Pages

SQL Injection1

SQL Injection...

Since the most popular web hacking technique is the sql injection I think you should learn about it. You should know a web scripting language(php is the most popular) and an sql database(MYsql is the most popular) to understand the sql injection. I thought in this topic we can share our knowledge and resources.

This is one of the documents I liked. It's written by cypherxero;




With the growing popularity of websites using the standard php/sql interfaces, a new and dangerous
type of attack is becoming more popular for hackers, and that is sql injection. sql, or Standard Query
Language, is a type of database specification for reading and writing information to a database. This is
used to create dynamic webpages with structured content, and other data types.

The problem is not actually a problem with the sql database itself, but rather how it is accessed
and used via the scripting language on the website. The standard scripting language on the web for
interacting with sql databases is php. The real issue lies with the php programmers not writing the sql
statements correctly, which can allow an attacker to inject their own commands directly to the sql
database. Here's a sample of php code that dynamically builds a sql command to be processed:

$sql = "select * from users where username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";

The sql command would look like this to the database:

select * from users where username='cypherxero' and password = '5f4dcc3b5aa765d61d8327deb882cf99';

This would lookup my username (cypherxero), and then compare the password hash with the one in the
database. If they're the same, then I'm authenticated, and logged in. The problem with this statement is
that there is no sanitation on the user input, so if you entered your own sql command, say for this login
box, then you can bypass authentication!

Consider this sql Statement:

' OR 1=1--

Inserting this into the sql command that already exists, we get this:

select * from users where username='' OR 1=1--' and password = '5f4dcc3b5aa765d61d8327deb882cf99';

This statement would return true (since 1 does equal 1), and the rest of the sql statement after the
double-dashes will be commented out, and the system will return the first username in the database, and
log you into the system as the first user (most likely admin) without the need for a password!

Other ways of using sql injections is with http get statements that pass variables onto the database.
Let's take a look at a real sql injection I found a few weeks ago, in a component on the Joomla CMS. I
first discovered this flaw while doing some random web app sec testing on one of my friend's company's
website. Let's take this url from her site:

http://www.klochko.com/index.php?option=com_philaform&&Itemid=34&form_id=5

As you can tell, we're passing the variables option, Itemid, and form_id to index.php, and the php script
is passing those variables onto the sql database. Let's see what happens when I insert a single tick mark
at the end of the last variable:

You have an error in your sql syntax; check the manual that corresponds to your Mysql server version for
the right syntax to use near \'\\' order by ordering ASC\' at line 1 sql=select * from
jos_philaform_detail where form_id=5\\' order by ordering ascno elements defined

Since we passed a variable that the database didn't know what to do with, it freaked out and returned an
error message. Now, any sane person that's not a hardcore geek would just think something wrong happened,
and try another website. Not me. I knew right then from seeing that message that I had a sql injection,
and that I wanted to see what I could do. I searched google, milw0rm, packetstorm, and securityfocus, and
couldn't find a sql injection for Phil-a-Form, which upon further research, was a piece of software for
Joomla to add extra functionality. So, I figured either it was impossible to get an injection and had been
done before without any luck, or that no one had found it yet. It turns out no one had found it yet, and
now it was a race against the clock to find a proof-of-concept injection and submit it before someone else
found it.

There's a nice little sql command called union that combines data from more than one table into one
output, and that's what I was going to need. My goal was to get the administator password (in MD5 hash
format) from the database. The sql statement from the error messaged helped me understand what was going
on with the query, and helped me write my injection. I knew that it was pulling data from the sql database
for the forms that were on the page. I needed to combine that form table and data from another table onto
one page. I did some research on Joomla, and found the list of the default sql tables, and the format that
they were in. I knew I needed to pull the password from the jos_users table, and that the password field
was called password.

Since union commands need to keep the columns the same for both tables, there were a lot more tables in
the jos_philaform table than in the users table, so to keep the tables the same for the union command, I
had to fill the injection string with enough nulls to make them the same. Since Phil-a-Form is
pay-software, I didn't feel like putting my money down on software that I don't need, so it was just a
matter of trial and error until I had the correct column size. The final sql injection string looked
looked like this:

union select null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
from jos_users --

This statement, put on the end of the "form_id=5", pulled the password has from the database, and returned
it to me on the page. The final result was the form on the page, but at the very bottom, a nice little
error message, with, lo and behold, the MD5 hash of the first user in the table, the administrator.

Fatal error: Cannot instantiate non-existent class: philaform_5f4dcc3b5aa765d61d8327deb882cf99 in
/home/klochko/public_hhtml/components/com_philaform/philaform.class.php on line 437

There it was, what I was looking for, the password in MD5. All that was left was to crack it using rainbow
tables, and then if I was malicous, to log into admin and deface the website, or do whatever I wanted at
that point. My friend's website has since been upgraded to the newer version of Phil-a-Form, and no, that
is not the real admin hash, I don't think they would make their password "password".

0 comments:

Blog Archive