A lot of papers have been published on SQL injection in Microsoft SQL Server applications, and because Sybase and MS SQL Server have a common heritage, it is worthwhile to take a quick survey of the known techniques and see how well they work in Sybase.
Sybase uses the -- and /* comment styles in exactly the same manner as MS SQL Server, so you can truncate queries in the same way using the -- sequence. It's unwise to get too hung up on -- because it's always possible to complete the query in a manner that makes the comment sequence unnecessary. For example, in the preceding UNION SELECT example, we could just conclude the query with an unnecessary “or” term:
This way we would make the entire query syntactically correct. In general, a superfluous “or” operator in a where clause will work, or (if you're injecting a batch of statements) an additional “select” at the end of the batch.
As you have just seen, “union select” statements work in almost exactly the same way.
Sybase error messages are almost as helpful as MS SQL Server error messages. Specifically, the “integer conversion” trick works identically. ...
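The practical consequence of the two points above (a blocklist on comment sequences does not stop an injected “or” term, and verbose database errors help the attacker) is easiest to see side by side. The following is an added example, not code from the original text; it uses Python's built-in SQLite as a stand-in for Sybase (an assumption made so it runs offline; the binding lesson is identical for any DB-API driver, only the parameter marker differs), and the `users` table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data; SQLite is an assumed stand-in for Sybase here.
CONSTRUCTED_ROWS = [("alice", "s3cret", 1), ("bob", "hunter2", 0)]


def make_db():
    """Build an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", CONSTRUCTED_ROWS)
    conn.commit()
    return conn


def strip_comments(value):
    """Naive blocklist: remove the -- and /* */ sequences the text discusses.
    This is what NOT to rely on; it is here to show that it changes nothing."""
    return value.replace("--", "").replace("/*", "").replace("*/", "")


def lookup_concat(conn, name):
    """Vulnerable form: user input is spliced into the SQL text, so a
    superfluous "or" term (no comment sequence needed) is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + strip_comments(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened form: the input is bound as a value and never parsed as SQL,
    so quotes, "or", "union select" and comment markers are all inert."""
    cursor = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cursor]


def safe_lookup(conn, name):
    """Application boundary: bind parameters AND swallow the driver's error text.
    The "integer conversion" trick only works when the database's own message
    (with the converted value inside it) reaches the caller."""
    try:
        return {"ok": True, "rows": lookup_param(conn, name)}
    except sqlite3.Error:
        # Log the real exception server-side; return only a generic message.
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    # Input that completes the query with an unnecessary "or" term, as the text describes.
    superfluous_or = "nobody' or 'a'='a"
    print(lookup_concat(db, superfluous_or))  # every row: the comment blocklist did nothing
    print(lookup_param(db, superfluous_or))   # []: no user is literally named that
    print(safe_lookup(db, "alice"))           # {'ok': True, 'rows': ['alice']}
```

Running it shows the concatenated query returning both rows for the crafted name even though no comment sequence was used, while the parameterized query returns nothing for the same input; the `safe_lookup` wrapper additionally ensures that a failed conversion or any other driver error is reported generically rather than echoed back.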