Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

1x03 Sql Injection Techniques

eZine's profile picture
eZine lover (@eZine)
Published in 
phearless
 · 14 Jan 2024

                                 
                            ................... 
                      ...::: phearless zine #1 :::...                        

....................>---[ Sql Injection Techniques ]---<.................... 

.........................>---[ by De1Rekt0n ]---<........................... 
                                                 mil0s[at]headcoders[dot]net 

\0x1 - Uvod u SQL 
\0x2 - SQL komande 
\0x3 - Primena 
\0x4 - Napadi 
	[Tipovi napada] 
	~Unauthorized data access 
	~Authentication bypass 
	~Database modification 
\0x5 - Zakljucak 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 1. Uvod u SQL  
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

Baza podataka sama po sebi je strukturna kolekcija unosa,  
najpoznatije baze podataka su: Oracle, Microsoft SQL Server,  
MySQL ili PostgreSQL itd... 
Tabelama pristupamo preko upita(query), zato se i ovo zove  
Structured Query Language(SQL). 
Vecina software-a na internetu koristi baze podataka, od foruma pa 
sve do raznih portala. 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 2. SQL komande 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

Napravicu jednu tabelu sa osnovnim SQL komandama i njihovim 
objasnjenjima. SQL poseduje mnogo vise komandi ali ove su osnovne. 

+-----------+-------------------------+-----------------------------+ 
|SQL Komanda| Funkcionalnost          | Primer                      | 
+-----------+-------------------------+-----------------------------+ 
|SELECT     |Izlistaj podatke iz baze |SELECT * FROM neka_tabela    | 
+-----------+-------------------------+-----------------------------+ 
|UNION      |Kombinuj upite nekoliko  |SELECT prvi, drugi FROM      | 
|           |SELECT NAREDBI           |neka_tabela WHERE Ime='Pera' | 
|           |                         |UNION SELECT prvi,drugi FROM |  
|           |                         |neka_tabela2 WHERE Ime='Pera'| 
+-----------+-------------------------+-----------------------------| 
|INSERT     |Ubacivanje novog podatka |INSERT INTO neka_tabela(Ime, | 
|           |u tabelu i pravljenje    |Prezime)                     | 
|           |novog reda u tabeli      |VALUES('Pera','Peric');      | 
+-----------+-------------------------+-----------------------------+ 
|UPDATE     |Izmena podataka          |UPDATE neka_tabela           | 
|           |                         |set Pol='m' WHERE Ime='Pera';| 
+-----------+-------------------------+-----------------------------+ 
|DELETE     |Birsanje podataka        |DELETE FROM neka_tabela      | 
|	    |			      |WHERE Ime='Pera';            | 
+-----------+-------------------------+-----------------------------+ 
|DROP       |Brisanje tabele iz baze  |DROP TABLE neka_tabela;      | 
+-----------+-------------------------+-----------------------------+ 

Ove komande se mogu izvrsavati na vise nacina, najjednostavniji je iz 
shell-a: 

#mysql 
$ use BAZA; 
$ SELECT COUNT(*) FROM users; 
2333 

Prva komanda sluzi da bi se odabrala baza sa kojom se radi, druga 
selektuje broj podataka iz tabele users. 
Svaka komanda mora da se zavrsava sa ";" kako bi se oznacio kraj komande. 
Pre nego sto krenemo na exploitovanje moramo nauciti koriscenje SQL-a i 
neke osnovne komande. 

Vecina portala i foruma se zasniva na tome da scripting jezik 
prosledjuje komande bazi podataka, i iz nje vadi podatke koje posle, 
obradjuje i vraca clientu. 
Na primer PHP-Nuke je tako napravljen, koriscenjem PHP-a(Hypertext 
Preprocessor) i mySQL-a. 
Dinamicki generisane HTML stranice salju se clientu i tako radi svaki 
forum ili portal, da se nebi cuvala svaka HTML stranica na serveru, one 
se dinamicki generisu pozivanjem SQL upita i obradom rezultata upita. 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 3. Primena  
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

Evo nekoliko upita u PHP-u: 

SELECT main_module from ".$prefix."_main 

SELECT * FROM ".$prefix."_referrer 

SELECT pwd FROM ".$prefix."_authors WHERE aid='$aid' 

SELECT user_password FROM ".$user_prefix."_users WHERE user_id='$uid' 

SELECT active FROM ".$prefix."_modules WHERE title='$module' 

SELECT topicname FROM ".$prefix."_topics WHERE topicid='$topic' 

SELECT mid, title, content, date, expire, view FROM ".$prefix."_message  
WHERE  active='1' $querylang 

Primetili ste mozda znak $, sve sto pocinje sa ovim znakom oznacava, 
promenljivu u PHP-u, znaci ako bi scripta izgledla ovako: 

<?php 
echo "$Ime"; 
?> 

Mi bi pozivanjem "scripta.php?Ime=Pera" zadali promenljivoj vrednost Pera 
tu se najcesce desavaju greske u php programima stvar je u globalnim 
promenljivima koje se mogu izmeniti, o tome se i ogleda ceo trik ovoga. 
Da promenimo promenljivu i time promenimo SQL upit. 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 4. Napadi  
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

Vec ste u predhodnom delu uvideli da SQL napad nije napad na bazu, vec 
napad na aplikaciju i koriscenje baze podataka. Od ovakvih napada se ne 
moze odbraniti, zapravo rec je o tome da su aplikacije traljavo napisane. 
Mada malo vise paznje na kod i uopste na pisanje moze znacajno smanjiti 
mogucnost ovakvog napada. 
Takodje mozete primetiti da se ceo vid ovog napada svodi na izmenu upita, 
i pravljenjem sopstvenog upita. 
Jos nesto, ovi napadi su multi-platformski znaci ne zavise od sistema, 
na kome se nalaze. 

 
---< 4.1 Tipovi napada 

Unauthorized data access - Izmena upita i uzimanje podataka koji nebi  
trebali biti dostupni. 

Authentication bypass - Sama rec kaze izbegavanje autorizacije, i 
pristup delu sajta na kome nemate pristup. 

Database modification - Izmena podataka u bazi, mozete brisati editovati 
svaki podatak bez autorizacije. 

---< 4.2 Unauthorized data access 

Sada krecemo na pravu stvar, do sada ste naucili osnove, kako sad 
upotrebiti to i videti ono sto niste mogli do sada. 
Glavna caka je u, kako smo vec rekli, SQL upitima i njihovim izmenama. 
Na primer pogledajmo ovaj upit: 

SELECT Ime, Prezime FROM clanovi; 

U ovakvom upitu, sql injection je nemoguc. Pogledajmo sad ovaj primer: 

SELECT Ime, Prezime FROM clanovi WHERE $Username=$User_Clana 

Vec vidite da ovde postoji potencijalna ranjivost u SQL upitu. 
Zapravo ovde necete moci bog zna sta da uradite ali cete moci da, 
dobijete podatke o necemu sto niste mogli ranije dobiti. 
Sad pogledajte ovaj primer: 

$Username   = "Pera" 
$User_Clana = "Pera" 

SELECT Ime, Prezime FROM clanovi WHERE $Username=$User_Clana; 

Ovako nesto nije ranjivo, ali zato ovako nesto: 

$Username = "Pera" 

SELECT Ime, Prezime FROM clanovi WHERE $Username=$User_Clana; 

Gde se $User_Clana uzima iz inputa, zamislite sad ovako nesto, 
vi posaljete scripti za promenljivu $User_Clana: OR 1=1 
Time vi bi ste promenili upit i tada bi upit bio ovakav: 

SELECT Ime, Prezime FROM clanovi WHERE $username=Nesto OR 1=1; 

Time se totalno menja upit posto 1=1 je true, on ce proslediti upit, 
i uzece podatke iz baze za bilo koji username koji mu posaljete. 
Ovde nije rec o ranjivosti same baze, vec o ranjivosti date scripte. 
Ovakve greske cete tesko vidjati ali opet ih ima, danas je vecina 
programera priuceno i cesto se desava da prave ovakve elementarne 
greske. 
Sad cemo probati malo komplikovanije metode, gde cemo doraditi 
upite kako bi mogli da uzmemo jos neke podatke. 
Na primer kada bi smo hteli da pogledamo sta ima u nekoj drugoj 
tabeli, tada koristimo naredbu UNION, kao sto smo predhodno 
rekli UNION sluzi kako bi se formirala 2 razlicita upita u jedan 
i kako bi se vratio rezultat oba. 
Uzmimo predhodni primer: 

SELECT Ime, Prezime FROM clanovi WHERE $Username=$User_Clana; 

Da zamislimo da postoji tabela "admini", tada bi formirali 
ovakav upit: 

SELECT Ime, Prezime FROM clanovi WHERE $Username=$User_Clana UNION 
ALL SELECT Ime, Prezime FROM admini; 

Naravno ovo bi trebalo ubaciti u promenljivu $User_Clana: 

$User_Clana = "nesto UNION ALL SELECT Imre, Prezime FROM admini" 

Tamo gde pise nesto, to je skroz zanemarljivo, vazno je ovo sto 
ide posle toga, sada vidite da smo izmenili upit i time vratili 
sve podatke polja Ime, Prezime iz tabele admini. 
Nekada je sve ovo malo teze, a to je kad se upit radi ovako: 

SELECT Ime, Prezime FROM clanovi WHERE Username='$User_Clana' 

Sta znace '', pa to znaci da se radi o stringu, sada bi se morali 
resiti ovih navodnika sto je nekada poprilicno tesko... 

 
---< 4.3 Authentication bypass 

Do sada smo naucili neke trikove, vreme je da ih unapredimo, 
zapravo sada cemo nauciti kako da obmanemo scriptu i dobijemo 
pristup tamo gde ga nemamo. 
Evo jednog primera za proveru Username-a i Passworda: 

SELECT login FROM admin_users WHERE login = $login_in  
AND password=$password_in 

Kako ovo radi? Pa korisnik popuni forme koje prosledjuju 
username i password scripti koja dalje obradjuje te podatke. 
U ovom slucaju to su promenljive $login_in i $password_in. 
Zamislite da tabela admin_users izgleda ovako: 

+----------+-------------+ 
|login     |Password     | 
+----------+-------------+ 
|Pera      |Pera123      | 
+----------+-------------+ 
|admin     |blahblah     | 
+----------+-------------+ 
|Djoka     |qwerty       | 
+----------+-------------+ 

Scripta proverava tacnost oba polja i ako vrati true 
prosledi dalje. 
Mozete predpostaviti da ce ovde OR opet odraditi stvar: 

SELECT login FROM admin_users WHERE 
login = $login_in AND password=$password_in OR 1=1 

Znaci $password_in mora da zadrzi ovako nesto: 

$password_in = "nekipass OR 1=1" 

Time bi upit vracao true i scripta bi nas prosledila 
u deo gde nemamo pristup. 

 

---< 4.4 Database modification 

 
Do sada smo radili samo sa SELECT upitima, da se malo osvrnemo na druge  
kao sto su INSERT, UPDATE, DELETE. 
Na primer registracija kod PHP-NUKE portala, ovako izgleda query za 
dodavanje korisinka u bazu: 

INSERT INTO ".$user_prefix."_users(user_id, username, user_email, user_website, 

user_avatar, user_regdate, user_password, theme, commentmax, user_lang, user_ 

dateformat) VALUES (NULL,'$name','$email','$url','$user_avatar','$user_ 

regdate','$pwd','$Default_Theme','$commentlimit','english','D M d, Y g:i a') 

Sta bi bilo kad bi ubacili nesto sto nije namenjeno. 
Kod nekih scripti SELECT upit ne moze da nam vrati ono sto nama treba, 
pa cemo iskoristiti INSERT u nase svrhe. 

$user='Djoka' 

$pwd='qwerty' 

Ako se ovo dobije scriptom upit izgleda ovako: 

INSERT INTO users (username, password) VALUES ('Djoka','qwerty'); 

Mi cemo to malo izmeniti: 

INSERT INTO users (username, password) VALUES ('Djoka','qwerty');  

INSERT INTO users  

(username, password, is_admin) VALUES ('hacked','w00t','yes') 

Ako bi napadac mogao da izmeni promenljivu $pwd da izgleda ovako: 

$pwd='qwerty'; INSERT INTO users (username, password, is_admin) VALUES  

('hacked','w00t','yes')' 

Time bi dodali novog usera koji je admin, cime bi imali admin privilegije. 

+------------------------+ 
|LISTA ATTACK STRINGOVA  | 
+------------------------+ 

+-------------+--------------------------------------------+ 
|String       | Rezultat                                   | 
+-------------+--------------------------------------------+ 
|'            | Provera da li aplikacija preskace ' je prvi|  
|             | korak nalazenja rupe, takodje i najlaksi   | 
|	      | nacin upotrebe SQL Injection-a             | 
+-------------+--------------------------------------------+ 
|'OR 1=1      | Ovo proizilazi iz onog gore, obmanjivanje  | 
|             | WHERE upita gde  1=1 uvek biti true.       | 
+-------------+--------------------------------------------+ 
|'OR 1=1'     | Malo drugacija verzija onog iznad          | 
+-------------+--------------------------------------------+ 
|;            | Provera da li aplikacija preskace ;        | 
|             | karakter, kako bi mogli dati vise upita    | 
|             | (Pokazano kod INSERT funkcije)             | 
+-------------+--------------------------------------------+ 

 
Imajte na umu to da morate preskociti neke karaktere kada primenjujete URL, 
na primer prazan prostor postaje "%20" karakter, po ASCII kodu. 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 5. Zakljucak 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

Vecina aplikacija na netu je jos uvek puno ovakvih propusta, sve sto  
treba uraditi je, imati strpljenja i malo razgledati  
po kodu open source foruma i portala. 
Ako ste dobar programer mozete napisati program koji ce da harvestuje po googlu 
i trazi ovakve propuste. 

                    =============================== 
                    |          LITERATURA         | 
                    =============================== 

SQL Injection: Are Your Web Applications Vulnerable?  
SPI Dynamics. (http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf ) 

Blind SQL Injection: Are Your Web Applications Vulnerable?  
SPI Dynamics. (http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf ) 

Advanced SQL Injection In SQL Server Applications. 
NGSS. (http://www.nextgenss.com/papers/advanced_sql_injection.pdf ) 

Advanced SQL Injection. 
NGSS. (http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf ) 

Blindfolded SQL Injection. 
WebCohort. (http://www.webcohort.com/Blindfolded_SQL_Injection.pdf ) 
-------------------------------------------------------------------------- 

Greetz to: cyberB, BaCkSpAcE, _bl00dZ3r0_, AcidCookie, Shatterhand, h4z4rd, 
BoyScout, DownBload, kUdtiHaEX, LekaMan, NIkolaVeber, B0RG ,fritz, EsC,  
SunDance i svima koje sam zaboravio...

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
15 May 2024
It’s kinda scary though
guest's profile picture
@guest
14 May 2024
Sabung Ayam Online
guest's profile picture
@guest
13 May 2024
I have fermented two different traditional and I am consistently having a Hydrogen Sulfide problem with my brews. It smells like a slight ro ...
guest's profile picture
@guest
13 May 2024
I made cider similar to this last year and it was an awesome base for Apple pie moonshine! It wasn't actual moonshine, but we blended th ...
DrWatson's profile picture
@DrWatson
12 May 2024
And also in this article the legendary civilization of Atlantis is present!
guest's profile picture
@guest
12 May 2024
I’ve read this digest for years. It has been a great source of mead making information.
guest's profile picture
@guest
11 May 2024
무섭다
guest's profile picture
@guest
10 May 2024
ㄷㄷㄷㄷ
guest's profile picture
@guest
9 May 2024
nice video
guest's profile picture
@guest
9 May 2024
Thank you for posting it. A lot of interesting infos how to make beer at home
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT