Bypassing checks for apostrophes in a database

by Max Dulin, April 01, 2018

Background

An SQL injection happens when user input is crafted so that it changes the structure of the query the application sends, making the database do something the developer never intended. For a login check against a table of users and passwords, the intended query looks something like:
SELECT * FROM users WHERE password = var1 AND username = var2
However, var1 and var2 do not reach the database that simply. In a language such as JavaScript the statement is built by string concatenation, and the application code itself has to supply the quotation marks that delimit the SQL string literals around the two values. So the construction actually looks like:
"SELECT * FROM users WHERE password = '" + var1 + "' AND username = '" + var2 + "'"

Bad inputs

A user can supply malicious inputs that change the intended meaning of the query:
username: hacker' OR 'A'='A
password: password' OR 1+2='3
The WHERE clause then reads password = 'password' OR 1+2='3' AND username = 'hacker' OR 'A'='A'. Because 'A'='A' is always true (and OR binds more loosely than AND), every row matches, and the attacker is logged in as the first user the database returns.

Mitigations

A common reaction to the above is input filtering: before the value is concatenated into the query, the application strips out characters that could break out of a string literal, such as ', " and other potentially dangerous characters.

Avoid this filter

But a blacklist like this can be worked around, because SQL has functions that can be called from inside the injected text, and the database evaluates them when it executes the statement.
The interesting one here is CHAR (MySQL and SQL Server; SQLite spells it char), which turns one or more ASCII codes into a string: CHAR(65) is 'A', and CHAR(97,100,109,105,110) is 'admin', written without a single quotation mark.
One caveat, because it is easy to get wrong: CHAR is evaluated after the statement has been parsed, so CHAR(39) yields an apostrophe as data and cannot close the string literal that the input sits in. Writing the username above as hacker CHAR(39) OR CHAR(39)ACHAR(39)=CHAR(39)A only compares the username column against that literal text; once the filter has removed the real apostrophe, that position is lost.
Where the trick does work is anywhere the injected text is already outside a string literal, most commonly an unquoted numeric parameter such as WHERE id = var1 with no quotes around var1. There the attacker needs string values but can spell every one of them as CHAR(...), so the filter for ' has nothing to remove and the comparison goes through untouched, for example: 0 OR username=CHAR(97,100,109,105,110)
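The whole chain, as an added example that is not the author's code: the concatenated login query from the Background section, the inputs from Bad inputs, the quote-stripping filter from Mitigations, and CHAR() both where it fails (inside a quoted literal) and where it works (an unquoted parameter). It uses Python with an in-memory SQLite database and constructed sample users, standing in for whatever database the post had in mind; the table layout, the user rows and the lookup_by_id_filtered endpoint are assumptions made for the demo, and SQLite's char() plays the role of CHAR() in MySQL and SQL Server.

```python
import sqlite3

# Added example, not code from the post. SQLite stands in for the database:
# its char() function plays the role of CHAR() in MySQL / SQL Server.


def make_db():
    """Constructed sample data: an in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable login from the Background section: the statement is built by
    string concatenation and the code supplies the quotes around each value."""
    sql = ("SELECT username FROM users WHERE password = '" + password +
           "' AND username = '" + username + "'")
    return [row[0] for row in conn.execute(sql)]


def strip_quotes(value):
    """The blacklist filter from the Mitigations section: drop ' and " ."""
    return value.replace("'", "").replace('"', "")


def login_filtered(conn, username, password):
    """Same concatenation, but both inputs pass through the quote filter first."""
    return login_concat(conn, strip_quotes(username), strip_quotes(password))


def lookup_by_id_filtered(conn, user_id):
    """Hypothetical unquoted parameter (not in the post): WHERE id = var1 with
    no quotes around var1, protected only by the quote filter. The input is
    already outside any string literal, so CHAR() can spell out any string
    the attacker needs without an apostrophe."""
    sql = "SELECT username FROM users WHERE id = " + strip_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """The robust fix: a parameterized query. The values never reach the SQL
    parser, so no character in them can change the statement's structure."""
    rows = conn.execute(
        "SELECT username FROM users WHERE password = ? AND username = ?",
        (password, username))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    evil_user, evil_pass = "hacker' OR 'A'='A", "password' OR 1+2='3"
    print("injection, no filter:   ", login_concat(db, evil_user, evil_pass))
    print("injection, filtered:    ", login_filtered(db, evil_user, evil_pass))
    print("CHAR(39) inside literal:",
          login_filtered(db, "hacker CHAR(39) OR CHAR(39)ACHAR(39)=CHAR(39)A", "x"))
    print("CHAR() outside literal: ",
          lookup_by_id_filtered(db, "0 OR username=CHAR(97,100,109,105,110)"))
    print("parameterized:          ", login_param(db, evil_user, evil_pass))
```

Run it directly to see the five outcomes side by side: the unfiltered injection returns every user, the filter blocks the apostrophe version, CHAR(39) inside the quoted literal matches nothing, CHAR() in the unquoted id lookup returns admin with no quote character in the input, and the parameterized query returns nothing for the malicious inputs.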

Enjoy it!

There are many other ways to get around character filters with SQL functions and alternative literal syntax; you just have to understand the dialect and the database version and software, and be creative. On the defending side, the only robust fix is to stop building queries from strings and use parameterized queries, which keep user input out of the SQL parser entirely.

