SQL Injection Attacks by Example

Finding some users

At this point we have a partial idea of the structure of the members table, but we only know of one username: the random member who got our initial "Here is your password" email. Recall that we never received the message itself, only the address it was sent to. We'd like to get some more names to work with, preferably those likely to have access to more data.

The first place to start, of course, is the company's website to find who is who: the "About us" or "Contact" pages often list who's running the place. Many of these contain email addresses, but even those that don't list them can give us some clues which allow us to find them with our tool.

The idea is to submit a query that uses the LIKE clause, allowing us to do partial matches of names or email addresses in the database, each time triggering the "We sent your password" message and email. Warning: though this reveals an email address each time we run it, it also actually sends that email, which may raise suspicions. This suggests that we take it easy.

We can do the query on email name or full name (or presumably other information), each time putting in the % wildcards that LIKE supports:

SELECT email, passwd, login_id, full_name FROM members
    WHERE email = 'x' OR full_name LIKE '%Bob%';

Keep in mind that even though there may be more than one "Bob", we only get to see one of them: this suggests refining our LIKE clause narrowly.

Ultimately, we may only need one valid email address to leverage our way in.

Brute-force password guessing

One can certainly attempt brute-force guessing of passwords at the main login page, but many systems make an effort to detect or even prevent this. There could be logfiles, account lockouts, or other devices that would substantially impede our efforts, but because of the non-sanitized inputs, we have another avenue that is much less likely to be so protected.

We'll instead do actual password testing in our snippet by including the email name and password directly. In our example, we'll use our victim, bob@example.com, and try multiple passwords.

SELECT email, passwd, login_id, full_name FROM members
    WHERE email = 'bob@example.com' AND passwd = 'hello123';

This is clearly well-formed SQL, so we don't expect to see any server errors, and we'll know we found the password when we receive the "your password has been mailed to you" message. Our mark has now been tipped off, but we do have his password.

This procedure can be automated with scripting in Perl, and though we were in the process of creating this script, we ended up going down another road before actually trying it.
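Both of the tricks above, the LIKE-based name enumeration and the password test through the email field, work for the same reason: the submitted address is pasted into the SQL text. The following added example (written for this page, not code from the article or from the site it describes) builds a constructed "members" table in SQLite, runs the page's two payload shapes through a string-concatenated lookup and through a parameterized one, and screens the input for characters that never appear in a real email address. The table contents, the function names and the token list are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the article): a tiny
# "members" table with the same columns the article's queries select.
SAMPLE_MEMBERS = [
    ("bob@example.com", "hello123", 1, "Bob Example"),
    ("alice@example.com", "s3cret-pw", 2, "Alice Example"),
]


def make_db():
    """Build an in-memory SQLite database holding SAMPLE_MEMBERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (email TEXT, passwd TEXT, login_id INTEGER, full_name TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_vulnerable(conn, email):
    """The flaw the article exploits: the submitted address is concatenated into
    the SQL text, so a quote in the input closes the literal and whatever follows
    (a LIKE clause, an AND passwd = ... test) is parsed as SQL."""
    query = (
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Hardened form: the address travels as a bound parameter, so the database
    never interprets it as SQL, whatever characters it contains."""
    query = "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Tokens that never occur in a legitimate e-mail address but do occur in the
# article's payloads. Matching on them is a logging/alerting aid for the
# "send me my password" form, not a substitute for bound parameters.
SUSPICIOUS_TOKENS = ("'", "--", ";", " OR ", " AND ", " LIKE ", "%")


def suspicious_tokens(value):
    """Return the entries of SUSPICIOUS_TOKENS found in value (case-insensitive)."""
    upper = value.upper()
    return [tok for tok in SUSPICIOUS_TOKENS if tok in upper]


if __name__ == "__main__":
    db = make_db()
    # The article's two payload shapes as they would arrive in the e-mail
    # field (constructed inputs modelled on the queries shown above).
    wildcard_probe = "x' OR full_name LIKE '%Bob%"
    password_probe = "bob@example.com' AND passwd = 'hello123"
    for payload in (wildcard_probe, password_probe):
        print("input:     ", payload)
        print("vulnerable:", lookup_vulnerable(db, payload))
        print("safe:      ", lookup_safe(db, payload))
        print("flagged:   ", suspicious_tokens(payload))
```

Run as a script, the concatenated lookup returns Bob's row for both payloads, the parameterized lookup returns nothing (it searches for an address that literally contains the quote and the clause), and the screen flags the quote, the OR/AND keywords and the wildcard. On a real application the row count returned by the vulnerable form is exactly the oracle the article relies on, which is why the parameterized form, not the screen, is the fix; the screen is only there to make the probing visible in logs.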

Comments

  1. 07 Feb 2005 at 16:22
    This is a good article, but check out this article to actually automatically get a copy of the whole database.

    http://database.ittoolbox.com/browse.asp?c=DBPeerPublishing&r=%2Fpub%2FSG090202%2Epdf
  2. 01 Jan 1999 at 00:00

    This thread is for discussions of SQL Injection Attacks by Example.

Stephen J. Friedl UNIX Wizard and Microsoft MVP
