Skip to content

Insight

Jump to bottom
ron190 edited this page Mar 15, 2025 · 9 revisions

Injecting a target implies several steps like getting the character insertion, checking the database engine, and getting the schemas via dump optimization with syntax tricks and sometimes applying peculiar algorithm.

Identification

Character insertion

Input to internal query can take various forms and its identification is required even prior to the database vendor search :

  • simple quotes : ... where id='{input}'
  • integer : ... where id={input}
  • parenthesis and quotes : ... where id=('{input}')
  • etc... eg. multiple parenthesis and integer : ... where (id=({input}))

Consequently the injection prefix must properly match the internal query before proceeding to read any schema. A Boolean check is set to reliably detect the correct form.

In previous examples the respective {input} prefix are :

  • ' {inject} -- with an end comment to disable the remainder '
  • 1 {inject} -- optional end comment as there's no remainder to disable
  • ') {inject} -- with an end comment to disable the remainder ')
  • 1)) {inject} -- with and end comment to disable the remainder ))

Database vendor

Each database engine uses its own SQL syntax making the injection process unreliable if vendor has not been identified first. In that purpose several techniques will look to identify the engine :

  1. Fingerprint by error message : query with any incorrect input to get specific error message from target's engine
  2. Fingerprint by incorrect ORDER BY : query with wrong column name to get specific engine error message
  3. Fingerprint by engine specific function : call a method that works only on a given engine

Note

Create an issue to share other techniques you know.

Strategies

The pattern of queries can take various forms which may or may not work, the goal is to find at least one strategy working in that specific order : Time, Blind, Multibit, Error, Stack and Union.

Optimizations

Improvements applied during the process are key for lowering the loading time and to decrease the number of queries :

  • Query with GROUP BY to count rows : a single query gets database names with tables count, a single query gets table names with rows count
  • Apply DISTINCT on columns : prevents getting useless duplicated data
  • Failsafe N0+1 syntax : sum interpreted by engine as N1 avoids matching when URL with N0+1 shows in the response
  • Indices calibrator : identify the best Union index when multiple indices are working (eg. ... select 1,2✅,3,4,5✅)
  • Bitwise queries in parallel : chars binary form is queried instead of ASCII form to avoid slower sequential "binary search"
Previous topic: Strategy, Next topic: Exploit
  1. Home
  2. TL;DR
  3. General
  4. Strategy
  5. Insight
  6. Exploit
  7. Reverse shell
  8. Window
  9. SQL Engine
  10. Parameter
  11. Preference
  12. Database
  13. Programming jSQL
  14. Test script
  15. Roadmap
  16. Changelog
Clone this wiki locally