- CGI is a common standard for web applications to interact with command-line executables;hence,CGI scripts were the most vulnerable to shellshock attack.
The semicolon(;)metacharacter in a SQL statement is used sililar to how it’s used in command injection to combine multiple queries on the same line.
One of the most useful SQL statements is the UNION,which combines the results of two statements into one set.can also query data from other tables on the database.The only constraint of using the UNION statement is that the number of columns and the data type in the both the queries should be same:
SELECT id,rackname,value FROM inventory WHERE id=10 UNION SELECT SSN,name,address FROM employees
**If the table that you want to query does not have the same number of columns,have to use padding to complete the statement.**As shown in the following example,the employees table only has two columns,so pasdded the remaining column with 1:
SELECT id,rackname,value FROM inventory WHERE id=10 UNION SELECT (SSN,name,1) FROM employees
To find the exact number of columns in the table of the first query,we can use the order by statement and ask the database to display results sorted by the column number.If the column number in the *order by *statement is larger than the number of columns in the table,an error will be retrrned.Using this error,you can determine the number of coulmns using trial and error method.The command is as follows:
SELECT name,location,age FROM contractors ORDER BY 5
The variable passed using the GET method is also often used to build a SQL statement.
The SQL injection flaw exists in the web application not on the database server.
Blind SQL injection
- The injected SQL query may fail to execute properly on the database due do a syntax error,or due to the query been invalid on that specific database tyep.If the application conceals the real error message generated by the databasee and displays a generic error message on the web page shoen to end user,it is known as a blind SQL injection
http://www.example.org/list.php?id=20 AND 1=1with the AND operator,we can force the query to suceed or fail entirely based on the injected data.If we had inject And 1=2(which is false),the application would load a different page.If the content of the page is different for both the true and false conditions,it can used by the attacker to determine the existence of the flaw.
Scanning for SQL injection:The first step should be to inspect input fields in HTML forms,script parameters in URL query strings,values stored in cookies,and hidden fieldss.Once these fields are identified,we need to fuzz data into then fields by injecting metachatacter,SQL statements,operators,and reserved words.This step can be done through manual or automated tecniques.Using tools such as Burp suite intruder various SQL injection staements can be tested against the input fields.
Information gathering:An Apache web server on Linux is more likely to use the MySQL database rather than an mssql database.to detect:
- nmap -sV IP
- use mysql_version in metasploit
If the parameter to be injected is passed using the POST method,an HTTP file can be provided as an input ot sqlmap that contain the header and the parameter.The HTTP file can be generated using a proxy such as Burp by copying the data displayed under the Raw tab when the traffic is captured.
Another way to test for SQL injection through the POST method is using the -dateoptoin.Following are the options used in the next example:
- --method:This will select the method(POSTorGET)
- --date:This will pass the parameters that are required for the POST method
- -p:This will specify the injectable field
sqlmap -u "http://onlinebookstore.org/login.php" --method POST --data loginName=admin&password=admin&submit=log+on -p "loginName" --dbs
Using sqlmap,read and write files on the database server by exploiting the injection flaw,which invokes the *load_file()*and *out_file()*functions on the target to accomplish it.
sqlmap -r /home/data/http_file1 --threads=5 --file-read=/etc/shadow;
sqlmap -r /home/data/http_file1 --threads=5 --file-write=/tmp/test_file --file-dest=/tmp/test1
BBQSQL-the blind SQL injection framework
Sqlninja-MSSQL injection:can be integrated with Metasploit,using which you can connect to the target server via a meterpreter session when the tool exploits the injection flaw and creats a local shell.Need configuration(save in usr/share/doc/sqlninja/sqlninja.conf.example).also need to specify the local IP to which the target will connect.**step-by-step HTML guide is included with the guide in /usr/share/doc/sqlninja/sqlninja-howto.html **
Sqlninja will start injecting SQL to exploit and will return a meterpreter session when donw.can gain complete control over the target.