Skip to content

Insight

Jump to bottom
ron190 edited this page Apr 17, 2025 · 12 revisions

Injecting a target implies several steps like getting the character insertion, checking the database engine, and getting the schemas via dump optimization with syntax tricks and sometimes applying peculiar algorithm.

Identification

Character insertion

Input to internal query can take various forms and its identification is required even prior identifying any database vendor :

  • simple quotes : ... where id='{input}'
  • integer : ... where id={input}
  • parenthesis and quotes : ... where id=('{input}')
  • etc... eg. multiple parenthesis and integer : ... where (id=({input}))

Consequently the injection prefix must properly match the internal query before proceeding to read any schema. A Boolean check is set to reliably detect the correct form.

In previous examples the respective {input} prefix are :

  • ' {inject} -- with an end comment to disable the remainder '
  • 1 {inject} -- optional end comment as there's no remainder to disable
  • ') {inject} -- with an end comment to disable the remainder ')
  • 1)) {inject} -- with and end comment to disable the remainder ))

Database vendor

Each database engine uses its own SQL syntax making the injection process unreliable when vendor has not been identified first. So several techniques will look first to identify the engine :

  1. Fingerprint by error message : query with any incorrect input to get specific error message from target's engine
  2. Fingerprint by incorrect ORDER BY : query with wrong column name to get specific engine error message
  3. Fingerprint by engine specific function : call a method that works only on a given engine

Note

Create an issue to share other techniques you know.

Strategies

The query patterns can take various forms which may or may not work, the goal is to find the most effective working strategy in that specific order : Time bit, Blind bin, Blind bit, Multibit, Error, Stack and Union.

Optimizations

Improvements applied during the process are key for lowering the loading time, to decrease the number of queries, and for reducing the query size :

  • Check char insertion in parallel : search for the correct internal character insertion with optimized speed
  • Check Union indices in parallel : search for the query parameter count with optimized speed
  • Indices calibrator : identify the best Union index when multiple indices are working (eg. ... select 1,2✅,3,4,5✅)
  • Query with GROUP BY to count rows : a single query gets database names with tables count, a single query gets table names with rows count
  • Apply DISTINCT on columns : prevents getting useless duplicated data
  • Failsafe N0+1 syntax : sum interpreted by engine as N1 avoids matching when URL with N0+1 shows in the response
  • Bitwise queries in parallel : chars bitwise form is queried instead of ASCII form to avoid slower sequential "binary search"
Previous topic: Strategy, Next topic: Exploit
  1. Home
  2. TL;DR
  3. General
  4. Strategy
  5. Insight
  6. Exploit
  7. Reverse shell
  8. Window
  9. SQL Engine
  10. Parameter
  11. Preference
  12. Database
  13. Programming
  14. Test script
  15. Roadmap
  16. Changelog
Clone this wiki locally