The following article will try to help beginners with grasping the problems facing them while trying to utilize SQL Injection techniques, to successfully utilize them, and to protect themselves from such attacks.
1.0 Introduction
When a machine has only port 80 opened, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patch his server, we have to turn to web hacking. SQL injection is one of type of web hacking that require nothing but port 80 and it might just work even if the admin is patch-happy. It attacks on the web application (like ASP, JSP, PHP, CGI, etc) itself rather than on the web server or services running in the OS.This article does not introduce anything new, SQL injection has been widely written and used in the wild. We wrote the article because we would like to document some of our pen-test using SQL injection and hope that it may be of some use to others. You may find a trick or two but please check out the "9.0 Where can I get more info?" for people who truly deserve credit for developing many techniques in SQL injection.
1.1 What is SQL Injection?
It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.
1.2 What do you need?
Any web browser.
2.0 What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:
Everything between the have potential parameters that might be useful (exploit wise).
2.1 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters, like:http://duck/index.asp?id=10
3.0 How do you test if it is vulnerable?
Start with a single quote trick. Input something like:
hi' or 1=1--
Into login, or password, or even in the URL.
Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly.
Example:
If luck is on your side, you will get login without any login name or password.
3.1 But why ' or 1=1--?
Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:http://duck/index.asp?category=foodIn the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that we created for this exercise):v_cat = request("category")sqlstr="
SELECT * FROM product WHERE PCategory='" & v_cat & "'"set rs=conn.execute(sqlstr)
As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:SELECT * FROM product WHERE PCategory='food'
The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.Now, assume that we change the URL into something like this:http://duck/index.asp?category=food' or 1=1--Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. A double dash "--" tell MS SQL server ignore the rest of the query, which will get rid of the last hanging single quote ('). Sometimes, it may be possible to replace double dash with single hash "#".
However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'It should return the same result.Depending on the actual SQL query, you may have to try some of these possibilities:' or 1=1--" or 1=1--or 1=1--' or 'a'='a" or "a"="a') or ('a'='a
Where can I get more info?One of the earliest works on SQL Injection we have encountered should be the paper from Rain Forest Puppy about how he hacked
PacketStorm.http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
Great article on gathering information from ODBC error messages:http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
A good summary of SQL Injection on various SQL Server on http://www.owasp.org/asac/input_validation/sql.shtml
Senseport's article on reading SQL Injection:http://www.sensepost.com/misc/SQLinsertion.htm
Other worth readings:
http://www.digitaloffense.net/wargames01/IOWargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
Thursday, August 04, 2005
SQL Server June 2005 Community Technology Preview
SQL Server 2005 is Microsoft's next-generation data management and analysis software designed to deliver increased scalability, availability, and security to enterprise data and analytical applications while making them easier to create, deploy, and manage.
SQL Server June 2005 Community Technology Preview (CTP) is the first version of SQL Server 2005 made available for general testing. Previous versions have been available only to customers enrolled in the SQL Server 2005 beta program or those with an MSDN subscription. Please note that you cannot deploy SQL Server June 2005 Community Technology Preview in production environments. Also, peer-to-peer support is available through the SQL Server 2005 newsgroups listed in the Resources section below. SQL Server June 2005 Community Technology Preview is available from these locations:
• DVDs. This Web page lets you order both a DVD containing the SQL Server June 2005 CTP and a DVD containing the SQL Server 2005 Readiness Kit that provides additional information such as white papers and hands-on labs. You can also order Visual Studio 2005 Beta 2.
• Downloads. To download an edition of SQL Server 2005, please select an edition in the Downloads box in the upper right and click Go.
• BetaPlace. If you are enrolled in the SQL Server 2005 beta program, SQL Server June 2005 CTP downloads are available from the BetaPlace Web site.
• MSDN Subscription. SQL Server June 2005 CTP is also available if you subscribe to MSDN Universal, Enterprise, or Professional.
SQL Server June 2005 Community Technology Preview (CTP) is the first version of SQL Server 2005 made available for general testing. Previous versions have been available only to customers enrolled in the SQL Server 2005 beta program or those with an MSDN subscription. Please note that you cannot deploy SQL Server June 2005 Community Technology Preview in production environments. Also, peer-to-peer support is available through the SQL Server 2005 newsgroups listed in the Resources section below. SQL Server June 2005 Community Technology Preview is available from these locations:
• DVDs. This Web page lets you order both a DVD containing the SQL Server June 2005 CTP and a DVD containing the SQL Server 2005 Readiness Kit that provides additional information such as white papers and hands-on labs. You can also order Visual Studio 2005 Beta 2.
• Downloads. To download an edition of SQL Server 2005, please select an edition in the Downloads box in the upper right and click Go.
• BetaPlace. If you are enrolled in the SQL Server 2005 beta program, SQL Server June 2005 CTP downloads are available from the BetaPlace Web site.
• MSDN Subscription. SQL Server June 2005 CTP is also available if you subscribe to MSDN Universal, Enterprise, or Professional.
Editions Available in this CTP
The following editions of SQL Server 2005 are available for download in the SQL Server June 2005 CTP:
Enterprise Edition Enterprise
Edition scales to the performance levels required to support the largest enterprise online transaction processing (OLTP), highly complex data analysis, data warehousing systems, and Web sites. Enterprise Edition's comprehensive business intelligence and analytics capabilities and its high-availability features such as failover clustering and database mirroring allow it to handle the most critical enterprise workloads. Enterprise Edition is the most comprehensive edition of SQL Server and is ideal for the largest organizations and the most complex requirements. Note: To evaluate 64-bit edition features, please download the Developer Edition.
Standard Edition (32-bit and 64-bit)
Standard Edition is the data management and analysis platform for small and medium-sized organizations. It includes the essential functionality needed for e-commerce, data warehousing, and line-of-business solutions. Standard Edition's integrated business intelligence and high-availability features provide organizations with the essential capabilities needed to support their operations. Standard Edition is ideal for the small- to medium-sized organization that needs a complete data management and analysis platform.
Workgroup Edition Workgroup
Edition is the data management solution for small organizations that need a database with no limits on size or number of users. Workgroup Edition can serve as a front-end Web server or for departmental or branch office operations. It includes the core database features of the SQL Server product line and is easily upgradeable to Standard or Enterprise Edition. Workgroup Edition is an ideal entry-level database that is reliable, robust, and easy to manage.
Developer Edition (32-bit and 64-bit)
Developer Edition allows developers to build any type of application on top of SQL Server. It includes all of the functionality of Enterprise Edition, but is licensed for use as a development and test system, not as a production server. Developer Edition is an ideal choice for independent software vendors, consultants, system integrators, solution providers, and corporate developers who build and test applications. Developer Edition can be upgraded to SQL Server Enterprise Edition for production use.
Express Edition
Express Edition is a free, easy-to-use, and simple-to-manage database. Integrated with Microsoft Visual Studio 2005, Express Edition makes it easy to develop data-driven applications that are rich in capability, more secure in storage, and fast to deploy. Express Edition is free and can be redistributed (subject to agreement), and functions as the client database as well as a basic server database. Express Edition is an ideal choice for low-end independent software vendors, low-end server users, nonprofessional developers building Web applications, and hobbyists building client applications.
Express Manager
SQL Server 2005 Express Manager is a new and free database management tool designed for ease of use with SQL Server Express Edition. Express Manager includes numerous features to simplify, automate, and reduce the complexity of database support and administration.
For more information about the differences in features and capabilities of the SQL Server 2005 editions, please review the SQL Server 2005 Features Comparison.
Subscribe to:
Posts (Atom)
Posts
