SQL injection for noobs
  • chroniccommand
    Posts: 1,389
    [-----------------------------------]
    Paper: SQL injection for noobs
    Author: Chroniccommand
    Poison ; iExploit ; HaxMe ; xPC
    [-----------------------------------]

    Table of Contents:
    0x01..Introduction......
    0x02..What is SQLi.....
    0x03..How to fix it......
    0x04..Works cited.......

    0x01 [Introduction]
    First of all, this is by no means a tutorial. I will not be showing how to do an SQL injection. There are plenty of guides like that plastered all over the internet. In this paper I will be going over how SQL injection works. I will show an example of SQL-injectable PHP code (straight from DVWA), I will be explaining how/why an SQL injection works, and what happens behind the scenes of an SQL injection.

    ---Break---

    0x02 [What is SQLi]
    In this section I will be explaining what SQL injection is and how it works. I will be going over basic SQL syntax and what happens when you inject an SQL query. First of all I'll explain what it is.

    An SQL injection is a serious web application vulnerability. Many pages have this vulnerability due to poor coding or because attack methods can get quite advanced. I will not be showing the advanced methods here, you can find that somewhere else on the internet.

    This particular vulnerability occurs when a web script accesses an SQL database and executes queries. The biggest web scripting language that uses SQL is PHP. Connecting to and executing SQL queries from PHP is easy, but if not managed correctly it can be disastrous. Malicious attackers can gain access to your SQL databases and read them/write to them. In fact, SQL injection can be so serious that an attacker can gain full operating system control with some advanced techniques. I have a paper on it HERE

    So why does an SQL injection work? Well, I'm sure all of you have heard of or tried SQL injection before. After all, SQL injection is a basic attack method that nearly anybody can do. Unfortunately not as many people like to take the time to understand how it works (yes, it's a shame). But there's a time for learning and that time is now. So let's dive in.
    An SQL injection involves an attacker executing syntactically correct SQL commands through unsanitized user input. First let's take a look at a simple SQL query:

    SELECT * FROM users WHERE id = '" + UID + "'";

    This is simple and correct. We are grabbing rows from the users table where the id is equal to UID. UID can be a number of things. In this case it is going to be unsanitized user input.
    Now let's take a look at the command that results when an attacker adds some extra commands into the input box.

    SELECT * FROM users WHERE id = '1';show tables--

    First this selects user ID 1 from users. But then we see something new. We have a semicolon (;) and then another query. A semicolon means the end of one query and the start of another. Then we are showing the tables in the current database. The two dashes mean the rest of the query is a comment. You can also use /* */, which means everything in between is a comment.

    This will display the tables to the attacker, which is not what we want. Here is another example of a destructive SQL injection:

    SELECT * FROM users WHERE id = '1';drop table users--

    This drops the table users. Dropping basically means deleting the table. So if we delete that table, legitimate users (including the admin with UID 1) will not be able to log in (assuming the login uses SQL).

    ---Break---

    0x03 [How to fix it]
    This section will show you an example of vulnerable PHP code that fails to sanitize user input. I will be showing examples from Damn Vulnerable Web App.


    <?php

    if (isset($_GET['Submit'])) {

        // Retrieve data
        $id = $_GET['id'];

        // $id is pasted straight into the SQL text: this is the injection point
        $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

        $num = mysql_numrows($result);

        $i = 0;

        while ($i < $num) {

            $first = mysql_result($result, $i, "first_name");
            $last  = mysql_result($result, $i, "last_name");

            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';

            $i++;
        }
    }
    ?>

    You should be able to find the error here. We take user input and execute the following SQL query:

    "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

    Simple SQL query. We get the first name and last name of the user. If the attacker enters '1' we get an output similar to this:

    ID: 1
    First name: admin
    Surname: admin

    So now the attacker may execute SQL commands. Now let's take a look at the "high security" setting of SQL injection on DVWA:

    <?php

    if (isset($_GET['Submit'])) {

        // Retrieve data
        $id = $_GET['id'];
        $id = stripslashes($id);
        $id = mysql_real_escape_string($id);

        // Only run the query if the (escaped) input looks like a number
        if (is_numeric($id)) {

            $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
            $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

            $num = mysql_numrows($result);

            $i = 0;

            while ($i < $num) {

                $first = mysql_result($result, $i, "first_name");
                $last  = mysql_result($result, $i, "last_name");

                echo '<pre>';
                echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
                echo '</pre>';

                $i++;
            }
        }
    }
    ?>

    This is a much better approach. Yes, it is still vulnerable, but it's a better approach. In this example we use PHP functions such as

    mysql_real_escape_string();

    And

    stripslashes();

    This is a good idea. This will prevent many SQL injection attacks. A determined and smart attacker can of course make it through this.

    A good idea is escaping special characters, so SQL injections are less likely. I am no PHP master, but mysql_real_escape_string() sounds pretty good.

    ---Break---

    0x04 [Works cited]
    http://www.pantz.org/software/mysql/mysqlcommands.html
    http://en.wikipedia.org/wiki/SQL_injection
    http://msdn.microsoft.com/en-us/library/ms161953.aspx

    I hope you enjoyed this simple but (hopefully) informative paper. If you'd like to practice SQL injection, please download Damn Vulnerable Web App
    http://www.dvwa.co.uk/

    --chroniccommand
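
The behaviour the paper walks through, as an added example that is not part of the original post or of DVWA: a Python script that builds a throwaway in-memory SQLite copy of the users table (the rows are constructed, modelled on the admin/admin row shown above) and runs the same lookup three ways. The vulnerable version pastes the input into the SQL text exactly as the DVWA "low" page does; the parameterized version binds the value; the validated version adds an integer allow-list check in front of the bound parameter, which is stricter than the is_numeric() check in the "high" page because it does not accept floats, exponents or leading whitespace. The helper names (lookup_vulnerable, lookup_parameterized, lookup_validated, try_stacked_query) are the example's own. One caveat the example makes visible: Python's sqlite3 module, like PHP's mysql_query(), executes one statement per call, so the stacked `; drop table users--` payload is rejected rather than run; it is drivers that allow multi-statement execution (mysqli_multi_query(), for instance) where that payload does real damage. The `1' OR '1'='1` payload needs no second statement and succeeds against the vulnerable lookup regardless.

```python
import sqlite3

# Constructed sample rows, modelled on the DVWA users table shown in the post.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]

# Same query as the PHP; the first form splices input in, the second binds it.
QUERY_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '{}'"
QUERY_PARAM = "SELECT first_name, last_name FROM users WHERE user_id = ?"


def build_db():
    """In-memory SQLite stand-in for the MySQL table the PHP talks to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_input):
    """DVWA 'low' behaviour: the raw input becomes part of the SQL text."""
    return conn.execute(QUERY_TEMPLATE.format(user_input)).fetchall()


def lookup_parameterized(conn, user_input):
    """The value travels separately from the SQL, so quotes in it are just data."""
    return conn.execute(QUERY_PARAM, (user_input,)).fetchall()


def is_valid_user_id(user_input):
    """Allow-list check: a user_id is a plain ASCII decimal integer, nothing else.

    Stricter than PHP's is_numeric(), which also accepts floats, exponents
    and leading whitespace (hypothetical policy chosen for this example)."""
    return isinstance(user_input, str) and user_input.isascii() and user_input.isdigit()


def lookup_validated(conn, user_input):
    """Input validation plus a bound parameter: the hardened form."""
    if not is_valid_user_id(user_input):
        raise ValueError("user_id must be a decimal integer")
    return conn.execute(QUERY_PARAM, (int(user_input),)).fetchall()


def try_stacked_query(conn, user_input):
    """Feed a "'; ...--" payload to the vulnerable lookup and report what happened.

    Python's sqlite3 refuses more than one statement per execute() call (older
    versions raise sqlite3.Warning, newer ones ProgrammingError), so the stacked
    DROP TABLE from the post is rejected here; a driver that allows
    multi-statement execution would run it."""
    try:
        lookup_vulnerable(conn, user_input)
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected: one statement per execute()"


if __name__ == "__main__":
    db = build_db()
    for payload in ("1", "1' OR '1'='1"):
        print(repr(payload))
        print("  vulnerable:    ", lookup_vulnerable(db, payload))
        print("  parameterized: ", lookup_parameterized(db, payload))
        print("  validated:     ", "accepted" if is_valid_user_id(payload) else "rejected")
    print(repr("1'; DROP TABLE users--"), try_stacked_query(db, "1'; DROP TABLE users--"))
```

Running it, the vulnerable lookup returns one row for `1` and every row for `1' OR '1'='1`, while the parameterized lookup returns one row and no rows respectively, because the whole payload is compared as a single value against user_id.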
  • Xin
    Posts: 3,251
    True, be sure to distinguish between the normal SQL queries you run as a DB admin and the ones you inject into web forms, as they are slightly different.

    Examples: identify columns you can inject the command into.

    The comment syntax /* / --

    Nice article though :)
    Xin
  • chroniccommand
    Posts: 1,389
    Xin said:

    True, be sure to distinguish between the normal SQL queries you run as a DB admin and the ones you inject into web forms, as they are slightly different.

    Examples: identify columns you can inject the command into.

    The comment syntax /* / --

    Nice article though :)



    Yes, it wasn't much of a "tutorial". I focused mainly on showing how SQL injection works and what happens with the SQL queries.
  • Xin
    Posts: 3,251
    chroniccommand said:

    Yes, it wasn't much of a "tutorial". I focused mainly on showing how SQL injection works and what happens with the SQL queries.

    It's nice to see something different than the classic union all select 1,2,3 etc. There are hundreds of other ways to inject than that lol.
    Xin
  • chroniccommand
    Posts: 1,389
    Xin said:

    It's nice to see something different than the classic union all select 1,2,3 etc. There are hundreds of other ways to inject than that lol.

    There are too many to count lol. I have a paper on that in books.tar.gz, going from SQLi to full operating system control. It's pretty advanced.
  • Xin
    Posts: 3,251
    If you have TeamViewer I'll show you my SQL injection slideshow that I'm working on; it's pretty advanced.
    Xin
  • chroniccommand
    Posts: 1,389
    Xin said:

    If you have TeamViewer I'll show you my SQL injection slideshow that I'm working on; it's pretty advanced.



    PM me I'm interested. I'm not much into web exploitation but I'd love to see it.