From: Aaron C. Newman (aaronNEWMAN-FAMILY.COM)
Date: Wed Feb 07 2001 - 18:47:37 CST

    In many SQL databases, two single quotes placed consecutively and embedded
    as a literal between two other single quotes are translated to a single
    quote. Basically the first quote is escaping the second quote.

    For instance:
    print 'test''test'
    shows up as
    test'test

    Or:
    print 'test''''test'
    shows up as
    test''test

    Looks like the code is attempting to escape quotes by translating each
    single quote to two single quotes. The % signs are simply wildcards for the
    search.

    What can you do with this? It depends. What database platform is being used?
    How is the connection being made from the web server to the database: ODBC,
    JDBC, OLE DB?

    For instance, if the web server is using JDBC to connect to Oracle, a
    backslash '\' should escape the quote. You can try passing

    aaa%\' UNION SELECT Password from dba_users WHERE USERNAME = 'SYSTEM

    which should translate to:
    SELECT Name FROM Users WHERE Name LIKE 'aaa%\'' UNION SELECT Password from
    dba_users WHERE USERNAME = 'SYSTEM'

    Try as many different escape characters as you can think of - &^\/{}. Try
    sending a backspace character after the single quote to see if it might
    erase one of them but not the other, or you may even be able to backspace
    over the entire statement.

    Once you've escaped the quote, executing any sql statement becomes easy.

    HTH,
    Aaron Newman

    > -----Original Message-----
    > From: Penetration Testers [mailto:PEN-TESTSECURITYFOCUS.COM] On Behalf
    > Of Aurobindo Sundaram (+1 512 918 1390)
    > Sent: Wednesday, February 07, 2001 3:08 PM
    > To: PEN-TESTSECURITYFOCUS.COM
    > Subject: [PEN-TEST] Hacking SQL queries ...
    >
    >
    > I have to audit a bit of code that does the following
    >
    > SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name
    >
    > where input is the user-input. When I try the input 'test, the code
    > generated is
    >
    > SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name
    >
    > Since I'm an SQL newbie, I'd be curious to know how someone could supply
    > the appropriate input to do bad things on the SQL server - either
    > in R/O or
    > R/W mode
    >
    > If there are SQL hacking pages someplace, a link would be appreciated
    >
    > Thanks,
    > Robin
    >
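
The exchange above turns on one question: does the target's string-literal grammar treat anything other than a doubled quote as an escape? The following is an added example (not code from either poster) that models Robin's quote-doubling escape and Aaron's backslash payload, then scans the resulting SQL under two grammars to see whether a UNION ever lands outside the literal. The "backslash-aware" grammar is an assumption modelled on MySQL's default behaviour, where a backslash inside a literal escapes the next character; which real dialect and driver combination actually behaves that way (the thread suggests Oracle via JDBC) is something to verify against the target rather than take from this code. SQLite is used only as a convenient standard-grammar engine to execute the queries; the Users table, the names in it, and the function names (build_query, literal_spans, breaks_out, safe_search) are all constructed for the example.

```python
# Added example, not from the original thread. Models the '' escape Robin's
# code applies, checks it under a standard and a backslash-aware literal
# grammar (the latter assumed, modelled on MySQL's default), and contrasts
# string-built SQL with a bound parameter on an in-memory SQLite table.
import re
import sqlite3

TEMPLATE = "SELECT Name FROM Users WHERE Name LIKE '%{}%' ORDER BY Name"
KEYWORDS = {"SELECT", "FROM", "WHERE", "LIKE", "ORDER", "BY", "UNION"}

# Aaron's payload from the thread (Python string, so the backslash is doubled).
PAYLOAD = "aaa%\\' UNION SELECT Password from dba_users WHERE USERNAME = 'SYSTEM"


def escape_by_doubling(value):
    """The escape the audited code applies: every ' becomes ''."""
    return value.replace("'", "''")


def build_query(user_input):
    """Splice the escaped input into the template exactly as the thread shows."""
    return TEMPLATE.format(escape_by_doubling(user_input))


def literal_spans(sql, backslash_escapes):
    """Return (start, end) index pairs of each single-quoted literal in sql.

    Standard grammar: inside a literal only a doubled quote stands for a quote.
    backslash_escapes=True (assumed dialect): a backslash also escapes the next
    character, so it consumes the first of two doubled quotes and the second
    one closes the literal. An unterminated literal runs to len(sql).
    """
    spans, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        start = i
        i += 1
        while i < n:
            if backslash_escapes and sql[i] == "\\" and i + 1 < n:
                i += 2                       # backslash escape: skip next char
            elif sql[i] == "'" and i + 1 < n and sql[i + 1] == "'":
                i += 2                       # doubled quote: a literal '
            elif sql[i] == "'":
                break                        # closing quote
            else:
                i += 1
        spans.append((start, i))
        i += 1
    return spans


def keywords_outside_literals(sql, backslash_escapes):
    """Blank every literal and report which SQL keywords the parser would see."""
    chars = list(sql)
    for start, end in literal_spans(sql, backslash_escapes):
        for k in range(start, min(end + 1, len(sql))):
            chars[k] = " "
    words = re.findall(r"[A-Za-z_]+", "".join(chars))
    return {w.upper() for w in words} & KEYWORDS


def breaks_out(user_input, backslash_escapes):
    """True if the escaped input still puts a UNION outside the literal."""
    return "UNION" in keywords_outside_literals(build_query(user_input),
                                                backslash_escapes)


def demo_db():
    """Constructed in-memory Users table, with one name containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    return conn


def run_escaped(conn, user_input):
    """Execute the string-built (doubling-escaped) query on a standard engine."""
    return [row[0] for row in conn.execute(build_query(user_input))]


def safe_search(conn, user_input):
    """The fix: bind the value as a parameter so it never becomes SQL text."""
    cur = conn.execute("SELECT Name FROM Users WHERE Name LIKE ? ORDER BY Name",
                       ("%" + user_input + "%",))
    return [row[0] for row in cur]


if __name__ == "__main__":
    for inp in ("'test", PAYLOAD):
        print(build_query(inp))
        for bs in (False, True):
            print("  backslash grammar:" if bs else "  standard grammar: ",
                  "breaks out" if breaks_out(inp, bs) else "stays inside literal")
    conn = demo_db()
    print(run_escaped(conn, "o'b"), safe_search(conn, "o'b"))
```

Under the standard grammar the doubled quote keeps both Robin's `'test` and Aaron's payload inside a single literal, which is why `run_escaped` executes the payload query harmlessly on SQLite. Under the backslash-aware grammar the same payload splits the statement into three literals and leaves UNION SELECT exposed to the parser. The parameterised `safe_search` sidesteps the grammar question entirely, which is the property to audit for rather than the escaping routine.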