SQL Injection SubSelects and IF Statements

12-12-2007

I found myself in a situation where I couldn't finish a SQL sentence properly because the input was going to multiple different queries and it was not possible to find one injection which could end all of them properly.

To be able to do some blind tricks I needed to use a subselect with some kind of IF statement. The target was SQL Server, so the following query would be the ideal start:

SELECT * FROM Members WHERE user_id = 1 AND (IF (1=1) SELECT 1 ELSE SELECT 2)

Don't try it; it's not going to work, because SQL Server doesn't support IF statements in subselects. Strangely, though, you may use CASE statements in a subselect like this:

SELECT * FROM Members WHERE user_id = 1 AND 1=(select case when (1=1) then 1 end)

It's really interesting. Also, ice of SQLNinja pointed out that I can do bitwise tricks to emulate the same thing; that was something I missed. It's pretty cool because you may bypass a couple of stupid IPS/IDS/WAF products. Here is an example of doing a similar thing with bitwise operators:

SELECT * FROM Members WHERE user_id = 1+((ascii('A'))&32)/32

My problem was that, while automating this stuff, my Blind SQL Injection framework wasn't designed for bitwise tricks, which means I would need to add a big chunk of code to support them. So I went with the CASE thingy to exploit this.
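From the defending side, the three query fragments above show why keyword signatures are a weak control: the bitwise form contains none of the keywords such a rule looks for. The following is an added example, not code from the original post; the keyword signature, the allow-list check, the sample rows and the use of SQLite as a stand-in for SQL Server are assumptions for illustration.

```python
import re
import sqlite3

# Constructed values for the user_id parameter: one benign value plus the
# injected fragments from the three queries shown in the post.
SAMPLES = {
    "benign": "1",
    "if_subselect": "1 AND (IF (1=1) SELECT 1 ELSE SELECT 2)",
    "case_subselect": "1 AND 1=(select case when (1=1) then 1 end)",
    "bitwise": "1+((ascii('A'))&32)/32",
}

# Hypothetical keyword signature of the kind a simple IPS/WAF rule might use.
KEYWORD_SIG = re.compile(r"\b(select|case|if|union)\b", re.IGNORECASE)


def keyword_filter_flags(value):
    """True if the keyword signature matches the parameter value."""
    return bool(KEYWORD_SIG.search(value))


def is_valid_user_id(value):
    """Allow-list check: user_id must be 1-10 ASCII digits and nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def lookup_member(conn, value):
    """Validate, then bind the value as data so it is never parsed as SQL."""
    if not is_valid_user_id(value):
        return None
    row = conn.execute(
        "SELECT name FROM Members WHERE user_id = ?", (int(value),)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Return {sample: (keyword_hit, passes_allow_list, lookup_result)}."""
    conn = sqlite3.connect(":memory:")  # SQLite stands in for SQL Server
    conn.execute("CREATE TABLE Members (user_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Members VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return {
        name: (keyword_filter_flags(v), is_valid_user_id(v), lookup_member(conn, v))
        for name, v in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The keyword rule flags the IF and CASE fragments but not the bitwise one, while the digit-only allow-list combined with a bound parameter rejects all three regardless of how they are written.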

These tricks will be in the SQL Injection Cheat Sheet, along with lots of other stuff. Wait for the next update.
