###########  #####        ############  ###########  #####  #####                
 #        ##  #  ##        #         ##  #        ##  #  ## #   #                 
 #  ###   ##  #  ##        #   ####  ##  #   #######  #  ###   #                 
 #      ##    #  ##        #         ##  #   #        #       #                  
 #  ###   ##  #  ########  #  ###### ##  #   #######  #  ###   #                 
 #        ##  #        ##  #  #    # ##  #        ##  #  ## #   #                
 ###########  ###########  ####    ####  ###########  #####  #####               
                                                                                 
 ############  #####  #####  ############  ############  #####        ###########
 #         ##  #   #  #  ##  #         ##  #         ##  #  ##        #        ##
 #   ####  ##  #    # #  ##  #   ########  #   #####     #  ##        #  ########
 #         ##  #     ##  ##  #   #   ##### #   ###       #  ##        #        ##
 #  ###### ##  #   #  #  ##  #   #####   # #   #####     #  ########  #######  ## 
 #  #    # ##  #   ##    ##  #         ##  #         ##  #        ##  #        ##
 ####    ####  ##### ######  ############  ############  ###########  ###########

                                                                              
                                [ SQL INJECTION ]                   
                                                                               
                          { http://www.BlackAngels.it }



             [ Table of contents ]
   
                    1 - Legal notes
                    2 - Introduction
                    3 - General knowledges
                    4 - Scripts testing
                    5 - SELECT parameter
                    6 - INSERT parameter
                    7 - STORED PROCEDURES feature



[1] Legal notes
===============
 
The BlackAngels staff refuse all responsabilities for an incorrect or illegal
use of the informations supplied with this paper or for eventual damages to
others systems.
This paper has been wrote in the respect of the Article 21 ( Italian Constitution ).
 
 
[2] Introduction
================ 

This paper will introduce the reader to one of the most dangerous vulnerabilities
of web-related applications : the SQL Injection.
Some PHP scripts are used to describe the vulnerability, but aren't required 
PHP knowledges to understand it.
 
 
[3] General knowledges
======================
 
The SQL Injection is an exploiting technique of web applications that use data 
sent from a client to a Database SQL ( DS ), without checking dangerous characters.
Infact a lot of web applications use particular variables, that an user can change 
to comunicate with the DS; unfortunately a malicius user, could change that variables
to execute arbitrary code on the remote computer or to bypass a password protected
area, for example. 
 
 
[4] Scripts testing
===================

The SQL Injection's vulnerability, could be really difficult, but in a lot of cases
the search of the bug in the application's code, could be simple; for example, if you
add an apex ( ' ) into a form and the server's response is a white errors page, probably
the script is bugged.
The best way, is that to check all variables of the script, with all probably dangerous 
characters; now we will analize an example of vulnerable script ( the example script
is the code used in blackangels.it Search Engine, but it isn't really bugged ) :

http://www.blackangels.it/Exploit/search.php?s=splatt&a=0

This url, pass to the script ( search.php ), two correct parameters ( s=splatt and
a=0, where "splatt" is the word that the script is searching for ); the script works
correctly.
Now, try to change the parameter passed to the variable s, with an apex, before the
searched word :

http://www.blackangels.it/Exploit/search.php?s='splatt&a=0

If the script is vulnerable ( for example in this case ), we have changed the parameter
passed from the form to the DS, by inserting an SQL operator ( the apex ), before it;
so the possible error's responses, could be several.
Infact, we could have a white page full of errors, like this :

There appears to be an error with the BlackAngels Search Engine database.
You can try to refresh the page by clicking here, if this does not fix the error, you 
can contact the administrator by clicking here.

Error Returned

mySQL query error: SELECT s, a
mySQL error: Unknown column 's' in 'search list'
mySQL error code: 1054
Date: Wednesday 17th of February 2003 08:40:54 PM

We apologise for any inconvenience

This is only an example of error's response.
In some cases, the error will be generated directly from the DS; then there is surely,
a SQL Injection vulnerability.
When you found a bugged script, the best thing to do, is download the page's html code
and the script's code, to search for a programming error or an unchecked variable.
 
 
[5] SELECT parameter
==================== 

A lot of web applications, use the parameter SELECT; this command is used to take a data
from a query and to compare it with a database's list.
For example, the following code, is a login script, that take the username and the 
password from the query and it compare them with a list ( the script has been took 
from freephp.html.it ) :

$login = $_GET["nlogin"];
$password = $_GET["ppass"];
$string = mysql_query("SELECT * FROM ulist WHERE login='".$login."' AND 
password='".$password."'");
if (mysql_num_rows($string) == 0)
$in = 0;
else
$in = 1;

This is the classical example of a script, vulnerable to dangerous characters, because
there aren't any check's conditions; then, to bypass the script, we could input in the
username ( $login ) and in the password ( $password ) camps, the code " OR "=" :

$string = mysql_query("SELECT * FROM ulist WHERE login=" OR "=" AND 
password=" OR "="");

As you can see, this two conditions are always true, then the script will return a
value equal to 1 ( $in = 1 ).


[6] INSERT parameter
==================== 

Another really vulnerable parameter, with the SELECT too, is the INSERT; it is used
to insert new records in a table.
For example, a malicius user could use this parameter, to add an username and a password
to a database's list; this is possible only if the DS support a particular feature,
the SUBSELECT ( Oracle and MS SQL support this feature ).
Now we can take into consideration a simple script, that add an username and a password
into a database's table ( also this code has been took from freephp.html.it ) :

INSERT INTO loginlist (username,password) VALUES ('admin','guest');

This is the correct code, that insert into the table ( loginlist ), an username ad a
password ( admin and guest ).
But if we change "admin" with " + SELECT username FROM loginlist LIMIT 1 + " and "guest"
with " + SELECT password FROM loginlist LIMIT 1 + ", the script's code will become :

INSERT INTO loginlist (username,password) VALUES (' + SELECT username FROM loginlist LIMIT 1 + '
,' + SELECT password FROM loginlist LIMIT 1 + ');

Now the query will replicate into the table, an existent record.


[7] STORED PROCEDURES feature
============================= 

The STORED PROCEDURES are a feature, that is supported from a lot of DS, like Oracle 
and MS SQL; STORED PROCEDURES are particular batch files, recalled with the EXEC 
parameter, that execute operations, directly on the DS.
Perhaps xp_cmdshell, is the most vulnerable STORED PROCEDURE of the MS SQL Server.
It could be used from a malicius user, to execute arbitrary code on the server; infact,
you could use a simple code like this, to see the list of all files, into the server's
hard drive :

EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:\'

This vulnerability is comparable with the IIS Unicode bug.
So, when this STORED PROCEDURE is active, you could execute any kind of DOS command, on
the remote server.
 
With this simple example, i close this paper.
For more informations send me a message to : nemesis[at]blackangels.it
Thank you for reading this paper.