Exploit Logic
In the previous chapter we developed a routine that inserts a single quote into each application parameter and inspects the associated response to determine if it contains a database-related error message. Although this routine detects error-based injection vulnerabilities, the new script will contain a modified routine that can also detect blind injection points using various OR 1=1 exploit strings. Once the injection point is identified, the script attempts to craft a more powerful exploit that can be used to pull arbitrary data out of the database.
A UNION query is the most common way to leverage SQL injection for arbitrary data retrieval. A successful UNION exploit must follow certain syntax rules. Specifically, it must determine how many columns are in the original SQL query (a UNION query must contain the same number of columns as the query to which it is being appended). Also, the exploit must determine the appropriate datatype contained in each column (the datatype of each column must match between the two halves of a UNION query). Due to query variations among database servers (e.g., target tables for sample exploits, datatype conversion methods, etc.), the exploit engine needs to detect the type of database server being exploited so that it can adapt the exploit queries accordingly.
The UNION exploit routine will employ a combination of blind SQL injection exploit techniques as well as traditional error-based techniques. The exploit steps and underlying process we will use to construct ...
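The probing sequence the chapter describes (a lone quote, an OR 1=1 tautology, then UNION SELECT with an increasing number of NULL columns until the server stops returning an error) is also the footprint a defender can look for in web server access logs. The following script is an added example and is not code from the book: it parses constructed Common Log Format lines, flags those three kinds of probe per parameter value, and groups the UNION column-count attempts by source IP so the column-enumeration pattern stands out. The sample log lines, the regular expressions and the function names are all assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Common Log Format (not from the book).
# 10.0.0.5 walks through quote probe -> tautology -> UNION with 1, 2, 3 columns;
# 10.0.0.9 sends a benign search term that happens to contain an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item.php?id=42%27 HTTP/1.1" 500 87
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /item.php?id=42%27+OR+1%3D1-- HTTP/1.1" 200 4096
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /item.php?id=42+UNION+SELECT+NULL-- HTTP/1.1" 500 87
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=42+UNION+SELECT+NULL,NULL-- HTTP/1.1" 500 87
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=42+UNION+SELECT+NULL,NULL,NULL-- HTTP/1.1" 200 600
10.0.0.9 - - [10/Oct/2023:13:56:00 +0000] "GET /search.php?q=o%27reilly HTTP/1.1" 200 2048
"""

# ip, method, request-target, status (remaining fields are ignored)
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# OR n=n with the same number on both sides, e.g. OR 1=1
TAUTOLOGY_RE = re.compile(r"\bOR\s+(\d+)\s*=\s*\1\b", re.IGNORECASE)
# UNION [ALL] SELECT <select list> up to a comment marker or end of value
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+(.+?)(?:--|#|$)", re.IGNORECASE)


def classify_value(value):
    """Return (kind, detail) tags for one already-decoded parameter value."""
    tags = []
    if TAUTOLOGY_RE.search(value):
        tags.append(("tautology", None))
    m = UNION_RE.search(value)
    if m:
        # Column count = number of comma-separated items in the select list
        ncols = len([c for c in m.group(1).split(",") if c.strip()])
        tags.append(("union", ncols))
    if value.rstrip().endswith("'"):
        # A value that *ends* in a quote is the classic error-based probe;
        # an apostrophe inside a word (o'reilly) is not flagged.
        tags.append(("quote_probe", None))
    return tags


def analyze(log_text):
    """Parse CLF lines and return one finding per suspicious parameter value."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(3), int(m.group(4))
        parts = urlsplit(target)
        # parse_qsl turns '+' into spaces and percent-decodes each value
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for kind, detail in classify_value(value):
                findings.append({"ip": ip, "path": parts.path, "param": name,
                                 "kind": kind, "detail": detail, "status": status})
    return findings


def column_enumeration(findings):
    """Group UNION probes by source IP: the column counts tried and the first
    count that stopped producing a 5xx response (i.e. the count that matched)."""
    per_ip = defaultdict(lambda: {"tried": [], "matched": None})
    for f in findings:
        if f["kind"] != "union":
            continue
        entry = per_ip[f["ip"]]
        entry["tried"].append(f["detail"])
        if f["status"] < 500 and entry["matched"] is None:
            entry["matched"] = f["detail"]
    # Only report sources that tried at least two different column counts
    return {ip: e for ip, e in per_ip.items() if len(set(e["tried"])) >= 2}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['path']} {f['param']}={f['kind']} "
              f"detail={f['detail']} status={f['status']}")
    print("column enumeration:", column_enumeration(SAMPLE_LOG and found))
```

Correlating the UNION probes with the HTTP status is what makes the sequence readable: the attempts that fail the column-count rule from the text produce a server error, and the first one that returns a normal page reveals the column count the application's query uses. The same idea extends to datatype probing (the column count stays fixed while one NULL at a time is replaced by a literal), which would show up as a run of equal-width UNION requests from one source.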