SQL Injection – 2 (Fingerprinting)
This is a follow-up to the post SQL Injection - An Introduction. If you are new to this, I strongly suggest you read the introduction first.
In this article we shall discuss how to fingerprint the common database management system (DBMS) backends. This is the next step after identifying a vulnerability, and it forms the first part of a successful SQL Injection attack, as different DBMSs have different features and weaknesses which can be exploited.
Generally, fingerprinting can be done using the following techniques:
- Error Code Analysis
- String Concatenation
- SQL Dialect
Error Code Analysis
This is the most accurate method of fingerprinting a DBMS. In this method we intentionally insert an invalid input to obtain an error message.
Let us take a simple example to demonstrate this. Assume that there is a page which returns the registration number of a student by taking the student name as input.
http://www.example.com/regno.php
The first step is to enter a valid input, say Tom, and examine the URL passed. Suppose that the URL passed is
http://www.example.com/regno.php?name=Tom
On examining the URL, it is obvious that the parameter being passed is name. If we enter an invalid value for name, we will get an error message. Suppose we enter the following URL
http://www.example.com/regno.php?name='
We will get an error message which is characteristic of the DBMS used. For example, for MySQL, the error message generated will be something like,
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
By examining the error message, the database used may be identified.
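The following is an added example (not code from the original post) showing, from the application side, why the error message leaks the DBMS and how the leak is closed. It uses Python with an in-memory SQLite table of constructed student records standing in for the regno.php backend; the table, the names and the generic error text are assumptions of this example. The vulnerable lookup builds the SQL by string concatenation and hands the raw driver error back to the client, so a single quote produces an engine-specific message. The hardened lookup uses a parameterised query, so the quote is just data, and masks any remaining failure with a generic message while logging the detail server-side.

```python
import logging
import sqlite3

# Generic text returned to the client; the real driver error only goes to the server log.
GENERIC_ERROR = "Lookup failed; the request has been logged."

log = logging.getLogger(__name__)


def make_db():
    # Constructed sample data in an in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, regno TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("Tom", "R-1001"), ("Ann", "R-1002")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Builds the statement by string concatenation: a single quote in `name`
    # breaks the SQL syntax, and the raw driver message (which names the
    # engine's own tokens) is returned to the caller. This is the behaviour
    # the article's error-code fingerprinting relies on.
    sql = "SELECT regno FROM students WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "regno": row[0] if row else None, "error": None}
    except sqlite3.Error as e:
        return {"ok": False, "regno": None, "error": str(e)}


def lookup_hardened(conn, name):
    # Parameterised query: the input is bound as a value and never parsed as
    # SQL, so a quote cannot cause a syntax error. Any other database failure
    # is logged with full detail on the server and masked for the client.
    try:
        row = conn.execute(
            "SELECT regno FROM students WHERE name = ?", (name,)
        ).fetchone()
        return {"ok": True, "regno": row[0] if row else None, "error": None}
    except sqlite3.Error as e:
        log.warning("database error during lookup: %s", e)
        return {"ok": False, "regno": None, "error": GENERIC_ERROR}


if __name__ == "__main__":
    db = make_db()
    for func in (lookup_vulnerable, lookup_hardened):
        for value in ("Tom", "'"):
            print(func.__name__, repr(value), func(db, value))
```

Run as a script it prints the four lookups side by side: the vulnerable function answers the lone quote with SQLite's own syntax error, while the hardened function simply reports that no such student exists. The same two fixes, bound parameters and a generic error page, apply unchanged to MySQL, MS SQL or Oracle behind a PHP front end.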
String Concatenation
This uses the fact that different DBMSs handle string concatenation with different operators. Concatenation is performed in the different DBMSs as:
MS SQL : 'string1' + 'string2'
MySQL : CONCAT('string1','string2')
Oracle : 'string1' || 'string2' or CONCAT('string1','string2')
Let us take an example. Suppose that the URL given below is vulnerable
http://www.example.com/abc.php?id=1
Now all we have to do is add the concatenation expressions described above and see which ones are true.
In MS SQL the following should be true
http://www.example.com/abc.php?id=1 AND 'str1str2'='str1'+'str2'
In MySQL, the following will be true
http://www.example.com/abc.php?id=1 AND 'str1str2'=CONCAT('str1','str2')
In Oracle, the following are true
http://www.example.com/abc.php?id=1 AND 'str1str2'=CONCAT('str1','str2')
http://www.example.com/abc.php?id=1 AND 'str1str2'='str1'||'str2'
Here, 'true' means the URL will return the same page as
http://www.example.com/abc.php?id=1
SQL Dialect
Every DBMS offers some functions and clauses in addition to the standard SQL ones. These may be used to accurately determine the DBMS being employed.
Let us take some examples. Suppose, as before, that http://www.example.com/abc.php?id=1 is vulnerable.
MS SQL
MS SQL has a TOP clause which returns the first n rows when selecting rows from a table.
So in MS SQL, the following URL will be true,
http://www.example.com/abc.php?id=1 UNION ALL SELECT TOP 1 NULL, NULL
MySQL
In MySQL, if an exclamation mark is present at the start of a comment block, the contents of the comment are executed. That is, in /*!<sql>*/, <sql> is executed.
Then the URL
http://www.example.com/abc.php?id=1 /*! AND 1=0*/
would be false. That is the same page will not be returned.
Oracle
Oracle supports the set operator MINUS, which is supported by neither MySQL nor MS SQL. So, we can use MINUS to see if the DBMS is Oracle.
If it is Oracle, the following URL will be true,
http://www.example.com/abc.php?id=1 MINUS SELECT NULL, NULL, NULL FROM DUAL
In other DBMSs, an error will occur with the above URL.
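Seen from the web server, the string-concatenation and SQL-dialect probes above leave distinctive signatures in the access log, and a defender can tell not only that someone is probing for injection but which DBMS they are testing for. The following is an added example (not code from the original post) that scans constructed Apache-style access log lines for the exact probe forms listed in the two preceding sections and reports, per request, which DBMS each probe is characteristic of. The log lines, client addresses and timestamps are made up for the example; the probe patterns are taken directly from the URLs in the article. Request paths are URL-decoded first, since a browser sends `'` as `%27` and `+` as `%2B`.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache combined-log style. Requests 2-6 carry
# the article's concatenation and dialect probes, URL-encoded as a browser would
# send them; requests 1 and 7 are ordinary traffic.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /abc.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /abc.php?id=1%20AND%20%27str1str2%27%3D%27str1%27%2B%27str2%27 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /abc.php?id=1%20AND%20%27str1str2%27%3DCONCAT(%27str1%27,%27str2%27) HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /abc.php?id=1%20/*!%20AND%201=0*/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /abc.php?id=1%20UNION%20ALL%20SELECT%20TOP%201%20NULL,%20NULL HTTP/1.1" 500 200',
    '203.0.113.5 - - [10/Oct/2023:13:55:56 +0000] "GET /abc.php?id=1%20MINUS%20SELECT%20NULL%20FROM%20DUAL HTTP/1.1" 500 200',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /regno.php?name=Tom HTTP/1.1" 200 300',
]

# Each probe: the DBMSs it is characteristic of (per the article), a label, and
# a pattern applied to the decoded request path. CONCAT() is listed for both
# MySQL and Oracle because the article shows it working in both.
PROBES = [
    (("mssql",), "string '+' concatenation", re.compile(r"'[^']*'\s*\+\s*'")),
    (("mssql",), "TOP clause", re.compile(r"\bSELECT\s+TOP\s+\d+", re.I)),
    (("mysql", "oracle"), "CONCAT() function", re.compile(r"\bCONCAT\s*\(", re.I)),
    (("mysql",), "/*! conditional comment", re.compile(r"/\*!")),
    (("oracle",), "'||' concatenation", re.compile(r"'\s*\|\|\s*'")),
    (("oracle",), "MINUS set operator", re.compile(r"\bMINUS\s+SELECT\b", re.I)),
    (("oracle",), "FROM DUAL", re.compile(r"\bFROM\s+DUAL\b", re.I)),
]

# Minimal combined-log parser: client IP, method, path and status are enough here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_request(decoded_path):
    # Returns {dbms: [probe labels]} for every fingerprinting probe found in the
    # decoded path; an empty dict means the request looks benign.
    hits = {}
    for dbms_list, label, pattern in PROBES:
        if pattern.search(decoded_path):
            for dbms in dbms_list:
                hits.setdefault(dbms, []).append(label)
    return {dbms: sorted(labels) for dbms, labels in hits.items()}


def scan_log(lines):
    # Walks the log and reports only requests carrying at least one probe.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        ip, method, raw_path, status = m.groups()
        path = unquote_plus(raw_path)
        probes = classify_request(path)
        if probes:
            findings.append({"ip": ip, "path": path, "status": int(status), "probes": probes})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['ip']} {f['status']} {f['path']}")
        for dbms, labels in f["probes"].items():
            print(f"    probing for {dbms}: {', '.join(labels)}")
```

Five of the seven constructed requests are flagged, all from the same client within twenty seconds, which is the pattern to alert on: one address cycling through MS SQL, MySQL and Oracle specific syntax against the same parameter. The HTTP status column is kept in the output because, as the article notes, probes for the wrong DBMS typically produce errors, so a mix of 200 and 500 responses to such requests also tells the defender which guesses were succeeding.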
Here we have considered only three DBMSs. However, the principle remains the same for other DBMSs too.
Watch out for some more articles on SQL Injection in the coming weeks.