Comments on: Quickpost: Quasi-Tautologies & SQL-Injection http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/ (blog 'DidierStevens) Sat, 11 Feb 2012 16:16:49 +0000 hourly 1 http://wordpress.com/ By: Didier Stevens http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37647 Thu, 04 Feb 2010 23:43:25 +0000 http://blog.didierstevens.com/?p=1966#comment-37647 @dblackshell: Actually, when you provide a constant as seed value, you can predict the next numbers and thus achieve 100% (or 0%) success rate.

]]> By: dblackshell http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37638 Thu, 04 Feb 2010 09:30:29 +0000 http://blog.didierstevens.com/?p=1966#comment-37638 As specified in the MySQL documentation for function RAND():

Returns a random floating-point value v in the range 0 <= v < 1.0. If a constant integer argument N is specified, it is used as the seed value, which produces a repeatable sequence of column values.

So to produce a Pseudo-random number, a parameter should be specified; and in that case would you have a 99% success rate

]]> By: Justin Clarke http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37632 Wed, 03 Feb 2010 23:53:49 +0000 http://blog.didierstevens.com/?p=1966#comment-37632 This is a nice twist on the concept – and its equally true that just looking for tautologies isn’t going to be a reliable measure as you can find something that will return true most of the time. I’m more of a fan of something that learns the syntax of the SQL code itself, and then notes where it deviates. GreenSQL does this to some extent, however I did see a fascinating talk at BlackHat USA a few years ago on using formal grammars for detecting SQL Injection – this would be a good example in that having a tautology (or even near one) would change the grammar tree generated and allow you detect tampering. Haven’t heard anything on anyone trying this approach since then – its a bit of a challenge as you need a grammar for each dialect of SQL, unfortunately.

]]> By: Didier Stevens http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37622 Wed, 03 Feb 2010 10:08:06 +0000 http://blog.didierstevens.com/?p=1966#comment-37622 @dblackshell No, I assume the PRNG produces random numbers following a uniform distribution (http://en.wikipedia.org/wiki/Pseudorandom_number_generator), so on average, the injection will succeed around 99% of the time.

]]> By: dblackshell http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37620 Wed, 03 Feb 2010 07:33:01 +0000 http://blog.didierstevens.com/?p=1966#comment-37620

you stand a 99% chance of being succesful (provided the application is vulnerable to SQL-injection)!

I think the chances are unknown, because it’s random.

]]> By: xanda http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37590 Tue, 02 Feb 2010 16:13:07 +0000 http://blog.didierstevens.com/?p=1966#comment-37590 GreenSQL will also detect the attempt of quasi-tautologies with ‘or’ token

]]> By: Didier Stevens http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37589 Tue, 02 Feb 2010 14:45:58 +0000 http://blog.didierstevens.com/?p=1966#comment-37589 @oldami Yes, this is a pure tautology.

]]> By: oldami http://blog.didierstevens.com/2010/02/02/quickpost-quasi-tautologies-sql-injection/#comment-37585 Tue, 02 Feb 2010 13:13:37 +0000 http://blog.didierstevens.com/?p=1966#comment-37585 how about comparing the current seconds != 99?
Always true and the system would have to know the valid range for anything that might be compared to detect this.

]]>