> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/sqli/web-sqli-bypass.md).

# Bypass

## SQL Injection Keyword Filter Bypass (Case Variation)

Some web application filters block specific SQL keywords using case-sensitive string matching. SQL keywords are generally not case-sensitive in databases. Since SQL databases typically ignore keyword case, you can often bypass these filters by varying the casing.

If keywords like `SELECT` or `UNION` are blocked, try variations like:

```sql
sElect
uNion
fRom
wHere
sElEcT
UnIoN
select UNION select
```

This exploits the difference in case sensitivity between the filter and the database.

Filters might also block keywords by looking for exact strings separated by standard spaces. You can sometimes bypass keyword filters by interspersing comments within keywords or using them as alternatives to spaces. For example, `/**/` can be used:

```sql
SELECT/**/FROM
SElEcT/**/uNiOn/**/SeLeCt
```

Filters may also be bypassed by using alternative whitespace characters instead of standard spaces, particularly in web contexts where URL encoding is involved. Common alternatives include URL-encoded characters for newline (`%0a`), carriage return (`%0d`), form feed (`%0c`), or vertical tab (`%0b`). Examples include:

```sql
SELECT%0aFROM
SELECT%0bFROM
SELECT%0cFROM
SELECT%0dFROM
```

***

## SQLi Keyword Bypass Mixed Case

Filters that block specific SQL keywords might only check for exact case matches. You can potentially bypass these filters by using a mix of upper and lowercase letters for the blocked keywords.

For example, if "UNION" and "SELECT" are blocked, try injecting:

```sql
' Union Select ...
```

Another common approach is:

```sql
' uNiOn sElEcT ...
```

This technique leverages case-sensitive comparisons in the filter logic, allowing the payload to pass through. It's important to note that the case sensitivity of SQL keywords can depend on the specific database system being used and its configuration, particularly the collation settings. Case sensitivity can be exploited in SQL Injection if keywords like `UNION`, `SELECT`, etc., are filtered based on case.

***

## Sql Statement Termination Bypass

Injecting a semicolon (`;`) into a field intended for a single value can prematurely terminate the original SQL statement being built by the application. This causes the database to execute only the part of the query before the semicolon, effectively ignoring any subsequent conditions or syntax that was meant to follow.

This is particularly useful in authentication forms where injecting the termination character in the username field can bypass a password check, for example, transforming a query like `SELECT * FROM users WHERE username='[input]' AND password='...'` into `SELECT * FROM users WHERE username='admin'; AND password='...'`.

The core injection payload looks like this:

```sql
admin';
```

This terminates the query after the username check for 'admin', skipping the subsequent `AND password='...'` part.

A common variation of this technique involves terminating the initial statement with a semicolon and then using comment characters to ignore the rest of the original query. Common comment characters in SQL include `--` (double dash) for single-line comments and `#` (hash) also for single-line comments in some database systems like MySQL.

Using this approach, the payload would look like:

```sql
admin';--
```

or

```sql
admin';#
```

When a query like `SELECT * FROM users WHERE username='[input]' AND password='...'` receives `admin';--` as input for the username, it becomes:

```sql
SELECT * FROM users WHERE username='admin';--' AND password='...'
```

Here, the semicolon terminates the `SELECT` statement after `username='admin'`, and the `--` characters cause the remainder of the original query (`' AND password='...'`) to be treated as a comment, effectively ignoring the password check.

Other variations using semicolon and comment characters found in payload lists include:

```sql
';--
```

```sql
";--
```

```sql
') ;--
```

```sql
") ;--
```

These payloads are designed to handle different ways the input might be quoted or parenthesized within the original SQL query. The fundamental principle remains the same: use the semicolon to end the intended statement and the comment characters to nullify the rest.

***

## Sqlite Keyword Concatenation Bypass

When facing filters that block specific keywords, such as 'admin', you can bypass them by using the database's string concatenation feature. SQLite uses the `||` operator for string concatenation.

The payload constructs the blocked word dynamically within the query context:

```sqlite
ad'||'min';
```

This approach works because the filter sees `ad`, `min`, and `||` as separate, non-blocked strings, while the database interprets the concatenated result as the full, intended keyword 'admin'. Remember to retain any necessary syntax from previous steps, like a semicolon for terminating the query.

This technique can be extended by concatenating multiple substrings:

```sqlite
'a'||'d'||'m'||'i'||'n'
```

The concatenated string can then be used directly within a query, for instance, in a `WHERE` clause to specify a username:

```sqlite
SELECT * FROM users WHERE username = 'ad' || 'min';
```

This method is effective for bypassing filters that scan for exact string matches of forbidden words. The dynamic construction of the string at the database level circumvents such simple pattern matching. It can also be combined with other injection techniques, such as adding a tautology:

```sqlite
'ad'||'min' or 1=1--
```

or simply using the concatenated string in place of the filtered keyword:

```sqlite
'ad'||'min'--
```
