SQLi

Introduction : SQL injection is very popular and basic web application attack. Each level of hacker or security expert aware of this attack.

Here in this article we are going to discuss about Tautology based SQL injection.

Tautology means always true, any statement which will return always true is called as tautology.

Very well known and familiar tautology is ‘ OR ‘1’ = ‘1 . 

As all of the folks are very familiar with this basic tautology I am not going to describe more about basic Tautology based Injections.

Research Description : One day I found a situation like I gained access to one web site with the help of basic tautology. I successfully logged to the web site, the problem is I logged in as normal user and he is not having any write permission, or he is having basic permissions, with that I am almost reached dead end as that user don’t have any write permission. I tried with lot of other options to find other ways to collect more information. Finally I exhausted but no use.

After some time I got an idea why can’t we manipulate tautology, as always it is going to give us first record access. I started thinking of tautology manipulation to change the record selection. If direct tautology it will always give login access of first user(maximum situations). So if we can manipulate the query and control the record’s then we can login with other users. May be other users can have more permissions, so that I can get more information about that web site.

When I got this idea, I started implementing this. Opened MySQL and started different permutation combinations to change the order of the records. In sudden I got an Idea like what if I perform Order by on the query. As per my knowledge this should work. I started manipulating that.

' OR '1' = '1' ORDER BY 1--

I end up with this query. This worked for me. I am able to login as another user. Find the bellow mentioned full query formation.

SELECT * FROM USERS WHERE UName = '' OR '1'='1' AND Password = '' OR '1'='1' ORDER BY 1--

This will give us access of other users by changing the ORDER BY #no and ORDER BY #no ASC or DESC.

Some how I manipulated Tautology based injection. Still I didn’t feel comfortable with the solution, as I didn’t get full control over users. Once again I started thinking about other options to gain more control over query.

Same thing happened once again. I end up with another technique which given me full control over records of User’s table.

I have just taken advantage of LIMIT clause of MySQL database.

' OR 1 = 1 LIMIT 1,1;--

That’s it I got full control over User’s table. By changing the Offset value I can get specific record from User’s table. That means I have full control over User’s table, I  can pic any user from that table see full formation of Query.

SELECT * FROM USERS WHERE UName = '' OR '1'='1' AND Password = '' OR 1=1 LIMIT 1,1;--

After LIMIT first value is Offset and second one is number of records to be fetched, as we required only one record we can keep it as is and can change the Offset value like LIMIT 2,1  , LIMIT 3,1 etc.

Above solution will work for MySQL Database only. It is very easy to find other DB formations for retrieving same kind of information.

My SQL DB:

UName : a' OR '1' = '1
Password : a' OR 1 = 1 LIMIT 1,1--

Oracle DB :

UName : a' OR '1' = '1
Password : a' OR 1=1 AND ROWNUM = 1--

MS SQL Server DB:

UName : a' OR '1' = '1
Password : a' OR 1=1 ORDER BY ID OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY--

All of the above commands are executed in test environment and worked as expected.

This content is outcome of my research and only for education purpose, using this content for doing any malicious activities is not encourageable. I am not responsible for any kind of damage.