Module 14 V 30

Document Sample
Module 14 V 30 Powered By Docstoc
Ethical Hacking


Module XIV
SQL Injection
Module Objective

- What is SQL Injection?
- Exploiting the weakness of Server Side Scripting
- Using SQL Injection techniques to gain access to a system
- SQL Injection Scripts
- Attacking Microsoft SQL Servers
- MSSQL Password Crackers
- Prevention and Countermeasures
EC-Council
Introduction - SQL Injection

OLE DB Errors

The user-filled fields are enclosed by single quotation marks ('), so a simple test of the form is to submit a lone (') as the username. Let us see what happens if we enter ' in a form that is vulnerable to SQL injection.

If the application responds with an OLE DB error, then we can try SQL injection techniques.
Input Validation attack

Input validation attack occurs here on a website
Login Guessing & Insertion

- The attacker can try to log in without a password. Typical usernames would be 1=1 or any text within single quotes.
- The most common problem seen on Microsoft MS-SQL boxes is the default <blank> sa password.
- The attacker can try to guess the username of an account by querying for similar user names (ex: 'ad%' is used to query for "admin").
- The attacker can insert data by appending commands or writing queries.
Shutting Down SQL Server

- One of SQL Server's most powerful commands is SHUTDOWN WITH NOWAIT, which causes it to shut down, immediately stopping the Windows service.
  Username: ' ; shutdown with nowait; --
  Password: [Anything]
- This can happen if the script runs the following query:
  select userName from users where userName=''; shutdown with nowait; --' and user_Pass=''

Extended Stored Procedures

- There are several extended stored procedures that can cause permanent damage to a system.
- We can execute an extended stored procedure using our login form with an injected command as the username as follows:
  Username: ' ; exec master..xp_xxx; --
  Password: [Anything]
  Username: ' ; exec master..xp_cmdshell 'iisreset'; --
  Password: [Anything]
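The usernames on this slide and on the "Shutting Down SQL Server" slide share a shape: a closing quote, a statement separator, a second statement (SHUTDOWN or exec master..xp_cmdshell) and a comment marker. From the defender's side, that shape is what a web-server log review looks for. The Python script below is an added example, not part of the EC-Council deck: it parses constructed Common Log Format lines (not captured traffic), URL-decodes each query-string parameter and flags the patterns these slides describe. The rule set, the sample log and the login.asp/search.asp paths are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed detection rules, modelled on the payload shapes shown on the slides.
# They are an illustration to tune for your own application, not a vendor rule set.
RULES = [
    ("quote_then_comment", re.compile(r"'.*--")),
    ("chained_statement", re.compile(r";\s*(shutdown|exec|select|insert|update|delete|drop)\b", re.I)),
    ("extended_procedure", re.compile(r"\bxp_\w+", re.I)),
    ("shutdown", re.compile(r"\bshutdown\b", re.I)),
    ("tautology", re.compile(r"\b(\w+)\s*=\s*\1\b")),   # 1=1 and friends
]

# Common Log Format: ip ident user [timestamp] "METHOD path PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real traffic). The two 10.0.0.9 requests carry the
# URL-encoded usernames from the SHUTDOWN and xp_cmdshell slides.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login.asp?user=alice&pass=s3cret HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /login.asp?user=%27%3B%20shutdown%20with%20nowait%3B%20--&pass=x HTTP/1.1" 500 120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login.asp?user=%27%3B%20exec%20master..xp_cmdshell%20%27iisreset%27%3B%20--&pass=x HTTP/1.1" 500 120
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search.asp?q=O%27Brien HTTP/1.1" 200 900
"""


def parse_line(line):
    """Return {ip, status, params} for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    # parse_qsl percent-decodes, so %27 becomes ' and %3B becomes ;
    params = dict(parse_qsl(query, keep_blank_values=True))
    return {"ip": m.group("ip"), "status": int(m.group("status")), "params": params}


def inspect_params(params):
    """Return (parameter name, rule name) pairs for every rule that fires on a decoded value."""
    hits = []
    for name, value in params.items():
        for rule_name, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule_name))
    return hits


def scan_log(text):
    """Scan log text and return one alert per request whose parameters trip a rule."""
    alerts = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        hits = inspect_params(record["params"])
        if hits:
            alerts.append({"ip": record["ip"], "status": record["status"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A lone apostrophe (the O'Brien request) is deliberately not an alert on its own, because legitimate data contains apostrophes; the rules fire on a quote combined with a comment marker or a chained statement. The HTTP 500 beside each flagged request is the verbose-error signal that the Preventive Measures slide says to switch off, and it is worth correlating with the parameter hits.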

SQL Server Talks!

This command uses the 'speech.voicetext' object, causing the SQL Server to speak:

Hacking Tool: SQLDict

http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl

"SQLdict" is a dictionary attack tool for SQL Server. It lets you test if the accounts are strong enough to resist an attack or not.

Hacking Tool: SQLExec

This tool executes commands on compromised Microsoft SQL Servers using the xp_cmdshell stored procedure. It uses the default sa account with a NULL password, but this can be modified easily.
USAGE: SQLExec www.target.com

Hacking Tool: sqlbf

http://www.cqure.net/tools.jsp?id=10

- Sqlbf is a SQL Server Password Auditing tool. This tool should be used to audit the strength of Microsoft SQL Server passwords offline. The tool can be used either in BruteForce mode or in Dictionary attack mode. The performance on a 1GHz Pentium (256MB) machine is around 750,000 guesses/sec.
- To be able to perform an audit, one needs the password hashes that are stored in the sysxlogins table in the master database.
- The hashes are easy to retrieve although you need a privileged account to do so, like an sa account. The query to use would be:
  select name, password from master..sysxlogins
- To perform a dictionary attack on the retrieved hashes:
  sqlbf -u hashes.txt -d dictionary.dic -r out.rep
Hacking Tool: SQLSmack

- SQLSmack is a Linux-based Remote Command Execution tool for MSSQL.
- When provided with a valid username and password on a remote MS SQL Server, the tool executes commands by piping them through the stored procedure master..xp_cmdshell.

Hacking Tool: SQL2.exe

- SQL2 is a UDP Buffer Overflow Remote Exploit hacking tool.

Preventive Measures

- Minimize Privileges of Database Connection
- Disable verbose error messages
- Protect the system account 'sa'
- Audit Source Code
  • Escape Single Quotes
  • Allow only good input
  • Reject known bad input
  • Restrict length of input
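The four "Audit Source Code" points, worked through against the login query from the earlier slides. This is an added example in Python using an in-memory SQLite table, not code from the EC-Council deck; the table (named users/userName/user_Pass after the slides), the two accounts and the username policy are constructed for the illustration. The vulnerable function builds the WHERE clause by string concatenation, exactly as the select userName from users where userName='...' query on the SHUTDOWN slide does, so the "1=1 inside single quotes" username from the Login Guessing slide returns every row. The hardened function uses placeholders, and the two helpers show the allow-list, length limit and quote-escaping countermeasures from the list above.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory users table mirroring the users/userName/user_Pass names on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, user_Pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "hunter2")])   # constructed sample accounts
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: the input becomes part of the SQL text (the flaw)."""
    query = ("SELECT userName FROM users WHERE userName='" + username
             + "' AND user_Pass='" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the values out of the statement's structure."""
    query = "SELECT userName FROM users WHERE userName=? AND user_Pass=?"
    return conn.execute(query, (username, password)).fetchall()


# Assumed allow-list policy: letters, digits, dot, dash, underscore; 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """'Allow only good input' and 'Restrict length of input' as one allow-list check."""
    return USERNAME_RE.fullmatch(username) is not None


def escape_single_quotes(value):
    """'Escape Single Quotes': a quote inside a SQL string literal is written as two quotes."""
    return value.replace("'", "''")


def demo():
    """Run the injected username through each variant and return what each one yields."""
    conn = build_db()
    injected = "' OR 1=1 --"          # the 1=1-in-quotes username from the Login Guessing slide
    return {
        "vulnerable": login_vulnerable(conn, injected, "anything"),
        "vulnerable_escaped": login_vulnerable(conn, escape_single_quotes(injected), "anything"),
        "parameterized": login_parameterized(conn, injected, "anything"),
        "validated": validate_username(injected),
        "legitimate": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

Placeholders are the primary control: the injected text is compared as a literal value and matches nothing. Escaping also neutralises this input, but it depends on the driver and character set getting every case right, which is why it sits below parameterisation in the list. Running the connection as a low-privilege account (the first Preventive Measure) is the complementary control: even a query that does get through cannot issue SHUTDOWN or reach xp_cmdshell.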

Summary

- SQL Injection is an attack methodology that targets the data residing in a database through the firewall that shields it.
- It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.
- Database footprinting is the process of mapping out the tables on the database and is a crucial tool in the hands of an attacker.
- Exploits occur due to coding errors as well as inadequate validation checks.
- Prevention involves enforcing better coding practices and database administration procedures.