Avoiding Blocked Characters
If the application removes or encodes some characters that are often used in
SQL injection attacks, you may still be able to perform an attack without them:

• The single quotation mark is not required if you are injecting into a
  numeric data field.

• If the comment symbol is blocked, you can often craft your injected
  data so that it does not break the syntax of the surrounding query,
  even without using it. For example, instead of injecting

      ' or 1=1--

  you can inject

      ' or 'a'='a

• When attempting to inject batched queries into an MS-SQL database,
  you do not need to use the semicolon separator. Provided you fix up
  the syntax of all queries in the batch, the query parser will interpret
  them correctly regardless of whether you include a semicolon.
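The following is an added example, not code from the original text: it models a hypothetical character blocklist (stripping `--` and `;`) in front of string-concatenated SQL, runs the two payloads quoted above plus the quote-free numeric case against a constructed in-memory SQLite table, and contrasts the outcome with parameterised queries. The table, the `blocklist_filter` function and all function names are assumptions made for the demonstration; the point is that the filter only stops the form that depends on the comment token, while bound parameters stop every form.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def blocklist_filter(value):
    """Hypothetical blocklist: strips the SQL comment token and the semicolon.
    This is the kind of character filter the text says is insufficient."""
    return value.replace("--", "").replace(";", "")


def login_concat(conn, username, password):
    """Vulnerable pattern: blocklist filter followed by string concatenation."""
    u, p = blocklist_filter(username), blocklist_filter(password)
    sql = f"SELECT COUNT(*) FROM users WHERE username='{u}' AND password='{p}'"
    return conn.execute(sql).fetchone()[0] > 0


def user_by_id_concat(conn, user_id):
    """Vulnerable numeric field: the value is not quoted in the query, so no
    quotation mark is needed to inject into it."""
    sql = f"SELECT username FROM users WHERE id={blocklist_filter(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Mitigation: bound parameters; the input is data and is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def user_by_id_param(conn, user_id):
    """Mitigation for the numeric field: enforce the type, then bind."""
    sql = "SELECT username FROM users WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


def run_demo():
    conn = make_db()
    results = {}
    # Payload that relies on the comment token: the filter strips '--', the
    # trailing quote is left unbalanced and the query fails with a syntax error.
    try:
        login_concat(conn, "' or 1=1--", "x")
        results["comment_payload"] = "bypassed"
    except sqlite3.OperationalError:
        results["comment_payload"] = "blocked"
    # Same logic with balanced quotes: nothing for the filter to strip, the
    # surrounding syntax stays valid and the login check passes for every row.
    results["quote_balanced_payload"] = login_concat(conn, "x", "' or 'a'='a")
    # Numeric field: no quotation mark is needed at all.
    results["numeric_payload"] = user_by_id_concat(conn, "1 or 1=1")
    # Parameterised queries are unaffected by either payload.
    results["param_login"] = login_param(conn, "x", "' or 'a'='a")
    try:
        user_by_id_param(conn, "1 or 1=1")
        results["param_numeric"] = "accepted"
    except ValueError:
        results["param_numeric"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Running the block prints one line per case: the comment-token payload is blocked by the filter, the quote-balanced payload and the numeric payload both succeed against the concatenated queries, and both fail against the parameterised versions. The practical lesson for a reviewer is that the presence of a character filter in a code path is not evidence that the query is safe; look for string concatenation and replace it with bound parameters.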