Exploiting SQL Injection

Jason
Forum Fanatic


Joined: 19 Sep 2002
Posts: 16777215



PostPosted: Sun Dec 01, 2002 5:22 pm    Post subject: Exploiting SQL Injection

Hi, this was taken from the following URL: http://www.security-forums.com/forum/viewtopic.php?t=602

saxo wrote:

5. Do Not Send SQL Queries Without Filtering User Input

SQL Injection is the process of exploiting a Web application, usually through a Web form, tricking it to pass malicious SQL statements to the database server. With Microsoft's SQL Server, this is often done by entering a single quote in the Web form, followed by the correctly formed SQL. For example, consider the following code to authenticate a user from a Web form:

strSQL="SELECT * FROM Customers WHERE Username = '" & Request("Username") & "' AND Password = '" & strPassword & "'"

Now this code is quite typical of what you would see in a Web application. However, consider what would happen if the user entered the following:

Username: Test
Password: ' or True

When the strSQL string is built, the resulting SQL will be as follows:

strSQL="SELECT * FROM Customers WHERE Username = 'ValidUser' AND Password = '' or True --'"

This statement will essentially return the ValidUser customer, regardless of what password is set for that account; the True condition will always cause the WHERE condition to match. Note that the double dash ("--") at the end of the statement acts as a comment character, ignoring the remaining characters.

To sanitize form input for sending to a database, always be sure to escape the single quote by searching and replacing it with two single quotes. This will cause the database to send the quote string as a literal character rather than interpreting it as the closing of a string. Be aware, however, that since numeric input does not require quotes, this technique will not be effective. In the case of numeric input, simply check that the form input is indeed numeric.


My question is, how do you change the statement type? I.e., if you have a select statement, how can you change this to a delete * statement on the fly?

Cheers,

J
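The quoted section above describes a string-built login query and two mitigations (doubling single quotes, type-checking numeric input). The following is an added example, not code from the forum post or from saxo's original article; it uses an in-memory SQLite table as a stand-in for the SQL Server Customers table and shows the concatenated query beside the quote-escaped, parameterized and numeric-validated forms.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the page's Customers table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Id INTEGER, Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Customers VALUES (1, 'ValidUser', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the page's strSQL: user input is spliced straight into the SQL text,
    # so a quote in the input terminates the string and the rest is parsed as SQL.
    sql = ("SELECT * FROM Customers WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, username, password):
    # The page's first mitigation: double every single quote so the database
    # treats it as a literal character rather than the end of the string.
    def esc(s):
        return s.replace("'", "''")
    sql = ("SELECT * FROM Customers WHERE Username = '" + esc(username) +
           "' AND Password = '" + esc(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters: the driver passes the values as data, never as SQL text,
    # so no escaping logic has to be kept correct by hand.
    sql = "SELECT * FROM Customers WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def customer_by_id(conn, raw_id):
    # Numeric input is not quoted, so quote-doubling gives no protection there
    # (as the page notes); check that the value really is an integer first.
    if not raw_id.isdigit():
        raise ValueError("customer id must be numeric")
    row = conn.execute("SELECT Username FROM Customers WHERE Id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None
```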
AverageJoeUser
Just Arrived


Joined: 18 Dec 2002
Posts: 0
Location: US


PostPosted: Fri Dec 20, 2002 12:31 am

I would suggest looking around the 'net for some good papers. Off the top of my head, look to www.sqlsecurity.com and www.ngssoftware.com for some additional insight.

-AJ
ShaolinTiger
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia


PostPosted: Fri Dec 20, 2002 1:26 am

I'm pretty sure I posted something about how to exploit SQL injection...but I'm buggered if I can find it.

Maybe it was on Usenet...
Jason
Forum Fanatic


Joined: 19 Sep 2002
Posts: 16777215



PostPosted: Fri Dec 20, 2002 2:02 am

I think I figured this out a little while ago:

Quote:

Select * from customers where name = 'joe' ; delete * from customers


Very Happy

From what I understand, the semicolon is supposed to let you "finish" the current statement and begin a new one. Not tested it.

Thanks for posting though. Will bookmark the sites for future reference.

J
AverageJoeUser
Just Arrived


Joined: 18 Dec 2002
Posts: 0
Location: US


PostPosted: Fri Dec 20, 2002 6:55 pm

A good way to test for site vulnerability is to simply throw in a single quote (') in all user input fields. If these are fed directly into a SQL statement, it should fail (because you are appending an un-closed open quotation in the statement). This means that the backend DB is exposed and the front-end application is subject to exploit.

Also, user input is not limited to user input fields. Typical attack routes are URL querystring parameters, 'hidden' fields, cookies, and any other point where data is used/expected from the client/user. Further, ASP-bound SQL can/will expose DB structure through standard ODBC error messages...so do your best to remove SQL from the presentation layer.

Anyway, those sites should offer enough information on what to look for. Good luck!

-AJ
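The post above lists the symptoms a defender can look for: quote characters and statement separators arriving in querystring parameters, and a server error (the ODBC message leak) following them. The following is an added example, not code from the thread, that scans constructed web access-log lines (the log format and the sample requests are assumptions) and flags parameters carrying a quote, a comment token or a statement separator, raising the severity when the request also produced a 500.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (client, request, status); not from the page.
SAMPLE_LOG = """\
10.0.0.5 "GET /login.asp?Username=Test&Password=secret HTTP/1.0" 200
10.0.0.9 "GET /login.asp?Username=Test&Password=%27+or+True+-- HTTP/1.0" 500
10.0.0.9 "GET /customer.asp?id=7%3Bdelete+from+customers HTTP/1.0" 500
10.0.0.7 "GET /search.asp?q=o%27reilly HTTP/1.0" 200
"""

# Tokens that end a string, start a comment or chain a second statement.
SUSPICIOUS_TOKENS = ("'", "--", ";", "/*")


def parse_line(line):
    # Split one log line into (client, request path, HTTP status).
    client, rest = line.split(" ", 1)
    request = rest.split('"')[1]
    status = int(rest.rsplit(" ", 1)[1])
    path = request.split(" ")[1]
    return client, path, status


def suspicious_params(path):
    # URL-decode every query parameter and return those containing a flagged token.
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if any(tok in value for tok in SUSPICIOUS_TOKENS):
            hits.append((name, value))
    return hits


def scan_log(text):
    # One finding per request with flagged parameters: (client, path, hits, severity).
    findings = []
    for line in text.splitlines():
        client, path, status = parse_line(line)
        hits = suspicious_params(path)
        if not hits:
            continue
        # A 500 right after a quoted value is the ODBC-error symptom the post
        # describes, so rank it above a quote in ordinary text (e.g. a surname).
        severity = "high" if status == 500 else "low"
        findings.append((client, urlsplit(path).path, hits, severity))
    return findings
```

A lone apostrophe in a legitimate value (the o'reilly line) is reported at low severity only, which is why the status code is folded into the ranking.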
Jason
Forum Fanatic


Joined: 19 Sep 2002
Posts: 16777215



PostPosted: Fri Dec 20, 2002 7:05 pm

Cheers mate.

I got to that stage; it was just working out how to do something malicious with a select statement that I needed a bit of help with.

Thanks again.

J
Giro
New Member


Joined: 25 Mar 2004
Posts: 22
Location: England


PostPosted: Sat Dec 21, 2002 12:08 am

http://www.nextgenss.com/research/papers.html might help?
ComSec
Trusted SF Member


Joined: 26 Jul 2002
Posts: 16777215



PostPosted: Sat Dec 21, 2002 12:58 am

Here is another URL link I posted, related to SQL; you might pick some info up from here... don't know if it's been updated yet with a few programs.

http://www.sqlsecurity.com/scripts.asp