Principle exploitable issues with SQL Servers
- web form that does not perform error checking
- SQL server runs any type of query or command passed to it
- SQL server where the service account has elevated permissions
- SQL server which is capable of having the service account run commands
SQL injection result
- disclosure of private information
- SQL server performs unauthorized functions
Forensic examination of SQL injection should involve:
- The logs from the server hosting the web application
- The logs captured by the web application service
- The logs from the server running SQL
- The SQL application logs (Typically, SQL will retain a record of queries and commands run.)
- Firewall and IDS logs
SQL over TCP Port
TCP 1433
SQL Probe
UDP 1434
DMZ Firewall - protection?
s
DMZ Firewall - protection?
firewalls don’t protect against SQL injection
SQL injection result
- disclosure of private information (from database/table)
- SQL server performs unauthorized functions (run commands)
SQL Server Account
Service account - when compromise, take on same permissions as service account. Can run commands from SQL Server.
SQL xp_cmdshell
- spawns Windows command shell and passes string for execution. Output is text.
SQL xp_cmdshell
- spawns Windows command shell and passes string for execution. Output is text.
- disabled by default
SQL Injection Input
GET or POST commands
Forms can be ASP, PHP, CGI, etc. (no requirement)
GETS vs. POSTS
as
GETS vs. POSTS
difference in the artifacts we see
Artifacts for SQL Injections (4)
Web Server logs
firewalls
ids
SQL server
SQL value examples
‘or’1’=’1’–’
‘or’1’=’1’({‘
‘or’1’=’1’/*’
Keywords in Log Files
keyword or reps
-- execute select * @@version varchar char exec execute cast declare
Keywords in Log Files
keyword or greps:
-- execute select * @@version varchar char exec execute cast declare
