SQL Injection BY: Manish Bhandarkar

Upload: yukta888

Post on 10-May-2015


Page 1

SQL Injection

BY: Manish Bhandarkar

Page 2

LAB Setup:

1) VM with Hacme Bank installed http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/

2) SQL-Map for Windows https://github.com/sqlmapproject/sqlmap/zipball/master

3) SQL-Map for Unix: it is already included in BackTrack 5

Page 3

OWASP TOP 10

A1 : Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data

Page 4

Injections

Common types of injection: SQL, LDAP, XPath, etc.

IMPACT: as disastrous as handing the database over to the attacker

Can also lead to OS level access

Page 5

Definition

Exploiting poorly filtered or incorrectly escaped SQL queries so that data supplied as user input is executed as part of the query

Types

Error-based injection

Blind injection

Boolean-based injection

Page 6

How Do They Work?

Application presents a form to the attacker

Attacker sends an attack in the form data

Application forwards attack to the database in a SQL query

Database runs query containing attack and sends encrypted result back to application

Application renders the data to the user
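The five steps above, as an added example that is not part of the original slides: a Python login check written two ways against an in-memory SQLite table with constructed sample users. `vulnerable_login` pastes the form fields straight into the query text (steps 2 and 3 of the slide), so a tautology typed into the password field changes the query's logic rather than its data; `safe_login` binds the same input as parameters, so the database only ever sees it as a value. Function names, table layout and sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for the demo (not from the original slides).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Slide step 3: the form data is concatenated into the SQL text.

    Whatever the user typed becomes part of the statement the database parses,
    so a quote character changes the query's structure instead of its data.
    """
    query = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.OperationalError:
        # A malformed statement (e.g. an unbalanced quote) is what error-based
        # injection probes for; here it is simply treated as a failed login.
        return False


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: a parameterised query.

    The SQL text is fixed; the driver sends username and password as bound
    values, so they can never alter the statement's structure.
    """
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run a valid login, a wrong password and a tautology through both versions."""
    conn = build_db()
    payload = "' OR '1'='1"  # textbook tautology, used only to show the contrast
    return {
        "vulnerable_valid": vulnerable_login(conn, "alice", "s3cret"),
        "vulnerable_wrong_pw": vulnerable_login(conn, "alice", "nope"),
        "vulnerable_payload": vulnerable_login(conn, "alice", payload),
        "safe_valid": safe_login(conn, "alice", "s3cret"),
        "safe_payload": safe_login(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast is the whole lesson of the slide: with string concatenation the password field turns the WHERE clause into `... AND password = '' OR '1'='1'`, which is true for every row, while the parameterised version compares the literal text `' OR '1'='1` against the stored password and fails. The fix is the same in any language or driver: never build SQL text from input, bind it.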

Page 7

Page 8

SQL MAP

Page 9

SQL MAP INTRODUCTION

Powerful command line utility to exploit SQL Injection vulnerabilities

Support for the following databases:

MySQL, IBM DB2, Oracle, SQLite, PostgreSQL, Firebird, Microsoft SQL Server, SAP MaxDB, Sybase and Microsoft Access

Page 10

TECHNIQUES OF SQL INJECTION

Boolean-based blind

Time-based blind

Error-based

UNION query

Stacked queries
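The five techniques above are also what a defender looks for in web-server logs. As an added example that is not from the slides or from sqlmap, the Python below classifies requests in constructed combined-format log lines by technique-specific signatures, aggregates them per client IP, and flags sqlmap's default User-Agent prefix. The signatures, log lines and addresses are assumptions made for this example; a real scan may use a randomized agent and encodings these few patterns miss, so this is a triage aid, not a WAF.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Signatures keyed by the sqlmap technique names from the slide. These are
# hypothetical patterns written for this example; a real rule set is far larger.
PATTERNS = {
    "union-query": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "stacked-queries": re.compile(
        r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC|WAITFOR|SHUTDOWN)\b", re.I
    ),
    "time-based-blind": re.compile(
        r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I
    ),
    "error-based": re.compile(
        r"\b(?:EXTRACTVALUE|UPDATEXML)\s*\(|\bCONVERT\s*\(\s*INT\b", re.I
    ),
    "boolean-based-blind": re.compile(
        r"\b(?:AND|OR)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", re.I
    ),
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not from the slides); 10.0.0.9 is the prober.
SAMPLE_LOG = """
10.0.0.5 - - [10/May/2015:10:00:01 +0000] "GET /account.aspx?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2015:10:00:02 +0000] "GET /account.aspx?id=42%20AND%201=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.0"
10.0.0.9 - - [10/May/2015:10:00:03 +0000] "GET /account.aspx?id=42%20AND%201=2 HTTP/1.1" 200 871 "-" "sqlmap/1.0"
10.0.0.9 - - [10/May/2015:10:00:04 +0000] "GET /account.aspx?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 1532 "-" "sqlmap/1.0"
10.0.0.9 - - [10/May/2015:10:00:05 +0000] "GET /account.aspx?id=42%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 500 312 "-" "sqlmap/1.0"
10.0.0.9 - - [10/May/2015:10:00:06 +0000] "GET /account.aspx?id=42;%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 1532 "-" "sqlmap/1.0"
10.0.0.9 - - [10/May/2015:10:00:07 +0000] "GET /account.aspx?id=42%20AND%20EXTRACTVALUE(1,1) HTTP/1.1" 500 410 "-" "sqlmap/1.0"
10.0.0.7 - - [10/May/2015:10:00:08 +0000] "GET /search.aspx?q=union+membership+select+plan HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> List[str]:
    """Return every technique whose signature appears in the URL-decoded path."""
    decoded = unquote_plus(path)  # match on what the application would see
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def summarize(lines) -> Dict[str, dict]:
    """Aggregate per client IP: suspicious request count, techniques seen,
    and whether the default sqlmap User-Agent prefix was observed."""
    report = defaultdict(lambda: {"hits": 0, "techniques": set(), "sqlmap_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec["path"])
        if not found:
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["techniques"].update(found)
        if rec["ua"].lower().startswith("sqlmap/"):
            entry["sqlmap_ua"] = True
    return {ip: {**e, "techniques": sorted(e["techniques"])} for ip, e in report.items()}


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry)
```

Two details matter in practice: decode the URL before matching, because the probe arrives percent-encoded, and check for false positives with innocent text such as the `union membership select plan` search, which the UNION signature correctly ignores because the keywords are not adjacent. A request that trips several signatures at once (the stacked `WAITFOR DELAY` line matches both stacked-queries and time-based-blind) is stronger evidence than any single match.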

Page 11

SQL MAP OPTION KEYS

-u <URL> (Target URL)

--dbs (To enumerate databases)

-r <file> (Load the HTTP request from a .txt file)

--technique (SQL injection technique)

--dbms (Specify DBMS)

-D <database name> --tables

-T <table name> --columns

-C <column name> --dump

--cookie (Authentication)

--dump-all

Page 12

SQL MAP FLOW

Enumerate the database name

Select database and enumerate tables

Select tables and enumerate columns

Select a column and enumerate rows(data)

Choose whatever you want

Page 13

WHY USE SQL MAP?

Built in capabilities for cracking hashes

Options of running user defined queries

You could run OS level commands

You could have an interactive OS shell

Meterpreter shell with Metasploit

Page 14

EXTRA USEFUL SQL MAP OPTION KEYS 1

--os-cmd: Run any OS level command

--os-shell: Starts an interactive shell

--os-pwn: Injects a Meterpreter shell

--tamper: Evading WAF

Page 15

EXTRA USEFUL SQL MAP OPTION KEYS 2

--tor: Use Tor anonymity network

--tor-port: Set Tor proxy port other than default

--tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)

--check-payload: Offline WAF/IPS/IDS payload detection testing

--check-waf: Check for existence of WAF/IPS/IDS protection

--gpage: Use Google dork results from specified page number

--tamper: custom scripts

Page 16

WANT TO EXPLORE MORE?

SQL MAP Usage Guide http://sqlmap.sourceforge.net/doc/README.html

SQL MAP WITH TOR http://www.coresec.org/2011/04/24/sqlmap-with-tor/

Page 17

THANK YOU

BY: Manish Bhandarkar http://www.hackingforsecurity.blogspot.com