Hacking Module 14

Johnny decides to protest new university rules by exploiting vulnerabilities in the university website through SQL injection. The document discusses SQL injection techniques like discovering and attacking SQL servers, using scripts and tools, and ways to prevent SQL injection like input validation, limiting privileges, and auditing source code. It provides examples of how Johnny could have used these techniques like altering database contents and defacing the university website.
Copyright
© Attribution Non-Commercial (BY-NC)

NMCSP

2008 Batch-I

Module XIV
SQL Injection
Scenario

When the university imposed new rules for its admission program, the students opposed in unison. Their demands went unheeded and the rules were to be enforced from the start of the new academic year. Johnny, the students' representative, decided to strike back and voice their protest through the university website.

1. What can be in Johnny's mind?
2. What can Johnny do to increase the reach of the protests?
Module Objectives

• What is SQL Injection?
• Attacking SQL Servers
• Using SQL Injection techniques to gain access to a system
• SQL Injection Scripts
• Attacking Microsoft SQL Servers
• MSSQL Password Crackers
• Prevention and Countermeasures
Module Flow

1. Discovering SQL Servers to Attack
2. Attacking SQL Servers
3. SQL Injection Scripts
4. Tools for SQL Server Attacks
5. Countermeasures
Attacking SQL Servers

Techniques Involved

• Understand SQL Server and extract the necessary information from the SQL Server Resolution Service
• List servers by Osql -L probes
• Sc.exe sweeping of services
• Port scanning
• Use of commercial alternatives
SQL Server Resolution Service (SSRS)

• This service is responsible for sending a response packet containing connection details to clients that send a specially formed request.
• The packet contains the details necessary to connect to the desired instance, including the TCP port for each instance.
• The SSRS has buffer overflow vulnerabilities that allow remote attackers to overwrite portions of system memory and to execute arbitrary code.
Osql -L Probing

• Osql is a command-line utility provided by Microsoft with SQL Server 2000 that allows the user to issue queries to the server.
• Osql.exe includes a discovery switch (-L) that will poll the network looking for other installations of SQL Server.
• Osql.exe returns a list of server names and instances but no details about TCP ports or netlibs.
Port Scanning

Port scanning should be done as a last attempt or as a quick way to discover servers that have at least one instance of SQL Server.
Sniffing, Brute Forcing and Finding Application Configuration Files

• Passwords transmitted over the network are trivially obfuscated, so that a simple number game can turn them into plaintext.
• Sniffing can be useful to monitor the SQL Server traffic passing over the network.
• Access can be obtained to the SQL Server by guessing the naming convention used for the SQL Server accounts.
Tools for SQL Server Penetration Testing

• SQLDict
• SQLExec
• SQLbf
• SQLSmack
• SQL2.exe
• AppDetective
• Database Scanner
• SQLPoke
• NGSSQLCrack
• NGSSQuirreL
• SQLPing v2.2
Hacking Tool: SQLDict

http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl

"SQLdict" is a dictionary attack tool for SQL Server. It tests the account passwords to see if they are strong enough to resist an attack.
Hacking Tool: SQLExec
http://phoenix.liu.edu/~mdevi/util/Intro.htm
This tool executes commands on compromised Microsoft SQL Servers using the
xp_cmdshell extended stored procedure.
It uses the default sa account with NULL password.
USAGE: SQLExec www.target.com
Hacking Tool: SQLbf

http://www.cqure.net/tools.jsp?id=10

• SQLbf is a SQL Server password auditing tool. This tool should be used to audit the strength of Microsoft SQL Server passwords offline. The tool can be used either in brute force mode or in dictionary attack mode. The performance on a 1 GHz Pentium (256 MB) machine is around 750,000 attempts/sec.
• To be able to perform an audit, one needs the password hashes that are stored in the sysxlogins table in the master database.
• The hashes are easy to retrieve, although one needs a privileged account to do so, like sa. The query to use would be:
select name, password from master..sysxlogins
• To perform a dictionary attack on the retrieved hashes:
sqlbf -u hashes.txt -d dictionary.dic -r out.rep
Hacking Tool: SQLSmack

• SQLSmack is a Linux-based remote command execution tool for MSSQL.
• When provided with a valid username and password, the tool permits execution of commands on a remote MS SQL Server by piping them through the stored procedure master..xp_cmdshell.
Hacking Tool: SQL2.exe

• SQL2 is a UDP buffer overflow remote exploit hacking tool.
OLE DB Errors

The user-filled fields are enclosed by single quotation marks ('). A simple test would be to try using (') as the username. The following error message will be displayed when a (') is entered into a form that is vulnerable to SQL injection:

If this error is displayed, then SQL injection techniques can be tried.
Input Validation Attack

Input validation attacks occur here on a website.
Login Guessing & Insertion

• The attacker can try to log in without a password. Typical usernames would be 1=1 or any text within single quotes.
• The most common problem seen on Microsoft SQL Servers is the default <blank> sa password.
• The attacker can try to guess the username of an account by querying for similar user names (e.g. 'ad%' is used to query for "admin").
• The attacker can insert data by appending commands or writing queries.
Shutting Down SQL Server

• One of SQL Server's most powerful commands is SHUTDOWN WITH NOWAIT, which causes it to shut down, immediately stopping the Windows service.
Username: ' ; shutdown with nowait; --
Password: [Anything]
• This can happen if the script builds its query by pasting the form values into the SQL text, so that it runs the following:
select userName from users where userName='' ; shutdown with nowait; --' and user_Pass=''
Extended Stored Procedures

• There are several extended stored procedures that can cause permanent damage to a system.
• An extended stored procedure can be executed using a login form with an injected command as the username. For example:
Username: ' ; exec master..xp_xxx; --
Password: [Anything]
Username: ' ; exec master..xp_cmdshell 'iisreset'; --
Password: [Anything]
SQL Server Talks!

This command uses the 'speech.voicetext' object, causing the SQL Server to speak:

Username: admin'; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--

Source: Advanced SQL Injection In SQL Server Applications, author Chris Anley
Scenario

Johnny does footprinting and identifies the configuration of the server. He finds unsanitized input opportunities in web applications due to the presence of security holes. He was able to execute SQL commands against the database and inject statements to alter the contents of the database.

Johnny successfully defaced the university website!!!!
Preventive Measures

• Minimize Privileges on Database Connections
• Disable verbose error messages
• Protect the system account 'sa'
• Audit Source Code
  • Escape Single Quotes
  • Input validation
  • Reject known bad input
  • Input bound checking
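The four source-code audit items above are easiest to compare when they sit in one validator. The Python below is an added example, not code from the module: it applies input bound checking, an allowlist for the username character set, and a "known bad input" deny-list built from the payload fragments that appear on the preceding slides, and it keeps single-quote escaping as a separate helper for legacy code that still concatenates SQL. The length limit, the allowed character set and the fragment list are assumptions for the example, not a policy the module states; the probes fed to it are the module's own payloads plus a few constructed values.

```python
import re

# Constructed policy values (assumptions for this example, not from the module).
MAX_USERNAME_LEN = 32
USERNAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9_.-]+$")
# Fragments taken from the module's payloads, kept as a second, cruder layer
# behind the allowlist (the allowlist alone already rejects most of them).
KNOWN_BAD_FRAGMENTS = ("'", ";", "--", "/*", "*/", "xp_", "sp_oa", "shutdown")


def within_bounds(value, max_len=MAX_USERNAME_LEN):
    """Input bound checking: non-empty and no longer than the policy allows."""
    return 0 < len(value) <= max_len


def known_bad_fragments(value):
    """Reject known bad input: return every listed fragment found (case-insensitive)."""
    lowered = value.lower()
    return [frag for frag in KNOWN_BAD_FRAGMENTS if frag in lowered]


def validate_username(value):
    """Input validation in three layers; returns (accepted, reason).
    Order matters: the cheap bound check runs first, the allowlist next,
    and the deny-list only sees input that already passed the allowlist."""
    if not within_bounds(value):
        return (False, "length out of bounds")
    if not USERNAME_ALLOWLIST.match(value):
        return (False, "character outside allowlist")
    bad = known_bad_fragments(value)
    if bad:
        return (False, "known bad fragment: " + ", ".join(bad))
    return (True, "ok")


def escape_single_quotes(value):
    """Escape single quotes for the legacy case where SQL text is still
    concatenated: a quote inside a string literal is written as two quotes.
    Parameterized queries make this unnecessary and should be preferred."""
    return value.replace("'", "''")


if __name__ == "__main__":
    probes = ["johnny", "'", "' OR 1=1 --", "ad%", "", "a" * 40,
              "xp_cmdshell", "' ; shutdown with nowait; --"]
    for probe in probes:
        print(repr(probe), "->", validate_username(probe))
    print(escape_single_quotes("' ; shutdown with nowait; --"))
```

The allowlist does most of the work: every quote, semicolon, comment marker and `%` wildcard from the earlier slides fails it before the deny-list is consulted. The deny-list is deliberately the last layer because it is lossy (a legitimate username containing "shutdown" would also be refused), and escaping alone is not a substitute for either check, since it only addresses the string-literal case.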
Summary

• SQL Injection is an attack methodology that targets the data residing in a database.
• It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.
• Database footprinting is the process of mapping out the tables on the database and is a crucial tool in the hands of an attacker.
• Exploits occur due to coding errors as well as inadequate validation checks.
• Prevention involves enforcing better coding practices and database administration procedures.
