July 25, 2011 at 11:01 pm #6640 | jinwald12 (Participant)
Hi, I am new to web app testing and am practicing with Damn Vulnerable Web App. I am focusing on SQL injection because that seems to be the most common attack vector these days. I was able to handle the easy difficulty setting no problem; now I have set it to medium and it seems that it tacks a to the end of the user input to filter out SQL injection. What is the best way to bypass such filters? I saw an article on this on http://ha.ckers.org/ but it did not make sense to me. Can someone help?
July 26, 2011 at 4:55 pm #41269 | MaXe (Participant)
There are numerous ways to bypass filters. Most of them are encoding, such as hexadecimal or Unicode entities (i.e. %XX or %u00XX).
Also, sometimes you can use double-byte characters, where two characters may not be filtered, such as ‘? (there’s a special character like this; it only works with mysql_escape_string(), and there are also some tricks to bypass addslashes too. Google for them! 😉)
So, these are pretty common; however, it also depends on the implementation of the “security”. For example, a pseudo query like this would be insecure: SELECT lolcats FROM hats WHERE (id=$USERINPUT);
This is because the attacker, even if ‘ and ” have a backslash appended, can just end the parentheses and inject his own code like this: ) UNION SELECT 0x41414141 FROM blah, and so forth.
There are a lot of tricks, and a good book to read, besides the numerous articles you can find on Google by searching for “encoding”, “bypass”, etc., is The Web Application Hacker’s Handbook. It will probably help you a lot 😉
August 22, 2011 at 4:00 pm #41270 | manoj9372 (Participant)
I found this for you.
I am not at all good at these, but I feel it would be handy for you 🙂
October 7, 2011 at 6:23 am #41271 | jinwald12 (Participant)
I found an easier way: if it appends a quote to the beginning, naturally make your input
1 UNION SELECT user, password FROM users --
so that way it is executed as a query, because it automatically appends the open quote at the beginning. At least that works in this particular situation. Now the issue I am having with the hard setting is that it returns no error message even though it is not blind SQL injection, so I am guessing the SQL ORDER BY query is the way to go; maybe that will return an error. I will keep playing around with it. OWASP did a great job with this VM, a lot of fun stuff.
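The two observations in this thread (MaXe's pseudo query `SELECT lolcats FROM hats WHERE (id=$USERINPUT)` and jinwald12's point that the medium level only wraps or escapes the input) come down to the same root cause: escaping quote characters protects a quoted string context, but an integer placed bare into the query, with or without parentheses, needs no quote to break out of. The following is an added example, not code from the thread or from DVWA; it uses an in-memory SQLite database with constructed sample data and hypothetical table and column names (`hats`, `secrets`, `token`). It shows the quote-escaping "filter" failing to protect the numeric context, and the fix a defender would apply: validate the expected type and bind the value as a query parameter.

```python
"""Added example (not from the thread): quote-escaping versus parameter binding
in a numeric SQL context. Uses sqlite3 with constructed sample data."""
import re
import sqlite3


def setup_db():
    """Build a small in-memory database with constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE hats (id INTEGER PRIMARY KEY, lolcats TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO hats VALUES (1, 'top hat'), (2, 'fedora');
        INSERT INTO secrets VALUES (1, 'constructed-secret-token');
        """
    )
    return conn


def escape_quotes(value):
    """Imitate an addslashes()/mysql_real_escape_string()-style filter: a backslash
    is placed before quotes and backslashes. Nothing else is touched."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def lookup_escaped(conn, user_input):
    """Weak pattern from the thread: the input is 'escaped' and then pasted into a
    numeric context. A closing parenthesis (no quote needed) ends the expression,
    so the filter never triggers."""
    query = "SELECT lolcats FROM hats WHERE (id=%s)" % escape_quotes(user_input)
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, user_input):
    """Hardened pattern: enforce the expected type first, then let the driver bind
    the value as a parameter so it can never be parsed as SQL."""
    if not re.fullmatch(r"\d+", user_input):
        raise ValueError("id must be a non-negative integer")
    query = "SELECT lolcats FROM hats WHERE (id=?)"
    return [row[0] for row in conn.execute(query, (int(user_input),))]


def hardened_rejects(conn, user_input):
    """Return True if the hardened lookup refuses the input."""
    try:
        lookup_parameterized(conn, user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    # Shape of the payload already quoted in the thread: close the parenthesis,
    # append a UNION, comment out the remainder. It contains no quote character.
    probe = "1) UNION SELECT token FROM secrets --"
    print("escaped filter, benign input :", lookup_escaped(db, "2"))
    print("escaped filter, probe        :", lookup_escaped(db, probe))
    print("parameterized, benign input  :", lookup_parameterized(db, "2"))
    print("parameterized rejects probe  :", hardened_rejects(db, probe))
```

Run it and the escaped variant returns the row from the unrelated `secrets` table alongside the expected one, while the parameterized variant returns only `fedora` for a benign id and refuses the probe outright. The type check is what matters for detection too: a rejected non-numeric id is a cheap, high-signal event to log, whereas the escaped version produces a syntactically valid query that a database-side log would not flag.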