SQL Injection Detection Optimization

In Black Hat 2013, Roberto Salgado (@LightOS) came up with the idea of optimizing the detection phase for SQL injection vulnerabilities.

Usually, to test if a parameter is vulnerable to SQL injection, a maximum of six requests must be performed to find out the context of the injection. It might be between single quotes ('), double quotes (") or with no delimiters at all:

TRUE RESPONSES
-1' or '1'='1
-1" or "1"="1
-1 or 1=1

FALSE RESPONSES
-1' or '1'='0
-1" or "1"="0
-1 or 1=0


This means that if, for instance, there are 100 parameters in the application, a maximum of 600 requests must be performed in order to test all of them for SQL injection.

LightOS came up with the idea of detecting vulnerable parameters with just one request by fusing the three testing vectors. This is the multi-context functional polyglot that works in any of the three contexts mentioned above:

-1 OR 1#"or"'OR''='"="'OR''='

Numeric context (everything after # is a comment):
-1 OR 1

Double quotation (the application's own quotes close the string and the rest compares two identical strings):
"-1 OR 1#" or "'OR''='" = "'OR''='"

Single quotation (the final OR compares two empty strings):
'-1 OR 1#"or"' OR '' = '"="' OR '' = ''

You can find his slides at the following link: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

Mirror: https://nzt-48.org/presentations/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

I wanted to see if I could optimize this further by making the vector shorter in length. Surprisingly, I managed to shorten LightOS’s vector by 7 bytes (from 29 to 22). Here is the result:

-1 or 1#'or"or'"!='!="

Numeric context (everything after # is a comment):
-1 or 1

Single quotation (the string "or'" is compared against the string '!="'):
'-1 or 1#' or "or'" != '!="'

Double quotation (the string '"!=' is compared against an empty string):
"-1 or 1#'or" or '"!=' != ""
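To check why both LightOS's vector and the shortened one come back TRUE in every context, here is an added example (my own code, not from the slides or the original post): a toy MySQL-style tokenizer and WHERE evaluator that wraps a payload in each context and evaluates the resulting clause. It assumes MySQL's default comment and quoting rules (# comments, " as a string delimiter), a hypothetical column named id, and a constructed row with id=5; it also shows that the classic single-quote probe breaks the numeric context, which is why three separate probes were needed in the first place.

```python
import re
# Added example (not code from the original post or LightOS's slides): a toy
# MySQL-style tokenizer and WHERE evaluator showing why one polyglot is TRUE in all
# three contexts. Assumes MySQL defaults: '#' starts a comment and '"' delimits
# strings (with sql_mode=ANSI_QUOTES, '"' quotes identifiers and results differ).
ROW = {"id": 5}                                     # constructed sample row
SALGADO = "-1 OR 1#\"or\"'OR''='\"=\"'OR''='"      # 29 bytes, Black Hat 2013 vector
SHORT = "-1 or 1#'or\"or'\"!='!=\""                # 22 bytes, this post's vector
TOKEN = re.compile(r"""(#)|'([^']*)'|"([^"]*)"|(!=|=)|(-?\d+)|(\w+)|(\S)""")

def tokenize(sql):
    """(kind, value) tokens up to a '#' comment; ValueError on e.g. an unclosed quote."""
    toks = []
    for hash_, s1, s2, op, num, word, bad in TOKEN.findall(sql):
        if hash_: break                             # rest of the line is a comment
        if bad: raise ValueError(f"syntax error near {bad!r}")
        toks.append(("op", op) if op else ("num", int(num)) if num else
                    ("word", word.lower()) if word else ("str", s1 or s2))
    return toks

def to_num(v):                                      # MySQL string->number: leading digits or 0
    m = re.match(r"\s*-?\d+", v) if isinstance(v, str) else None
    return v if isinstance(v, int) else (int(m.group()) if m else 0)

def evaluate(where, row):
    """Evaluate  operand [(=|!=) operand] (OR ...)*  for one row with MySQL comparison rules."""
    terms, result = [[]], False
    for tok in tokenize(where):
        terms.append([]) if tok == ("word", "or") else terms[-1].append(tok)
    for t in terms:
        vals = [row[v] if k == "word" else v for k, v in t if k != "op"]
        ops = [v for k, v in t if k == "op"]
        if len(vals) == 2 and len(ops) == 1:
            a, b = vals
            if isinstance(a, int) or isinstance(b, int):  # mixed types compare as numbers
                a, b = to_num(a), to_num(b)
            result |= (a == b) if ops[0] == "=" else (a != b)
        elif len(vals) == 1 and not ops:
            result |= to_num(vals[0]) != 0              # bare operand: nonzero is TRUE
        else:
            raise ValueError(f"cannot evaluate {where!r}")
    return result

def probe(payload, row=ROW):
    """Truth of  WHERE id=<q>payload<q>  per context; 'error' means the query would not parse."""
    out = {}
    for ctx, q in (("numeric", ""), ("single", "'"), ("double", '"')):
        try: out[ctx] = evaluate(f"id={q}{payload}{q}", row)
        except (ValueError, KeyError): out[ctx] = "error"
    return out
```

probe() returns True for all three contexts with either polyglot, False everywhere for a plain -1, and 'error' in the numeric context for -1' or '1'='1.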

This means that instead of performing 300 requests, only 100 requests are needed; the process has been optimized by making it 300% faster.

See if you can make it even shorter.