BEGINNERS GUIDE TO SQL INJECTIONS

AUTHOR: SUBBY
http://hackerlounge.no-ip.com
Copyright 2004 Subby

DISCLAIMER
I DO NOT take responsibility for what you do with the information provided in this tutorial. It is for Administrators who do not know the real security risks with their SQL server and how they are exploited. I will also explain how to counter SQL Injections on your Web Server.

BEGINNERS SECTION
This is the section for people who have only a brief idea, or no idea at all, of what SQL is, and who do not know how to find a vulnerable target and exploit it through simple SQL injections.

Index

PART 1
1.1- DATABASES
1.2- SQL
1.3- MS SQL
1.4- LOGIN

PART 2
2.1- LOGIN.ASP /ADMIN/LOGIN.ASP
2.2- CHECKING THE SOURCE
2.3- NUMERIC PARAMETERS
2.4- THE INJECTION
2.5- OTHER QUERY STRINGS
2.6- WHAT TO DO

1.1- DATABASES
This may seem boring, so skip it, I don't care. The first type of database was in fact a library. This is the best way to look at what exactly a database is: a method of storing and retrieving data. A database table is made up of columns, which are referred to as 'fields', and rows, which are referred to as 'records'. Take an example:

Name      D.O.B     User ID
Subby     19/2/04   001
Infinite  12/7/12   002
Shamus    14/10/99  003

Here is a simple example. I will not go too much into databases and their workings, as I am lazy and cannot be bothered.

1.2- SQL
SQL is short for Structured Query Language and is a language that is used to communicate with an SQL database. SQL communicates with a relational database, the most commonly used kind of database out there. SQL uses queries to get information from tables within the database. There are many commands that SQL uses, but we will not be going into them in the BEGINNERS part of the tutorial; the commands we will be focusing on are as follows:

SELECT - This query is the basis of the SQL language.
It will be the basis of the following queries, and it points you to the right table and all the corresponding fields and records.
FROM - This clause selects the table name, e.g. 'table1' or 'password'.
WHERE - This allows you to specify the conditions that are to be met.

These are the basics you will be using in this part of the tutorial. Now to put these commands into action.

1.3- MS SQL
MS SQL is what we will be focusing on in this tutorial. MS SQL stands for Microsoft Structured Query Language. It is a cheap alternative to other SQL databases like Oracle. This means that there will be a lot of targets out there; whether or not they are vulnerable is another thing, which we will discuss later in this tutorial. We will learn how to hack using our HTTP browser on port 80. In my advanced tutorial, we will also find out how to hack MS SQL on port 1434 (TCP).

1.4- LOGIN
This is the basic query behind a login page that uses SQL (note that this is only an example; you will not find this in the page source 99% of the time).

*NOTE* In SQL, * is a wildcard. It is a shortcut used to represent all values. Also note: None is not equal to Null!

" SELECT * FROM 'tablename' WHERE login='"&log&"' and password='"&pass&"' "

Let's say that login = Th3_R@V3N and pass = haxxoRe:

SELECT * FROM table1 WHERE login='Th3_R@V3N' and password='haxxoRe'

Using our SQL queries, we were able to select the login from 'table1', and the password was haxxoRe, thus our login would be successful.

2.1- LOGIN.ASP /ADMIN/LOGIN.ASP
MS SQL sites handle logins via forms with the .ASP extension. Doing a search on Google, you will find a hell of a lot of targets. However, not all of these are vulnerable. When you find a target, open it up; you should see a Username field and a Password field (in most cases). Congratulations, you are now 1337 (not), but you have taken the first and easiest step.

2.2- CHECKING THE SOURCE
You should all know how to look at the source of the page; if not, right click in your browser and go to View Source.
There are a number of things you would look at. A typical example of what a webmaster would use would be:

Code:
<%@ language="vbscript" %>
<%
dim conn,rs,log,pwd
' The two form fields are taken straight from the request, with no checking.
log=Request.form("login_name")
pwd=Request.form("pass")
set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString="provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"
conn.Open
set rs = Server.CreateObject("ADODB.Recordset")
' The user-supplied values are concatenated directly into the SQL text.
rs.open "Select * from table1 where login='"&log& "' and password='" &pwd& "' ",conn
If rs.EOF Then
    response.write("Login failed")
else
    response.write("Login successful")
End if
%>

This is very basic code, but it gives you an insight into the kind of code that you should look out for. Also check anything between the <form> and </form> tags: this will most likely give you the method of the query, and sometimes you may find hidden values contained in there.

2.3- NUMERIC PARAMETERS
I will not go too much into this, as it is just a beginners guide. However, it is important to note what numeric parameters are. We note that there are normally 3 different types of fields, these are:

String
Date
Number

The SQL query is parsed to determine which type a value is. For example, LEET would obviously be a string. However, 1337 would be a Number, although it could also be considered a string. The difference is that Strings and Dates have quotes around them, whereas Numbers do not.

EXAMPLE
SELECT * FROM table1 WHERE name='LEET'
SELECT * FROM table1 WHERE id=7

This should be remembered when doing advanced hacking of SQL using the UNION clause. It should also be remembered that when doing advanced hacking of SQL, strings would need to break out of the quotes, but that will be covered later.
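The login query built by concatenation (sections 1.4 and 2.2) and the quoted-versus-unquoted parameters of section 2.3, each next to a parameterized version that does not let the form value become SQL text. This is an added Python example, not code from the tutorial; it uses the standard-library sqlite3 module as a stand-in for the page's Access/MS SQL backend, and the rows in 'table1' are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the tutorial's 'table1' (an id, a login and a password).
ROWS = [(1, "Th3_R@V3N", "haxxoRe"), (2, "O'Brien", "secret2")]

def make_db():
    """In-memory SQLite table playing the role of the page's .mdb / MS SQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (id INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?, ?)", ROWS)
    return conn

def login_concat(conn, log, pwd):
    """The page's pattern: form values spliced straight into the SQL text.
    Returns True/False for a match, or None if the statement no longer parses."""
    sql = "SELECT * FROM table1 WHERE login='" + log + "' AND password='" + pwd + "'"
    try:
        return bool(conn.execute(sql).fetchall())
    except sqlite3.Error:
        # A quote in the input closes the string early and whatever follows is
        # read as SQL, not data: the "break out of the quotes" the text mentions.
        return None

def login_param(conn, log, pwd):
    """Hardened form: values are bound separately and never become SQL text,
    so a quote in a login such as O'Brien is just another character."""
    sql = "SELECT * FROM table1 WHERE login=? AND password=?"
    return bool(conn.execute(sql, (log, pwd)).fetchall())

def by_id_concat(conn, raw_id):
    """Numeric parameter as in 2.3: no quotes, so nothing delimits the user's text."""
    try:
        rows = conn.execute("SELECT login FROM table1 WHERE id=" + raw_id).fetchall()
    except sqlite3.Error:
        return None
    return rows[0][0] if rows else None

def by_id_param(conn, raw_id):
    """Hardened form: enforce the integer type first, then bind it as a parameter."""
    try:
        ident = int(raw_id)
    except (TypeError, ValueError):
        return None  # anything that is not a whole number is rejected outright
    rows = conn.execute("SELECT login FROM table1 WHERE id=?", (ident,)).fetchall()
    return rows[0][0] if rows else None
```

With the constructed rows, the concatenated login breaks on the legitimate user O'Brien while the parameterized one logs them in; the numeric lookup shows why a value with no quotes around it needs a type check rather than a quote check.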