Module_7-SQL_Injection-eWPTXv2-notes

Module 7 covers SQL Injection (SQLi) techniques, including Inband, Out-of-Band, and Inference attacks, detailing their methods and common exploitation techniques. It emphasizes the importance of gathering information about the database management system (DBMS), including version, structure, and user privileges. The module also discusses advanced SQLi exploitation methods, particularly through HTTP and DNS channels.

Uploaded by aamr671970
Copyright © All Rights Reserved

Module 7 - SQL Injection

SQL injection: introduction, Recap & More
Three major RDBMS

MySQL

Oracle

Microsoft SQL Server

main differences

Exploiting SQLi
Techniques Classification

Module 7 - SQL Injection 1


Attack Classes
INBAND

OUT-OF-BAND

INFERENCE

Inband Attacks
leverage the same channel used to inject the SQL code

most common and straightforward attack scenario

the result of the exploitation is included directly in the response from the vulnerable web app

most common techniques for this category:

UNION-based

Error-based

Out-of-Band (OOB)
uses alternative channel(s) to extract data from the server

contrary to Inband

it depends upon the back-end technologies implemented.

some include the following:

HTTP(s) requests

DNS resolution

E-mail

File System

used when all Inband techniques have failed.

when the only option is to use Blind techniques (Inference), reducing the number of queries is a must!

Not so common due to the level of complexity involved.

Inference Attacks (blind sqli)



most common techniques

BOOLEAN-BASED

TIME-BASED

Boolean-based

Time-based
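The following script is an added example, not part of the module's notes. It uses sqlite3 in place of MySQL/MSSQL/Oracle to show the two things the classification above describes: an Inband query, where the injected SQL is executed and its effect comes back in the same HTTP response, and the Boolean-based inference signal, where an always-true and an always-false appended condition produce different responses. The table, its rows and the function names are constructed for this example; the parameterised version is included so the contrast with the vulnerable one is visible.

```python
import sqlite3

# Constructed sample data: a tiny product table standing in for the vulnerable
# web app's back-end (sqlite3 here; MySQL, MSSQL or Oracle in the module).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "keyboard", 29.9), (2, "mouse", 12.5), (3, "monitor", 189.0)],
    )
    return conn

def lookup_vulnerable(product_id: str) -> list:
    """Inband pattern: the request parameter is concatenated into the SQL
    text, so anything it contains is executed and the result is returned in
    the same channel (the HTTP response) that carried the injection."""
    conn = build_db()
    query = "SELECT name, price FROM products WHERE id = " + product_id
    return conn.execute(query).fetchall()

def lookup_safe(product_id: str) -> list:
    """Parameterised query: the value is bound separately from the statement,
    so the input is only ever compared as data, never parsed as SQL."""
    conn = build_db()
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()

def condition_is_observable(lookup, product_id: str) -> bool:
    """Boolean-based inference check: does the application answer differently
    to an always-true and an always-false appended condition? If it does, the
    response is an oracle from which a blind attack recovers data one bit per
    request; a parameterised query gives no such signal."""
    always_true = lookup(f"{product_id} AND 1=1")
    always_false = lookup(f"{product_id} AND 1=2")
    return always_true != always_false

if __name__ == "__main__":
    print("vulnerable, id=1:        ", lookup_vulnerable("1"))
    print("vulnerable, id=1 AND 1=2:", lookup_vulnerable("1 AND 1=2"))
    print("safe, id=1 AND 1=1:      ", lookup_safe("1 AND 1=1"))
    print("oracle present (vulnerable):", condition_is_observable(lookup_vulnerable, "1"))
    print("oracle present (safe):      ", condition_is_observable(lookup_safe, "1"))
```

With the bound parameter, sqlite3 compares the whole string "1 AND 1=1" against the integer column and finds no match, so both probes return the same empty result and there is nothing to infer from; the concatenated version returns the row for the true condition and nothing for the false one, which is exactly the bit a blind attack reads.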

Gathering Information from the environment



our goals are gathering information

DBMS version

Databases structure

data

database users and their privileges

Identifying the DBMS

the first piece of necessary information we need is what DBMS version we are testing

Error Codes Analysis


forcing the vulnerable application to return an error message

Banner Grabbing
every DBMS has specific functions that return the current version

Educated Guessing
in case of BLIND scenario

Educated Guessing (String concatenation)



Educated Guessing (Numeric Functions)

Educated Guessing (SQL Dialect)



Enumerating the DBMS content
list of all schemas

tables

columns

users

privileges

Databases - MySQL
INFORMATION_SCHEMA → contains all the metadata required.

all information about the other databases is stored within the table SCHEMATA

SELECT schema_name FROM information_schema.schemata;

DATABASE() - current database name

SCHEMA()

MYSQL INFORMATION FUNCTIONS

Databases - MSSQL



SELECT name FROM SYS.databases;

DB_NAME() → Current database name

Databases - Oracle
a TABLESPACE is the place where Oracle stores database objects like tables, indexes, etc.



Databases - Tables & Columns - MySQL

SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;

SHOW TABLES; # current schema

SHOW TABLES IN EMPLOYEES; #other database

Databases - Tables & Columns - MSSQL

ALL_TAB_COLUMNS

SELECT column_name FROM SYS.ALL_TAB_COLUMNS;

SELECT column_name FROM ALL_TAB_COLUMNS;

Databases - Tables & Columns - ORACLE



SELECT NULL,NULL FROM DUAL;

Database Users and Privileges


MySQL
User() → function

Current_user() → function

Session_user() → function

Current_user → constant

SELECT name FROM SYSLOGINS;



ORACLE



Advanced SQLi exploitation
Out of band exploitation via HTTP
Oracle → UTL_HTTP

HTTPURIType

URIType

UTL_HTTP.REQUEST

the .REQUEST function can be used straight in a SQL query

REQUEST_PIECES must be used within a PL/SQL block.

UTL_HTTP is identified as a security concern, so it is often disabled

HTTPURIType is not marked as a risky method.

can be used as a potential way in



Out of band exploitation via DNS
mysql

mssql
provoking DNS requests by using UNC paths



Oracle
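As an added example that is not part of the module's notes, here is a detector written from the defender's side for the channels covered in the Inference and Advanced SQLi sections above: Boolean-based and Time-based probes, Oracle HTTP out-of-band calls (UTL_HTTP.REQUEST, HTTPURIType, URIType) and the UNC-path trick that forces a DNS lookup. The indicator names, the regular expressions and the access-log lines are constructed for this example; 203.0.113.10 is a documentation address standing in for an attacker-controlled host, and the patterns are illustrative rather than a complete WAF ruleset.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Indicators for the injection channels the module describes. Names and
# patterns are assumptions made for this example.
INDICATORS = {
    "boolean_based": re.compile(r"\b(AND|OR)\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "time_based":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "oob_http":      re.compile(r"\b(UTL_HTTP\.REQUEST(_PIECES)?|HTTPURITYPE|URITYPE)\b", re.I),
    "unc_path_dns":  re.compile(r"\\\\[\w.-]+\\"),   # \\host\share forces name resolution of host
}

# Request line, status and size out of an Apache combined-style log entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)'
)

def decode_target(target: str) -> str:
    """Decode the request target twice so that single- and double-encoded
    payloads are both seen in clear text by the patterns."""
    return unquote_plus(unquote_plus(target))

def classify_request(target: str) -> list[str]:
    """Return the names of the indicators that match the decoded target."""
    decoded = decode_target(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Run the indicators over access-log lines; returns (line number,
    decoded target, matched indicators) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        matched = classify_request(m.group("target"))
        if matched:
            hits.append((n, decode_target(m.group("target")), matched))
    return hits

# Constructed sample log: one benign lookup, one boolean probe (note the
# smaller response), one time-based probe, one Oracle HTTP call, one
# double-encoded UNC path, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product?id=3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /product?id=3%20AND%201=2 HTTP/1.1" 200 87',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /product?id=3%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:51 +0000] "GET /product?id=1%20AND%20UTL_HTTP.REQUEST(%27http://203.0.113.10/%27)%20IS%20NOT%20NULL HTTP/1.1" 500 143',
    '10.0.0.5 - - [10/Oct/2023:13:55:58 +0000] "GET /report?path=%255C%255C203.0.113.10%255Cx HTTP/1.1" 200 301',
    '10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, target, matched in scan_log(SAMPLE_LOG):
        print(f"line {n}: {matched} <- {target}")
```

Two design points worth noting: the target is decoded twice because the UNC line is double-encoded (%255C becomes %5C and then a backslash), and the log entry is kept alongside the match so that the response size can be compared between the benign and the boolean-probe requests, which is the same signal an inference attack relies on.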
