDER BY ?), but parameterization is only suitable for values, not structure. Attackers can manipulate input afterORDER BYfor injection.
- Incorrect Example: Using parameterization for table/column names (e.g.,
- Case 3: Weak WAF Rule Detection
- Use uncommon HTTP methods (e.g.,
PUT) orContent-Type: application/jsonto deliver payloads; some WAFs might not inspect malicious content within JSON.
- Use uncommon HTTP methods (e.g.,
4. Defense Recommendations
- Strict Parameterized Queries: Ensure all user inputs are passed as parameters, not concatenated.
- Principle of Least Privilege: Database accounts should have only necessary permissions (e.g., prohibit execution of system commands).
- Multi-layer Filtering: Combine allowlist validation (e.g., input only allows alphanumeric characters) and escaping special characters.
- Deep WAF Configuration: Update rule libraries to address obfuscation techniques and monitor abnormal request patterns.
Summary
The core of advanced SQL injection exploitation lies in flexibly adapting to environmental constraints (e.g., blind injection, encoding obfuscation), while defense requires in-depth protection from the code layer, architecture layer, to the network layer.