This is part 3 of a series! The next part will go into blind SQL injection! In this tutorial we will look at some tricks of the trade for bypassing SQL injection protections.
Read my previous tutorials:
|Using Comments to Bypass|
So let's get right into this with using comments to bypass filters and code.
When you are injecting there is often code past the point you are injecting into. For example, suppose we are injecting into the following statement (this is pseudocode):
    if id = 1 and id.isnum():
        go to page one
    else:
        go to page two
The clause 'and id.isnum()' could stop our injection from working once we enter text as our SQL code. If we inject a comment symbol, everything after it is ignored, which nullifies the 'isnum' check. This is oversimplified, but I hope you get the gist.
There are many different ways to comment in SQL, but I usually use --, # or /*
For reference, your union statement should look like this:
http://www.site.com/news.php?id=5 union all select 1,2,3 --
Commenting after your injection is not always necessary, but it never hurts to use it.
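The comment trick above, played against a tiny SQLite stand-in for the news.php?id= page, next to the parameterized query that defeats it. This is an added example, not code from the tutorial; the table, its row and the trailing "AND id > 0" clause are constructed to play the role of the code that sits past the injection point.

```python
import sqlite3

# Constructed in-memory stand-in for the news.php?id= page used in the tutorial.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
    INSERT INTO news VALUES (5, 'Release notes', 'Version 2 shipped');
""")


def lookup_vulnerable(news_id: str):
    # The id parameter is pasted straight into the statement.  The trailing
    # "AND id > 0" is the "code past the point you are injecting into": a
    # payload ending in "--" comments it away, so the UNION is free to run.
    sql = f"SELECT id, title, body FROM news WHERE id = {news_id} AND id > 0"
    return conn.execute(sql).fetchall()


def runs_cleanly(news_id: str) -> bool:
    # True when the vulnerable lookup executes without a SQL error, which is
    # how the comment marker makes the difference for the UNION payload.
    try:
        lookup_vulnerable(news_id)
        return True
    except sqlite3.OperationalError:
        return False


def lookup_parameterized(news_id):
    # A bound parameter is data, never SQL.  The whole string is compared
    # against the id column, so UNION and comment tricks have nothing to
    # attach to and the query simply matches no row.
    sql = "SELECT id, title, body FROM news WHERE id = ? AND id > 0"
    return conn.execute(sql, (news_id,)).fetchall()


def lookup_validated(news_id: str):
    # Defence in depth: an id must be an integer, so reject anything else
    # before it reaches the database at all, then still bind it.
    try:
        value = int(news_id)
    except ValueError:
        return []
    return lookup_parameterized(value)
```

Without the "--" the appended "AND id > 0" is glued onto the injected SELECT and the statement errors out, which is exactly the failure the comment marker avoids.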
|Bypassing MySQL Errors|
Some webmasters set up systems that alert on and block a user running certain SQL commands through GET requests. Some SQL servers have precautions like these by default. If you are (for example) trying to find the version using a UNION statement and the variable @@version:
http://www.site.com/news.php?id=5 union all select 1,@@version, 3
and you get an error such as "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..." or really any error saying you could not access a variable that has to exist, you will need to retrieve the data using another function.
I recommend using the convert function because it is not blocked on most MySQL installations today.
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3
Replace the spot where you would normally just put @@version with a convert function retrieving that same data! You could also use the hex and unhex functions:
http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3
I bet there are other similar functions that retrieve data while bypassing any function blocking!
If you are ever injecting and receive unexplained error messages saying your SQL is bad, you probably either messed up your SQL statements or there is code in the source preventing you from running the function.
Before your statement, add a single quote ' or a double quote " to close any previous statement.
If the command was:
    id = "$input"
entering " hack this and that -- would work, because not only did you close off the quote, you also commented out the rest.
Always check the source code and try to nullify the code around you!
|Bypassing the Escape Function|
A common method of stopping normal SQL injection attacks is to prevent quotes from being entered into the input data. A common function (in JS) would look like this:
    function escape(input) {
        // remove every single quote before the value reaches the query
        return input.replace(/'/g, "");
    }
It is difficult to test for SQL vulnerabilities, and often to inject at all, without quotes and special characters. A smart webmaster would use the replace function to disallow any symbols in the input.
This is very easy to bypass, however; we just need help from the char function!
http://www.site.com/news.php?id=5 + char(0x27)
You can see a list of character codes and hex codes for the ASCII system here (CLEAR WEB): http://web.cs.mun.ca/~michael/c/ascii-table.html
Some sites will attempt to make SQL injection harder by limiting the input length. Firstly, you need to realize that you do not need a lot of space to make a devastating SQL command.
Executing ';shutdown-- (which is only 12 characters) will shut down the SQL server, for instance.
Putting character limits in place can lead to more vulnerabilities. If a username input has a limit of 10 characters, you can go into the page source and temporarily edit the length to allow you to send a GET request with more characters.
If you sent exampletxt' the ' character would carry down to the password input, where you could enter, as a GET request, '; shutdown-- The shutdown part can be changed to any short SQL command.
The bigger picture of the last example would look like this:
select * from users where username = 'exampletxt'' and password = '''; shutdown--
I hope the above SQL command gives you an idea of how the past example worked.
A tool that many website owners can use to make sure input data is real data and not injected is T-SQL, or Transact-SQL. T-SQL not only logs all input requests but also checks for suspicious inputs and comments them out. If an attacker tried to input:
' get password
T-SQL would comment it out and log something like "the command 'get password' was detected. it has been commented off for security reasons"
To bypass this we could repeat the malicious command twice in the input, with the second copy already commented out. T-SQL logs the attack but does not comment it out (because we already did), allowing us to still run the command:
' get password --get password
Now… An example using all that we learned!
Imagine a site http://www.bigshop.com. Since they are big, they have 3 SQL injection precautions in place:
1. Escape all single and double quotes
2. Reject all text that represents an SQL command
3. No symbols of any kind
Now... how would we inject into the id parameter (GET request) to access the version (or run any command)?
Try to find it out without us telling you... The answer is below if you scroll down:
. Answer is below
. Actually try to get it
. Feel free to scroll up
You would use the following SQL input:
uni + char(0x27) + on sele + char(0x27) + ct vers + char(0x27) + ion() - + char(0x27) + -
It works because:
- The char functions allow us to have quotes
- The system detects no bad commands because to them it looks like uni'on sele'ct vers'ion() -'-
- Then the quotes are cancelled and the code runs
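Seen from the webmaster's side, the three bypasses in this tutorial (convert/unhex wrappers around @@version, char(0x27) standing in for a quote, and keywords split by quotes) all defeat a blocklist that matches keywords on the raw input. This added example, not part of the tutorial, normalizes a request the way the database will see it before matching, and shows the naive check missing the split-keyword payload while the normalized one catches it. The log lines are constructed; the "%2B" is the URL-encoded "+" concatenation operator.

```python
import re
from urllib.parse import unquote

# Constructed access-log request lines in the shape of the URLs shown in
# this tutorial (spaces are %20, the string-concatenation "+" is %2B).
LOG_LINES = [
    "GET /news.php?id=5 HTTP/1.1",
    "GET /news.php?id=5%20union%20all%20select%201,convert(@@version%20using%20latin1),3 HTTP/1.1",
    "GET /news.php?id=5%20union%20all%20select%201,unhex(hex(@@version)),3 HTTP/1.1",
    "GET /news.php?id=uni%20%2B%20char(0x27)%20%2B%20on%20sele%20%2B%20char(0x27)%20%2B%20ct%20vers"
    "%20%2B%20char(0x27)%20%2B%20ion()%20-%20%2B%20char(0x27)%20%2B%20- HTTP/1.1",
]

SIGNALS = ("union", "select", "@@version", "version()", "--", "/*", "#")


def query_string(line: str) -> str:
    # Everything between "?" and the protocol token of the request line.
    return line.split("?", 1)[1].split(" ", 1)[0] if "?" in line else ""


def naive_hits(line: str):
    # What a plain keyword blocklist sees: the decoded text exactly as sent.
    s = unquote(query_string(line)).lower()
    return [sig for sig in SIGNALS if sig in s]


def normalize(query: str) -> str:
    s = unquote(query)
    # char(0xNN) builds a character the filter never saw; materialise it.
    s = re.sub(r"char\(0x([0-9a-f]{2})\)", lambda m: chr(int(m.group(1), 16)), s, flags=re.I)
    # " + " is string concatenation: join the fragments it separates.
    s = re.sub(r"\s*\+\s*", "", s)
    # Quotes are what split uni'on into harmless-looking pieces; drop them.
    s = s.replace("'", "").replace('"', "")
    # Unwrap the two wrappers used above to fetch @@version despite blocking.
    s = re.sub(r"convert\((.*?)\s+using\s+\w+\)", r"\1", s, flags=re.I)
    s = re.sub(r"unhex\(hex\((.*?)\)\)", r"\1", s, flags=re.I)
    return s.lower()


def normalized_hits(line: str):
    s = normalize(query_string(line))
    return [sig for sig in SIGNALS if sig in s]


def scan(lines):
    # Index of every request that trips the normalized detector.
    return [i for i, line in enumerate(lines) if normalized_hits(line)]
```

Normalizing before matching is a detection aid for logs and alerting; the fix that removes the bug is still binding the id as a parameter rather than pasting it into the query.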
Hope you enjoyed this tutorial! It took a long time but I hope you guys learned from it!
Also read my next tutorial about Blind SQL injection!