1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
117 118<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Version<br />
There are three ways to gain this information:<br />
[1] By using the global variable @@version<br />
[2] By using the function [VERSION()]<br />
[3] By using comment fingerprinting with a version number /*!40110<br />
and 1=0*/<br />
which means<br />
if(version >= 4.1.10)<br />
add ‘and 1=0’ to the query.<br />
Result Expected:<br />
A string like this:<br />
user@hostname<br />
Database name in use<br />
There is the native function DATABASE()<br />
In band injection:<br />
1 AND 1=0 UNION SELECT DATABASE()<br />
1 AND 1=0 UNION SELECT @@version /*<br />
Note: there is no way to bypass single quotes surrounding a filename.<br />
So if there’s some sanitization on single quotes like escape (\’) there<br />
will be no way to use the ‘into outfile’ clause.<br />
This kind of attack could be used as an out-of-band technique to gain<br />
information about the results of a query or to write a file which could<br />
be executed inside the web server directory.<br />
Example:<br />
vided by MySQL server.<br />
• String Length:<br />
LENGTH(str)<br />
• Extract a substring from a given string:<br />
• SUBSTRING(string, offset, #chars_returned)<br />
• Time based Blind Injection: BENCHMARK and SLEEP<br />
• BENCHMARK(#ofcycles,action_to_be_performed )<br />
• The benchmark function could be used to perform timing attacks,<br />
when blind injection by boolean values does not yield any results.<br />
• See. SLEEP() (MySQL > 5.0.x) for an alternative on benchmark.<br />
These are equivalent as the result is the same.<br />
In band injection:<br />
1 AND 1=0 UNION SELECT @@version /*<br />
Inferential injection:<br />
1 AND @@version like ‘4.0%’<br />
Result Expected:<br />
A string like this:<br />
5.0.22-log<br />
Login User<br />
There are two kinds of users MySQL Server relies upon.<br />
[1] [USER()]: the user connected to the MySQL Server.<br />
[2] [CURRENT_USER()]: the internal user who is executing the query.<br />
There is some difference between 1 and 2. The main one is that an<br />
anonymous user could connect (if allowed) with any name, but the<br />
MySQL internal user is an empty name (‘’). Another difference is that<br />
a stored procedure or a stored function are executed as the creator<br />
user, if not declared elsewhere. This can be known by using CUR-<br />
RENT_USER.<br />
In band injection:<br />
1 AND 1=0 UNION SELECT DATABASE()<br />
Inferential injection:<br />
1 AND DATABASE() like ‘db%’<br />
Inferential injection:<br />
1 AND DATABASE() like ‘db%’<br />
Result Expected:<br />
A string like this:<br />
INFORMATION_SCHEMA<br />
From MySQL 5.0 a view named [INFORMATION_SCHEMA] was created.<br />
It allows us to get all informations about databases, tables, and<br />
columns, as well as procedures and functions.<br />
Here is a summary of some interesting Views.<br />
Tables_in_INFORMATION_SCHEMA<br />
..[skipped]..<br />
SCHEMATA<br />
SCHEMA_PRIVILEGES<br />
TABLES<br />
TABLE_PRIVILEGES<br />
COLUMNS<br />
COLUMN_PRIVILEGES<br />
VIEWS<br />
ROUTINES<br />
TRIGGERS<br />
USER_PRIVILEGES<br />
DESCRIPTION<br />
..[skipped]..<br />
All databases the user has (at least) SELECT_priv<br />
The privileges the user has for each DB<br />
All tables the user has (at least) SELECT_priv<br />
The privileges the user has for each table<br />
All columns the user has (at least) SELECT_priv<br />
The privileges the user has for each column<br />
All columns the user has (at least) SELECT_priv<br />
Procedures and functions (needs EXECUTE_priv)<br />
Triggers (needs INSERT_priv)<br />
Privileges connected User has<br />
All of this information could be extracted by using known techniques<br />
as described in SQL Injection section.<br />
Attack vectors<br />
Write in a File<br />
If the connected user has FILE privileges and single quotes are not escaped,<br />
the ‘into outfile’ clause can be used to export query results in<br />
a file.<br />
1 limit 1 into outfile ‘/var/www/root/test.jsp’ FIELDS EN-<br />
CLOSED BY ‘/’ LINES TERMINATED BY ‘\n’;<br />
Result Expected:<br />
Results are stored in a file with rw-rw-rw privileges owned by MySQL<br />
user and group.<br />
Where /var/www/root/test.jsp will contain:<br />
/field values/<br />
<br />
Read from a File<br />
Load_file is a native function that can read a file when allowed by<br />
the file system permissions. If a connected user has FILE privileges, it<br />
could be used to get the files’ content. Single quotes escape sanitization<br />
can by bypassed by using previously described techniques.<br />
load_file(‘filename’)<br />
Result Expected:<br />
The whole file will be available for exporting by using standard techniques.<br />
Standard SQL Injection Attack<br />
In a standard SQL injection you can have results displayed directly<br />
in a page as normal output or as a MySQL error. By using already<br />
mentioned SQL Injection attacks and the already described MySQL<br />
features, direct SQL injection could be easily accomplished at a level<br />
depth depending primarily on the MySQL version the pentester is<br />
facing.<br />
A good attack is to know the results by forcing a function/procedureor<br />
the server itself to throw an error. A list of errors thrown by MySQL<br />
and in particular native functions could be found on MySQL Manual.<br />
Out of band SQL Injection<br />
Out of band injection could be accomplished by using the ‘into outfile’<br />
clause.<br />
Blind SQL Injection<br />
For blind SQL injection, there is a set of useful function natively pro-<br />
For a complete list, refer to the MySQL manual at http:/dev.mysql.<br />
com/doc/refman/5.0/en/functions.html<br />
Tools<br />
• Francois Larouche: Multiple DBMS SQL Injection tool - http:/www.<br />
sqlpowerinjector.com/index.htm<br />
• ilo--, Reversing.org - sqlbftools<br />
• Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http:/<br />
sqlmap.org/<br />
• Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool -<br />
http:/code.google.com/p/mysqloit/<br />
• http:/sqlsus.sourceforge.net/<br />
References<br />
Whitepapers<br />
• Chris Anley: “Hackproofing MySQL” - http:/www.databasesecurity.<br />
com/mysql/HackproofingMySQL.pdf<br />
Case Studies<br />
• Zeelock: Blind Injection in MySQL Databases - http:/archive.cert.<br />
uni-stuttgart.de/bugtraq/2005/02/msg00289.html<br />
Testing for SQL Server<br />
Summary<br />
In this section some SQL Injection techniques that utilize specific features<br />
of Microsoft SQL Server will be discussed.<br />
SQL injection vulnerabilities occur whenever input is used in the construction<br />
of an SQL query without being adequately constrained or<br />
sanitized. The use of dynamic SQL (the construction of SQL queries by<br />
concatenation of strings) opens the door to these vulnerabilities. SQL<br />
injection allows an attacker to access the SQL servers and execute SQL<br />
code under the privileges of the user used to connect to the database.<br />
As explained in SQL injection, a SQL-injection exploit requires two<br />
things: an entry point and an exploit to enter. Any user-controlled<br />
parameter that gets processed by the application might be hiding a<br />
vulnerability. This includes:<br />
• Application parameters in query strings (e.g., GET requests)<br />
• Application parameters included as part of the body of a POST request<br />
• Browser-related information (e.g., user-agent, referrer)<br />
• Host-related information (e.g., host name, IP)<br />
• Session-related information (e.g., user ID, cookies)<br />
Microsoft SQL server has a few unique characteristics, so some exploits<br />
need to be specially customized for this application.