Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Generic-SQLi.txt #1035

Merged
merged 1 commit into from
Jun 11, 2024
Merged

Update Generic-SQLi.txt #1035

merged 1 commit into from
Jun 11, 2024

Conversation

ashtonhogan
Copy link
Contributor

Using overlong utf8 encoding or illegal characters to bypass filters which works on servers or web applications that decode overlong utf8 characters or strip out illegal characters. This is the equivalent of ' OR 1=1

' = %C0%80%27
space = %C0%80%C0%80
+ = %C0%8F%2B
OR = %C0%80O%C0%82R
= = %C0%80%C0%A1

@g0tmi1k g0tmi1k merged commit 196a0e0 into danielmiessler:master Jun 11, 2024
@g0tmi1k
Copy link
Collaborator

g0tmi1k commented Jun 11, 2024

Thanks @ashtonhogan

@g0tmi1k
Copy link
Collaborator

g0tmi1k commented Jun 11, 2024

Is there a source at all, to give credit/background reading about it?

@ashtonhogan
Copy link
Contributor Author

@g0tmi1k I can give a bit of background. Unicode Transformation Format 8-Bit (UTF-8) was invented by Ken Thompson and Rob Pike in 1992 to represent every character in the Unicode character set while maintaining compatibility with ASCII and optimizing for storage and processing efficiency. In the initial design of UTF-8, there was the possibility of encoding certain characters in multiple ways, leading to what is now referred to as overlong encoding. For example, the character U+0000 could be encoded not only as 0x00 but also as 0xC0 0x80, 0xE0 0x80 0x80, etc. It was recognized as problematic because it would regularly bypass security filters and as a result, the Unicode Consortium updated the standard to prohibit overlong sequences to ensure that each character has a unique encoding. If you want to give credit for this contribution, you can give it to me for raising it from the dead but if you would like to explore more on encoding you can read Unicode Explained: Internationalize Documents, Programs, and Web Sites 1st Edition

@g0tmi1k
Copy link
Collaborator

g0tmi1k commented Jun 11, 2024

Thank you @ashtonhogan !

@g0tmi1k g0tmi1k added the enhancement Enhancement label Jun 11, 2024
@g0tmi1k g0tmi1k self-assigned this Jun 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Enhancement
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants