Attacking Web Datastore - Page 3

Oops, we omitted the “--” characters and are informed that the “sa_Get” user does not
exist. Still, this is instructive in deducing the original form of the SQL query, as well as
demonstrating the importance of correct SQL grammar. The URL should appear as:
https://www.victim.com/DataList.asp?Page=24&PageName=sp_who2+sa--
Unfortunately, this returns an HTML page that contains the column names for the
sp_who2 command, but not its output. In this scenario we were limited to procedures
that return a single string, such as the server’s name or the software’s version number.
It would take multiline SQL statements to gather more verbose information.
Let’s back up a second and demonstrate why this works. We submit only the
comment (--) and examine the output:


Sent - https://www.victim.com/DataList.asp?Page=2&PageName=--
Received - https://www.victim.com/Error.asp?log=True&ec=4&en=-2147217900&ed=Line+1%3A+Incorrect+syntax+near+%27exec%27%2E&es=Microsoft+OLE+DB+Provider+for+SQL+Server&pn=RL%2Einc&fn=ExecuteSP


As you can see, the abruptly terminated SQL statement ends with an exec command.
All we have been doing is providing stored procedure names for the application to execute.
As a parting thought, consider that we do not even need to return data in
the error field. If we can perform SQL injection, then we most likely have access to
xp_cmdshell, an extended stored procedure that provides the equivalent of cmd.exe. We
run tcpdump on our own system, then try a ping. If we see any incoming ICMP traffic, then it
won’t take long to build a back-channel into the database. Note that the incoming traffic
probably won’t come from the IP address of www.victim.com. The database server is making the
connection, so the source address could be a neighboring server, a connection made
through a NAT firewall, or there may be no connection at all if strong network controls are
in place on victim.com’s network.


https://www.victim.com/DataList.asp?Page=24&PageName=master..xp_cmdshell+'ping+192.168.90.12'--


The SQL injection process uses an iterative methodology. You first try a single invalid
character and examine the effect. Then you try a simple SQL command and examine the
effect. Eventually, you’ll reach the point where you have the correct number of ticks,
parentheses, or other formatting characters.
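The probing sequence above leaves a recognisable trail in the web-server logs: a bare comment terminator, the sp_who2 and xp_cmdshell procedure names, and a redirect to Error.asp carrying a verbose OLE DB syntax error. The following detection script is an added example, not code from the original article; it runs over a constructed log sample (client IP and request path per line; sp_MyReport is a made-up benign procedure name) and counts findings per client.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of web-server log lines (client IP, request path); not real traffic.
SAMPLE_LOG = """\
10.0.0.7 /DataList.asp?Page=2&PageName=sp_MyReport
10.0.0.9 /DataList.asp?Page=2&PageName=--
10.0.0.9 /Error.asp?log=True&ec=4&en=-2147217900&ed=Line+1%3A+Incorrect+syntax+near+%27exec%27%2E&es=Microsoft+OLE+DB+Provider+for+SQL+Server&pn=RL%2Einc&fn=ExecuteSP
10.0.0.9 /DataList.asp?Page=24&PageName=sp_who2+sa--
10.0.0.9 /DataList.asp?Page=24&PageName=master..xp_cmdshell+'ping+192.168.90.12'--
"""

# Patterns that appear in the probing sequence described in the text.
SUSPICIOUS = [
    (re.compile(r"--"), "T-SQL comment terminator"),
    (re.compile(r"\bxp_cmdshell\b", re.I), "xp_cmdshell extended procedure"),
    (re.compile(r"\bsp_who2?\b", re.I), "sp_who/sp_who2 enumeration"),
    (re.compile(r"master\.\."), "cross-database reference to master"),
]

def inspect_request(ip, path):
    """Return a list of (ip, reason) findings for one logged request."""
    parts = urlsplit(path)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    findings = []
    if parts.path.endswith("Error.asp"):
        # A database error surfaced in the redirect URL: verbose errors leak query structure.
        desc = params.get("ed", [""])[0]
        if re.search(r"incorrect syntax", desc, re.I):
            findings.append((ip, "SQL syntax error disclosed: " + desc))
        return findings
    for name, values in params.items():
        for value in values:
            for pat, reason in SUSPICIOUS:
                if pat.search(value):
                    findings.append((ip, f"{reason} in parameter {name!r}: {value}"))
    return findings

def scan_log(text):
    """Inspect every line of the log and tally findings per client IP."""
    findings = []
    for line in text.splitlines():
        ip, path = line.split(" ", 1)
        findings.extend(inspect_request(ip, path))
    per_ip = {}
    for ip, _ in findings:
        per_ip[ip] = per_ip.get(ip, 0) + 1
    return findings, per_ip
```

Several findings from one client in a short window, especially a syntax-error redirect followed by procedure names, is the iterative pattern the text describes and is worth an alert rather than a single log entry.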
