SQL Injection, Part I
This technique is clearly one of the most dangerous an application can suffer, web or desktop, because of the power it gives the attacker and how effectively it lets them get into a system. In practice I can say it is the vulnerability I most enjoy testing, since it has so many avenues of attack. I decided to write a post on the subject split into parts; this is the first instalment :)
We will start from the beginning and practise locally, so you need a package called LAMPP (XAMPP for Linux) to work on Linux (you can also do it from Windows), which bundles Apache, PHP, MySQL and FTP.
What is SQL Injection?
It is the technique of inserting arbitrary SQL commands into a query that the application builds. It works because the variables the application asks the user for do not pass through any filter, so SQL commands can be entered that are then interpreted by the DBMS. The injection is done one way or another depending on the engine; this tutorial is based on MySQL with PHP.
Requirements:
Download the latest version of LAMPP
Knowledge of PHP and MySQL
phpMyAdmin
Starting
1) Installing LAMPP
As I said, this tutorial is not going to teach how to install LAMPP; that is basic and you can find more details on its homepage. Once we have the LAMPP file, in this case xampp-linux-1.7.3a.tar.gz, installing it is super easy: we log in as root and type in the console
# tar xvfz xampp-linux-1.7.3a.tar.gz -C /opt
This creates a folder called lampp inside /opt, so all the files, binaries, configuration, databases, etc. live under /opt/lampp. You can poke around in it and get familiar:
# cd /opt/lampp; ls -la
We will leave the LAMPP configuration at its defaults for now, so the exercises run against a stock MySQL. What we will change is the Apache DocumentRoot, which is the logical root from which Apache starts reading documents. For that we have to edit Apache's httpd.conf file:
# cd /opt/lampp/etc
Always make a backup before changing configuration files of any kind:
# cp httpd.conf httpd.conf.backup
# nano httpd.conf
I use nano; you can use vi or whatever you like. Look for the line that says
DocumentRoot "/opt/lampp/htdocs"
and change it to a folder in our home; in my case
DocumentRoot "/home/magnobalt/www"
Once this is saved, open another shell as a normal user and create the www folder in our home:
$ mkdir /home/magnobalt/www
From here on Apache is configured to read this folder and find the files it will serve. This is where we put our html, js, php, css, etc. files.
To start the LAMPP services, do the following as root:
# /opt/lampp/lampp start
Starting XAMPP for Linux 1.7.2...
XAMPP: Starting Apache with SSL (and PHP5)...
XAMPP: Starting MySQL...
XAMPP: Starting FTP...
XAMPP for Linux started.
This output means all services are running smoothly; if there is a problem it will tell you with a message, but if you touched nothing else everything will run fine. To check, open your browser and go to http://localhost or http://127.0.0.1 (the loopback IP, meaning we are connecting to our own machine). Since we still have no index file (index.html, index.php, etc.) in our DocumentRoot, in my case /home/magnobalt/www, it will most likely show a 403 Forbidden error.
phpMyAdmin
To get in, type http://localhost/phpmyadmin in the browser. You will notice it lets you straight in: when LAMPP is installed the MySQL root password is blank. Obviously it should not be like that and you should set one, but for this lab we leave it as it is.
First SQL Injection:
The first thing we will do is bypass a login; this injection is the easiest to understand. "Bypass, WTF?!" The term bypass means getting around some kind of security. For example, if a developer gives me a function that only accepts an integer variable and somehow I get the application to accept something that is not an integer, I am bypassing (skipping) the programmer's security. :)
What we will do is create an admin panel that asks for a user name and password, but first of all you need to create a database and a table called users. For that we will use phpMyAdmin.
The image shows how we create a table called users with the fields id, user, password, name and email. The id field is our primary key and auto-increments.
In SQL it would look like this:
CREATE TABLE `hacking`.`users` (
  `id` INT(2) NOT NULL PRIMARY KEY AUTO_INCREMENT,
  `user` VARCHAR(20) NOT NULL,
  `password` VARCHAR(20) NOT NULL,
  `name` VARCHAR(35) NOT NULL,
  `email` VARCHAR(50) NOT NULL
) ENGINE = MyISAM;
Now that we have the table, we need to create the PHP files. Since the panel almost always lives in a folder called admin, administrator, administrador, etc., let's create a folder called admin inside our DocumentRoot, where we will save the login files, which leaves us with
/home/magnobalt/www/admin
The files we need are index.php, login.php and estilo.css.
index.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Hacking Nea</title>
<link rel="STYLESHEET" type="text/css" href="../estilo.css">
</head>
<body>
<!-- container and header wrappers: the closing tags survived, the opening ones did not, so the ids below are assumed -->
<div id="contenedor">
<div id="encabezado">
</div>
<!--end of header-->
<div id="menu">
</div>
<div id="areatexto">
<div id="cuadrodialogo">
<h1><b>ZamBonet Login System</b></h1>
<form action="login.php" method="post">
<br>Name:
<br>
<input type="text" name="nombre" maxlength="8"> <br>
<br>
Password:
<br>
<input type="password" name="pass" maxlength="80">
<br>
<input type="submit" value="Send">
</form>
</div>
</div>
<!--end of areatexto-->
<div id="pie">
</div>
<!--end of footer-->
</div>
<!--end of container-->
</body>
</html>
This file is the form that asks the user for a user name and password; the submitted data is processed by a file called login.php.
login.php
<?php
$hostname = "localhost";
$database = "hacking";
$username = "root";   // MySQL root, on purpose for this lab (see the note below)
$password = "";       // blank root password, as LAMPP ships

$link = mysql_connect($hostname, $username, $password) or die('Error connecting: ' . mysql_error());
mysql_select_db($database, $link);

// Form input goes straight into the query with no filtering: this is the bug
$user = $_POST['nombre'];
$password = $_POST['pass'];
$sql = "SELECT * FROM users WHERE user = '$user' AND password = '$password'";

echo "This is the query: " . $sql;
echo "<br><br>";

$login = mysql_query($sql, $link) or die('Error in the query: ' . mysql_error());
$row = mysql_fetch_array($login);

if (isset($row) && !empty($row)) { // check that $row actually holds a record
    echo "<br>";
    echo "<h1><b>ACCESS ALLOWED</b></h1>";
    echo "<br>";
    echo "These are your data:";
    echo "<br><br>";
    echo "User: " . $row['user'];
    echo "<br>";
    echo "Password: " . $row['password'];
    echo "<br>";
    echo "Email: " . $row['email'];
} else {
    echo "<h1><b>CLOWN ERRORRRRRR</b></h1>";
}
?>
The first lines are the connection to the database, the one containing the users table we created earlier, which I called hacking (you may have named it differently). The user running the queries is root (the MySQL superuser), which is a serious mistake that should never happen: you should create a user with only the privileges the application needs. root carries every privilege and should be used only for administrative tasks. In practice this case is rare but it does turn up, mostly where people have a dedicated server, set it up without much knowledge and leave the service at its defaults.
We are going to run our site as root so you can see how dangerous it is and how much power SQL injection has with those privileges.
You also need a CSS file called estilo.css; copy it from here and save it in the www folder, in my case /home/magnobalt/www. This file is the site layout.
Ah, I forgot: before moving on to the next step, load some records into the users table. I put in admin with password 123456 and another user, grande, with password qwerty. This is what it looks like once loaded.
Action
Finally, if all goes well, going to http://localhost/admin will show this screen.
It is the form that asks for user name and password to enter the restricted area. If the user is entered wrong, this screen shows: it prints the message "CLOWN ERRORRRRRR", and above it, the interesting part, the query that was passed to the DBMS, in this case MySQL. With that query on screen, let's watch what happens when we inject code.
If the user is correct, this screen shows. As you can see the SQL statement is still displayed; the only difference is that when we get in we see "ACCESS ALLOWED" and the user's data.
Where's the bug?
The error in the code is that the variables coming from the form are not filtered and go straight into the SQL query:
$user = $_POST['nombre'];
$password = $_POST['pass'];
$sql = "SELECT * FROM users WHERE user = '$user' AND password = '$password'";
These are the problem lines. Whatever comes through the form, the user name and the password, is dropped into $user and $password and then, without any security in between, into the SQL query. If I enter admin as the name and 123456 as the password, the query returns a row because the admin user's password is 123456. It would look like:
SELECT * FROM users WHERE user = 'admin' AND password = '123456'
MySQL delimits strings with ' (single quote): everything enclosed between two ' is taken by MySQL as a string. To inject in this case we have to break out of the quotes, simply, and put SQL statements there. Let's see an example.
What would happen if, instead of a name, I enter a single quote? The query would end up like this (you can test this in your lab; the statement sent to MySQL is shown on screen every time):
SELECT * FROM users WHERE user = ''' AND password = ''
You can see that the user field now has three quotes: the two outer ones the developer placed to delimit what the user entered as a string, and the one in the middle is the quote we just sent. MySQL complains with a syntax error, more precisely an unclosed single quote. This means our single quote is being interpreted as SQL code by the DBMS, and that is the interesting part.
(Note that the maxlength on the form inputs is enforced only by the browser; anything that sends the POST directly, or edits the page, ignores it, so longer payloads are no obstacle.)
Attack 1
If we enter ' or 1=1 -- (with a space after the two dashes) as the user, the query ends up as
SELECT * FROM users WHERE user = '' or 1=1 -- ' AND password = ''
and we get in as admin without knowing a user or a password. ;)
Let's study a bit what we did by entering ' or 1=1 -- . The single quote we typed closes the programmer's opening quote, leaving '' ; since we are now outside the quotes we can write SQL. Then comes or 1=1. OR means that if either side is true the whole condition is true, and since 1=1 is always true, our whole WHERE clause is true even though no user is equal to '' (the empty string). OR behaves like this:
1 - T or T = True
2 - T or F = True
3 - F or T = True *
4 - F or F = False
In our case it behaves like line 3, False or True. Then comes -- ' AND password = ''. In SQL -- starts a comment (MySQL requires at least one space after the dashes; # also works), so everything after it is ignored: we are telling the DBMS to treat ' AND password = '' as a comment, killing the single quote the programmer left and the part that compares the password with what the user entered. :)
Attack 2
In the previous attack we got in without knowing user or password, but we only land on the first record of the table in question (users). Now let's get in knowing the user but not the password. Almost always admin, manager, administrator, etc. are used as user names; in my table I have an admin user. So we inject and enter as that user without knowing its password. As the user we enter
admin' --
(again with a trailing space), leaving the query as
SELECT * FROM users WHERE user = 'admin' -- ' AND password = ''
and we get in as admin without knowing the password :)
like magnum :)
Let's study a bit what we did. We entered admin' -- . The word admin is taken as a string enclosed by the programmer's first quote and the quote we typed right after it, admin', which gives 'admin'. Then -- does the same job as before: it comments out the quote the programmer left behind and the statement that asks for the password.
The solution
When we started this example I said the way to inject was to escape the confines of the single quote. So if we can make it so that whenever the user enters a single quote it gets transformed into something else, then whatever they type always stays inside the quotes the program places. To do that we have ways of filtering the quotes, on the server side and on the application side.
Server side
A very popular option is magic_quotes, configured in the php.ini file (in our LAMPP case under /opt/lampp/etc). What it does is automatically add backslashes to the variables that come in through $_POST and $_GET (and $_COOKIE). It has been used in practice to prevent SQL injection, but it is deprecated from PHP 5.3.0 and removed in PHP 5.4.0 (see the PHP manual for more info). To activate it, edit php.ini; go to the LAMPP configuration folder:
# cd /opt/lampp/etc
# cp php.ini php.ini.backup
# nano php.ini
and look for this line:
magic_quotes_gpc = Off
and set it to On:
magic_quotes_gpc = On
Then restart Apache for the change to take effect:
# /opt/lampp/lampp restart
Now if we try to inject, the single quote ' is transformed into \' , meaning that if I try the login bypass again the query looks like:
SELECT * FROM users WHERE user = '\' or 1=1 -- ' AND password = ''
Now we stay locked inside the programmer's quotes: whatever we enter is taken as a plain string :).
Application side
On the application side there are also functions that add the backslashes, and I recommend them over magic_quotes. addslashes is a PHP function that does something similar to magic_quotes, escaping ', ", \ and NUL. In our code we would pass the variables that come from the user through this function before they reach the DBMS. The code would then look like this:
$user = $_POST['nombre'];
$password = $_POST['pass'];
$user = addslashes($user);
$password = addslashes($password);
$sql = "SELECT * FROM users WHERE user = '$user' AND password = '$password'";
With this we filter the quotes and get the same effect as magic_quotes. I recommend reading about the function mysql_real_escape_string, which escapes according to the connection's character set and is the better choice of the two. Keep in mind that escaping only protects values placed inside quotes: when a value is used as a bare integer (we will see this in Part II) there is nothing to escape. The robust fix is to keep data out of the SQL text altogether with prepared statements (mysqli or PDO), where the user input is bound as a parameter and never becomes part of the query.
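As an added example (mine, not the tutorial's code), here is the login logic from login.php, the two attacks above and the fix replayed in Python against an in-memory SQLite copy of the users table, so it runs offline. The table rows and the payload list are constructed for the demo. Both payloads end with a space after --, which MySQL requires for a comment and SQLite accepts too. The parameterized version is the prepared-statement approach recommended above rather than addslashes: the input is bound as data and never becomes SQL.

```python
import sqlite3

# Constructed stand-in for the tutorial's `hacking`.`users` table: same columns, two sample rows.
SEED_USERS = [
    ("admin", "123456", "Administrator", "admin@example.com"),
    ("grande", "qwerty", "Second user", "grande@example.com"),
]


def make_db():
    """In-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " user TEXT NOT NULL, password TEXT NOT NULL,"
        " name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (user, password, name, email) VALUES (?, ?, ?, ?)",
        SEED_USERS,
    )
    return conn


def build_vulnerable_query(user, password):
    """Same string interpolation as login.php: the input becomes part of the SQL text."""
    return "SELECT * FROM users WHERE user = '%s' AND password = '%s'" % (user, password)


def login_vulnerable(conn, user, password):
    """Returns the first matching row (or None), executing whatever SQL the input produced.
    A lone quote makes the statement syntactically invalid; that surfaces as None here."""
    try:
        return conn.execute(build_vulnerable_query(user, password)).fetchone()
    except sqlite3.Error:
        return None


def login_parameterized(conn, user, password):
    """The fix: bound parameters. The SQL text is fixed; the input is data, never code."""
    return conn.execute(
        "SELECT * FROM users WHERE user = ? AND password = ?", (user, password)
    ).fetchone()


# Inputs from the tutorial: valid login, the lone quote, attack 1 and attack 2.
PAYLOADS = {
    "valid credentials": ("admin", "123456"),
    "lone quote": ("'", ""),
    "attack 1": ("' or 1=1 -- ", ""),
    "attack 2": ("admin' -- ", ""),
}


def run_all(conn):
    """Maps each payload name to (user matched by vulnerable query, user matched by parameterized query)."""
    results = {}
    for name, (u, p) in PAYLOADS.items():
        vuln = login_vulnerable(conn, u, p)
        safe = login_parameterized(conn, u, p)
        results[name] = (vuln[1] if vuln else None, safe[1] if safe else None)
    return results


if __name__ == "__main__":
    db = make_db()
    for name, (u, p) in PAYLOADS.items():
        print(name, "->", build_vulnerable_query(u, p))
    for name, outcome in run_all(db).items():
        print(f"{name}: vulnerable={outcome[0]!r} parameterized={outcome[1]!r}")
```

Attack 1 matches every row and the login takes the first one (admin), attack 2 matches admin directly, and the lone quote is a syntax error, exactly as on the PHP page; against the parameterized query none of the three returns a row, because the quote and the -- are just characters inside the compared value.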
Also, passwords should not be stored in the database in clear text but hashed with a function such as MD5, SHA1, etc., or some other algorithm. You can also write a password function that runs the hash 6 or N times so that if anyone gets hold of it, it cannot be cracked easily by brute force or dictionary. For example, the MD5 of 123456 is
e10adc3949ba59abbe56e057f20f883e
and if someone obtains this hash they can run it through any of the dictionaries that exist on the web. Good tools for this are the ones collected here (see Daniel's). As you can see, this hash is trivially broken with a dictionary.
The same user password 123456 passed 6 times through MD5 gives 74e59720dd08b1db45f7152d082c5051, and running it through the cracker... notice two things: the hit rate is low, but the alimamed.pp.ru dictionary still gets it, which kills our security haha xD ...
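As a second added example (mine, not the tutorial's), the password-storage point above in Python: the MD5 of 123456, the "hash it N times" variant, a small constructed wordlist attack that recovers both in a few lines, and what a practitioner would use instead, a salted and deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library; bcrypt or Argon2 are equally good choices). The wordlist and the round-count search are constructed for the demo.

```python
import hashlib
import hmac
import os


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def iterated_md5(password, rounds):
    """The tutorial's idea: feed the hex digest back into MD5 `rounds` times."""
    digest = password
    for _ in range(rounds):
        digest = md5_hex(digest)
    return digest


# Constructed mini wordlist; real attacks use millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "123456", "admin"]


def crack_iterated_md5(target_hex, max_rounds=10, wordlist=WORDLIST):
    """Dictionary attack that also guesses the round count. Returns (word, rounds) or None.
    Iterating an unsalted fast hash only multiplies the attacker's work by max_rounds."""
    for word in wordlist:
        digest = word
        for rounds in range(1, max_rounds + 1):
            digest = md5_hex(digest)
            if digest == target_hex:
                return word, rounds
    return None


def hash_password(password, salt=None, iterations=100_000):
    """Salted, slow hash. Stored as hex(salt)$iterations$hex(key) so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${key.hex()}"


def verify_password(password, stored):
    """Recomputes with the stored salt and iteration count and compares in constant time."""
    salt_hex, iterations, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    plain = md5_hex("123456")
    six = iterated_md5("123456", 6)
    print("md5('123456') =", plain, "->", crack_iterated_md5(plain))
    print("md5 x6         =", six, "->", crack_iterated_md5(six))
    record = hash_password("123456")
    print("pbkdf2 record  =", record)
    print("verify 123456  =", verify_password("123456", record))
    print("verify 1234567 =", verify_password("1234567", record))
```

Whether the 6-round value here equals the tutorial's depends on how the rounds were chained there (raw digest bytes versus the hex string); the attack is the same either way, since a wordlist times a handful of round counts is still tiny. With PBKDF2 the random salt forces the attacker to redo the work per user and the iteration count makes each guess cost as much as a legitimate login.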
Upcoming instalments
In the next one we will attack variables like $_GET, and you will see that if the data is an integer it does not need the single quote, depending on how it is programmed! We will look at how to detect that an application is vulnerable, how to exploit it with the UNION clause, and then how to fix it.
The last SQL injection instalment will cover the more advanced ones, those that allow compromising the host.
There might also be a fourth instalment on Blind SQL injection and DoS through SQL injection.