
[SQL Injection] How could <a' OR ''='> list users?


pierre


This would make the conditional in the SQL statement always return true. I can see the query being something like this:

select <fields from table> from users where username = 'a'

If the application is not binding the input to the search fields, then they are concatenating and making the statement become...

select <fields from table> from users where username = 'a' or ''=''

The second part of the conditional is or '' = ''; empty string will always be equal to empty string, thus, the whole condition would return true. The first part username = 'a' would be false, but when evaluating false or true, the result is true.

Hope this helps.

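The concatenation the reply above describes, as an added example that is not part of the original thread and not DVWA's code: a small Python script using the standard sqlite3 module and a constructed users table. It builds the query by pasting the input into the SQL text exactly as the reply shows, runs it with the thread's a' OR ''=' input, and then runs the same lookup as a parameterized query, which is the fix. The table name, column names and sample rows are assumptions made up for this example.

```python
import sqlite3

# Constructed sample rows for this example; not DVWA's schema or data.
SAMPLE_USERS = [
    (1, "alice", "Alice", "Anderson"),
    (2, "bob", "Bob", "Brown"),
    (3, "carol", "Carol", "Clark"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def build_concatenated_query(user_input):
    """The vulnerable pattern: the raw input is spliced into the SQL text.

    The database lexer sees any quote inside user_input as SQL syntax, so
    a' OR ''=' closes the literal and appends a condition that is always true.
    """
    return (
        "SELECT first_name, last_name FROM users WHERE username = '"
        + user_input
        + "'"
    )


def lookup_concatenated(conn, user_input):
    """Run the concatenated query and return whatever rows the database selects."""
    return conn.execute(build_concatenated_query(user_input)).fetchall()


def lookup_parameterized(conn, user_input):
    """The fix: the SQL text is fixed and the value is bound separately.

    The driver passes user_input as a value, so a quote inside it is just a
    character in a string, never a delimiter; the same input matches nothing.
    """
    sql = "SELECT first_name, last_name FROM users WHERE username = ?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "a' OR ''='"
    print(build_concatenated_query(payload))
    print("concatenated:  ", lookup_concatenated(db, payload))    # every row
    print("parameterized: ", lookup_parameterized(db, payload))   # no rows
    print("real username: ", lookup_parameterized(db, "alice"))   # one row
```

The concatenated lookup returns all three rows because the WHERE clause becomes username = 'a' OR ''='', while the parameterized lookup returns nothing for the same input and still finds the real user by name.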

You put the quote to close the value part of the field you're inserting into.

Example SQL statement:

UPDATE USERS SET PWHASH = '<SOMETHING>' WHERE USERNAME = '<SOMETHING>';

When there is a SQLi situation you, the outside user, have full control over one or both of those <SOMETHING>'s. For this example we'll assume you only have full control over the second <SOMETHING> because the first <SOMETHING> is actually the hash of some data you provided.

What you want to do is have the database execute a SQL statement that does something WILDLY different than this. Specifically, we want to perform the SQL statement:

SELECT * FROM USERS;

You can do this via SQLi because it allows you the opportunity to replace that one SQL statement with what amounts to 2 statements by inserting our specially crafted <SOMETHING>. The problem is that when the database engine is given 2 statements to perform and the first one contains an error, it won't run the second statement. So whatever we provide as that second <SOMETHING>, it needs to produce a valid first SQL statement.

These are the 2 statements we can construct using SQLi that include that second SQL statement:

UPDATE USERS SET PWHASH = '<SOMETHING>' WHERE USERNAME='MyUserName'; SELECT * FROM USERS; --';

Notice that the bit in red here is that second <SOMETHING> in the first statement.

A similar example using a SELECT statement:

SELECT * FROM ACCOUNTS WHERE USERNAME = '<SOMETHING>' AND PWHASH = '<SOMETHING>';

Same rules as before apply - you can change the first <SOMETHING> but not the second. You want to log in as user Admin and you know that the account returned by this statement is the account that will be activated for your current session.

SELECT * FROM ACCOUNTS WHERE USERNAME = 'Admin';-- ' AND PWHASH = '<SOMETHING>';

The bit in red is again what you provide as <SOMETHING>. Because '--' in SQL means 'what comes next is comments, just ignore that bit' you can see how this allows you to circumvent a check.

Finally a similar example that has that initial quote in it like you currently see:

SELECT * FROM ACCOUNTS WHERE USERNAME = '<SOMETHING>' AND PASSWORD = '<SOMETHING>';

You now have full control over the second <SOMETHING> but the first is somehow restricted to the point it doesn't allow SQLi. That first <SOMETHING> has to be 'Admin' like before, which is a value you can simply provide, but now that second check needs to match something too. We achieve that like so:

SELECT * FROM ACCOUNTS WHERE USERNAME = 'Admin' AND PASSWORD = '' OR '' = '';--';

Again, the bit in red is what you provided for the second <SOMETHING>. By providing this, we first compare PASSWORD against an empty string, which almost certainly won't match, meaning the database record won't be produced by this statement. However, it's followed by an OR statement that compares an empty string against an empty string. This will always evaluate to true, thus negating the failing condition preceding it. The end result is that the only real test the database now performs is the test for username, even though the application assumes the database is also checking the password for validity.


So the query seems like this to the DB :

SELECT First_Name,Last_Name FROM users WHERE ID='a' OR ''=''; when I enter a' OR ''=' on the submit.

So I think I've understood the background idea of the boolean.

But 2 things :

1) Why do I have to put the first quote after the a? To escape some restriction?

2) Why do I have to make a two-statement boolean? Why doesn't just ''=' work?

Thanks :)

EDIT: I seem to understand the first quote:

These produce the same results :)

[attached screenshots: Sans_titre.jpg, Sans_titre2.jpg]

So the first quote marks the end of the first value as you said :)

But what about the other part: OR ''='

Just why the double quotes before the equals?

Edited by tot94

It's not double quote, it's 2 single quotes (denoting the complete string).

You then get the equals, a single quote and the second single quote is what would terminate the value in the original statement.


Thanks, I understand.

For example here : a' OR '1'='1

-The 1st quote is for the end of the first value

-The 2nd quote is for the beginning of the 2nd value

-The 3rd quote is for the end of the 2nd value

-The 4th quote is for the beginning of the 3rd value

Finally, no need for a 5th quote, because the 3rd value is auto-shortened, right?


You don't need a 5th quote because it is included in the underlying php code that handles the query.

From the DVWA code,

$id = $_REQUEST[ 'id' ];

// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

In this case, $id is equal to whatever you put into the text box. So if you take your example a' OR '1'='1 the query will look like this:

$query = "SELECT first_name, last_name FROM users WHERE user_id = 'a' OR '1'='1';";

As you can see, when your SQLi statement is given in the textbox, the quotes will be balanced. If you added another quote, the line would be like this:

$query = "SELECT first_name, last_name FROM users WHERE user_id = 'a' OR '1'='1'';";

This won't work because there is an odd number of single quotes, and will cause the php code to have an error.

Another thing to note is that -- is the default comment operator for SQL. This will cause whatever happens after the -- to not be evaluated by SQL. For example, if your target is a username/password combo, you may only need to try injecting the username field. Your test string would be

a' OR 1=1 --

This interrupts the rest of the query string; unless there is something else going on in PHP, this is what the SQL statement looks like:

SELECT <whatever> from <database> WHERE 'a' OR 1=1

Also, note that you don't have to use '1'='1 in the previous examples either. Your test string could be:

a' OR 1=1 OR '

The SQL statement will be:

SELECT <whatever> from <database> WHERE 'a' OR 1=1 OR '' <rest of query>

The end result is the same. I prefer to use as few quotes as possible to reduce confusion on my end.

Hope this helps.

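As an added illustration of the quote-pairing walkthrough (1st quote ends the first value, 2nd begins the next, and so on) and of the DVWA post above, here is a small Python scanner that is not from the thread and not DVWA code. It reads a SQL statement the way a database lexer does: it collects each single-quoted literal, treats a doubled '' inside a literal as an escaped quote, and discards everything from -- to the end of the line. Running it over the thread's inputs shows which quote closes which literal, why an extra quote leaves a literal unterminated (the odd-quote-count error), and why -- swallows the template's own closing quote. The template string and the $id substitution mimic the DVWA line quoted above; the scanner is a teaching aid, not a full SQL parser. It goes one step beyond the thread by also running a legitimate value with an apostrophe (O'Brien), which breaks concatenated queries for exactly the same lexical reason.

```python
# Teaching scanner written for this thread; not DVWA code and not a full SQL lexer.
# The template mirrors the DVWA query quoted in the post above.
DVWA_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"


def scan_sql_literals(sql):
    """Read sql the way a database lexer does.

    Returns (literals, unterminated): the contents of each single-quoted
    literal in order, and True when the input ends while a literal is still
    open. Two rules matter for the thread's examples:
      - a doubled '' inside a literal is an escaped quote, not close+open;
      - from -- to the end of the line is a comment and is never lexed.
    """
    literals = []
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("--", i):
            nl = sql.find("\n", i)          # skip the rest of the line
            i = n if nl == -1 else nl + 1
            continue
        if sql[i] != "'":
            i += 1                          # ordinary SQL text, not a literal
            continue
        i += 1                              # opening quote consumed
        buf, closed = [], False
        while i < n:
            if sql[i] == "'":
                if sql.startswith("''", i):
                    buf.append("'")         # escaped quote stays in the literal
                    i += 2
                    continue
                closed, i = True, i + 1     # the real closing quote
                break
            buf.append(sql[i])
            i += 1
        literals.append("".join(buf))
        if not closed:
            return literals, True           # input ended inside a literal
    return literals, False


def explain(user_input, template=DVWA_TEMPLATE):
    """Substitute user_input into the template the way PHP interpolates $id,
    then report how the quotes paired up."""
    sql = template.replace("$id", user_input)
    literals, unterminated = scan_sql_literals(sql)
    return {"sql": sql, "literals": literals, "unterminated": unterminated}


if __name__ == "__main__":
    # Inputs from the thread plus one legitimate value containing an apostrophe.
    for value in ["1", "a' OR '1'='1", "a' OR '1'='1'", "a' OR 1=1 --", "O'Brien"]:
        r = explain(value)
        print(repr(value))
        print("  sql:         ", r["sql"])
        print("  literals:    ", r["literals"])
        print("  unterminated:", r["unterminated"])
```

For a' OR '1'='1 the scanner reports the literals a, 1 and 1 with every quote paired, the last one being closed by the template's own quote; with one more quote the final literal never closes, which is the error the post describes; and with a' OR 1=1 -- only the literal a survives because the comment swallows the template's closing quote. O'Brien produces an unterminated literal too, which is why concatenation fails on ordinary data and not only on deliberate input; binding the value as a parameter avoids both problems.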
