![]() ![]() * *limit*: May no be a problem but was a problem in our case because only a single search result would get displayed. * *and*, *or* keywords: Replaced by *&* and *||*. ![]() * *where* keyword: Usually can be replaced with *having*, but because of its different semantics, sometimes a subquery would be needed to get an equivalent result. * Whitespace charachters, all of them (including tab and new line): Often can be bypassed with brackets *()*. Below are filters that couldn't have been bypassed by switching case. Note that some of the filters would only apply to lowercase words and could be easily bypassed by switching the case of a single charachter, for example Table_name instead of table_name. ( ) was helpful with getting some of the ideas. It's possible that some of the bypasses are database dependant, in that case it was MySQL. I'll present some of the filters and the bypasses used to search the database for the flag. ![]() * It seems that errors are not displayed as a payload like *'* which should cause an error, returns an empty result. * The SQL injection can be confirmed with a payload like *%'#*. We are presented with a simple blog with search being pretty much its only funcionality, so the first thing to check for would be vulnerability to SQL injection. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |