
SQL Injection Question

<<

digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Thu Nov 15, 2012 6:29 am

SQL Injection Question

Hey All,

I've been trying to work more on learning SQL syntax to better understand injection statements.  I came across an example, and I'm not sure I understand it completely.

They are detailing a sample authentication bypass, initially they put a purposefully wrong statement of:

SELECT * FROM admins WHERE (user = '' OR '1'='1') AND (pass = '')

They said it was wrong, as it would only match users with blank passwords, and I can see that; the parentheses change the order of operations.

This is what they suggested as the correct statement:

SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''

Why are the two true conditions in there.. not sure why that fixes it?

If anyone could explain that, I would really appreciate it - it's stuck in my head, so I've been trying to find an answer!

Thanks in advance for all the help!

-DV :)
<<

digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Thu Nov 15, 2012 6:36 am

Re: SQL Injection Question

Hmm, wouldn't you know, right after I didn't think I could figure it out and posted the question, I think I might understand now...

Is it to make sure the last AND is not executed, as we don't want it to return blank passwords, just all users? Or one user if we specify one?

Thanks again!! :)
<<

caissyd


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Nov 15, 2012 8:29 am

Re: SQL Injection Question

Hi digitalvampire,

Where did you get these examples? You are right that two true statements are not necessary. But sometimes when fuzzing, we would try many, many different things to see if something crashes the application.

Take a look at http://code.google.com/p/fuzzdb/source/browse/#svn%2Ftrunk%2Fattack-payloads%2Fsql-injection to find many useful SQL Statements that may help you understand/fuzz for SQLi vulnerabilities.

But the two examples you posted aren't too good:

This:
SELECT * FROM admins WHERE (user = '' OR '1'='1') AND (pass = '')
Should be:
SELECT * FROM admins WHERE user = '' OR '1'='1'

And this one:
SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''
Should also be something like:
SELECT * FROM admins WHERE user = '' OR '1'='1'

Note: Depending on a few factors (WAF, database vendors, application logic, etc.), SQLi techniques can vary greatly, so experiment!!  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

jimbob


Newbie

Posts: 14

Joined: Tue Aug 01, 2006 3:56 pm

Post Thu Nov 15, 2012 8:40 am

Re: SQL Injection Question

digitalvampire wrote:This is what they suggested as the correct statement:

SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''

Why are the two true conditions in there.. not sure why that fixes it?


What they may have meant was something like this:

  Code:
SELECT * FROM admins WHERE user = '' OR 1=1 AND pass = '' OR 1=1


The two true statements together in their example would not change the outcome of the query. What would work would be manipulating both the user and pass parts of the query to always be true.

What you might also try if you know a valid username is to manipulate only the password field.

  Code:
SELECT * FROM admins WHERE user = 'admin' AND pass = '' OR 1=1


You would typically do this by terminating the SQL query in your injected string with a semicolon, e.g. by entering "' or 1 = 1' ;--" in the password box.

Good luck!
Jimbob
<<

digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Thu Nov 15, 2012 9:22 am

Re: SQL Injection Question

Hey Guys!

Thanks for the information, and links.
I actually got these out of the SQL Injection Attacks and Defense book from Syngress.

It was in their section detailing inline sql injection.  The examples you gave actually make much more sense.

So, now I'm curious - in regards to the statement:

  Code:
SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''


How would that be interpreted?

Would it evaluate the AND pass = '' at the end still, I thought maybe they used the two OR's so that it would never reach the pass section?

Thanks again for all of your help! :)
<<

hayabusa


Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Nov 15, 2012 11:04 am

Re: SQL Injection Question

Without having had the opportunity to glance at the query (for some reason, it's not letting me scroll on my mobile interface today, so I can't see much past the second OR), what I'd suggest would be to set up a similar query against a local SQL database and see how it's interpreted.  Even if you don't query with the bypass params (like 1=1, etc.) and just use regular search data.  That way, you can see how the ANDs and ORs are interpreted (i.e. in what order, etc.).

I often find learning SQL to be easiest by doing, even if against a basic DB that you've set up yourself, just to practice query syntax.

(Note - I have the advantage of working with SQL pretty much daily now, so it's easier.  But I'd still set up and test against an ordinary DB, to be able to test logical comparisons, etc.)

;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Nov 15, 2012 11:23 am

Re: SQL Injection Question

digitalvampire wrote:SELECT * FROM admins WHERE (user = '' OR '1'='1') AND (pass = '')


user = '' or '1' = '1' will always evaluate to true since 1 will always equal 1, regardless of what the user is. With OR, you only need one condition to evaluate to true for the statement to be evaluated as true.

This effectively makes the SQL query: SELECT * FROM admins WHERE TRUE AND pass = ''

With AND, you need both conditions to be true in order for a record to be returned. pass = '' will only evaluate to true for blank passwords, so that is correct.

I'm answering this one out-of-order since it will make the last response make more sense:
digitalvampire wrote:
  Code:
SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''


How would that be interpreted?


http://dev.mysql.com/doc/refman/5.0/en/ ... dence.html

In other words: SELECT * FROM admins WHERE user = '' OR 1=1 OR ('1'='1' AND pass = '')


digitalvampire wrote:SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''


'1'='1' AND pass = '' will similarly evaluate to true only for users with blank passwords. However, consider how the additional OR changes the equation with the possibilities of blank usernames and passwords.

Non-Blank User, Blank Password: SELECT * FROM admins WHERE FALSE OR TRUE OR TRUE

Non-Blank User, Non-Blank Password: SELECT * FROM admins WHERE FALSE OR TRUE OR FALSE

Blank User, Blank Password: SELECT * FROM admins WHERE TRUE OR TRUE OR TRUE (Why bother with SQLi though? Just hit "submit" ;))

Blank User, Non-Blank Password: SELECT * FROM admins WHERE TRUE OR TRUE OR FALSE

Both of those statements will now evaluate to true since only one condition has to be true.

What you are trying to do is make the AND pass = '' irrelevant, and you need an OR to do that. However, you can't just add another OR since your statement would then be SELECT * FROM admins WHERE user = '' OR 1=1 OR AND pass = '', which would cause your query to break. You could also do OR '1'='2' AND pass = '' and have it evaluate to false every time; it wouldn't matter since you already have a TRUE in a series of ORs, and you only need one.

Edit: Man, Hayabusa always manages to ninja a response in when I go on a rant. His name is well-deserved :D
The day you stop learning is the day you start becoming obsolete.
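The local test that hayabusa suggests and the precedence breakdown dynamik gives above, as an added example that is not code from any post in this thread. It uses Python's built-in sqlite3 module instead of MySQL (SQLite applies the same rule the linked MySQL page describes: AND binds tighter than OR), assumes the column names user and pass from the thread's queries, and fills the table with a few constructed rows that cover each user/password combination in dynamik's table. It runs every statement quoted in the thread, plus one extra statement that isolates the precedence rule, and then shows jimbob's password-field attack against a login built by string concatenation next to the same login using bound parameters. The payload string is mine, not jimbob's.

```python
import sqlite3

# Constructed sample rows (not from the thread): one of each user/password
# combination discussed above, plus an all-blank row so every branch has a hit.
SAMPLE_ADMINS = [
    ("admin", "s3cret"),  # non-blank user, non-blank password
    ("guest", ""),        # non-blank user, blank password
    ("", ""),             # blank user, blank password
]

# The statements quoted in the thread, plus "and_tighter", which isolates the
# precedence rule: AND binds before OR, so `a OR b AND c` reads as `a OR (b AND c)`.
THREAD_QUERIES = {
    "paren":       "SELECT user FROM admins WHERE (user = '' OR '1'='1') AND (pass = '')",
    "two_or":      "SELECT user FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''",
    "single_or":   "SELECT user FROM admins WHERE user = '' OR '1'='1'",
    "false_and":   "SELECT user FROM admins WHERE user = '' OR 1=1 OR '1'='2' AND pass = ''",
    "and_tighter": "SELECT user FROM admins WHERE user = '' OR 1=1 AND pass = 'nomatch'",
}


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table using the thread's column names (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    return conn


def matched_users(conn: sqlite3.Connection, sql: str) -> list:
    """Usernames a statement returns, sorted so the result is order-independent."""
    return sorted(row[0] for row in conn.execute(sql))


def evaluate_thread_queries() -> dict:
    """Which rows each of the thread's statements actually returns."""
    conn = make_db()
    return {name: matched_users(conn, sql) for name, sql in THREAD_QUERIES.items()}


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Builds the WHERE clause by string concatenation: the injectable login."""
    sql = f"SELECT user FROM admins WHERE user = '{user}' AND pass = '{password}'"
    return matched_users(conn, sql)


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Same lookup with bound parameters: the input stays data, never SQL."""
    rows = conn.execute(
        "SELECT user FROM admins WHERE user = ? AND pass = ?", (user, password)
    )
    return sorted(row[0] for row in rows)


def demo_password_field_injection() -> dict:
    """Password-box payload (my own string): closes the pass literal, ORs in a
    true clause, and comments out the closing quote the application appends.
    The resulting clause is (user = 'admin' AND pass = '') OR 1=1, so every
    row comes back from the concatenated query and none from the bound one."""
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, "admin", payload),
        "parameterized": login_parameterized(conn, "admin", payload),
    }


if __name__ == "__main__":
    for name, users in evaluate_thread_queries().items():
        print(f"{name:12s} -> {users}")
    print(demo_password_field_injection())
```

Running it shows the point of the thread directly: "paren" returns only the two blank-password rows, "and_tighter" returns only the blank-username row (the AND swallowed the 1=1), and every statement where a bare 1=1 or '1'='1' sits in a chain of ORs returns the whole table, whether the trailing AND clause is true or false.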
<<

digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Thu Nov 15, 2012 12:11 pm

Re: SQL Injection Question

Thanks guys!  That helps a lot, and answers my question.
I think I will create a database to test the queries against too, that's a great idea.

Thanks for all the help! :)

-DV
<<

hayabusa


Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Nov 15, 2012 12:24 pm

Re: SQL Injection Question

ajohnson wrote:Edit: Man, Hayabusa always manages to ninja a response in when I go on a rant. His name is well-deserved :D


<evil grin>  Never know when I'm lurking, for the day...  ;)

@digitalvampire - glad to give you the good idea!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
