Whenever I find a SQL injection vulnerability I always throw sqlmap at the injection point. It's a simple, easy-to-use tool that will not only prove the vulnerability but allow you to extract data, gain command execution, and generally push further on with your penetration test. If I come across a filter or a web application firewall, then I'll habitually break out Burp Suite and start working on filter evasion manually; however, there's often a simpler way.
Evading user input filters whilst trying to exploit SQL injection is often a case of trying to format the same payloads but with different characters. Take the following payload for example:
' AND 3>2 --
I could rewrite this payload in a number of ways depending on which part of the payload was being filtered. For example, if the greater-than sign is being filtered, I could replace it with an encoded character:
' AND 3%3E2 --
' AND 3%253E2 --
' AND 3%u003e2 --
Alternatively I could simply reformat the payload to achieve the same result, such as:
' AND 2<3 --
' AND 2<>3 --
' AND 2!=3 --
These simple transforms can be achieved in an automated way with the tool that we know and love, sqlmap. If you're unfamiliar with this tool, then check out the Introduction to sqlmap post first. If you're comfortable with the interface, though, you'll be glad to know this tool has "tamper scripts" which alter the payloads sent to the server automatically and can achieve this type of evasion. A quick way to see what types of evasion are available is to take a look at the current list of tamper scripts. Each script includes a brief description and an example. Evasion using URI encoding could be achieved with the following sqlmap command:
python sqlmap.py --tamper=charencode
You can also enter more than one filter script on the same line, like this:
python sqlmap.py --tamper=charencode,appendnullbyte,escapequotes
Want to try this kind of evasion on a working application? Check out GracefulSecurity's VulnVM. You'll find two SQL injection vulnerabilities hidden in that application which, on level 2, can be exploited using the right tamper script!