Penetration Testing mailing list archives

Re: [PEN-TEST] Hacking SQL queries ...

From: "Aaron C. Newman" <aaron () NEWMAN-FAMILY COM>
Date: Wed, 7 Feb 2001 19:47:37 -0500

In many SQL databases, two single quotes placed consecutively and embedded
as a literal between two other single quotes are translated to a single
quote. Basically the first quote is escaping the second quote.

For instance:
print 'test''test'
shows up as
test'test

Or:
print 'test''''test'
shows up as
test''test

Looks like the code is attempting to escape quotes by translating each
single quote to two single quotes. The % are simply wildcard values for the
search.

What can you do with this? It depends. What database platform is being used?
How is the connection being made from the web server to the database, ODBC,
JDBC, ole db?

For instance, if the web server is using jdbc to connect to oracle, a
backslash '\' should escape the quote. You can try passing

aaa%\' UNION SELECT Password from dba_users WHERE USERNAME = 'SYSTEM

which should translate to:
SELECT Name FROM Users WHERE Name LIKE 'aaa%\'' UNION SELECT Password from
dba_users WHERE USERNAME = 'SYSTEM'

Try as many different escape characters as you can think of - &@^\/{}. Try
sending a backspace character after the single quote to see if it might
erase one of them but not the other, or you may even be able to backspace
over the entire statement.

Once you've escaped the quote, executing any sql statement becomes easy.

HTH,
Aaron Newman

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Aurobindo Sundaram (+1 512 918 1390)
Sent: Wednesday, February 07, 2001 3:08 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Hacking SQL queries ...


I have to audit a bit of code that does the following

SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

where input is the user-input. When  I try the input 'test, the code
generated is

SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name

Since I'm an SQL newbie, I'd be curious to know how someone could supply
the appropriate input to do bad things on the SQL server - either
in R/O or
R/W mode

If there are SQL hacking pages someplace, a link would be appreciated

Thanks,
Robin

Current thread:

Re: [PEN-TEST] Expand right under Win2K Gary Flynn (Feb 06)
- Re: [PEN-TEST] Expand right under Win2K Tamas Foldi (Feb 06)
- <Possible follow-ups>
- Re: [PEN-TEST] Expand right under Win2K Reinder Wiersma (Feb 07)
  - [PEN-TEST] Hacking SQL queries ... Aurobindo Sundaram (+1 512 918 1390) (Feb 07)
    - Re: [PEN-TEST] Hacking SQL queries ... Nicolas GREGOIRE (Feb 07)
    - Re: [PEN-TEST] Hacking SQL queries ... Aaron C. Newman (Feb 07)
    - Re: [PEN-TEST] Hacking SQL queries ... Florian Specker (Feb 07)
    - Re: [PEN-TEST] Hacking SQL queries ... Philip Wagenaar (Feb 07)
    - Re: [PEN-TEST] Hacking SQL queries ... Aaron C. Newman (Feb 10)