Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
SQL obfuscation
Posted by: Gareth Heyes
Date: August 16, 2010 09:57AM

Thought I might as well start a SQL obfuscation topic since I saw this in my feeds:-
http://isc.sans.edu/diary.html?storyid=9397

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: SQL obfuscation
Posted by: Skyphire
Date: August 16, 2010 10:32AM

Nice idea, I suspect a huge thread :) The SANS example has been around for years btw. Simple cast, but requires a stored procedure or declared SQL function. Which is somewhat lame but useful for an attacker, but it can be done without it. Many ways I guess.



Edited 2 time(s). Last edit at 08/16/2010 10:36AM by Skyphire.

Re: SQL obfuscation
Posted by: Gareth Heyes
Date: August 16, 2010 10:35AM

Yeah pretty lame but I realized we hadn't done anything here

.....
MySQL:-
SET @c = CONCAT(b'01010011',b'01100101',b'01001100',b'01100101',b'01100011',b'01110100',' ',b'00110001');
PREPARE s FROM @c;EXECUTE s;

Variation:-
SET @c = CONCAT(_latin1 b'01010011',_latin1 b'01100101',_latin1 b'01001100',_latin1 b'01100101',_latin1 b'01100011',_latin1 b'01110100',' ',_latin1 b'00110001');
PREPARE s FROM @c;EXECUTE s;

SET @c = CONCAT(REPLACE(MAKE_SET(5,'SEL','xxxxx','ECT'), ',', ''),' 1');
PREPARE s FROM @c;EXECUTE s;




Edited 3 time(s). Last edit at 08/16/2010 11:25AM by Gareth Heyes.
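
For log review, the constructions in the post above can be folded back into the statement text they build. The following is an added example, not code from the thread: a small Python constant-folder for bit literals, MAKE_SET, REPLACE and CONCAT that resolves what a `PREPARE ... FROM @var` will run. All function names and the sample log entries are constructed; it assumes one statement per entry and string literals without embedded quotes.

```python
import re

S = r"'[^']*'"  # plain string literal; embedded or escaped quotes are not handled
LIT = re.compile(r"'([^']*)'")

def _bits(m):  # b'01010011' -> 'S' (bytes read as latin-1, an approximation)
    raw = int(m.group(1), 2).to_bytes((len(m.group(1)) + 7) // 8, "big")
    return f"'{raw.decode('latin-1')}'"

def _make_set(m):  # MAKE_SET(bits, s1, s2, ...) keeps the strings whose bit is set
    bits, items = int(m.group(1)), LIT.findall(m.group(2))
    return "'" + ",".join(s for i, s in enumerate(items) if bits >> i & 1) + "'"

RULES = [  # constant-folding rules, applied until nothing changes
    (re.compile(r"(?:_\w+\s*)?\bb'([01]+)'", re.I), _bits),
    (re.compile(rf"MAKE_SET\(\s*(\d+)((?:\s*,\s*{S})+)\s*\)", re.I), _make_set),
    (re.compile(r"REPLACE\(\s*'([^']*)'\s*,\s*'([^']+)'\s*,\s*'([^']*)'\s*\)", re.I),
     lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'"),
    (re.compile(rf"CONCAT\(\s*({S}(?:\s*,\s*{S})*)\s*\)", re.I),
     lambda m: "'" + "".join(LIT.findall(m.group(1))) + "'"),
]

def fold(expr):
    """Reduce constant string expressions to a single literal where possible."""
    prev = None
    while prev != expr:
        prev = expr
        for rx, fn in RULES:
            expr = rx.sub(fn, expr)
    return expr

def resolve_prepared(statements):
    """Return (PREPARE statement, recovered SQL text or None) pairs."""
    user_vars, findings = {}, []
    for stmt in statements:
        s = stmt.strip().rstrip(";")
        if m := re.match(r"SET\s+(@\w+)\s*:?=\s*(.+)$", s, re.I | re.S):
            lit = LIT.fullmatch(fold(m.group(2)).strip())
            user_vars[m.group(1).lower()] = lit.group(1) if lit else None
        elif m := re.match(r"PREPARE\s+\w+\s+FROM\s+(@\w+)", s, re.I):
            findings.append((s, user_vars.get(m.group(1).lower())))
    return findings

SAMPLE_LOG = [  # constructed entries, one statement each, reusing the expressions above
    "SET @c = CONCAT(b'01010011',b'01100101',b'01001100',b'01100101',b'01100011',b'01110100',' ',b'00110001')",
    "PREPARE s FROM @c",
    "SET @c = CONCAT(REPLACE(MAKE_SET(5,'SEL','xxxxx','ECT'), ',', ''),' 1')",
    "PREPARE s FROM @c",
]
print(resolve_prepared(SAMPLE_LOG))
```

A recovered value of `None` means the variable was not built purely from constants, which is itself worth a closer look when it feeds PREPARE.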

Re: SQL obfuscation
Posted by: Anonymous User
Date: August 16, 2010 01:26PM

I would love to post some _ucs2 stuff but we all know the allowed char range here kinda forbids that :P

What about this thread?

Re: SQL obfuscation
Posted by: Anonymous User
Date: August 16, 2010 01:37PM

Guess what that one yields on SQLite?

;;SELECt-"'~!1"'!,/*!\999*/1!\1

And this one on MySQL?

SELECT-!!-1||! !N'1'|2



Edited 2 time(s). Last edit at 08/16/2010 04:06PM by .mario.

Re: SQL obfuscation
Posted by: Gareth Heyes
Date: August 16, 2010 04:02PM

omg newbie error dup thread doh

