Saturday, January 12, 2008

Conversion Attacks with SQL Injection

With any discussion of SQL Injection, folks commonly tend to migrate towards two basic types of SQL Injection:

  • Verbose SQL Injection
  • Blind SQL Injection

If you were to sit down and compare the variations of SQL Injection, these two would probably cover the 80/20 rule for the majority of attacks. For those of you who might be unfamiliar with the differences.

Verbose SQL Injection is loosly based around the idea that you are reading from error messages which the application is providing to your malformed requests. Blind SQL injection is a bit different in that you are basically "flying blind" with your attacks. In other words, there are no error messages being returned to you (however, there may be other indications which we won't go into here), but rather, you are forced to play 20 questions with the server. The basics behind this attack is you are asking the server yes-no, true-false, binary, etc. questions in an attempt to weed your way through a possible injection. (For more information on Blind SQL Injection, I would recommend this whitepaper from SPI Dynamics)

Convert Attacks

Conversion attacks are absolutely nothing new, but I wanted to push out a post (sounds like a bathroom break) here because quite often, folks are unfamiliar with this attack technique.

Conversion attacks are really quite simple whereas you might use the "convert" or "cast" functionality in a database to gather additional information. For example, you might use the attack string in a particular form field:

xxx-xx-xxxx '

to initiate the litmus test for SQL Injection. By the returned results, you might try something like....

xxx-xx-xxxx ' union select name from sysobjects - -

If we are provided good data, we might then try to convert 'name' in the request. We are assuming much at this point (please remember, i'm only trying to pass along the idea here), but if we were given data which met our needs, we might try to convert 'name' in our query with...

xxx-xx-xxxx' union select convert(int,(name)) from sysobjects - -

When using functionality such as convert, you will quite often receive (barring this is verbose SQL Injection) an error message which resembles:

Conversion failed when converting the nvarchar value of 'Table_Name' to data type int.

While the conversion does fail, the attack (actually, the error message) generates a table name in the error message itself.

Cast Attacks

Casting a variable is also a nice option with Injections. A cast specifies how to perform a conversion between two data types. A simple example might be:

someError=cast((select name from sysobjects) as int) - -

Again, what I am describing here is nothing new; however, it's a very handy solution that might be of great assistance in digging around for data.

Additional Information

If I were going to recommend a couple of resources for additional information on SQL Injection, you might check out: