Penetration Testing mailing list archives
Re: SQL Injection Question
From: Dan Crowley <dcrowley () coresecurity com>
Date: Mon, 20 Sep 2010 09:44:10 -0400
Before I start, let me clarify what an SQLi flaw means: Though your queries will likely be convoluted as all hell, **an SQLi flaw gives you the ability to run arbitrary SQL queries with the rights of the user in question**. Anything the user running the original query can do, you can do. The classic "' or '1'='1" injection is only the beginning. Here's a cheat sheet with various tricks for SQLi exploitation: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

Firstly, you have expanded attack surface. Check the vulnerability history for the database server in question to see if you can run any particular query or set of queries to escalate privileges within the database.

Secondly, with the majority of databases, it's possible to read and write files on the database host through some amount of trickery. For example, if you are using MySQL and your user has the FILE privilege you can LOAD_FILE() to read arbitrary files on the system or SELECT [arbitrary static data] INTO OUTFILE [output file] to write arbitrary files to the host. Using this, you can get sensitive information stored outside the database, and if you could (for instance) write a php script inside the webroot and execute it using a web browser, you could get RCE on the host.

Third, see what you can and can't read out of the database. Some databases store their authentication details in the database. If you can pull down the authentication information for an admin database user and crack the hash using something like JtR, you might be able to escalate your privileges within the database. If you can get a hold of admin creds, this generally means you can do everything the database can. In the case of database servers like MSSQL and Oracle, this also means arbitrary shell command execution with the privileges of the database.

Good luck convincing your DBA.
(Additionally, consider trying a tool like sqlmap to automate the process of SQL injection exploitation for you if you're too swamped with other things to learn to exploit it yourself.)

--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies
Direct: +1 (617) 695-1151
Fax: +1 (617) 399-6987
"All the forces in the world are not so powerful as an idea whose time has come." - Victor Hugo

On 9/19/2010 8:36 PM, Kurt M.D John wrote:
Hey Guys, take a look at the email below. I recently did a pentest and found that a site was vulnerable to SQL injection but it was minimal. The user which runs the queries has read-only access and the information is public, but an SQL injection still spits out the full table nonetheless. The information below is what the DB Admin sent me in defence of the potential vulnerability. My question is, since it is vulnerable to SQL injection, can statements be mutated to get dangerous results such as privilege escalation, etc.? I am not familiar with SQL injection.

"""
--Start DB Admin's defence

I captured the select string from the form and found that they were in fact returning a requested record set, not a failed request. Here is an example of the captured string:

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%' ORDER BY PROJ_NBR , PROJ_NAME

As you can see the request is for FOLIO_NBR LIKE '' or '1'='1%'

The request does return folio_nbr that are blank. I believe that because the form behind the scene constructs the "where clause" as follows:

The value of PMSTPARCEL is ' or '1'='1

PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'"

and sends this on to the stored procedure where it is assembled as follows:

SET @SELECTSTRING = 'INSERT INTO #TempTable SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '

SET @ORDERBY = ' ORDER BY PROJ_NBR , PROJ_NAME'

SET @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY

Which yields:

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME
  FROM PROJECT
  WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'
  ORDER BY PROJ_NBR , PROJ_NAME

That SQL injection is not happening.
--End DB Admin's Defence
"""
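The query assembly the DB admin quotes above, reproduced as an added example that is not code from this thread: the column, variable and procedure-string names are the ones in the quoted message, an in-memory SQLite table stands in for the MSSQL PROJECT table, and the three sample rows are constructed. Running the same input through the concatenated query and through a parameterized one shows that the "blank folio" rows the admin observed come from the rewritten WHERE clause, whereas a bound parameter treats the whole input as a folio prefix and returns nothing.

```python
import sqlite3

# Constructed sample rows standing in for the thread's PROJECT table;
# SQLite replaces MSSQL here so the example runs offline.
ROWS = [
    ("P-001", "OPEN", "1234-56", "Harbour bridge"),
    ("P-002", "CLOSED", "7890-12", "Ring road"),
    ("P-003", "OPEN", "", "Unfiled survey"),
]

SELECT = "SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE "
ORDERBY = " ORDER BY PROJ_NBR , PROJ_NAME"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PROJECT (PROJ_NBR TEXT, STATUS TEXT, "
                 "FOLIO_NBR TEXT, PROJ_NAME TEXT)")
    conn.executemany("INSERT INTO PROJECT VALUES (?, ?, ?, ?)", ROWS)
    return conn


def build_vulnerable_sql(pmstparcel):
    # Same concatenation the form and stored procedure perform:
    #   PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'"
    #   @SELECTSTRING + @PFILTER + @ORDERBY
    pfilter = "PROJECT.FOLIO_NBR LIKE '" + pmstparcel + "%'"
    return SELECT + pfilter + ORDERBY


def query_vulnerable(conn, pmstparcel):
    # The input is spliced into the SQL text: a quote in it closes the
    # literal and whatever follows is parsed as SQL, not compared as data.
    return conn.execute(build_vulnerable_sql(pmstparcel)).fetchall()


def query_parameterized(conn, pmstparcel):
    # Hardened form: the value is bound as a parameter, so it is only
    # ever compared as a string and cannot change the WHERE clause.
    sql = SELECT + "PROJECT.FOLIO_NBR LIKE ?" + ORDERBY
    return conn.execute(sql, (pmstparcel + "%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_sql("' or '1'='1"))   # the string the DBA captured
    print(query_vulnerable(conn, "' or '1'='1"))  # blank-folio row only
    print(query_parameterized(conn, "' or '1'='1"))  # []
```

With an empty input the concatenated filter becomes LIKE '%' and returns every row, which is the normal "show all" behaviour; with the quoted input it becomes two predicates joined by OR, which is what the captured string on the page shows.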