49

I understand when they put a + at the end, URL treats it like a space.

I want to know what -- - does. I do know what the "double dash" does. Including the double dash with a "space at the end". I specifically want to know what a dash-dash-space-dash does.

Andronicus
Linux Newbie
  • 2
    It is also used by [Little Bobby Tables](https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom). – Peter Mortensen Apr 01 '20 at 03:19
  • 1
    @Peter Mortensen: Disagree -- I think the question-mark is part of the school administrator's sentence, not part of the name he is quoting. Munroe neglected to sanitize the comic's dialog with delimiting quotes. – A. I. Breveleri Apr 01 '20 at 04:15

1 Answer

90

The last dash basically protects the trailing space. If you exploit SQL injection in a browser (e.g. via the URL), some browsers remove trailing space characters. Some prominent SQL flavors explicitly require the Space after Dash-Dash to treat the sequence as the start of a comment, so attackers often add a character after the Space to protect it against such browser optimization.

You could use any character to accomplish this. `-- x` would do exactly the same.

Michael
Demento
  • 1
    So is "-- -" the exact same as "--+" and "--%20" when it comes to what its effect is? As in the browser will just treat the last space AS space? So why do so many of the YouTube hackers first try "--+" and then they try "-- -" if it has the same effect? – Linux Newbie Mar 31 '20 at 16:04
  • 34
    I have seen the removal of trailing spaces mostly in the browser, but it is also possible that trailing spaces are removed on server side. So you cannot be sure that encoding the space as + or %20 will always do the trick. So it is just a safety net, because if "-- " is treated as comment, the final Dash will not hurt anyway. – Demento Mar 31 '20 at 16:16
  • Can you give an example of a browser that removes trailing space? How does one demonstrate that it's indeed removed? – Andrew Savinykh Apr 01 '20 at 10:35
  • 6
    Reminds me of my first SQL Injection. I didn't know that MySQL treats `--` without a trailing space like `-`, and pulled my hair out trying to figure out why it wasn't working. –  Apr 01 '20 at 10:40
  • 1
    @Andrew Savinykh: All browsers remove the extra space at the end, because it's redundant. You can examine the sent URLs using tools like Burp Suite. – Linux Newbie Apr 01 '20 at 10:52
  • @AndrewSavinykh Spaces are invalid characters in URLs. Your browser probably uses a heuristic to determine whether the space is part of the URL and should be encoded (e.g. as %20) or if it's a search term. – CJ Dennis Apr 01 '20 at 13:02
  • 3
    @Demento SQL Server at least doesn't require the space after '--' to recognise the start of a comment. – BWFC Apr 01 '20 at 13:43
  • It's also not just about the browser - sometimes it's quite sensible for the server-side application to strip spaces. As a CTF player, I probably had one instance sometime where just a space didn't work, so now I'd always just include another character (especially when time is of the essence). – ManfP Apr 03 '20 at 12:47
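
The trimming behaviour described in the answer and comments, as an added example that is not part of the original thread: it decodes query parameters, models what is left after trailing whitespace is stripped, and shows a log-detection pattern that flags every variant discussed above. The host, parameter names and sample requests are constructed, and the regular expressions are a simplified model of the "whitespace after `--`" rule, not a SQL parser.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Simplified model of the rule in the answer: "--" opens a comment only when
# whitespace (or a control character) follows the second dash.
NEEDS_SPACE = re.compile(r"--[\s\x00-\x1f]")
# Detection pattern: "--" followed by whitespace OR end of value, so variants
# whose trailing space is later trimmed are still flagged.
DETECT = re.compile(r"--(?:\s|$)")


def decoded_params(url):
    """URL-decode the query string; '+' and %20 both become a space."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def comment_survives_trim(value):
    """True if a space-requiring engine still sees a comment after a browser
    or server-side component has stripped trailing whitespace."""
    return bool(NEEDS_SPACE.search(value.rstrip()))


def flag(url):
    """Return parameter names whose decoded value contains a '--' comment
    opener (checked on the decoded value, before any trimming)."""
    return [name for name, value in decoded_params(url) if DETECT.search(value)]


# Constructed sample requests (hypothetical host and parameter names).
SAMPLES = [
    "http://app.example/item?id=5--+",     # '+' decodes to a trailing space
    "http://app.example/item?id=5--%20",   # same value, percent-encoded
    "http://app.example/item?id=5--%20-",  # the "-- -" form from the question
    "http://app.example/item?id=5--+x",    # any filler character works
    "http://app.example/search?q=a--b",    # benign: no whitespace after "--"
]

if __name__ == "__main__":
    for url in SAMPLES:
        for name, value in decoded_params(url):
            print(f"{name}={value!r:10} flagged={bool(DETECT.search(value))} "
                  f"survives_trim={comment_survives_trim(value)}")
```

Matching on end-of-value as well as whitespace matters for detection: a rule that only looks for `--` plus a space misses requests whose trailing space was already stripped before logging.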