Ingenieria

Advanced SQL Injection In SQL Server Applications
Chris Anley [chris@ngssoftware.com]

An NGSSoftware Insight Security Research (NISR) Publication ©2002 Next Generation Security Software Ltd http://www.ngssoftware.com

Table of Contents [Abstract] ............................................................................................................................ 3 [Introduction]...................................................................................................................... 3 [Obtaining Information Using Error Messages] ................................................................. 7 [Leveraging Further Access]............................................................................................. 12 [xp_cmdshell]............................................................................................................... 12 [xp_regread].................................................................................................................. 13 [Other Extended Stored Procedures] ............................................................................ 13 [LinkedServers]............................................................................................................ 14 [Custom extended stored procedures]........................................................................... 14 [Importing text files into tables] ................................................................................... 15 [Creating Text Files usingBCP]................................................................................... 15 [ActiveX automation scripts in SQL Server]................................................................ 15 [Stored Procedures]........................................................................................................... 17 [Advanced SQL Injection]................................................................................................ 18 [Strings withoutquotes]................................................................................................ 18 [Second-Order SQL Injection]...................................................................................... 18 [Length Limits] ............................................................................................................. 20 [AuditEvasion]............................................................................................................. 21 [Defences] ......................................................................................................................... 21 [Input Validation].......................................................................................................... 21 [SQL ServerLockdown]............................................................................................... 23 [References] ...................................................................................................................... 24 Appendix A - 'SQLCrack' ................................................................................................. 25(sqlcrack.sql)................................................................................................................. 25

Page 2

[Abstract] This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be 'injected' into the application and addresses some of the data validation and database lockdownissues that are related to this class of attack. The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications. [Introduction] Structured Query Language ('SQL') is a textual language used to interact with relational databases. There are many varieties of SQL; most dialects...