Conference: Blackhat LV 2013
Title: ') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES')%00
Presenter: Roberto Salgado, Websec
Thoughts: This presentation really took my thoughts on SQL injection to the next level. He initially discusses some optimizations for retrieving data from the victim database using a method he created called the Bin2Pos Method. This method encodes the character being retrieved as its position in a known character set, converts that position to binary, and extracts the binary digits one at a time. Here is an example:
IF((@a:=MID(BIN(POSITION(MID((SELECT password from users where id=2 LIMIT 1),1,1)IN (CHAR(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70))),1,1))!= space(0),2-@a,0/0)
This is a very clever idea, but it requires the ability to use 2 different parameters. In addition, he talked about obfuscating different syntax to bypass scanners and firewalls. He has done very extensive research on the documented strange behaviors of the different SQL platforms. A truly epic thing he included in his presentation was how to combine multiple SQL tests for quote types into one test. This reduces the total number of tests that need to be performed, which means fewer calls to the server and gets the job done quicker. Here is his example:
3 Total Tests:
OR 1=1
OR '1'='1
OR "1"="1
OR COMBINE: OR 1#"OR"'OR''='"="'OR''='
AND COMBINE: !=0--+"!="'!='
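As an added example (not code from the talk or from this post), here is a small Python detector run over constructed request log lines. It shows that a scanner signature written for the three separate quote tests misses the combined form quoted above, and adds signatures for the combined test and for the Bin2Pos oracle. SAMPLE_LOG, the pattern names and the function names are all assumptions made here.

```python
import re

# Constructed sample request log lines (not from the talk). The payloads are
# the ones quoted in the post, shown URL-decoded so the patterns are readable.
SAMPLE_LOG = [
    "GET /item?id=1 200",
    "GET /item?id=1 OR 1=1 200",
    "GET /item?id=1 OR '1'='1 200",
    'GET /item?id=1 OR "1"="1 200',
    "GET /item?id=1 OR 1#\"OR\"'OR''='\"=\"'OR''=' 200",
    "GET /item?id=1 AND 1!=0--+\"!=\"'!=' 200",
    "GET /item?id=IF((@a:=MID(BIN(POSITION(MID((SELECT password from users "
    "where id=2 LIMIT 1),1,1)IN (CHAR(48,49,50))),1,1))!= space(0),2-@a,0/0) 500",
    "GET /search?q=rock and roll 200",
]

# The classic signature for the three separate quote tests: "OR x=x" with an
# optional quote of either style around each side.
CLASSIC_TAUTOLOGY = re.compile(r"""\bOR\s+['"]?(\w+)['"]?\s*=\s*['"]?\1""", re.I)

# Signatures for the techniques the talk describes. The combined test puts a
# quote directly against the OR/AND keyword, compares an empty string, or
# follows != with a quote; none of those shapes occur in the classic form.
TALK_PATTERNS = {
    "tautology": CLASSIC_TAUTOLOGY,
    "combined_quote_test": re.compile(
        r"""['"]\s*(?:OR|AND)\s*['"]|''\s*=|!=\s*['"]""", re.I),
    "bin2pos_oracle": re.compile(r"BIN\s*\(\s*POSITION\s*\(", re.I),
}


def classify(line):
    """Return the set of technique tags whose signature matches the line."""
    return {tag for tag, rx in TALK_PATTERNS.items() if rx.search(line)}


def scan(lines):
    """Map each flagged line index to its tags; clean lines are omitted."""
    return {i: classify(l) for i, l in enumerate(lines) if classify(l)}


def classic_misses(lines):
    """Indices the talk-aware signatures flag but the classic one does not."""
    return sorted(i for i, tags in scan(lines).items() if "tautology" not in tags)


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_LOG).items():
        print(i, sorted(tags), SAMPLE_LOG[i])
```

The classic signature catches lines 1 to 3 and nothing else; the combined forms on lines 4 and 5 and the Bin2Pos query on line 6 are only caught by the talk-aware signatures.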
Anyone building web applications on an SQL backend needs to watch this video. Anyone who works on web application firewalls and scanners needs to pay close attention to this as well. Ultimately this presentation opened my mind to whole new ways of thinking about information encoding to achieve injection!