Tuesday, March 27, 2012

Log Evasion using SQL Injection: Interesting technique




This is an interesting technique for hiding your information from a remote website during SQL injection.
This tutorial focuses mainly on log evasion via SQL injection.
Normally, when you do SQL injection carelessly (I have seen a lot of people do this), your IP address and your injection (which might be private, for bypassing things) are logged in the access_logs on a Linux server and in some log files on Windows.

So how do you bypass that?
Have you ever thought of it?
Well, greets to xpaulx :)



Ok, let us begin.

Certain web servers are configured in such a way that only requests of under 4,097 characters are fully logged. Requests that exceed this length are automatically truncated, with "..." in the middle of the request.

For example, we have the following request.

GET /page.php?id=69+and+false+union+select+1,2,@@version,4,5,6--

The request will be logged exactly as it is because it does not exceed the 4,097-character limit.

But what if we add a variable that does not actually exist to the request, such as &cacat=AAAA (4,097 times), like this:


GET /page.php?id=69+and+false+union+select+1,2,@@version,4,5,6--&cacat=AAAAAAA (4,097 times)


The variable will be ignored because the script does not use it, and our SQL injection will be processed successfully. The server, however, will try to log the full request, including our useless variable with 4k A's. Because the request exceeds 4,097 characters, it will be truncated, and the log entry will look something like this:


GET /page.php ... User Agent: Mozilla/4.0

Our SQL injection will no longer appear in the log file. We have successfully evaded having our attack logged.

Note: This will not work on all webservers.
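
Seen from the logging side, the truncation described above leaves its own traces. The following Python sketch is an added example, not part of the original post: it flags access-log entries whose request line was truncated, sits near the 4,097-character limit, or carries an unused parameter filled with padding. The combined log layout, the KNOWN_PARAMS allowlist, the thresholds and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

LIMIT = 4097                           # logging limit quoted in the post
KNOWN_PARAMS = {"/page.php": {"id"}}   # assumption: parameters each script really reads
REQ = re.compile(r'"([^"]*)"')         # first quoted field = request line

def inspect(request):
    """Return the reasons one logged request line looks padded or truncated."""
    parts = request.split(" ")
    # A complete request line is "METHOD URI HTTP/x.y"; truncation breaks that shape.
    if " ... " in request or len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["truncated"]
    reasons = []
    if len(request) >= LIMIT - 256:
        reasons.append("near-limit")
    url = urlsplit(parts[1])
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name not in KNOWN_PARAMS.get(url.path, set()):
            reasons.append("unknown-param:" + name)
        if len(value) > 512 and len(set(value)) <= 2:
            reasons.append("padding:" + name)
    return reasons

def scan(lines):
    """Return (line number, reasons) for every suspicious access-log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        reasons = inspect(m.group(1)) if m else ["unparsable"]
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample lines (documentation IP range, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [27/Mar/2012:10:00:01 +0000] "GET /page.php?id=69 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [27/Mar/2012:10:00:02 +0000] "GET /page.php ... " 200 512 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [27/Mar/2012:10:00:03 +0000] "GET /page.php?id=69&cacat=' + "A" * 4097
    + ' HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE):
        print(lineno, ", ".join(reasons))
```

A truncated entry means the query string is gone from that log, so the truncation itself is the finding. Capping the accepted request line below the logging limit (for example with Apache's LimitRequestLine directive) closes the gap between what is processed and what is logged.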
