> I started to code a w3af extension to detect blind sql injections this
> way, and I realized that CONCAT only works on mysql (doh!, that
> happens when you read emails too fast, and don't pay attention to the
> details). So the implementation would need to have the specific
> "CONCAT" for every database, which will increase the amount of
> requests per parameter a bit (not a big problem).

Yes, I introduced 'CONCAT' as an example. String concatenation is not fully standardized (if I recall correctly); that's why it is used in DBMS fingerprinting techniques. But what about:

?id=acme (original)
?id=' OR CHAR(1) = CHAR(1) -- ?

> The "best case" for this technique is a query string, where you have
> something like:
>
> http://some.tld/?id=1
>
> And you test:
>
> http://some.tld/?id=1+1-1
>
> And if they are equal you have found something. Now for the "worse
> case": a search form.

It works well with numerical values ... yes!

> Think about a tiny search engine, where you
> input your search string into an HTML form. The first bad thing is
> that you don't have "the original string" in order to split it, and
> use the CONCAT trick. Why is this bad? Because you'll have to guess
> one! Example:
>
> Search: spam.eggs --> No results
> Search: CONCAT('spam.','eggs') --> No results
>
> BUT the problem is that you don't really know if the second "No
> results" is because of a successful SQL injection where the concat was
> evaluated, or just because the data was validated and there is no
> "CONCAT(\'spam.\',\'eggs\')" in the search table. Are my ideas ok?

For a Blind SQL Injection check you should retrieve these pages:

* original
* tautology correct (Ex: AND 1=1)
* tautology incorrect (Ex: AND 1=0)

then by comparing the above you shall decide if there is any Blind SQL Inj. vulnerability.

Be aware, it's not an easy task to automate the above checks; you should decide how to build the comparison algorithm:

* compare full retrieved page content
* compare partial retrieved page content
* compare page content-lengths

and so on ....

So, your example is correct because it doesn't matter if there is any 'spam.eggs' in your search datastore, it's just important that both:

* Search: spam.eggs
* Search: CONCAT('spam.','eggs')

give back the same pages (or same contents, or same paragraphs, or some words ...
or something :) )

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
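The three-request check discussed in this thread (original page, true tautology `AND 1=1`, false tautology `AND 1=0`) together with the comparison strategies listed (full content, partial content, content-length), as an added example in Python. This is not w3af code and not code from either poster. It runs offline against a constructed in-memory SQLite "search engine" with an interpolated (vulnerable) id endpoint, an interpolated search-form endpoint and a validated endpoint; the `FakeSite` class, the `<!-- request #N -->` noise, the 0.95 similarity threshold and the probe strings are all assumptions made for the demonstration. It goes one step beyond the text: the original value is fetched twice first, so a page that changes between identical requests is reported as "unstable" instead of being compared at all.

```python
"""Blind SQL injection check by response comparison.

Added example (not w3af code): three requests per parameter, the original
value, a true tautology (AND 1=1) and a false tautology (AND 1=0), then a
comparison of the returned pages.  The parameter is flagged only when
original ~ true-page and original !~ false-page.
"""
import re
import sqlite3
from difflib import SequenceMatcher


class FakeSite:
    """Constructed target: a tiny search engine over an in-memory SQLite table."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE items(id INTEGER, name TEXT)")
        self.conn.executemany("INSERT INTO items VALUES (?, ?)",
                              [(1, "acme"), (2, "spam.eggs"), (3, "widget")])
        self.counter = 0  # per-request noise, standing in for a timestamp or nonce

    def _render(self, rows):
        self.counter += 1
        items = "".join(f"<li>{i}: {n}</li>\n" for i, n in rows)
        return ("<html><body><h1>Search results</h1>\n"
                f"<ul>\n{items}</ul>\n<p>{len(rows)} result(s)</p>\n"
                f"<!-- request #{self.counter} -->\n</body></html>\n")

    def _run(self, sql):
        try:
            return self._render(self.conn.execute(sql).fetchall())
        except sqlite3.Error:            # SQL syntax error -> empty result page
            return self._render([])

    def vulnerable_id(self, value):      # ?id=1, value interpolated into the query
        return self._run(f"SELECT id, name FROM items WHERE id = {value}")

    def vulnerable_search(self, value):  # search form, value interpolated inside quotes
        return self._run(f"SELECT id, name FROM items WHERE name = '{value}'")

    def safe_id(self, value):            # validated, then bound as a parameter
        if not value.isdigit():
            return self._render([])
        rows = self.conn.execute("SELECT id, name FROM items WHERE id = ?",
                                 (int(value),)).fetchall()
        return self._render(rows)


COMMENT_RE = re.compile(r"<!--.*?-->", re.S)


def normalize(page):
    """'Partial content' comparison: drop HTML comments, collapse whitespace."""
    return " ".join(COMMENT_RE.sub("", page).split())


def similarity(a, b):
    """Ratio in [0, 1] between the normalized pages (1.0 means identical)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def check_blind_sqli(fetch, original, true_probe, false_probe, threshold=0.95):
    """fetch(value) -> page body.  Returns the ratios, length deltas and a verdict."""
    base_a, base_b = fetch(original), fetch(original)
    stability = similarity(base_a, base_b)
    if stability < threshold:            # page differs between identical requests
        return {"verdict": "unstable", "stability": stability}
    page_true, page_false = fetch(true_probe), fetch(false_probe)
    r_true, r_false = similarity(base_a, page_true), similarity(base_a, page_false)
    len_true = len(normalize(page_true)) - len(normalize(base_a))    # content-length signal
    len_false = len(normalize(page_false)) - len(normalize(base_a))
    flagged = r_true >= threshold and r_false < threshold
    return {"verdict": "vulnerable" if flagged else "not vulnerable",
            "stability": stability, "true": r_true, "false": r_false,
            "len_true": len_true, "len_false": len_false}


def run_demo():
    """Probe the three constructed endpoints; returns {endpoint: verdict}."""
    site = FakeSite()
    cases = {
        "vulnerable_id": (site.vulnerable_id, "1", "1 AND 1=1", "1 AND 1=0"),
        "safe_id": (site.safe_id, "1", "1 AND 1=1", "1 AND 1=0"),
        "vulnerable_search": (site.vulnerable_search, "acme",
                              "acme' AND '1'='1", "acme' AND '1'='0"),
    }
    verdicts = {}
    for name, (fetch, orig, t, f) in cases.items():
        result = check_blind_sqli(fetch, orig, t, f)
        print(f"{name:18} {result}")
        verdicts[name] = result["verdict"]
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The validated endpoint returns the same empty page for both probes, so the "true" page no longer matches the original and nothing is flagged; on the interpolated endpoints the true probe reproduces the original page exactly while the false probe drops the result row, which is the signature the thread describes. Against a real site the comment-stripping in `normalize` would need to be extended to whatever dynamic content (CSRF tokens, timestamps, ads) the target emits, which is exactly the "how to build the comparison algorithm" decision raised above.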