pub fn sql_concat_split(payload: &str) -> String
SQL string-literal CONCAT splitter — converts every single-quoted string
in the payload to a CONCAT('a','b',...) expression with one char per
argument.
Input 'admin' → output CONCAT('a','d','m','i','n')
Bypass mechanism: CRS rules and most commercial WAF blocklists
scan for literal danger-string substrings — 'admin', 'password',
'union', 'or 1', '/etc/passwd'. CONCAT-splitting decomposes the
substring into one-character literals that no individual literal-string
regex matches. The DB evaluates CONCAT(...) to the original string at
runtime, so the attack succeeds.
Supported by MySQL, MariaDB, PostgreSQL, MSSQL (all ship CONCAT as a
scalar function). Oracle uses CONCAT(a,b) as binary-only, so chained
1-char Oracle calls would need a nested form — out of scope here; the
|| pipe concat in PostgreSQL/Oracle is a separate tamper.
Edge cases:
- Empty string literals (`''`) become `CONCAT('')` — valid SQL, evaluates to the empty string.
- Escaped quotes inside strings (`'O\'Brien'`) are passed through as raw chars to CONCAT — the backslash and quote are split into separate args.
- Strings not in single quotes are left alone (no aggressive parsing of double-quoted SQL Server identifiers).
Context: SQL injection payloads with string literals.
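The defensive counterpart to the splitter described above, as an added example that is not part of this crate: a normalizer that a WAF or log pipeline can run before applying substring rules. It reassembles every `CONCAT(...)` whose arguments are all single-quoted literals into one literal, so that `'admin'` is visible to the same blocklist that the split form evades. It also handles the empty-literal and escaped-quote cases listed above and refuses to touch longer identifiers such as `GROUP_CONCAT(`. The names `collapse_concat_literals`, `blocklist_hit` and the sample query are assumptions chosen for this illustration.

```rust
// Added example (not project code): reassemble CONCAT-split string literals
// so that substring-based WAF rules see the original value.

/// Decode the body of a single-quoted SQL literal whose opening quote sits at
/// byte index `start`. Handles `\x` backslash escapes and the doubled-quote
/// `''` escape. Returns the decoded text and the index just past the closing
/// quote, or None if the literal is malformed or unterminated.
fn read_string_literal(s: &str, start: usize) -> Option<(String, usize)> {
    let b = s.as_bytes();
    if b.get(start) != Some(&b'\'') {
        return None;
    }
    let mut acc = String::new();
    let mut i = start + 1;
    while i < b.len() {
        match b[i] {
            b'\\' => {
                // Backslash escape: take the following character verbatim.
                let ch = s[i + 1..].chars().next()?;
                acc.push(ch);
                i += 1 + ch.len_utf8();
            }
            b'\'' => {
                if b.get(i + 1) == Some(&b'\'') {
                    // Doubled quote inside the literal stands for one quote.
                    acc.push('\'');
                    i += 2;
                } else {
                    return Some((acc, i + 1));
                }
            }
            _ => {
                let ch = s[i..].chars().next()?;
                acc.push(ch);
                i += ch.len_utf8();
            }
        }
    }
    None
}

/// Skip ASCII whitespace starting at byte index `i`.
fn skip_ws(b: &[u8], mut i: usize) -> usize {
    while i < b.len() && b[i].is_ascii_whitespace() {
        i += 1;
    }
    i
}

/// If `s[i..]` begins a CONCAT(...) call whose arguments are all
/// single-quoted literals, return the joined text and the index just past
/// the closing parenthesis. Any non-literal argument leaves the call alone.
fn try_collapse_concat(s: &str, i: usize) -> Option<(String, usize)> {
    let b = s.as_bytes();
    if !s.get(i..i + 7)?.eq_ignore_ascii_case("concat(") {
        return None;
    }
    // Do not match the tail of a longer identifier such as GROUP_CONCAT(.
    if i > 0 && (b[i - 1].is_ascii_alphanumeric() || b[i - 1] == b'_') {
        return None;
    }
    let mut pos = i + 7;
    let mut joined = String::new();
    loop {
        pos = skip_ws(b, pos);
        let (piece, next) = read_string_literal(s, pos)?;
        joined.push_str(&piece);
        pos = skip_ws(b, next);
        match *b.get(pos)? {
            b',' => pos += 1,
            b')' => return Some((joined, pos + 1)),
            _ => return None,
        }
    }
}

/// Rewrite every all-literal CONCAT(...) in `sql` as a single quoted literal
/// (quotes re-escaped as `''`). Everything else is copied through unchanged.
pub fn collapse_concat_literals(sql: &str) -> String {
    let mut out = String::with_capacity(sql.len());
    let mut i = 0;
    while i < sql.len() {
        if let Some((joined, end)) = try_collapse_concat(sql, i) {
            out.push('\'');
            out.push_str(&joined.replace('\'', "''"));
            out.push('\'');
            i = end;
        } else {
            let ch = sql[i..].chars().next().expect("i is on a char boundary");
            out.push(ch);
            i += ch.len_utf8();
        }
    }
    out
}

/// Case-insensitive substring blocklist, evaluated on the normalized query.
/// Returns the first matching term.
pub fn blocklist_hit(sql: &str, terms: &[&str]) -> Option<String> {
    let norm = collapse_concat_literals(sql).to_ascii_lowercase();
    terms
        .iter()
        .find(|t| norm.contains(t.to_ascii_lowercase().as_str()))
        .map(|t| t.to_string())
}

fn main() {
    // Constructed sample in the shape the splitter produces.
    let payload = "SELECT * FROM users WHERE name = CONCAT('a','d','m','i','n')";
    println!("normalized: {}", collapse_concat_literals(payload));
    println!("blocklist hit: {:?}", blocklist_hit(payload, &["'admin'", "'password'"]));
}
```

Running the blocklist on the raw payload finds nothing, because no single literal contains `admin`; running it after `collapse_concat_literals` reports `'admin'`. The normalizer only rewrites calls whose every argument is a literal, so `CONCAT(first_name, ' ', last_name)` and similar legitimate usage pass through unchanged.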