SQLi Without Quotes

So you can only inject SQL if application is not filtering quotes?

I’m not talking about injections like id=1 where you can simply start to inject statements!

I’m talking about a simple trick that allows a tester or attacker to break out from a string value, which are mandatory to be enclosed by single or double quotes (backticks also).

Thankfully, SQL allows us to escape special characters with a backslash (\)!

Here’s an example:

But this can be used out of its original context giving us the ability to change the parsing of SQL statements like in the following:

SELECT * FROM login WHERE username = '$INPUT1' AND password = '$INPUT2';

So if we use a backslash as $INPUT1 it will make the right next single quote be ignored like a common char! Parser then will look for the next one to pair with the 1st quote, which is the one that starts the password value.

What parser will do is highlighted in red:

SELECT * FROM login WHERE username = '\' AND password = '$INPUT2';

So by controlling the $INPUT2, the password field, we can control this query.

Here in Eternal Noobs, in our Database Injections Forum there was a challenge to bypass a login form.

Quotes are filtered with a simple PHP’s htmlentities() function with ENT_QUOTES flag set. If any result of the above query is returned then user is logged in.

Exploitation is straightforward using the backslash trick:

username: \
password: ||1#

Try it here.

The || is the equivalent of the logical “or” so we are building a statement where we are telling the database to pick up the user \’ AND password =  (which obviously does not exist) OR 1 (equivalent to TRUE), returning true. The hash sign is used to comment the rest of the query.

This same backslash trick can be used is several other scenarios, as long as we have at least 2 injection points in the same query.

#hack2learn

2 Replies to “SQLi Without Quotes”

Leave a Reply