Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Introducing SQLol

At the most recent Austin Hackers Association meeting I unveiled a project I've been working on for a couple months now called "SQLol". I was helping a colleague to exploit an SQL injection flaw in the wild with a MySQL backend database. It was a blind SQL injection flaw but none of the myriad of tools available to automate SQL injection were working properly.

I knew a technique existed for extracting data from verbose errors in SQL Server: Cast a non-numeric string to an integer and you'll get an error like the following:

"Failed to cast varchar value 'whateverstringyouwerecasting' to type int."

What's interesting about this error is that you can do a subquery to pull some bit of information out of the database and then have it handed to you in an error message by casting it to an integer. I have a feeling that this sort of extraction method is possible for any type of database you can encounter, it's just a matter of poking through the error messages the database can throw, picking out the ones with dynamic parts (usually they have %s somewhere in there) and figuring out how to get the data you want into one of them.

With some experimentation and research, we found an error-based extraction technique for MySQL and were able to pull data from the database much faster than we could have with blind SQL injection techniques. I mused about the many different techniques for data extraction from SQL injection flaws and lamented the fact that I have never seen a vulnerability test-bed that includes SQLi verbose error extraction techniques. For that matter, I have never seen a vulnerability test-bed which includes SQL injection in a DELETE query. The vast majority of the SQLi fu I have acquired over the years is through real-world exploitation, which is certainly sub-optimal.

So, with inspiration in hand, I set out to make a test-bed specifically for SQL injection flaws, one which would be useful to those who know nothing about SQLi, those who are on the dizzying edge, and all those in-between. To put it poetically, here's a sonnet in iambic pentameter about SQLol:

I humbly posit that the current state

(With much respect to work which does precede)

Of test-beds made with vulns to demonstrate

Is lacking some in flexibility.

Two options are presented present-day,

As far as when one deals with S-Q-L:

A blind injection (bool or time delay)

And UNION statement hax (oh gee, how swell…)

Imagine we could choose how queries read

And how our input sanitizes, oh!

How nimble and specific we could be

To recreate our 'sploit scenarios.

And thus is S-Q-L-O-L conceived:

That we can study how to pwn DBs.

Ahem. Now that I'm done being inexcusably geeky, let's examine some of the customization features that SQLol offers:

Type of query (SELECT, DELETE, INSERT, UPDATE, and custom)

Injection location (String/Int in WHERE clause, column name, ORDER BY clause, etc.)

Type and level of sanitization (Single quotes [remove, escape, double], keyword blacklist [three levels of difficulty], etc.)

Query result verbosity (No rows, One row, All rows)

Error verbosity (No errors, Generic errors, Verbose errors)

Additionally, SQLol comes with a set of challenges which task you with performing some flavor of SQL injection and have pre-configured settings. And if that's not enough, there's even a reset button which allows you to nuke the SQLol database from orbit and rebuild it, should you happen to make it useless, for instance when you experiment with DELETE query injection.

SQLol is be available on the SpiderLabs GitHub.

Latest SpiderLabs Blogs

Fare Thee Well ModSecurity: End-of-Life and Last Commercial Rules Update for June 2024

A Fourteen-Year Journey Comes to an End In June 2010, Trustwave acquired Breach Security, which brought with it the popular Open-Source Web Application Firewall ModSecurity for Apache. At that time,...

Read More

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More