Advanced SQL Injection Scanner - IIS & DBO

Advanced SQL injection mechanisms that malicious users can use to obtain critical information and take advantage of it to gain complete control of a computer system.

Explanatory Note

This article doesn't attempt to explain a new technique for compromising computer systems: SQL Injection is very old and well known, but at the same time it can be very powerful. Nor does the article describe the exploitation of an unknown vulnerability; this one is known and has already been reported. What it does describe are unpublished advanced mechanisms of SQL injection that malicious users can use to obtain critical information and take advantage of it to gain complete control of a computer system.

Combining this technique with an IIS Web Server whose database login has elevated permissions (DBO) in Microsoft SQL Server can lead to complete loss of control of the affected server.

This article will attempt to explain the potential risk caused by misconfiguration of an SQL database that interacts with an external web page through an IIS Web Server and give details of how malicious users can benefit from it.

Short Summary (Wikipedia)

SQL Injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Vulnerability

Assuming the web page passes parameters to the database in a way that allows SQL Injection, the main problem is that the IIS Web Server discloses critical information to the user when an invalid Transact-SQL conversion is attempted. Imagine the following URL, where the id parameter allows injection.

https://www.victim.com/index.aspx?id=1

A malicious user could override the value of the id parameter with a call to the Transact-SQL convert function:

convert(int, (SELECT+USER));--

The final URL would be of this style:

https://www.victim.com/index.aspx?id=convert(int, (SELECT+USER));--

The conversion function tries to convert a string to an integer, which raises an exception; the IIS Web Server then makes the serious error of showing the value of the executed query in the error message.

A typical output would be something like this:

Conversion failed when converting the nvarchar value '{user}' to data type int.

As we can see, the {user} value is the current database user. Furthermore, if the value returned is dbo, the database user has maximum execution privileges and will be able to execute shell commands through the xp_cmdshell Transact-SQL extended stored procedure.

Using a web page with a database user that has maximum privileges is a serious security error that system administrators should not make.

In summary, the vulnerability consists of three factors:

  • Error in handling the GET/POST parameters that allows SQL Injection. (Software Developer)
  • IIS Web Server that displays the conversion function information. (Microsoft)
  • Use of a database user in the web page with maximum privileges. (System Administrator/Software Developer)
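From the defender's side, the three factors above leave visible traces: a request whose id value carries a conversion function and a SELECT, a 500 response, and the conversion error text that leaks the database user. The following Python, an added example that is not part of the original README or of the scanner, flags those traces in constructed IIS-style log lines and extracts the leaked value from a response body; the log lines, field layout, indicator names and regular expressions are assumptions, and only index.aspx, the id parameter and the error message come from the page.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (date time cs-method cs-uri-stem cs-uri-query sc-status).
# Only the page name index.aspx and the id parameter come from the README; the requests are made up.
SAMPLE_LOG = """\
2017-06-01 10:00:01 GET /index.aspx id=1 200
2017-06-01 10:00:02 GET /index.aspx id=convert(int,(SELECT+USER));-- 500
2017-06-01 10:00:03 GET /index.aspx id=1;--%20 500
2017-06-01 10:00:04 GET /index.aspx id=cast((select%20user)%20as%20int) 500
2017-06-01 10:00:05 GET /about.aspx - 200
"""

# Indicators of an error-based probe: a T-SQL conversion function, a SELECT keyword, a comment terminator.
INDICATORS = {
    "conversion-function": re.compile(r"\b(convert|cast)\s*\(", re.IGNORECASE),
    "select-keyword": re.compile(r"\bselect\b", re.IGNORECASE),
    "comment-terminator": re.compile(r"--"),
}
# The disclosure message quoted in the README; group 1 is the leaked value (e.g. the database user name).
DISCLOSURE = re.compile(r"Conversion failed when converting the \w+ value '([^']*)' to data type \w+\.")

def classify_value(value: str) -> list[str]:
    """Names of the indicators present in one decoded parameter value, in dictionary order."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def suspicious_requests(log_text: str) -> list[dict]:
    """One record per query parameter whose decoded value carries at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[4] == "-":
            continue  # malformed line, or a request without a query string
        _date, time_, _method, stem, query, status = fields
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)  # decode %20 and '+' the way the server would
            reasons = classify_value(value)
            if reasons:
                hits.append({"time": time_, "stem": stem, "param": name,
                             "value": value, "status": status, "reasons": reasons})
    return hits

def leaked_value(response_body: str) -> str | None:
    """Return the value disclosed by a conversion error message, or None if the body is clean."""
    m = DISCLOSURE.search(response_body)
    return m.group(1) if m else None
```

A hit whose status is 500 and whose matching response body yields a non-None leaked_value is the combination of all three factors in one request.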

Version 4.0 (Private)

The extended version 4.0 of the scanner is in a private repository (visible to sponsors) with all its functionality.

More information

https://advanced-sql-injection.blogspot.com/2017/06/ivan-ricart-borges-advanced-sql.html