In association with heise online

Kung Fu

By smuggling in new commands, attackers can reach all kinds of tables and read or manipulate their contents, such as credit card numbers that a web shop has stored for billing. To do so, however, they have to know the structure of the database: to read part of a table, you need the table's name. Without access to the source code, you can only guess, or try to get the database itself to hand over that information. Depending on the platform and environment, web applications display error messages to users in certain situations. Microsoft's Active Server Pages, for instance, reveal details about a failed query against MS SQL Server.

If an attacker then enters the user name ' having 1=1-- in the web front end, the program line

var Query = "SELECT * FROM users WHERE username = '" + username + "' and password = '" + password + "'";

produces an error message, because a HAVING clause is only valid together with a GROUP BY clause or an aggregate function. The message states, in essence, that the column users.username is invalid because it is contained neither in an aggregate function nor in the GROUP BY clause. The attacker now knows that the table users has a column username and can follow up with: ' group by users.username having 1=1--

which produces the error message "The column users.password is invalid because it is not contained in either an aggregate function or the GROUP BY clause." The attacker has learned the name of another field and, by adding each newly discovered column to the GROUP BY list and repeating the step, eventually obtains the complete column list of the table. HAVING is not the only construct that provokes telling error messages. To find out the type of a column, an attacker can enter

' union select sum(username) from users--

If username is of type varchar, the application now outputs an error message, because sum() does not accept varchar arguments. In other words, attackers can map out the structure of the database by provoking one error message after another. Once table and column names are known, reading, adding, changing and even deleting records is comparatively easy.

More Kung Fu

If the database offers certain special features, it is even possible to talk to the underlying operating system. For an MS SQL Server on Windows 2000 accessed from VBScript in an ASP page, instructions like the following are common:

Query = "SELECT * FROM myCustomer WHERE card = '" & Request.Form("input") & "'"
Set myDatensatz = myConnection.Execute(Query)

This returns every record whose card field equals the value submitted in the form field input. Unfortunately, the programmer here evidently trusts users not to have any tricks up their sleeves. If they enter

' exec master..xp_cmdshell 'net user foo bar /ADD'--

the script turns that into the following command:

SELECT * FROM myCustomer WHERE card = '' exec master..xp_cmdshell 'net user foo bar /ADD'--'

MS SQL Server interprets the second part of the statement as a call to an extended stored procedure (ESP), which it executes on the database server [1]. xp_cmdshell hands the string that follows it to the Windows command interpreter, so here the user foo with the password bar is added to the operating system, Windows 2000 in this example. The command runs with the privileges of the SQL Server service account, so whether net user succeeds depends on that account's rights. ESPs are dynamic link libraries that the server loads into its own process and executes at run time. Besides xp_cmdshell, extended stored procedures offer functions such as reading and writing registry keys or starting and stopping services, and other database vendors provide comparable mechanisms [6].
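The following is an added example, not code from the article: it rebuilds the two vulnerable concatenations quoted above (the ASP login check and the VBScript card lookup) in Python, feeds them the three payloads from the text, and sets a parameterized version beside them. An in-memory SQLite database with constructed sample rows stands in for MS SQL Server; the table and column names (users.username, users.password, myCustomer.card) follow the article, the extra column holder and the sample values are assumptions. SQLite's error texts differ from MS SQL Server's and it has no xp_cmdshell, so the point shown is the mechanism: with concatenation the engine parses the attacker's text as SQL and talks back, with parameters the same text is compared as a value and matches nothing.

```python
import sqlite3

# --- Vulnerable builders: the same string concatenation as in the article ---

def build_login_query(username, password):
    """Mirrors the ASP line: user input becomes part of the statement text."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' and password = '" + password + "'")

def build_card_query(card):
    """Mirrors the VBScript line of the second section."""
    return "SELECT * FROM myCustomer WHERE card = '" + card + "'"

def run_sql(conn, sql):
    """Execute a finished statement and report either the rows or the
    engine's error text; that error text is what an error-based attacker
    reads to learn the schema."""
    try:
        return "rows", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)

# --- Hardened versions: statement and values travel separately, so quotes,
# comment markers and keywords inside the input are never parsed as SQL ---

def login_parameterized(conn, username, password):
    cur = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password))
    return cur.fetchall()

def card_parameterized(conn, card):
    cur = conn.execute("SELECT * FROM myCustomer WHERE card = ?", (card,))
    return cur.fetchall()

def demo_db():
    """Constructed sample data (not from the article), kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE myCustomer (card TEXT, holder TEXT)")
    conn.execute("INSERT INTO myCustomer VALUES ('4111111111111111', 'alice')")
    conn.commit()
    return conn

# The three payloads quoted in the article.
PAYLOAD_HAVING = "' having 1=1--"
PAYLOAD_UNION = "' union select sum(username) from users--"
PAYLOAD_CMDSHELL = "' exec master..xp_cmdshell 'net user foo bar /ADD'--"

if __name__ == "__main__":
    conn = demo_db()
    probes = [
        ("having", build_login_query(PAYLOAD_HAVING, "x")),
        ("union", build_login_query(PAYLOAD_UNION, "x")),
        ("cmdshell", build_card_query(PAYLOAD_CMDSHELL)),
    ]
    for label, sql in probes:
        print(label, "->", sql)
        print("   engine says:", run_sql(conn, sql))
    print("parameterized with payload:", login_parameterized(conn, PAYLOAD_HAVING, "x"))
    print("parameterized, real user:  ", login_parameterized(conn, "alice", "s3cret"))
```

Run it and compare the two columns of output: every payload turns the concatenated statement into a different query, and SQLite answers with a parse-level complaint (a HAVING without GROUP BY, a UNION whose column count does not match the table, a syntax error at exec). The first two are exactly the kind of feedback the article uses to enumerate columns; the mismatched-column-count message is itself a well-known way of counting a table's columns. The parameterized calls return an empty result for the same strings and the real login still works, which is the fix a practitioner should apply rather than filtering quotes or keywords.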
