DVWA medium difficulty filter evasion question

    • #6640
      jinwald12
      Participant

      Hi, I am new to web app testing and am practicing with Damn Vulnerable Web App. I am focusing on SQL injection because that seems to be the most common attack vector these days. I was able to handle the easy difficulty setting no problem; now I set it to medium and it seems that now it tacks a to the end of the user input to filter out SQL injection. What is the best way to bypass such filters? I saw an article on this on http://ha.ckers.org/ but it did not make sense to me. Can someone help?

    • #41269
      MaXe
      Participant

      There are numerous ways to bypass filters. Most of them are encoding, such as hexadecimal or unicode entities (i.e. %XX or %u00XX).

      Also, sometimes you can use double-byte characters, where two characters may not be filtered, such as ‘? (there’s a special character like this, it only works with mysql_escape_string(), and there are also some tricks to bypass addslashes too. Google for them!  😉 )

      So, these are pretty common, however it also depends on the implementation of the “security”. For example, a pseudo query like this would be insecure: SELECT lolcats FROM hats WHERE (id=$USERINPUT);

      This is because the attacker, even if ‘ and ” have a backslash appended, can just end the parentheses and inject his own code like this: ) UNION SELECT 0x41414141 FROM blah and so forth.

      There are a lot of tricks, and a good book to read, besides the numerous articles you can find on Google by searching for “encoding”, “bypass”, etc., is The Web Application Hacker's Handbook. It will probably help you a lot  😉
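The point MaXe makes above, that quote-escaping does nothing for a value dropped into an unquoted numeric context, is easy to reproduce. The following is an added example, not code from the thread or from DVWA: it emulates PHP's addslashes() on top of an in-memory SQLite table (constructed here, with made-up table names standing in for the "SELECT lolcats FROM hats WHERE (id=$USERINPUT)" pseudo query) and contrasts that filter with a bound parameter and a strict integer check, which are the controls a developer should use instead.

```python
import sqlite3


def make_db():
    # Constructed sample schema: "hats" is the intended table, "secrets" is
    # data the query should never be able to reach.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hats (id INTEGER, lolcats TEXT)")
    con.executemany("INSERT INTO hats VALUES (?, ?)", [(1, "tophat"), (2, "beanie")])
    con.execute("CREATE TABLE secrets (token TEXT)")
    con.execute("INSERT INTO secrets VALUES ('should-not-leak')")
    return con


def addslashes(s):
    # Emulation of PHP addslashes(): backslash-escape quotes and backslashes.
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def query_escaped(con, user_input):
    # Weak control: the filter is applied, but the value lands in an unquoted
    # numeric position, so an input that contains no quotes passes untouched and
    # can close the parenthesis and append a UNION.
    sql = f"SELECT lolcats FROM hats WHERE (id={addslashes(user_input)})"
    return [row[0] for row in con.execute(sql)]


def query_parameterized(con, user_input):
    # Correct control: the whole input is bound as a single value, so it can
    # only ever be compared against id, never parsed as SQL.
    rows = con.execute("SELECT lolcats FROM hats WHERE (id=?)", (user_input,))
    return [row[0] for row in rows]


def parse_id(user_input):
    # Defence in depth: an id is an integer, so reject anything else up front.
    # Returns None for input that is not a plain base-10 integer.
    stripped = user_input.strip()
    if stripped.lstrip("-").isdigit():
        return int(stripped)
    return None


def query_checked(con, user_input):
    # Strict typing plus binding: non-integers are refused before any SQL runs.
    hat_id = parse_id(user_input)
    if hat_id is None:
        return []
    rows = con.execute("SELECT lolcats FROM hats WHERE (id=?)", (hat_id,))
    return [row[0] for row in rows]
```

Running `query_escaped` with the thread's "close the parenthesis, then UNION" shape of input returns rows from both tables, while the bound and checked variants return only the matching hat or nothing.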

    • #41270
      manoj9372
      Participant

      I found this for you

      http://yehg.net/encoding/

      I am not at all good at these, but I feel it would be handy for you 🙂

    • #41271
      jinwald12
      Participant

      I found an easier way: if it appends a

       '

      to the beginning, naturally make your input

       1 UNION SELECT user, password FROM users -- 

      so that way it is executed as a query, because it automatically appends the open quote at the beginning. At least that works in this particular situation. Now the issue I am having with the hard setting is that it returns no error message even though it is not blind SQL injection, so I am guessing the SQL ORDER BY query is the way to go; maybe that will return an error. I will keep playing around with it. OWASP did a great job with this VM, a lot of fun stuff.

Copyright ©2021 Caendra, Inc.