119
Web Application Penetration Testing
http://www.example.com/pls/bookstore/books.search?author=DICK'||'ENS
If this request returns books by Charles Dickens, you've confirmed the presence of the SQL injection vulnerability.
Tools
• SQLInjector - http://www.databasesecurity.com/sql-injector.htm
• Orascan (Oracle Web Application VA scanner), NGS SQuirreL (Oracle RDBMS VA Scanner) - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/informationsecurity-software/ngs-orascan/
References
Whitepapers
• Hackproofing Oracle Application Server (A Guide to Securing Oracle 9) - http://www.itsec.gov.cn/docs/20090507151158287612.pdf
• Oracle PL/SQL Injection - http://www.databasesecurity.com/oracle/oracle-plsql-2.pdf
Testing for MySQL
Summary
SQL Injection vulnerabilities occur whenever input is used in the construction of a SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.
MySQL server has a few particularities, so some exploits need to be specially customized for this application. That's the subject of this section.
How to Test
When an SQL injection vulnerability is found in an application backed by a MySQL database, there are a number of attacks that could be performed depending on the MySQL version and the user's privileges on the DBMS.
MySQL comes with at least four versions which are used in production worldwide: 3.23.x, 4.0.x, 4.1.x and 5.0.x. Every version has a set of features proportional to its version number.
• From Version 4.0: UNION
• From Version 4.1: Subqueries
• From Version 5.0: Stored procedures, Stored functions and the view named INFORMATION_SCHEMA
• From Version 5.0.2: Triggers
It should be noted that for MySQL versions before 4.0.x, only Boolean or time-based Blind Injection attacks could be used, since the subquery functionality and UNION statements were not implemented.
From now on, we will assume that there is a classic SQL injection vulnerability, which can be triggered by a request similar to the one described in the Section on Testing for SQL Injection:
http://www.example.com/page.php?id=2
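The vulnerability the section assumes from here on, seen from the defender's side, as an added example that is not code from the OWASP guide: the page.php?id=2 lookup built by string concatenation (the dynamic SQL the Summary warns about) next to the same lookup with a bound parameter. SQLite stands in for the MySQL back end so the example runs offline; the books table and its rows are constructed, and escape_single_quotes, dynamic_query, run_dynamic and run_parameterized are names chosen here.

```python
import sqlite3

# Constructed stand-in for the page's back-end database (assumption: SQLite is
# used only so the example runs offline; the rows are invented).
_ROWS = [(1, "Hard Times"), (2, "Bleak House"), (3, "Dombey and Son")]


def _connection() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", _ROWS)
    return conn


def escape_single_quotes(value: str) -> str:
    """The ' => \\' escaping that the text later calls case [1]."""
    return value.replace("'", "\\'")


def dynamic_query(param: str) -> str:
    """Dynamic SQL: the id parameter is concatenated into the statement after
    quote escaping. In this numeric context the escaping changes nothing,
    because a payload needs no quotes to alter the WHERE clause."""
    return "SELECT id, title FROM books WHERE id = " + escape_single_quotes(param)


def run_dynamic(param: str) -> list:
    """Execute the concatenated statement and return the matching rows."""
    return _connection().execute(dynamic_query(param)).fetchall()


def run_parameterized(param: str) -> list:
    """Same lookup with a bound parameter: the value travels as data, so it
    cannot change the statement's structure. A non-numeric id is rejected
    instead of being interpolated."""
    try:
        book_id = int(param)
    except ValueError:
        return []
    return _connection().execute(
        "SELECT id, title FROM books WHERE id = ?", (book_id,)
    ).fetchall()


if __name__ == "__main__":
    print(run_dynamic("2"))               # one row
    print(run_dynamic("2 OR 1=1"))        # every row: the clause was rewritten
    print(run_parameterized("2 OR 1=1"))  # []: rejected before it reaches SQL
```

The point of the pair is that escaping is tied to one syntactic context (inside a quoted literal), whereas parameter binding protects every context; the rest of this section shows MySQL features that work around escaping, none of which affect a bound parameter.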
The Single Quotes Problem
Before taking advantage of MySQL features, it has to be taken into consideration how strings could be represented in a statement, as web applications often escape single quotes.
MySQL quote escaping is the following:
'A string with \'quotes\''
That is, MySQL interprets escaped apostrophes (\') as characters and not as metacharacters.
So if the application, to work properly, needs to use constant strings, two cases are to be differentiated:
[1] Web app escapes single quotes (' => \')
[2] Web app does not escape single quotes (' => ')
Under MySQL, there is a standard way to bypass the need for single quotes, allowing a constant string to be declared without them.
Let's suppose we want to know the value of a field named 'password' in a record, with a condition like the following:
[1] password like 'A%'
[2] The ASCII values in a concatenated hex (0x41 is 'A', 0x25 is '%'):
password LIKE 0x4125
[3] The char() function:
password LIKE CHAR(65,37)
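The three representations above are the same bytes written three ways. The following added example (not from the OWASP guide) makes that concrete in both directions: to_hex_literal and to_char_call produce forms [2] and [3] from a string, and decode_quoteless_literal recovers the string from a hex literal or CHAR() call seen in a request or log, which is the direction an analyst needs when reading captured traffic. All function names are chosen here; the example works on the bytes of the string and does not talk to a database.

```python
import re
from typing import Optional


def to_hex_literal(text: str) -> str:
    """'A%' -> '0x4125': the UTF-8 bytes of the string as one MySQL hex literal."""
    return "0x" + text.encode("utf-8").hex().upper()


def to_char_call(text: str) -> str:
    """'A%' -> 'CHAR(65,37)': the same bytes as a CHAR() call."""
    return "CHAR(" + ",".join(str(b) for b in text.encode("utf-8")) + ")"


def survives_quote_escaping(token: str) -> bool:
    """True when the token contains no single quote, i.e. the ' => \\' escaping
    of case [1] leaves it unchanged. Both quoteless forms satisfy this."""
    return "'" not in token


_HEX = re.compile(r"^0x((?:[0-9A-Fa-f]{2})+)$")
_CHAR = re.compile(r"^CHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)$", re.IGNORECASE)


def decode_quoteless_literal(token: str) -> Optional[str]:
    """Recover the string behind a hex literal or CHAR() call (analyst
    direction). Returns None when the token is neither form or a CHAR()
    argument is outside the byte range."""
    m = _HEX.match(token)
    if m:
        return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
    m = _CHAR.match(token)
    if m:
        codes = [int(c) for c in m.group(1).split(",")]
        if all(0 <= c <= 255 for c in codes):
            return bytes(codes).decode("utf-8", errors="replace")
    return None


if __name__ == "__main__":
    for form in (to_hex_literal("A%"), to_char_call("A%")):
        print(form, "->", decode_quoteless_literal(form), survives_quote_escaping(form))
```

Because neither form contains a quote character, quote escaping alone is not a defence for string contexts either; the fix is the same as for the numeric case, binding the value as a parameter.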
Multiple mixed queries:
MySQL library connectors do not support multiple queries separated by ';', so there's no way to inject multiple non-homogeneous SQL commands inside a single SQL injection vulnerability, as there is in Microsoft SQL Server.
For example, the following injection will result in an error:
1 ; update tablename set code='javascript code' where 1 --
Information gathering
Fingerprinting MySQL
Of course, the first thing to know is whether there's a MySQL DBMS as the back end database. MySQL server has a feature that is used to let other DBMS ignore a clause written in MySQL dialect. When a comment block ('/**/') contains an exclamation mark ('/*! sql here*/') it is interpreted by MySQL, and is considered a normal comment block by other DBMS, as explained in the MySQL manual.
Example:
1 /*! and 1=0 */
If the back end is MySQL, the condition inside the comment is applied and the response changes; any other DBMS discards the comment and answers as it would for id=1.
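The same marker that fingerprints MySQL is a cheap, high-precision signal on the defender's side, because legitimate request parameters almost never contain "/*!". The following added example (not from the OWASP guide) scans constructed access-log lines for decoded query parameters carrying the MySQL-specific markers this section has described: the "/*!" versioned comment (including the "/*!50000 ... */" form, which MySQL executes only when its version is at least the number given), a bare hex literal, and a CHAR() call. The log lines, client addresses and function names are all constructed here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (assumption: invented traffic in common log format).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page.php?id=1%20/*!%20and%201=0%20*/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /page.php?id=1%20/*!50000and%201=1*/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=0x4125 HTTP/1.1" 200 204',
])

_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# "/*!" optionally followed by a version number, as in /*!50000 ... */
_VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}")
# a bare hex literal such as 0x4125 that is not part of a longer token
_HEX_LITERAL = re.compile(r"(?<![0-9A-Za-z])0x(?:[0-9A-Fa-f]{2})+(?![0-9A-Za-z])")
_CHAR_CALL = re.compile(r"\bCHAR\s*\(\s*\d", re.IGNORECASE)


def mysql_markers(value: str) -> list:
    """Names of the MySQL-dialect markers present in one decoded parameter value."""
    hits = []
    if _VERSIONED_COMMENT.search(value):
        hits.append("versioned_comment")
    if _HEX_LITERAL.search(value):
        hits.append("hex_literal")
    if _CHAR_CALL.search(value):
        hits.append("char_call")
    return hits


def scan_log(text: str) -> list:
    """Return (client, parameter, markers) for every request whose decoded
    query parameters carry at least one marker."""
    findings = []
    for line in text.splitlines():
        m = _REQUEST.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        # parse_qsl percent-decodes each value, so "%20/*!" is matched as " /*!"
        for name, value in parse_qsl(query, keep_blank_values=True):
            markers = mysql_markers(value)
            if markers:
                findings.append((client, name, markers))
    return findings


if __name__ == "__main__":
    for client, name, markers in scan_log(SAMPLE_LOG):
        print(f"{client} param={name} markers={','.join(markers)}")
```

Decoding before matching matters: the marker arrives percent-encoded in the raw log, and a rule applied to the undecoded request line would miss it. The first line, a plain id=2, produces no finding, which is the false-positive rate one wants from a fingerprinting rule.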