Before I begin, I realize that what I'm attempting is bizarre and hackish. It's just for an isolated pen test, specifically SQL Injection.

What I need to do is write a SQL statement that behaves differently when executing on a MySQL database than it does when executing on a SQL Server Database.

Edit:

The limitation of the query I can build is that I can only change what's after the "WHERE id =" clause. I can't affect any other part of the query. Specifically, I need to be able to attach a " UNION SELECT * FROM some_other_table" that only gets executed by the SQL Server to the end of my input.

This obviously would blow up MySQL because it doesn't have the tables I'm unioning.

Specifically:

SELECT * FROM USERS 
WHERE id = My input -> (MySQL code: 'x' or 1=1 )
                       (MSSQL code 'x' or 1=1 UNION SELECT * FROM table)

The problem is, if either statement gets executed by the database it wasn't meant for, it blows up (and not in the way I need it to).

This led to my discovery of Conditional/Executable Comments in MySQL.

SELECT * FROM USERS 
WHERE id = /*! This will be executed but only by mysql */

That's great but I still can't prevent MySQL from executing MSSQL! I can only stop MSSQL from executing MySQL code.

My initial idea was to have a comment inside the MySQL conditional like:

SELECT * FROM USERS
WHERE id = /*! 4 or 1=1 --*/ MSSQL code that is ignored by mysql

But this throws an error saying to check my syntax at a line with nothing on it near ''.

I don't fully understand why this doesn't work, but I know it doesn't work with any form of MySQL comment I know of (tried #, /*).

Is there a way to get my strange SQL statement to work? Or is there a way to do a conditional comment in MSSQL? I really just need MySQL to ignore anything after its conditional, but I have no idea how to make that happen without comments.

Will
  • Why must they be built as one query? Why can't you have one query set up for MySQL and another one for MSSQL? – Limey Nov 15 '12 at 19:38
  • It's a SQL injection for the pen test. So all I can do is alter queries. – Will Nov 15 '12 at 19:41
  • Doesn't the fact that you can send anything beyond an ID number prove that your test will fail? ;) – Limey Nov 15 '12 at 19:45
  • Can't you just submit "1 or id > 1" as your input if you are trying to get access? – Limey Nov 15 '12 at 19:47
  • @Limey Unfortunately, I need to inject the MySQL database AND the SQL Server database with one input. The actual setup is far too complex and specific for one Stackoverflow question so I isolated it to the concept that is preventing me from getting the sweet nectar of victory. – Will Nov 15 '12 at 19:51
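Every input shape the question describes (a MySQL executable comment `/*! ... */`, a trailing `--` or `#`, an appended `UNION SELECT`, an `or 1=1` tautology, a stray quote) lands in a `WHERE id =` sink that should only ever receive an integer. As an added example, not part of the original question or its answers, here is a small Python triage script that flags those indicators in constructed sample inputs and shows the fix on the application side: strict integer validation followed by parameter binding. The in-memory SQLite table is an assumed stand-in for the USERS table on the MySQL and SQL Server backends in the question; the rule names and the `demo_db`/`lookup_user` helpers are this example's own.

```python
import re
import sqlite3
from typing import Dict, List

# Constructed sample inputs for the "WHERE id = <input>" sink from the question.
# The middle entries reproduce the shapes the question shows; the others are controls.
SAMPLE_INPUTS = [
    "42",
    " 1234 ",
    "x' or 1=1",
    "/*! 4 or 1=1 --*/ mssql part",
    "1 UNION SELECT * FROM some_other_table",
    "7 #",
    "abc",
]

# Indicator rules, checked in order. The names are labels chosen for this example.
RULES = [
    ("mysql_versioned_comment", re.compile(r"/\*!")),             # /*! ... */ executable comment
    ("block_comment", re.compile(r"/\*|\*/")),                    # any C-style comment delimiter
    ("line_comment", re.compile(r"--|#")),                        # MySQL/MSSQL line-comment starts
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.I)),
    ("tautology", re.compile(r"\bor\s+(\w+)\s*=\s*\1\b", re.I)),  # or 1=1, or a=a
    ("quote", re.compile(r"'")),                                  # string delimiter in a numeric slot
]


def find_indicators(value: str) -> List[str]:
    """Return the names of all rules that match the raw input."""
    return [name for name, pattern in RULES if pattern.search(value)]


def is_valid_id(value: str) -> bool:
    """Positive validation: an id column accepts only a bounded decimal integer."""
    return re.fullmatch(r"\s*\d{1,18}\s*", value) is not None


def triage(inputs: List[str]) -> Dict[str, dict]:
    """Classify each input as valid/invalid and list the injection indicators it carries."""
    return {v: {"valid_id": is_valid_id(v), "indicators": find_indicators(v)} for v in inputs}


def demo_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the question's USERS table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_user(conn: sqlite3.Connection, raw_id: str):
    """The mitigated form of the query: validate, then bind the value as a parameter.

    The input never becomes part of the SQL text, so comment markers and UNION
    fragments cannot change the statement on any engine.
    """
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    for raw, verdict in triage(SAMPLE_INPUTS).items():
        print(f"{raw!r:45} valid_id={verdict['valid_id']!s:5} indicators={verdict['indicators']}")
    print(lookup_user(demo_db(), "1"))
```

The indicator rules are there for logging and alerting; they are deliberately not the control. The control is `is_valid_id` plus the `?` placeholder in `lookup_user`: once the id is validated as an integer and bound as a parameter, the question of which engine executes a `/*! ... */` block never arises, because no engine ever sees the input as SQL.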

1 Answer

I'm not sure if this is what you need, but if I understand correctly you want one SQL statement that returns different results on MySQL vs. SQL Server (if that's what "behaves differently" means?). If so, one place to start would be using a system function that has the same name and syntax but different behaviour, such as SUBSTRING():

select substring('test', -1, 1)

On SQL Server that returns an empty string, but on MySQL it returns t. I don't know if using SUBSTRING() is viable in your case, but if not you may be able to find another function that's easier to use in your query.

If this doesn't help at all then I suggest you provide some more details about what limitations you have in building your query.

Pondlife
  • I added some clarification on what I'm limited to. I do like your trick though, could be useful in another situation. – Will Nov 15 '12 at 19:55
  • @MobyD I still don't really understand what you want: what exactly should be in the `WHERE` clause and what does "behaves differently" mean? Do you want the query to run without error but return different results? Can you post a complete query that works in MySQL but not SQL Server (or vice versa) and explain precisely what should happen when you run it on SQL Server? – Pondlife Nov 15 '12 at 21:06
  • Behave differently means that one version of the SQL string works on one database but crashes on the other. Sorry for the confusion, there are a lot of complications with what I'm trying to do. – Will Nov 15 '12 at 21:13