
Function sql_concat_split 

pub fn sql_concat_split(payload: &str) -> String

SQL string-literal CONCAT splitter — converts every single-quoted string literal in the payload to a CONCAT('a','b',...) expression with one character per argument.

Input 'admin' → output CONCAT('a','d','m','i','n')

Bypass mechanism: CRS rules and most commercial WAF blocklists scan for literal danger-string substrings — 'admin', 'password', 'union', 'or 1', '/etc/passwd'. CONCAT-splitting decomposes the substring into one-character literals that no individual literal-string regex matches. The DB evaluates CONCAT(...) to the original string at runtime, so the attack succeeds.

Supported by MySQL, MariaDB, PostgreSQL, MSSQL (all ship CONCAT as a variadic scalar function). Oracle's CONCAT takes exactly two arguments, so chaining one-character Oracle calls would need a nested form, which is out of scope here; the || concatenation operator in PostgreSQL/Oracle is a separate tamper.

Edge cases:

  • Empty string literals ('') become CONCAT('') — valid SQL, evaluates to empty string.
  • Escaped quotes inside strings ('O\'Brien') are passed through as raw chars to CONCAT — the backslash and quote are split into separate args.
  • Strings not in single quotes are left alone (no aggressive parsing of double-quoted SQL Server identifiers).

Context: SQL injection payloads with string literals.
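The defender-side counterpart, added here as an example and not code from the documented crate: a normaliser that folds a CONCAT(...) whose arguments are all string literals back into the single literal the database will evaluate, then runs the blocklist match on the normalised query. The function names, the sample query and the blocklist terms are constructed for this example. It iterates to a fixed point, so nested CONCAT(CONCAT(...), ...) forms (the shape the Oracle note above alludes to) are also collapsed; a CONCAT that does not parse as pure literals (for instance the raw backslash-quote split from the edge-case list) is left untouched.

```rust
// Added example, not part of the documented crate: a defender-side
// normaliser that folds CONCAT('a','d','m','i','n') back into 'admin'
// before blocklist matching, so a rule inspects the string the database
// will actually evaluate rather than the character-split form.

/// Parse a comma-separated list of single-quoted literals beginning at
/// `bytes[pos]` (the byte just after "CONCAT("). Standard SQL '' escaping
/// is honoured. Returns the joined literal content and the index just past
/// the closing ')', or None if any argument is not a plain literal.
fn parse_literal_args(bytes: &[u8], mut pos: usize) -> Option<(String, usize)> {
    let mut joined: Vec<u8> = Vec::new();
    loop {
        while pos < bytes.len() && bytes[pos].is_ascii_whitespace() {
            pos += 1;
        }
        if pos >= bytes.len() || bytes[pos] != b'\'' {
            return None; // column, number, nested call: not a literal
        }
        pos += 1;
        loop {
            if pos >= bytes.len() {
                return None; // unterminated literal
            }
            if bytes[pos] == b'\'' {
                if pos + 1 < bytes.len() && bytes[pos + 1] == b'\'' {
                    joined.push(b'\''); // '' inside a literal is one quote
                    pos += 2;
                } else {
                    pos += 1; // closing quote
                    break;
                }
            } else {
                joined.push(bytes[pos]);
                pos += 1;
            }
        }
        while pos < bytes.len() && bytes[pos].is_ascii_whitespace() {
            pos += 1;
        }
        match bytes.get(pos).copied() {
            Some(b',') => pos += 1,
            Some(b')') => return Some((String::from_utf8_lossy(&joined).into_owned(), pos + 1)),
            _ => return None,
        }
    }
}

/// One pass: rewrite every CONCAT(...) whose arguments are all string
/// literals into a single quoted literal; anything else is copied as-is.
fn collapse_once(sql: &str) -> String {
    let bytes = sql.as_bytes();
    let mut out = String::with_capacity(sql.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes.len() - i >= 7 && bytes[i..i + 7].eq_ignore_ascii_case(b"concat(") {
            if let Some((lit, end)) = parse_literal_args(bytes, i + 7) {
                out.push('\'');
                out.push_str(&lit.replace('\'', "''")); // re-escape quotes
                out.push('\'');
                i = end;
                continue;
            }
        }
        // Copy one (possibly multi-byte) character unchanged; `i` always sits
        // on a char boundary because only ASCII tokens are skipped above.
        let ch = sql[i..].chars().next().unwrap();
        out.push(ch);
        i += ch.len_utf8();
    }
    out
}

/// Repeat the single pass until nothing changes, so nested CONCAT calls
/// collapse from the inside out.
pub fn collapse_concat_literals(sql: &str) -> String {
    let mut cur = sql.to_string();
    loop {
        let next = collapse_once(&cur);
        if next == cur {
            return cur;
        }
        cur = next;
    }
}

/// Case-insensitive substring blocklist check, run on the normalised query.
/// `terms` are constructed sample values, not a real rule set.
pub fn matches_blocklist(sql: &str, terms: &[&str]) -> bool {
    let norm = collapse_concat_literals(sql).to_ascii_lowercase();
    terms.iter().any(|t| norm.contains(&t.to_ascii_lowercase()))
}

fn main() {
    // Constructed sample input: the split form of ... WHERE user = 'admin'
    let split = "SELECT * FROM users WHERE user = CONCAT('a','d','m','i','n') -- ";
    let terms = ["'admin'", "union select", "/etc/passwd"];
    println!("{}", collapse_concat_literals(split));
    println!("raw match: {}", split.to_ascii_lowercase().contains("'admin'"));
    println!("normalised match: {}", matches_blocklist(split, &terms));
}
```

The design choice worth noting is the fail-closed parse: an argument list that is not purely literal returns None and the text is copied verbatim, so the normaliser can never turn a syntactically valid query into something the rule engine misreads. A stricter deployment would additionally log any CONCAT whose arguments are all one-character literals, since that shape has no ordinary reason to appear in application SQL.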