OBJECTIVE 04 — SQL INJECTION EVASION TECHNIQUES
CEH CORE STATEMENT (MEMORIZE)
| Item | Memorize |
| SQL Injection Evasion | Techniques used by attackers to bypass security filters, firewalls, and input validation mechanisms |
WHY EVASION IS REQUIRED
| Reason |
| Web Application Firewalls (WAFs) |
| Input validation |
| Blacklist filters |
| Signature-based detection |
MEMORY HOOK:
Blocked ≠ Secure
CLASSIFICATION OF EVASION TECHNIQUES (EXAM MUST)
| Category |
| Encoding techniques |
| Case manipulation |
| Comment injection |
| Whitespace manipulation |
| Operator substitution |
| Logical obfuscation |
1. ENCODING TECHNIQUES
PURPOSE
| Purpose |
| Bypass input filters by encoding payloads |
TYPES OF ENCODING
| Encoding Type | Description |
| URL encoding | Encodes characters as % values |
| Hex encoding | Uses hexadecimal values |
| Unicode encoding | Encodes characters using Unicode |
| Double encoding | Encodes already encoded data |
EXAM EXAMPLES (RECOGNITION)
| Normal | Encoded |
| ' | %27 |
| space | %20 |
| OR | %4F%52 |
MEMORY HOOK:
Encoded ≠ detected
2. CASE MANIPULATION
PURPOSE
| Purpose |
| Bypass case-sensitive filters |
TECHNIQUES
| Technique |
| Uppercase keywords |
| Lowercase keywords |
| Mixed-case keywords |
EXAM EXAMPLES
| Keyword | Variation |
| SELECT | SeLeCt |
| UNION | UnIoN |
| OR | oR |
MEMORY HOOK:
Case changes bypass weak filters
3. COMMENT INJECTION
PURPOSE
| Purpose |
| Break query logic and ignore remaining SQL |
| Comment | DB Support |
| -- | Most DBs (MySQL requires a space after --) |
| # | MySQL |
| /* */ | All DBs |
EXAM PAYLOADS
| Payload |
| ' OR 1=1-- |
| ' OR 1=1# |
MEMORY HOOK:
Comment = query terminator
4. WHITESPACE MANIPULATION
PURPOSE
| Purpose |
| Bypass space-based filtering |
TECHNIQUES
| Technique |
| Replace space with comments |
| Replace space with tabs |
| Replace space with newline |
EXAM EXAMPLES
| Normal | Manipulated |
| SELECT * FROM | SELECT/**/*/**/FROM |
MEMORY HOOK:
No space ≠ no SQL
5. OPERATOR SUBSTITUTION
PURPOSE
| Purpose |
| Replace blocked operators with equivalents |
SUBSTITUTIONS
| Original | Substitute |
| = | LIKE |
| AND | && |
| OR | "||" (MySQL; in Oracle and PostgreSQL "||" is string concatenation, not OR) |
MEMORY HOOK:
Same logic, different syntax
6. LOGICAL OBFUSCATION
PURPOSE
| Purpose |
| Hide malicious logic |
TECHNIQUES
| Technique |
| Arithmetic expressions |
| Boolean expressions |
| Nested queries |
EXAM EXAMPLES
| Original | Obfuscated |
| 1=1 | 2-1=1 |
| TRUE | NOT FALSE |
MEMORY HOOK:
Math hides truth
7. CHAR() AND ASCII FUNCTIONS
PURPOSE
| Purpose |
| Build strings without quotes |
DB-SPECIFIC FUNCTIONS
| Database | Function |
| MySQL | CHAR() |
| MSSQL | CHAR() |
| Oracle | CHR() |
EXAM EXAMPLE
MEMORY HOOK:
No quotes, no filter
8. CONCATENATION EVASION
PURPOSE
| Purpose |
| Break keywords into parts |
TECHNIQUES
| Technique |
| CONCAT() |
| + operator |
| "||" operator |
EXAM EXAMPLE
| Keyword | Obfuscated |
| UNION | UN||ION |
MEMORY HOOK:
Split keyword survives filter
9. SQL INJECTION EVASION SUMMARY (EXAM GOLD)
| Technique | Bypasses |
| Encoding | Signature filters |
| Case manipulation | Case-sensitive filters |
| Comments | Query parsing |
| Whitespace tricks | Space filters |
| Operator substitution | Keyword filters |
| Obfuscation | Pattern detection |
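The summary table above says what each trick bypasses; the following script, an added defensive example that is not part of these notes, shows it concretely from the filter's side. A constructed, deliberately weak blacklist (raw, case-sensitive substring match) is run against one sample input per technique from sections 1 to 4 (URL encoding, double encoding, hex-encoded keyword, mixed case, inline comments, tab/newline whitespace). The same signatures are then applied after a canonicalisation step (repeated URL decoding, comment stripping, whitespace collapsing, case folding), which is what a signature engine must do before matching. Finally an in-memory SQLite table (constructed data) contrasts a string-built query with a parameterised one, to show that the parameterised form needs none of this. The signature list, sample inputs, table and function names are all assumptions made for this example, not taken from any real WAF or product.

```python
"""Added example: why raw-string blacklists fail against the evasion tricks
in these notes, how canonicalising before matching closes those gaps, and
why a parameterised query makes the whole question moot.
All signatures, sample inputs and data below are constructed for illustration."""
import re
import sqlite3
from urllib.parse import unquote

# Constructed, deliberately weak signature list (case-sensitive, raw match).
NAIVE_SIGNATURES = ("OR 1=1", "UNION SELECT")

# Constructed sample inputs, one per evasion technique from the notes.
SAMPLES = {
    "plain":       "' OR 1=1--",
    "url_encoded": "%27%20OR%201%3D1--",               # section 1: URL encoding
    "double_enc":  "%2527%2520OR%25201%253D1--",       # section 1: double encoding
    "hex_keyword": "' %4F%52 1=1--",                   # section 1: OR as %4F%52
    "mixed_case":  "' oR 1=1--",                       # section 2: case manipulation
    "comments":    "'/**/OR/**/1=1--",                 # section 3/4: inline comments
    "tab_newline": "'\tOR\n1=1--",                     # section 4: whitespace tricks
    "benign":      "O'Brien",                          # legitimate value with a quote
}


def naive_filter(value: str) -> bool:
    """Blacklist as the evasion tables assume it: match the raw string,
    case-sensitively. Returns True when the input is blocked."""
    return any(sig in value for sig in NAIVE_SIGNATURES)


def canonicalise(value: str, max_rounds: int = 5) -> str:
    """Undo the transformations the notes list before matching:
    URL-decode until stable (single, double and %4F%52-style encoding),
    remove /* */ comments, collapse tabs/newlines/runs of spaces, fold case."""
    prev, rounds = None, 0
    while value != prev and rounds < max_rounds:
        prev, value = value, unquote(value)
        rounds += 1
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # strip inline comments
    value = re.sub(r"\s+", " ", value)                     # normalise whitespace
    return value.lower()


def canonical_filter(value: str) -> bool:
    """Same signatures, applied to the canonical form. Returns True if blocked."""
    canon = canonicalise(value)
    return any(sig.lower() in canon for sig in NAIVE_SIGNATURES)


def _fresh_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; one of them legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("O'Brien",)])
    return conn


def lookup_user_concat(username: str) -> list:
    """The 'before' form: query text built from the input. A payload changes
    the query structure, and a legitimate quote breaks the query entirely."""
    conn = _fresh_db()
    try:
        rows = conn.execute(
            f"SELECT name FROM users WHERE name = '{username}'").fetchall()
    except sqlite3.Error:
        rows = []  # malformed query (e.g. the benign O'Brien case)
    finally:
        conn.close()
    return [r[0] for r in rows]


def lookup_user_param(username: str) -> list:
    """The hardened form: the driver sends the value as data, so no encoding,
    case, comment or whitespace trick alters the query structure."""
    conn = _fresh_db()
    try:
        rows = conn.execute(
            "SELECT name FROM users WHERE name = ?", (username,)).fetchall()
    finally:
        conn.close()
    return [r[0] for r in rows]


def evaluate() -> dict:
    """Per sample: does each filter block it, and how many rows does each
    lookup return when the raw input is passed straight through."""
    return {
        name: {
            "naive_blocks": naive_filter(raw),
            "canonical_blocks": canonical_filter(raw),
            "concat_rows": len(lookup_user_concat(raw)),
            "param_rows": len(lookup_user_param(raw)),
        }
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:12} {result}")
```

Run as-is, the naive filter blocks only the plain payload while every encoded, re-cased, commented or re-spaced variant slips through, which is the point of the "Blocked ≠ Secure" hook; after canonicalisation the same two signatures catch all seven variants and still pass the benign value. The parameterised lookup returns no rows for any payload and exactly one for O'Brien regardless of filtering, whereas the string-built query returns every row for the payload and fails on the legitimate name.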