Introduction
Looking for SQL Injection vulnerabilities in web applications can be a complicated task. Web applications are often implemented with complicated filters or web application firewalls which can block the use of basic queries such as 'OR 1=1' or other well-used payloads. This can often trick a consultant into thinking that there is no SQL Injection vulnerability present in the tested parameter. This article will look at the use of a SQL Injection polyglot payload to identify SQL Injection vulnerability in web application filters.
Polyglot payloads are payloads that can be used in more than one context and are still treated as valid data. This means that a user can use one payload to test for a vulnerability in different areas of the application with efficiency.
Technical Details
Since SQL Injection can occur in any statement that takes invalidated input, detection can be trivial. Furthermore, successful detection will depend on various factors such as escaping quotes, breaking out of nested statements and more.
1
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(5))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(5)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(5)))OR"*/
This payload was created by Mathias Karlsson and Fredrik Nordberg Almroth of Detectify. This SQL Injection query will work in many cases where a MySQL Injection vulnerability is present on the target. This is done by combining different queries that will work in different contexts to execute as one.
The SUBSTRING function is used to extract the version of the SQL server. If this condition is true, then the payload executes the BENCHMARK and SLEEP function to wait for a specified time. Moreover, the payload uses binary functions (OR and XOR) to concatenate the strings without breaking the syntax. This will adapt the payload to use any quotation that is necessary in order to execute correctly. Furthermore, different queries from different contexts are combined together with the OR statement.
More information regarding this research can be found at:
https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload
To test the effectiveness of this payload, the web for Pentester SQL Injection challenges provided by PentesterLab will be used as a testbed. Furthermore, the mentioned polyglot will be compared with the Burp Suite’s Active Scanner to see this technique’s strengths and weaknesses. Lastly, the following caveats will also be followed as part of the test:
- No additional data or queries will be added with the polyglot payload
- Active scan was reconfigured to scan only inserted points and test for SQL Injection vulnerabilities only
- The polyglot payload will not be modified in any way
The results are presented in the below table:
| Testbed | Context | Filter Used | SQLi Payload | Burp Suite Scanner |
|---|---|---|---|---|
| Example 1 | String | None | Success | Success |
| Example 2 | String | No Spaces | Success | Success |
| Example 3 | String | No Spaces, tabulations | Success | Success |
| Example 4 | Integer | mysql_real_escape_string |
Success | Success |
| Example 5 | Integer | Regex to remove single/double quotes | Fail | Success |
| Example 6 | Integer | Regex ensuring parameter ends with digit | Fail | Fail |
| Example 7 | Integer | Regex using multiline modifier | Fail | Fail |
| Example 8 | String (Order by clause) | No Single quote, double quote | Fail | Fail |
| Example 9 | String (Order by clause) | Regex to block backtick | Success | Success |
According to the findings presented in the table, the Burp Suite Active scanner was able to detect more SQL Injection vulnerabilities than the polyglot payload. But, it should be noted that the Burp scanner used multiple payloads to test for SQL Injection vulnerabilities within the given parameters. Furthermore, Burp Suite had to send a minimum of 40–60 requests to successfully identify a SQL Injection vulnerability within the given parameter.
It should be noted that in some examples, it is necessary to balance out the initial query with additional quotes or Boolean operators before applying the polyglot payload. This was not done due to the nature of the test.
Conclusion
To conclude, polyglot payloads can be very useful when testing an application for SQL Injection vulnerabilities while minimizing requests and additional payloads. Moreover, the mentioned polyglot payload can make it easier for a consultant to check for SQL Injection vulnerabilities with little understanding of the backend query. But, polyglot payloads should not be considered a one-hit silver bullet for finding SQL Injection vulnerabilities.
References
Let me know if you want it saved as a .md file or need the formatting tweaked!