Bypassing Filters
In some situations, an application that is vulnerable to SQL injection may implement various input filters that prevent you from exploiting the flaw without restrictions. For example, the application may remove or sanitize certain characters, or may block common SQL keywords. Filters of this kind are often vulnerable to bypasses, and there are numerous tricks that you should try in this situation.
Avoiding Blocked Characters
If the application removes or encodes some characters that are often used in SQL injection attacks, you may still be able to perform an attack without these:
■ The single quotation mark is not required if you are injecting into a numeric data field.
■ If the comment symbol is blocked, you can often craft your injected data such that it does not break the syntax of the surrounding query, even without using this. For example, instead of injecting
‘ or 1=1–
you can inject
‘ or ‘a’=’a
■ When attempting to inject batched queries into an MS-SQL database, you do not need to use the semicolon separator. Provided you fix up the syntax of all queries in the batch, the query parser will interpret them correctly regardless of whether or not you include a semicolon.
Circumventing Simple Validation
Some input validation routines employ a simple blacklist, and either block or remove any supplied data which appears on this list. In this instance, you should try the standard attacks looking for common defects in validation and canonicalization mechanisms. For example, if the SELECT keyword is being blocked or removed, you can try the following bypasses:
SeLeCt
SELSELECTECT
%53%45%4c%45%43%54
%2553%2545%254c%2545%2543%2554
Using SQL Comments
Inline comments can be inserted into SQL statements in the same way as for C++, by embedding them between the symbols /* and */ . If the application blocks or strips spaces from your input, you can use comments to simulate whitespace within your injected data. For example:
SELECT/*foo*/username,password/*foo*/FROM/*foo*/users
In MySQL, comments can even be inserted within keywords themselves, which provides another means of bypassing some input validation filters while preserving the syntax of the actual query. For example:
SEL/*foo*/ECT username,password FR/*foo*/OM users
Manipulating Blocked Strings
If the application blocks certain strings that you wish to place as data items within an injected query, then the required string can be constructed dynamically using various string manipulation functions. For example, if the expression admin is being blocked, then you can build this in the following ways:
■ Oracle: ‘adm’||’in’
■ MS-SQL: ‘adm’+’in’
■ MySQL: concat(‘adm’,’in’)
Most databases contain many custom functions for string manipulation that can be used to construct blocked strings in arbitrarily complex ways, in order to circumvent different input validation filters. For example, Oracle contains the functions CHR , REVERSE , TRANSLATE , REPLACE , and SUBSTR . A function like CHR can be used to introduce a literal string in cases where single quotation marks are being blocked. For example, the following query effectively smuggles in the string admin :
SELECT password from users where username = chr(97) || chr(100) ||
chr(109) || chr(105) || chr(110)
Using Dynamic Execution
Some databases provide a means of executing SQL statements dynamically, by passing a string representation of a particular statement to the relevant function. For example, in MS-SQL you can use the following:
exec(‘select * from users’)
This enables you to employ any of the string manipulation techniques described previously in article anywhere within the statement to bypass filters designed to block certain expressions. For example:
exec(‘sel’ + ‘ect * from ‘ + ‘users’)
You can also create a string from hex-encoded numeric data, and then pass this string to the exec function, enabling you to bypass many kinds of input filter, including the blocking of single quotation marks, for example:
declare @q varchar(8000)
select @q = 0x73656c656374202a2066726f6d207573657273
exec(@q)
In Oracle, you can use EXECUTE IMMEDIATE to execute a query that is represented as a string. For example:
declare
l_cnt varchar2(20);
begin
execute immediate ‘sel’||’ect * fr’||’om_users’
into l_cnt;
dbms_output.put_line(l_cnt);
end;
NEXT is..Injecting into Web Scripting Languages…………………,,,,,,,……………….,,,,,,,…………….
