Oracle: ‘serv’||’ices’ Chapter 9

‘serv’+’ices’

■■

MySQL:

‘serv’ ‘ices’

[note the space]

If you are injecting into numeric data, then the following attack strings can

be used to fingerprint the database. Each of these items will evaluate to 0 on

the target database and generate an error on the other databases:

■■

Oracle:

BITAND(1,1)-BITAND(1,1)

■■

MS-SQL:

@@PACK_RECEIVED-@@PACK_RECEIVED

■■

MySQL:

CONNECTION_ID()-CONNECTION_ID()

A further point of interest when fingerprinting databases is the way in

which MySQL handles certain types of inline comments. If a comment begins

with the exclamation point character followed by a database version string,

then the contents of the comment are interpreted as actual SQL, provided that

the version of the actual database is equal to or later than that string; other-

wise, the contents are ignored and treated as a comment. This facility can be

used by programmers in a similar way to preprocessor directives in C,

enabling them to write different code that will be processed conditionally

upon the database version being used. It can also be used by an attacker to fin-

gerprint the exact version of the database. For example, injecting the following

string will cause the 

WHERE

clause of a 

statement to be false if the

MySQL version in use is greater than or equal to 3.23.02:

/*!32302 and 1=0*/