the-web-application-hackers-handbook

Chapter 9 n Attacking Data Stores 311
TIP When multiple columns are returned from a target table, these can be
concatenated into a single column. This makes retrieval more straightforward,
because it requires identification of only a single varchar field in the original
query:
n Oracle: SELECT table_name||’:’||column_name FROM
all_tab_columns
n MS-SQL: SELECT table_name+’:’+column_name from information_
schema.columns
n MySQL: SELECT CONCAT(table_name,’:’,column_name) from
information_schema.columns
Bypassing Filters
In some situations, an application that is vulnerable to SQL injection may implement
various input filters that prevent you from exploiting the flaw without
restrictions. For example, the application may remove or sanitize certain characters
or may block common SQL keywords. Filters of this kind are often vulnerable
to bypasses, so you should try numerous tricks in this situation.
Avoiding Blocked Characters
If the application removes or encodes some characters that are often used in
SQL injection attacks, you may still be able to perform an attack without these:
n The single quotation mark is not required if you are injecting into a numeric
data field or column name. If you need to introduce a string into your
attack payload, you can do this without needing quotes. You can use
various string functions to dynamically construct a string using the ASCII
codes for individual characters. For example, the following two queries
for Oracle and MS-SQL, respectively, are the equivalent of select ename,
sal from emp where ename=’marcus’:
SELECT ename, sal FROM emp where ename=CHR(109)||CHR(97)||
CHR(114)||CHR(99)||CHR(117)||CHR(115)
SELECT ename, sal FROM emp WHERE ename=CHAR(109)+CHAR(97)
+CHAR(114)+CHAR(99)+CHAR(117)+CHAR(115)
n If the comment symbol is blocked, you can often craft your injected data
such that it does not break the syntax of the surrounding query, even
without using this. For example, instead of injecting:
‘ or 1=1--
you can inject:
‘ or ‘a’=’a