true value. It may be '1'='1', or 'a'='a' or 'my dog'='my dog' or 'ron was here'='ron was here' or 'ron was here'='ron '+'was '+'here' (in MS SQL Server syntax) or ('ron' LIKE 'ro%') or 1<2 or . . . really—an infinite number of ways. The same is true when evading signatures of the form UNION SELECT. I can use UN/**/ION SEL/**/ECT to evade the pattern recognition software. I can even use hex encoding to evade the signature. For example, 0x554E494F4E can be injected instead of UNION.
The second problem is that some of these signatures may actually be used in real systems—it is not unheard of for people to use UNION ALL—and this is why SQL supports the construct. So your IDS may alert you on completely legal SQL, which is what the industry calls a false positive.
The second monitoring category involves SQL errors (exceptions). SQL injection attacks will almost always involve SQL errors. Let's look back at the examples of UNION SELECT earlier in the chapter (results shown in Figures 5.5 and 5.6). I showed you what would happen if the hacker injected SQL of the form:
select name, name, crdate from sysobjects where xtype='U'
If, for example, the hacker first tries to inject the more natural string:
select name, crdate from sysobjects where xtype='U'
the following error would be returned from the various databases (note that the precise SQL would be different for each database, but assume each one has a column number mismatch):
SQL Server:
Server: Msg 205, Level 16, State 1, Line 1
All queries in a SQL statement containing a UNION operator must
have an equal number of expressions in their target lists.
Oracle:
ORA-01789: query block has incorrect number of result columns
Sybase:
Msg 205, Level 16, State 1:
Server '---', Line 2:
All queries in a SQL statement containing set operators must
have an equal number of expressions in their target lists.
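As an added example (not from the book), the following Python shows both monitoring ideas above working together: it normalises a captured statement before matching the UNION SELECT signature (stripping the inline comments and decoding the 0x hex literal shown earlier), and it recognises the column-count mismatch errors quoted for SQL Server, Oracle and Sybase. The `triage` function and the sample statement and error text are constructed for this example and are not from the text.

```python
import re

# Error signatures for a UNION column-count mismatch, from the messages quoted
# in the text (SQL Server / Sybase "Msg 205", Oracle "ORA-01789").
UNION_MISMATCH_PATTERNS = [
    re.compile(r"\bMsg 205\b"),
    re.compile(r"\bORA-01789\b"),
    re.compile(r"(UNION|set) operators? must\s+have an equal number of expressions", re.I),
]

def normalize_sql(stmt):
    """Canonicalise a statement before signature matching: strip inline
    comments (UN/**/ION), decode 0x hex literals (0x554E494F4E -> UNION),
    collapse whitespace and upper-case the result."""
    stmt = re.sub(r"/\*.*?\*/", "", stmt, flags=re.S)

    def _decode_hex(m):
        try:
            return bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:  # odd length or non-ASCII bytes: leave the literal alone
            return m.group(0)

    stmt = re.sub(r"\b0x([0-9A-Fa-f]+)\b", _decode_hex, stmt)
    return " ".join(stmt.split()).upper()

def has_union_select(stmt):
    """Signature check on the normalised statement; UNION ALL SELECT counts too."""
    return re.search(r"\bUNION\s+(ALL\s+)?SELECT\b", normalize_sql(stmt)) is not None

def is_union_mismatch_error(err):
    return any(p.search(err) for p in UNION_MISMATCH_PATTERNS)

def triage(stmt, err=""):
    """Combine both monitoring signals. A UNION SELECT that also raised a
    column-count error is the probing pattern described in the text; a
    UNION SELECT that ran cleanly may be legitimate SQL (false positive)."""
    sig, error = has_union_select(stmt), is_union_mismatch_error(err)
    if sig and error:
        return "high"
    if sig or error:
        return "low"
    return "none"

if __name__ == "__main__":
    # Constructed sample event (statement plus error text), not captured traffic.
    stmt = "select a from t UN/**/ION SEL/**/ECT name, crdate from sysobjects"
    err = "Server: Msg 205, Level 16, State 1, Line 1"
    print(triage(stmt, err), normalize_sql(stmt))
```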