Skip to content

SQL Injection (SQLi) Evasion Techniques

1. Obfuscation Techniques

1.1 Comment Insertion

  • Definition: Use SQL comments to break up or hide parts of the SQL query.
  • Example: 1' OR 1=1-- can be obfuscated as 1' OR 1=1 /* comment */--.
  • Purpose: Hide the true intent of the injected SQL code from detection mechanisms.

1.2 Encoding

  • Definition: Encode the payload using various encoding schemes to evade detection.
  • Types:
  • URL Encoding: Convert characters to their URL-encoded equivalents (e.g., %27 for ').
  • Hex Encoding: Use hexadecimal values (e.g., 0x27 for ').
  • Base64 Encoding: Encode payloads in Base64 (e.g., JTIxPTElM0El for 1=1).
  • Example: 1' OR 1=1-- can be encoded as 1%27%20OR%201%3D1--.

1.3 Case Manipulation

  • Definition: Alter the case of SQL keywords and operators.
  • Example: SELECT can be written as sElEcT or SeLeCt.
  • Purpose: Bypass simple pattern-matching filters.

1.4 String Concatenation

  • Definition: Break up SQL keywords or payloads using string concatenation functions.
  • Example: SELECT can be broken as CONCAT('SE', 'LECT').
  • Purpose: Avoid detection by breaking up recognizable patterns.

2. Advanced Evasion Techniques

2.1 Dynamic SQL Injection

  • Definition: Exploit SQL queries that are dynamically constructed at runtime.
  • Example: Attacking a query that builds SQL commands using user input.
  • Purpose: Bypass static query detection and filtering.

2.2 Blind SQL Injection

  • Definition: Use techniques that do not return error messages but still manipulate the database.
  • Types:
  • Boolean-Based Blind SQLi: Infer information based on changes in the response (e.g., AND 1=1 vs. AND 1=2).
  • Time-Based Blind SQLi: Measure the time taken for responses to infer data (e.g., SLEEP() function).
  • Purpose: Extract information without visible data or errors.

2.3 Out-of-Band SQL Injection

  • Definition: Use alternative channels (e.g., DNS or HTTP requests) to extract data.
  • Example: Using functions like xp_cmdshell to make the database server contact an attacker’s server.
  • Purpose: Bypass direct response-based filtering and detection.

2.4 Using Built-in Functions

  • Definition: Exploit SQL built-in functions to gather information or manipulate queries.
  • Example: Using UNION ALL SELECT to combine results from multiple queries or @@version to get database version.
  • Purpose: Extract information without directly triggering detection mechanisms.

3. Other Evasion Techniques

3.1 Character Substitution

  • Definition: Replace SQL keywords or special characters with alternative representations.
  • Example: Replacing AND with +AND+ or using CHAR() function for character substitution.
  • Purpose: Bypass keyword-based filters.

3.2 Using Alternative Syntax

  • Definition: Exploit alternative SQL syntax or functions that achieve the same result.
  • Example: Using SELECT * FROM INFORMATION_SCHEMA.TABLES instead of SELECT * FROM sysobjects.
  • Purpose: Avoid detection by using less common SQL syntax or functions.

3.3 HTTP Parameter Pollution

  • Definition: Inject malicious parameters into HTTP requests to alter the query.
  • Example: Adding extra parameters to a URL or POST request to manipulate the SQL query.
  • Purpose: Bypass input validation and filtering mechanisms.

3.4 Advanced Encoding Techniques

  • Definition: Use more sophisticated encoding schemes to obscure payloads.
  • Types:
  • Double Encoding: Encode the payload twice (e.g., %2527 for ').
  • Unicode Encoding: Use Unicode representations to obfuscate SQL keywords.
  • Purpose: Evade detection by making the payload less recognizable.