October 2016
Beginner to intermediate
650 pages
14h 43m
English
One method of halting SQL Injection is filtering through either server side text manipulation or
Web App Firewalls (WAFs). These systems target specific phrases commonly associated with attacks such as SELECT, AND, OR, and spaces. These can be easily evaded by replacing these values with less obvious ones, thus highlighting the issue with blacklists in general.
We will create a script that takes attack strings, looks for potentially escaped strings, and provides alternative attack strings.
The following is our script:
subs = [] values = {“ “: “%50”, “SELECT”: “HAVING”, “AND”: “&&”, “OR”: “||”} originalstring = “' UNION SELECT * FROM Users WHERE username = 'admin' OR 1=1 AND username = 'admin';#” secondoriginalstring ...Read now
Unlock full access