Posts

Showing posts from March 4, 2012

Database Finger Printing

SQL Fuzzing

This article is created to introduce an SQL query injection reference, meaning strings that can be used without any modification (a simple copy and paste) in web application SQL fuzzers to perform black box SQL fuzzing (no assumption is made about the back end database). In the following table M means MSSQL, O means Oracle, P means PostgreSQL and My means MySQL.

SQL Injection Strings For Fingerprinting

'SELECT @@version -- (M)
Note: This injection query works with any instance of SQL Server 2000 or of a later version.

' UNION SELECT @@version,NULL,NULL-- (M)
Note: This injection query can be used to identify the number of table columns, the data types and the database version.

'SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY ('productlevel'), SERVERPROPERTY ('edition') -- (M)
Note: This query works with any instance of SQL Server 2000 or of a later version. The following results are returned: The produ...

The SQL Fuzzing Injection Approach

Prologue

This is not another boring SQL injection cheat sheet, since a lot of these cheat sheets already exist on the Internet (e.g. pentestmonkey etc.). This article is about categorizing and formalizing the procedure of SQL injection fuzzing step by step. SQL injection issues should be categorized into three different types:

1. Error Based SQL injections (no input validation or output database error filtering).
2. Semi Error Based SQL injections (minor or no input validation but some output database error filtering).
3. Blind SQL injections (strict both input and output filtering).

The first category is probably the most obvious since it is the easiest to identify, plus whatever you inject (even a single quote) is going to return a database SQL error. The second type of SQL injection is the semi blind SQL injection, where the developers either don't filter the input properly (but do filter) or don't filter at all BUT do filter some of the datab...