《Beyond_SQLi_Obfuscate_and_Bypass》.pdf资源-CSDN文库

版权申诉

122 浏览量 2021-11-28 16:00:43 上传评论收藏 1.24MB PDF 举报

资源推荐

资源详情

资源评论

2016/9/5 Vulnerability analysis, Security Papers, Exploit Tutorials - Part 17934

https://www.exploit-db.com/papers/17934/ 1/20

Beyond SQLi: Obfuscate and Bypass

Archived security papers and articles in various languages.

|=---------------------------------------------

-----------------------=|

|=--------------=[ Beyond SQLi: Obfuscate and

Bypass ]=---------------=|

|=-------------------------=[ 6 October 2011

]=-----------------------=|

|=----------------------=[ By CWH Underground

]=--------------------=|

|=---------------------------------------------

-----------------------=|

######

Info

######

Title : Beyond SQLi: Obfuscate and Bypass

Author : "ZeQ3uL" (Prathan Phongthiproek) and "Suphot

Boonchamnan"

Team : CWH Underground [http://www.exploit-db.com/author/?

a=1275]

Date : 2011-10-06

##########

Contents

##########

[0x00] - Introduction

[0x01] - Filter Evasion (Mysql)

[0x01a] - Bypass Functions and Keywords

Filtering

[0x01b] - Bypass Regular Expression Filtering

[0x02] - Normally Bypassing Techniques

[0x03] - Advanced Bypassing Techniques

[0x03a] - HTTP Parameter Pollution: Split and

2016/9/5 Vulnerability analysis, Security Papers, Exploit Tutorials - Part 17934

https://www.exploit-db.com/papers/17934/ 3/20

This means that filter evasion relies heavily upon how storing

a black list or regular expression is. If the black list or

regular expression does not cover every injection scenario, the

web application is still vulnerable to SQL Injection attacks.

+++++++++++++++++++++++++++++++++++++++++++++++++++

[0x01a] - Bypass Functions and Keywords Filtering

+++++++++++++++++++++++++++++++++++++++++++++++++++

Functions and keywords filtering prevents web

applications from being attacked by using a functions and

keywords black list. If an attackers submits an injection code

containing a keyword or SQL function in the black list, the

injection will be unsuccessful.

However, if the attacker is able to manipulate the

injection by using another keyword or function, the black list

will fail to prevent the attack. In order to prevent attacks, a

number of keywords and functions has to be put into the black

list. However, this affects users

when the users want to submit input with a word in the

black list. They will be unable to submit the input because it

is being filtered by the black list. The following scenarios

show cases of using functions and keywords filtering and

bypassing techniques.

Keyword filer: and, or

-----------------------------------------------

-----------------------

PHP filter code:

preg_match('/(and|or)/i', $id)

THe keywords and, or are usually used as a

simple test to determine whether a web application is

vulnerable to SQL Injection attacks. Here is a simple bypass

using &&, || instead of and, or respectively.

Filtered injection: 1 or 1 = 1

1 and 1 = 1

Bypassed injection: 1 || 1 = 1

1 && 1 = 1

-----------------------------------------------

-----------------------

Keyword filer: and, or, union

-----------------------------------------------

-----------------------

PHP filter code:

preg_match('/(and|or|union)/i', $id)

The keyword union is generally used to generate

剩余19页未读，继续阅读

评论收藏

内容反馈

版权申诉

陆小马

粉丝: 732
资源: 2051

《Beyond_SQLi_Obfuscate_and_Bypass》.pdf

Dedecms_20150618_member_sqli (2).py

SQLi Dumper v.8.3_sqli_

Vega_sqli_源码

sqli-labs-master.zip

SQLi Dumper v.8.0(国外SQL网站注入工具)

arm_linux_sqlite.rar_compiler for linux_cross compile_linux sqli

thinkphp 一键漏洞检测

sqlilabs过关手册注入天书.pdf

home_system.zip_Home Home_QT 无线_boa sqlite_boa sqlite_qt sqli

Sqli_Edited_Version.zip

SQLi-CTF-master.zip

SQLi Dumper v.10.2_sqlidumper_

在Django框架中伪造捕捉到的URLconf值的方法

sqlilabs过关手册注入天书，过关sqlliabs的绝佳手册

sqli-bypass靶场

sqli_1-10_My.py

新版PHPStudy可用sqli_labs 靶机.zip

pikachu+dvwa+sqli.zip

最新版ISO/IEC 27001:2022、ISO 27002:2022中英文合集

Goby红队版-win-x64-2.4.7版本

Chrome Header Editor 插件

ISO SAE 21434-2021 中文版.pdf

OpenVAS GVM 中文翻译补丁

安全认证cisp教材全套

现代永磁同步电机控制原理及MATLAB仿真__袁雷编著1

全面的安全基线核查清单

OpenVAS离线资源

最新资源