
I have a problem I'm hoping someone could help with regarding the use of UNION SELECT in a scripted/automated way to find columns that are exploitable (having already found the number of columns using ORDER BY).

Doing this manually

Using `http://www.site.com/index.php?id=-2 UNION SELECT 1,2,3,4,5,6,7,8--`, I am aware I can manually view the column numbers that appear on the page to find the columns that are exploitable, but it is extremely difficult to try and parse these out of the response content or page source using a script in an automated way to find the exploitable columns that are revealed (unless someone knows of a reliable way this can be done?).

Automating this using a scanner/fuzzer

In a few scanners/fuzzers and SQL injection tools I have found some references to getting the UNION SELECT to return a specific 'keyword' on the page, which will indicate that this particular column is exploitable if that 'keyword' is then found in the response content.

For example:

http://www.site.com/index.php?id=-2 UNION SELECT "EXPLOITABLE",2,3,4,5,6,7,8--   <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,"EXPLOITABLE",3,4,5,6,7,8--   <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,2,"EXPLOITABLE",4,5,6,7,8--   <-- The word EXPLOITABLE **DID** appear on the page content so this column **IS** exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,2,3,"EXPLOITABLE",5,6,7,8--   <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,2,3,4,"EXPLOITABLE",6,7,8--   <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable

and so on, until it reaches the last column number, 8.

The 'keyword' being a word that would not normally be found on a webpage, so that false positives are prevented, e.g. EXPLOITABLE, InJeCtAbLE, AASSDDFFGG (or any variable you want).

The problem I am having:

As I am writing an SQL injection tool/fuzzer, I am looking to find the best way to find these exploitable columns in an automated/scriptable way, and the most logical method seems to be the one described above using the 'keyword' (unless anyone can suggest a better way).

This is because I can then just GET each URL with the UNION SELECT and the 'keyword', store the response content and then see if the variable 'keyword' I used appears in the response content. If it does, then I will know it is exploitable; if not, I will then move on to the next URL and so on until the script has tried this on all column numbers.

Would this be the best/most reliable method to determine exploitable columns using UNION SELECT or can you suggest any better method to use?

yonetpkbji
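The column-by-column probing described in the question leaves a distinctive trace in a web server's access log: a run of requests from one client in which a UNION SELECT with a fixed number of columns carries a non-numeric marker that moves from one position to the next. The following Python script is an added example written for this page from the detection side; it is not code from the question or from any scanner it mentions. The log lines, host, paths and client addresses are constructed for the demo, and the log format assumed is the common log format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). The host, client
# addresses, paths and sizes are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2013:15:10:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120
203.0.113.7 - - [04/Apr/2013:15:10:02 +0000] "GET /index.php?id=-2%20UNION%20SELECT%20%22EXPLOITABLE%22,2,3,4,5,6,7,8-- HTTP/1.1" 200 4870
203.0.113.7 - - [04/Apr/2013:15:10:03 +0000] "GET /index.php?id=-2%20UNION%20SELECT%201,%22EXPLOITABLE%22,3,4,5,6,7,8-- HTTP/1.1" 200 4870
203.0.113.7 - - [04/Apr/2013:15:10:04 +0000] "GET /index.php?id=-2%20UNION%20SELECT%201,2,%22EXPLOITABLE%22,4,5,6,7,8-- HTTP/1.1" 200 4901
198.51.100.9 - - [04/Apr/2013:15:11:00 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5002
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')
UNION_RE = re.compile(r'union\s+(?:all\s+)?select\s+(?P<cols>.+)',
                      re.IGNORECASE | re.DOTALL)


def parse_line(line):
    """Split one common-log-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def union_probe(value):
    """If a parameter value contains a UNION SELECT, return
    (column_count, positions_of_non_numeric_literals); otherwise None.
    Positions are 1-based, matching the column numbering used in the question."""
    m = UNION_RE.search(value)
    if not m:
        return None
    cols = m.group('cols')
    # Drop a trailing SQL comment (--, # or /*) used to swallow the rest of the query.
    cols = re.sub(r'(--|#|/\*).*$', '', cols, flags=re.DOTALL).strip()
    parts = [p.strip() for p in cols.split(',')]
    marker_positions = [i + 1 for i, p in enumerate(parts)
                        if not re.fullmatch(r'-?\d+', p)]
    return len(parts), marker_positions


def analyse(log_text):
    """Group UNION SELECT requests by (client, path, parameter) and flag the
    enumeration pattern: one column count, marker seen in two or more positions."""
    probes = defaultdict(lambda: {'columns': set(), 'positions': set(), 'requests': 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        url = urlsplit(rec['target'])
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                result = union_probe(value)
                if result is None:
                    continue
                ncols, positions = result
                entry = probes[(rec['client'], url.path, param)]
                entry['requests'] += 1
                entry['columns'].add(ncols)
                entry['positions'].update(positions)
    findings = []
    for (client, path, param), e in probes.items():
        findings.append({
            'client': client, 'path': path, 'param': param,
            'requests': e['requests'],
            'column_counts': sorted(e['columns']),
            'marker_positions': sorted(e['positions']),
            'enumeration': len(e['columns']) == 1 and len(e['positions']) >= 2,
        })
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f)
```

A single UNION SELECT request is already worth an alert; the `enumeration` flag adds the stronger signal that a client is walking the marker across every column of a fixed-width UNION, which is exactly the loop the question wants to script. Requests that arrive in a POST body or with the payload split across parameters are not covered by this log-only check.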

1 Answer

This is one of the best ways to do it, but be careful of error-based injection issues. You might find that every single result displays the random token in the output because each column is bound to an integer result, and a string will cause a cast error. In such a case, the only way to detect it is to look for typical SQL server / MySQL / PostgreSQL error messages in the output, and look for a different count of the token in the page.

Polynomial
  • I was hoping someone would say it's one of the best methods to use. I have experienced exactly what you described regarding the 'keyword' being found in every error for every column number, which is actually what made me question whether this would be the best method to use. So for such cases, what do you mean exactly when you say `'only way to detect it is to look for typical SQL server / MySQL / PostgreSQL error messages in the output, and look for a different count of the token in the page'`, as this is exactly the problem I am trying to solve? Thanks a lot – yonetpkbji Apr 04 '13 at 15:14
  • So, for example, when the error appears for a binding issue your token might appear once, but when your token appears for one issue you'll get one error, and when your token appears for another issue you'll get a different error. By checking that the error changes or that the number of instances of your token in the page changes, you can detect different behaviours. – Polynomial Apr 04 '13 at 15:17
  • Okay then, I think I understand what you mean. So look for error messages that differ from the rest, and chances are this will signify that the particular column is exploitable (in cases where the 'keyword' is always returned in the error message). Is this the kind of syntax you would use then --> `http://www.site.com/index.php?id=-2 UNION SELECT 1,"EXPLOITABLE",3,4,5,6,7,8--` as I can find very little information about this kind of method and how it can be written and used? Thanks a lot – yonetpkbji Apr 04 '13 at 15:58
  • Having thought about this over the weekend, would I be correct in thinking that if the 'keyword' I used was an integer rather than a string (e.g. instead of `"EXPLOITABLE"` I used `987987987987` as the 'keyword'), this would also accommodate instances where the columns are bound to an integer result? Thanks for your help. – yonetpkbji Apr 08 '13 at 09:16
  • Your point about 'look for a different count of the token in the page' is an important thing to consider; I didn't realise its importance until implementation, thanks. – yonetpkbji Apr 17 '13 at 15:18
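The answer and the comments above turn on two server-side behaviours: request values being pasted into the SQL text, and the database engine's own error message being returned to the client, which is what makes the token and the varying error text observable in the first place. The following Python script, added here as an example and not taken from the thread, shows a minimal product lookup in both forms against an in-memory SQLite database with a constructed schema. It uses a single-quoted `'EXPLOITABLE'` literal because SQLite may treat a double-quoted word as an identifier, and SQLite's lenient typing means the integer cast error the answer describes for other engines does not occur here; the error shown is a column-count mismatch instead.

```python
import sqlite3

MARKER = "EXPLOITABLE"  # the probe token used in the question, reused for the demo


def make_db():
    """Constructed in-memory catalogue; schema and rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "lamp", 20), (2, "chair", 45), (3, "desk", 120)])
    return conn


def _render(rows):
    return "\n".join(f"{r[0]} | {r[1]} | {r[2]}" for r in rows) or "No product found"


def render_vulnerable(conn, user_id):
    """String-concatenated query plus raw error leakage: the two behaviours the
    probes in the question and answer depend on. Returns the page body as text."""
    sql = "SELECT id, name, price FROM products WHERE id = " + user_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Leaks the engine's message verbatim, so an attacker can tell error types apart.
        return "Database error: " + str(exc)
    return _render(rows)


def render_hardened(conn, user_id):
    """Input validation, a parameterised query and a generic error page: the
    injected SQL never reaches the engine and error details never reach the client."""
    try:
        pid = int(user_id)
    except ValueError:
        return "Bad request"
    try:
        rows = conn.execute(
            "SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()
    except sqlite3.Error:
        # Log the detail server-side; the client only sees a fixed message.
        return "Something went wrong"
    return _render(rows)


if __name__ == "__main__":
    db = make_db()
    for payload in ("2",
                    "-2 UNION SELECT 1,'EXPLOITABLE',3--",   # marker in column 2
                    "-2 UNION SELECT 1,'EXPLOITABLE'--"):    # wrong column count
        print("vulnerable:", repr(render_vulnerable(db, payload)))
        print("hardened:  ", repr(render_hardened(db, payload)))
```

Run against the vulnerable handler, the three-column payload reflects the marker in the page and the two-column payload returns SQLite's own UNION error text, which is the difference in error messages the answer says a scanner has to look for. The hardened handler answers every injected value with the same "Bad request", so neither the marker nor an error message is there to be counted.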