4.0

More documents

Recommendations

Info

120Web Application Penetration TestingResult Expected:If MySQL is present, the clause inside the comment block will beinterpreted.VersionThere are three ways to gain this information:[1] By using the global variable @@version[2] By using the function [VERSION()][3] By using comment fingerprinting with a version number/*!40110 and 1=0*/which meansif(version >= 4.1.10)add ‘and 1=0’ to the query.These are equivalent as the result is the same.In band injection:1 AND 1=0 UNION SELECT @@version /*Inferential injection:Database name in useThere is the native function DATABASE()In band injection:1 AND 1=0 UNION SELECT DATABASE()Inferential injection:1 AND DATABASE() like ‘db%’Result Expected:A string like this:dbnameINFORMATION_SCHEMAFrom MySQL 5.0 a view named [INFORMATION_SCHEMA] wascreated. It allows us to get all informations about databases, tables,and columns, as well as procedures and functions.Here is a summary of some interesting Views.1 AND @@version like ‘<strong>4.0</strong>%’Result Expected:A string like this:5.0.22-logLogin UserThere are two kinds of users MySQL Server relies upon.Tables_in_INFORMATION_SCHEMA..[skipped]..SCHEMATASCHEMA_PRIVILEGESTABLESTABLE_PRIVILEGESCOLUMNSDESCRIPTION..[skipped]..All databases the user has (at least) SELECT_privThe privileges the user has for each DBAll tables the user has (at least) SELECT_privThe privileges the user has for each tableAll columns the user has (at least) SELECT_priv[1] [USER()]: the user connected to the MySQL Server.[2] [CURRENT_USER()]: the internal user who is executing thequery.There is some difference between 1 and 2. The main one is thatan anonymous user could connect (if allowed) with any name, butthe MySQL internal user is an empty name (‘’). Another differenceis that a stored procedure or a stored function are executed asthe creator user, if not declared elsewhere. This can be known byusing CURRENT_USER.In band injection:1 AND 1=0 UNION SELECT USER()Inferential injection:1 AND USER() like ‘root%’Result Expected:A string like this:user@hostnameCOLUMN_PRIVILEGESVIEWSROUTINESTRIGGERSUSER_PRIVILEGESThe privileges the user has for each columnAll columns the user has (at least) SELECT_privProcedures and functions (needs EXECUTE_priv)Triggers (needs INSERT_priv)Privileges connected User hasAll of this information could be extracted by using known techniquesas described in SQL Injection section.Attack vectorsWrite in a FileIf the connected user has FILE privileges and single quotes are notescaped, the ‘into outfile’ clause can be used to export query resultsin a file.Select * from table into outfile ‘/tmp/file’Note: there is no way to bypass single quotes surrounding a filename.So if there’s some sanitization on single quotes like escape(\’) there will be no way to use the ‘into outfile’ clause.
121Web Application Penetration TestingThis kind of attack could be used as an out-of-band techniqueto gain information about the results of a query or to write a filewhich could be executed inside the web server directory.Example:1 limit 1 into outfile ‘/var/www/root/test.jsp’ FIELDSENCLOSED BY ‘ /’ LINES TERMINATED BY ‘\n’;Result Expected:Results are stored in a file with rw-rw-rw privileges owned byMySQL user and group.Where /var/www/root/test.jsp will contain:/field values /Read from a FileLoad_file is a native function that can read a file when allowed bythe file system permissions. If a connected user has FILE privileges,it could be used to get the files’ content. Single quotes escapesanitization can by bypassed by using previously described techniques.load_file(‘filename’)Result Expected:The whole file will be available for exporting by using standardtechniques.Standard SQL Injection AttackIn a standard SQL injection you can have results displayed directlyin a page as normal output or as a MySQL error. By using alreadymentioned SQL Injection attacks and the already describedMySQL features, direct SQL injection could be easily accomplishedat a level depth depending primarily on the MySQL version thepentester is facing.A good attack is to know the results by forcing a function/procedureorthe server itself to throw an error. A list of errors thrownby MySQL and in particular native functions could be found onMySQL Manual.Out of band SQL InjectionOut of band injection could be accomplished by using the ‘into outfile’clause.Blind SQL InjectionFor blind SQL injection, there is a set of useful function nativelyprovided by MySQL server.• String Length:LENGTH(str)• Extract a substring from a given string:SUBSTRING(string, offset, #chars_returned)• Time based Blind Injection: BENCHMARK and SLEEPBENCHMARK(#ofcycles,action_to_be_performed )The benchmark function could be used to perform timingattacks, when blind injection by boolean values does not yieldany results.See. SLEEP() (MySQL > 5.0.x) for an alternative on benchmark.For a complete list, refer to the MySQL manual at http: /dev.mysql.com/doc/refman/5.0/en/functions.htmlTools• Francois Larouche: Multiple DBMS SQL Injection tool -http: /www.sqlpowerinjector.com/index.htm• ilo--, Reversing.org - sqlbftools• Bernardo Damele A. G.: sqlmap, automatic SQL injection tool -http: /sqlmap.org/• Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool -http: /code.google.com/p/mysqloit/• http: /sqlsus.sourceforge.net/ReferencesWhitepapers• Chris Anley: “Hackproofing MySQL” -http: /www.databasesecurity.com/mysql/HackproofingMySQL.pdfCase Studies• Zeelock: Blind Injection in MySQL Databases -http: /archive.cert.uni-stuttgart.de/bugtraq/2005/02/msg00289.htmlTesting for SQL ServerSummaryIn this section some SQL Injection techniques that utilize specificfeatures of Microsoft SQL Server will be discussed.SQL injection vulnerabilities occur whenever input is used in theconstruction of an SQL query without being adequately constrainedor sanitized. The use of dynamic SQL (the construction ofSQL queries by concatenation of strings) opens the door to thesevulnerabilities. SQL injection allows an attacker to access the SQLservers and execute SQL code under the privileges of the userused to connect to the database.As explained in SQL injection, a SQL-injection exploit requires twothings: an entry point and an exploit to enter. Any user-controlledparameter that gets processed by the application might be hidinga vulnerability. This includes:• Application parameters in query strings (e.g., GET requests)• Application parameters included as part of the body of a POSTrequest• Browser-related information (e.g., user-agent, referrer)• Host-related information (e.g., host name, IP)• Session-related information (e.g., user ID, cookies)Microsoft SQL server has a few unique characteristics, so someexploits need to be specially customized for this application.How to TestSQL Server CharacteristicsTo begin, let’s see some SQL Server operators and commands/
Page 1 and 2:
1Testing Guide4.0Project Leaders: M
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3Testing Guide Foreword - Table of
Page 7 and 8:
5Testing Guide Foreword - By Eoin K
Page 9 and 10:
7Testing Guide Frontispiece1Testing
Page 11 and 12:
9Testing Guide Introduction2The OWA
Page 13 and 14:
11Testing Guide Introductionvide en
Page 15 and 16:
13Testing Guide IntroductionTesting
Page 17 and 18:
15Testing Guide Introductionlaid on
Page 19 and 20:
17Testing Guide Introductionvalidat
Page 21 and 22:
19Testing Guide IntroductionUSERthe
Page 23 and 24:
21Testing Guide Introductionment wh
Page 25 and 26:
23Testing Guide Introductionoffendi
Page 27 and 28:
25The OWASP Testing Frameworksectio
Page 29 and 30:
27Web Application Penetration Testi
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72: 69Web Application Penetration Testi
Page 103 and 104: 101Web Application Penetration Test
Page 121: 119Web Application Penetration Test
Page 173 and 174:
171Web Application Penetration Test
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209same code can be applied to sess
Page 213 and 214:
211ReportingTest IDLowest versionIn
Page 215 and 216:
213ReportingTest IDBusiness Logic T
Page 217 and 218:
215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220:
217AppendixTesting - http:/www.nist
Page 221 and 222:
219Cross Site Scripting (XSS)For de
Page 223 and 224:
221LDAP InjectionFor details on LDA
show all

4.0

Create successful ePaper yourself

Delete template?

Save as template?