Conditional/Executable Comments in MySQL/SQL Server

Before I begin, I realize that what I'm attempting is bizarre and hackish. It's just for an isolated pen test, specifically SQL Injection.

What I need to do is write a SQL statement that behaves differently when executing on a MySQL database than it does when executing on a SQL Server Database.

Edit

The limitation of the query I can build is that I can only change what's after the "WHERE id =" clause. I can't affect any other part of the query. Specifically, I need to be able to attach a "UNION SELECT * FROM some_other_table" to the end of my input that only gets executed by SQL Server.

This obviously would blow up MySQL because it doesn't have the tables I'm unioning.

Specifically:

SELECT * FROM USERS 
WHERE id = My input -> (MySQL code: 'x' or 1=1 )
                       (MSSQL code 'x' or 1=1 UNION SELECT * FROM table)

The problem is, if either statement gets executed by the database it wasn't meant for, it blows up (and not in the way I need it to).

This led to my discovery of Conditional/Executable Comments in MySQL.

SELECT * FROM USERS 
WHERE id = /*! This will be executed but only by mysql */

That's great but I still can't prevent MySQL from executing MSSQL! I can only stop MSSQL from executing MySQL code.

My initial idea was to have a comment inside the MySQL conditional like:

SELECT * FROM USERS
WHERE id = /*! 4 or 1=1 --*/ MSSQL code that is ignored by mysql

But this throws an error saying to check my syntax at a line with nothing on it near ''.

I don't fully understand why this doesn't work, but I know it doesn't work with any form of MySQL comment I know of (tried #, /*).

Is there a way to get my strange SQL statement to work? Or is there a way to do a conditional comment in MSSQL? I really just need MySQL to ignore anything after its conditional comment, but I have no idea how to make that happen without comments.

Will asked Nov 13 '22 17:11
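The asymmetry the question describes (MySQL executes the body of `/*! ... */`, SQL Server treats it as an ordinary comment) matters on the defending side too: a log normaliser or WAF rule that strips every `/* ... */` block will hide exactly the part MySQL runs. The following is an added example, not code from the original post; the sample inputs are constructed and the function names are assumed here.

```python
import re

# Constructed sample inputs (not from the page) as they might appear in the
# "WHERE id = ..." position in application logs or a WAF feed.
SAMPLE_INPUTS = [
    "42",
    "42 /* ordinary comment */",
    "'x' or 1=1 /*! UNION SELECT * FROM some_other_table */",
    "'x' /*!50000 or 1=1 */",
]

# /*! ... */ with an optional 5-digit minimum version (e.g. /*!50000 ... */)
EXEC_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.DOTALL)
# Any other /* ... */ block comment
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.DOTALL)


def contains_executable_comment(text: str) -> bool:
    """True if text carries a MySQL executable comment. Other engines treat
    it as an ordinary comment, so its presence in user input is a strong
    sign the request is tailored to MySQL."""
    return EXEC_COMMENT.search(text) is not None


def normalize_as_mysql(text: str) -> str:
    """Rewrite text the way MySQL effectively parses it: plain comments are
    dropped, executable-comment bodies are kept (version prefix removed).
    A normaliser that strips every /* ... */ hides what MySQL will run."""
    kept = EXEC_COMMENT.sub(lambda m: m.group(2), text)
    return re.sub(r"\s+", " ", PLAIN_COMMENT.sub(" ", kept)).strip()


def normalize_as_mssql(text: str) -> str:
    """SQL Server has no executable comments: every /* ... */ is dropped."""
    stripped = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return re.sub(r"\s+", " ", stripped).strip()


def review(inputs):
    """Rows of (raw, as MySQL sees it, as SQL Server sees it, flagged)."""
    return [(s, normalize_as_mysql(s), normalize_as_mssql(s),
             contains_executable_comment(s)) for s in inputs]


if __name__ == "__main__":
    for row in review(SAMPLE_INPUTS):
        print(row)
```

Comparing the two normalised views side by side is what makes the payload visible in triage; a single engine-agnostic comment stripper shows only the SQL Server view.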


1 Answer

I'm not sure if this is what you need, but if I understand correctly you want one SQL statement that returns different results on MySQL vs. SQL Server (if that's what "behaves differently" means?). If so, one place to start would be using a system function that has the same name and syntax but different behaviour, such as SUBSTRING():

select substring('test', -1, 1)

On SQL Server that returns an empty string, but on MySQL it returns t. I don't know if using SUBSTRING() is viable in your case, but if not you may be able to find another function that's easier to use in your query.

If this doesn't help at all then I suggest you provide some more details about what limitations you have in building your query.

Pondlife answered Nov 15 '22 13:11