2
votes

Is there a way to do a SQL injection without using the single quote '?

I've looked at a lot of questions, but they are all about single-quote escaping or they do not contain a solution (SQL Injection after removing all single-quotes and dash-characters).

I'm doing a hack game and basically I have to extract a password from a DB. I'm trying to do it by exploiting this query:

query = text("INSERT INTO data_table VALUES ([other values], '%s')" % data)
db.engine.execute(query, user=username)

trying to set data to:

'SELECT password FROM users WHERE username="admin" '

I think that this way the select should be executed and its result stored as data (I can easily read back that data from the website).

The problem is that when uploading the value that goes into data I cannot use the single quote ' (the system shows an error and I have to choose another value).

Is there a way to perform a similar injection without the single quote?

1
maybe you can encode the single quote, in html: ' in URL: %27 (st mnmn)
they're not working... I get them back in the displayed data (Stefano Cereda)
read this link: security.stackexchange.com/questions/37749/… maybe you'll find a solution there (st mnmn)

1 Answer

0
votes

This SELECT must be passed as a Scalar Subquery enclosed in parentheses.

If data is simply concatenated with the text, then setting it to

' || (SELECT password FROM users WHERE username='admin') || '

results in

INSERT INTO data_table VALUES ([other values], '' || (SELECT password FROM users WHERE username='admin') || '')

which is valid SQL concatenating empty strings and the result of the SELECT. Now the DBMS will happily execute it :-)
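The risk and its fix side by side, as an added example that is not part of the question or the answer: it rebuilds the question's `INSERT` against a constructed in-memory SQLite database (table names from the page, the `hunter2` password and the `id` column are assumed) and shows that the formatted query executes the answer's scalar subquery, while a bound parameter stores the same input as a plain string, which makes filtering single quotes unnecessary.

```python
import sqlite3

# The answer's payload, verbatim; it only has effect when spliced into SQL text.
PAYLOAD = "' || (SELECT password FROM users WHERE username='admin') || '"


def make_db():
    # Constructed sample schema and data standing in for the game's database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    con.execute("CREATE TABLE data_table (id INTEGER, data TEXT)")
    return con


def insert_vulnerable(con, data):
    # Mirrors the question's query: `data` is formatted into the SQL string,
    # so a quote inside it closes the literal and the rest is parsed as SQL.
    sql = "INSERT INTO data_table VALUES (1, '%s')" % data
    con.execute(sql)
    return con.execute("SELECT data FROM data_table WHERE id = 1").fetchone()[0]


def insert_parameterized(con, data):
    # Hardened form: the value travels as a bind parameter, never as SQL text,
    # so the same input is stored character for character.
    con.execute("INSERT INTO data_table VALUES (?, ?)", (2, data))
    return con.execute("SELECT data FROM data_table WHERE id = 2").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print(insert_vulnerable(con, PAYLOAD))      # hunter2
    print(insert_parameterized(con, PAYLOAD))   # the payload string itself
```

In the question's SQLAlchemy setup the equivalent fix is a named bind parameter inside `text()` (for example `:data`) with the value passed to `execute()`, instead of `%` formatting.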