Penetration Testing mailing list archives

Re: SQL Injection Question


From: Dan Crowley <dcrowley () coresecurity com>
Date: Mon, 20 Sep 2010 09:44:10 -0400

Before I start, let me clarify what an SQLi flaw means: Though your
queries will likely be convoluted as all hell, **an SQLi flaw gives you
the ability to run arbitrary SQL queries with the rights of the user in
question**. Anything the user running the original query can do, you can
do. The classic "' or '1'='1" injection is only the beginning. Here's a
cheat sheet with various tricks for SQLi exploitation:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

Firstly, you have expanded attack surface. Check the vulnerability
history for the database server in question to see if you can run any
particular query or set of queries to escalate privileges within the
database.

Secondly, with the majority of databases, it's possible to read and
write files on the database host through some amount of trickery. For
example, if you are using MySQL and your user has the FILE privilege you
can LOAD_FILE() to read arbitrary files on the system or SELECT
[arbitrary static data] INTO OUTFILE [output file] to write arbitrary
files to the host. Using this, you can get sensitive information stored
outside the database, and if you could (for instance) write a php script
inside the webroot and execute it using a web browser, you could get RCE
on the host.

Third, see what you can and can't read out of the database. Some
databases store their authentication details in the database. If you can
pull down the authentication information for an admin database user and
crack the hash using something like JtR, you might be able to escalate
your privileges within the database. If you can get a hold of admin
creds, this generally means you can do everything the database can. In
the case of database servers like MSSQL and Oracle, this also means
arbitrary shell command execution with the privileges of the database.

Good luck convincing your DBA.

(Additionally, consider trying a tool like sqlmap to automate the
process of SQL injection exploitation for you if you're too swamped with
other things to learn to exploit it yourself.)

--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies
Direct: +1 (617) 695-1151
Fax: +1 (617) 399-6987

"All the forces in the world are not so powerful as an idea whose time
has come." - Victor Hugo




On 9/19/2010 8:36 PM, Kurt M.D John wrote:
Hey Guys,

Take a look at the email below. I recently did a pentest and found that
a site was vulnerable to SQL injection, but it was minimal. The user
which runs the queries has read-only access and the information is
public, but an SQL injection still spits out the full table nonetheless.
The information below is what the DB Admin sent me in defence of the
potential vulnerability. My question is, since it is vulnerable to SQL
injection, can statements be mutated to get dangerous results such as
privilege escalation, etc.? I am not familiar with SQL injection.


""" --Start DB Admin's defence

I captured the select string from the form and found that they were in
fact returning a requested record set, not a failed request. Here is an
example of the captured string:

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME
FROM PROJECT
WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'
ORDER BY PROJ_NBR , PROJ_NAME

As you can see the request is for FOLIO_NBR LIKE '' or '1'='1%'

The request does return folio_nbr that are blank.

I believe that is because the form behind the scenes constructs the “where
clause” as follows:

The value of PMSTPARCEL is ' or '1'='1

PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'"

and sends this on to the stored procedure where it is assembled as follows:

SET @SELECTSTRING = 'INSERT INTO #TempTable SELECT
PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '

SET @ORDERBY =' ORDER BY PROJ_NBR , PROJ_NAME'

SET @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY

Which yields:

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME
  FROM PROJECT
  WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'
  ORDER BY PROJ_NBR , PROJ_NAME

That SQL injection is not happening. --End DB Admin's Defence """

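For a concrete look at why the concatenation in the admin's PFILTER line is the problem regardless of what this one input happened to return, here is an added example that is not code from either poster. It assumes a constructed three-row PROJECT table in an in-memory SQLite database, rebuilds the admin's string-assembled query, and compares it with the same filter passed as a bind parameter.

```python
import sqlite3

# Constructed sample rows standing in for the PROJECT table (not the real data).
ROWS = [
    ("P001", "OPEN", "1234-A", "Bridge"),
    ("P002", "CLOSED", "", "Depot"),      # blank folio, like the rows the admin saw
    ("P003", "OPEN", "5678-B", "Library"),
]

def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PROJECT (PROJ_NBR, STATUS, FOLIO_NBR, PROJ_NAME)")
    con.executemany("INSERT INTO PROJECT VALUES (?, ?, ?, ?)", ROWS)
    return con

def build_vulnerable(pmstparcel):
    # Mirrors the admin's construction: the user value is pasted into the SQL text,
    # so the quote characters in it become part of the statement's syntax.
    pfilter = "PROJECT.FOLIO_NBR LIKE '" + pmstparcel + "%'"
    return ("SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE "
            + pfilter + " ORDER BY PROJ_NBR , PROJ_NAME")

def query_vulnerable(pmstparcel):
    return connect().execute(build_vulnerable(pmstparcel)).fetchall()

def query_parameterized(pmstparcel):
    # The same filter as a bound parameter: the value is compared literally and
    # can never change the shape of the WHERE clause, whatever it contains.
    sql = ("SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT "
           "WHERE PROJECT.FOLIO_NBR LIKE ? ORDER BY PROJ_NBR , PROJ_NAME")
    return connect().execute(sql, (pmstparcel + "%",)).fetchall()

def folios(rows):
    # FOLIO_NBR is the third selected column.
    return [r[2] for r in rows]

if __name__ == "__main__":
    payload = "' or '1'='1"           # the value quoted in the thread
    print(build_vulnerable(payload))   # reproduces the admin's captured string
    print(folios(query_vulnerable(payload)))      # blank folios, as observed
    print(folios(query_parameterized(payload)))   # nothing: matched as text
```

With a benign prefix such as "12" both versions return the same row; with the thread's input the concatenated query's predicate has been rewritten by the input (which is the injection), while the parameterized one simply finds no folio starting with that text.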
