Database Fingerprinting (SQL injection)

Hi everybody, this is the first article on this blog, so I wanted to write about a basic subject. I may make mistakes in English grammar. (Sorry for my bed england :D ). In this article I will cover database fingerprinting from SQL injection. I assume you know fundamental SQL injection (this article is about fundamental SQLi, too :D).

There are small differences between database management systems, and understanding the underlying DBMS is important for us: only then can we fully exploit the vulnerability. We are now going to see the different techniques that can be used to fingerprint a database from an SQL injection.

Firstly, we should look at the error message, because there may be information in it (unless it is blind SQL injection).
For example:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '88''.
/index.asp, line 269

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

You can see that these error messages reveal the DBMS: the first one is Microsoft SQL Server, the second one is MySQL.
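The same error-message matching, as an added example that is not part of the original post: a small Python scanner that runs over stored HTTP response bodies (constructed samples here) and reports which DBMS each leaked error reveals. The SQL Server and MySQL fragments are the messages quoted above; the PostgreSQL and Oracle fragments are their common driver wordings and are an assumption, not taken from this article. Defenders can use it to check their own application's responses for error leakage.

```python
import re

# DBMS-specific error fragments. The SQL Server and MySQL ones are the
# messages quoted above; the PostgreSQL and Oracle ones are their common
# driver wordings (assumption, not taken from this article).
ERROR_SIGNATURES = {
    "Microsoft SQL Server": [
        r"Microsoft OLE DB Provider for SQL Server",
        r"Unclosed quotation mark before the character string",
    ],
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"corresponds to your MySQL server version",
    ],
    "PostgreSQL": [r"ERROR:\s+syntax error at or near", r"pg_query\(\)"],
    "Oracle": [r"ORA-\d{5}", r"quoted string not properly terminated"],
}

def fingerprint_dbms(body):
    """Return (dbms, matched_fragment) if body leaks a DBMS error, else None."""
    for dbms, patterns in ERROR_SIGNATURES.items():
        for pat in patterns:
            m = re.search(pat, body)
            if m:
                return dbms, m.group(0)
    return None

def scan_responses(responses):
    """Map request id -> (dbms, fragment) for every body that leaks an error."""
    findings = {}
    for rid, body in responses:
        hit = fingerprint_dbms(body)
        if hit:
            findings[rid] = hit
    return findings

# Constructed sample responses (not real captures); r3 is a clean page.
SAMPLE_RESPONSES = [
    ("r1", "Microsoft OLE DB Provider for SQL Server error '80040e14'\n"
           "Unclosed quotation mark before the character string '88''."),
    ("r2", "You have an error in your SQL syntax; check the manual that "
           "corresponds to your MySQL server version for the right syntax"),
    ("r3", "<html><body>Product 12: Widget</body></html>"),
    ("r4", "Warning: pg_query(): Query failed: ERROR:  syntax error at or near"),
]

if __name__ == "__main__":
    for rid, (dbms, frag) in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{rid}: {dbms} (matched {frag!r})")
```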

The second way is to ask the database to identify itself, with a version query that is specific to each DBMS:

Oracle:      SELECT banner FROM v$version
             SELECT version FROM v$instance
Microsoft:   SELECT @@version
PostgreSQL:  SELECT version()
MySQL:       SELECT @@version
For example: [the example output was not preserved]
Finally, Inference Database Fingerprinting...

Inference Database Fingerprinting:

Our last resort is to submit SQL segments that are only valid for one DBMS. If the injected segment executes correctly, we can conclude which database is used. However, the process differs depending on the type of the vulnerable parameter (numeric or string).

Numeric input: If the function injected into the vulnerable parameter is not recognized by the DBMS, an error will be thrown. Otherwise, the function will be executed and the returned value will be integrated into the query.


MySQL:      POW(1,1)
Oracle:     BITAND(1,1)
SQL Server: SQUARE(1)


For example:
http://site.com/sayfa.php?id=12
http://site.com/sayfa.php?id=12-POW(1,1)
(All functions listed return 1, so no error will be thrown where the function exists: on MySQL the second request evaluates to id=11 and returns that record, while a DBMS that does not know POW() returns an error instead.)
String input: The same idea applies to string input, using the string concatenation syntax that is specific to each DBMS.

Oracle:      'foo'||'bar'
Microsoft:   'foo'+'bar'
PostgreSQL:  'foo'||'bar'
MySQL:       'foo' 'bar' [Note the space between the two strings]
             CONCAT('foo','bar')


Inference database fingerprinting may also be used with blind SQL injection, because we only need to observe whether the injected segment executes or fails. For example: [the example was not preserved]
I have written about DB fingerprinting from SQL injection. I hope I wrote clearly. If I made a mistake, forgive me and tell me :D Good days.

https://portswigger.net/web-security/sql-injection/cheat-sheet
