
SQL injection string encoding


bigapple

Newbie

Posts: 8

Joined: Thu Aug 18, 2011 12:07 pm

Post Sat Aug 20, 2011 1:54 pm

SQL injection string encoding

What kind of encodings are used for bypassing SQL filters? Does Hex or Base64 work? What other kinds of encodings are used for this? And if I'm trying to test the filter of a login function, can I just put the encoded string into the input field, or do I need to use an intercepting proxy? I know a proxy has to be used for things that aren't editable, like cookies, HTTP headers, etc., but do I need a proxy for things I can directly edit, like input fields?

bigapple

Newbie

Posts: 8

Joined: Thu Aug 18, 2011 12:07 pm

Post Sat Aug 20, 2011 3:58 pm

Re: SQL injection string encoding

Btw I have no idea why the text is formed like that. I didn't type it that way.

jimbob

Post Sat Aug 20, 2011 4:29 pm

Re: SQL injection string encoding

Many encoding techniques won't work with SQLi since they will not be decoded and interpreted as SQL.

One advantage of using an intercepting proxy rather than just using an HTML form is that you capture a record of the HTTP request and response. This can be very useful for going back and seeing what you did and tweaking requests. I've also seen sites that implement input sanitisation in JavaScript, and avoiding the web form also gets around this.
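An added example (not from this thread, and not any forum member's code) showing jimbob's two points from the defender's side: when the login query binds its values as parameters, hex or Base64 text reaches the database as literal data and is never decoded into SQL, and because the allow-list check runs on the server, skipping the form's JavaScript changes nothing. The in-memory table, the account, and the username pattern are constructed for the demo.

```python
import base64
import re
import sqlite3

# Constructed demo database with a single account; not a real system.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")

# Constructed allow-list for usernames (letters, digits, _ . - ; 1-32 chars).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def server_side_valid(username: str) -> bool:
    """Allow-list check that runs on the server for every request.

    Any JavaScript check in the form is advisory only: a client can send
    the request without the form, so this check must not depend on it."""
    return bool(USERNAME_RE.match(username))


def login(username: str, password: str) -> bool:
    """Hardened lookup: the values are bound as parameters, so the engine
    receives them as data to compare, never as SQL text to parse."""
    if not server_side_valid(username):
        return False
    row = _conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def encoded_variants(value: str) -> dict:
    """Hex and Base64 renderings of a value (the encodings asked about).

    A bound parameter is compared byte-for-byte with the stored column, so
    none of these is decoded by the database; each is just a different,
    non-matching string. The 0x... form would only be SQL syntax if it were
    concatenated into the query text, which login() never does."""
    raw = value.encode()
    return {
        "hex": raw.hex(),
        "hex_literal_style": "0x" + raw.hex(),
        "base64": base64.b64encode(raw).decode(),
    }
```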
