Vulnerabilities in Back-End Systems and Structured Query Language (SQL) Databases

Back-end systems are also subject to risk if not properly secured. Because the back-end databases of a web application typically expose fewer services than a front-end system does, planned attacks against them may be easier. The strategy for attempting to compromise back-end systems is largely the same, though: the intention is to gain access to data, either by compromising a database or by escalating a privilege level.

Develop an Attack Plan

Developing an attack plan for a back-end system or database is very similar to developing one for a web front-end system. Many attack methods can be performed through the same web application or forms.

The most likely difference in planning an attack on a database is that additional discovery tools need to be used to identify the database type. Most scanning tools identify database types based on open ports or services running on the system. However, if the database type cannot be determined by scanning tools, another method that sometimes works is field manipulation and forcing error messages. Inputting a wrong value in a field that the database processes may cause an error, and the resulting error message displayed on the screen may give information about the database.

Once the database type is identified, the general plan of attack on a database might attempt the following:

  1. Access or retrieve data by injecting data into fields or forms

  2. Access or retrieve data by gaining privileged access

  3. Crash the database to gain privileged access to other portions of the system

Identify Gaps and Holes

Probing database applications for gaps and holes is a common feature of the penetration testing software on the market. Metasploit, a freeware tool, is adept at exploit testing, as its name implies. Metasploit has modules, or preconfigured test scripts, for numerous database types and their vulnerabilities, but it is not as user-friendly as some other tools mentioned in this chapter. Even the Windows version runs as a command-line utility.

Many of the web application scanners also have scripts and tests for back-end databases. Acunetix is one of those programs and will attempt to connect to the database as well as run SQL commands.

Escalate the Privilege Level

Attempting to escalate privileges for back-end databases is very similar to the strategy used for web server applications. Once again, Metasploit is a good utility for attempting various strategies for escalating privileges. One item to be cautious about, however, is that many of the scripts and techniques used to gain an escalated privilege level involve strategies that crash either the application or the database itself. If the database is crashed, then accessing data may be considerably more difficult, even if privileged access is gained.

Perform an SQL Injection for Data Extraction

Most scanning and pen test utilities now have built-in SQL injection testing capabilities. However, SQL injection is a fairly simple activity that an attacker can attempt manually by manipulating URLs in a browser.

SQL injection is the act of inserting various SQL commands into a URL, or sometimes into a form field, so that the command will be run against the back-end database. The following steps contain a basic SQL injection attempt:

  1. Look for webpages that contain data entry fields for entering data such as a username or password. Webpages for that purpose are typically not static HTML but are written using a language like ASP or PHP. These webpages will contain extensions such as .asp, .php, or .jsp somewhere in the URL. For example, http://mydatabase.com/index.asp?user= might correspond to a text box asking for a logon ID.

  2. Upon typing the name Sam into the logon ID field on the webpage, the URL would look like http://mydatabase.com/index.asp?user=Sam. The application might then run a query to look for the name Sam in its tables, and the actual database query might look like: SELECT * FROM customers WHERE User = 'Sam'

  3. By either manipulating the URL or entering data into the field, you can now try some characters that have special meaning in SQL queries, such as a single quote ' or two dashes --. The single quote, for example, closes the string literal in the search criteria and returns control to the SQL statement. Knowing this, you can enter data into the webpage's field so that it is injected as part of the SQL statement. For example, entering the characters ' OR 1 = 1 tells the statement to return a row whenever the OR condition is true. Because 1 always equals 1, the condition is true for every row, and all data are returned.

  4. From here, more advanced knowledge of SQL query formatting or SQL Server commands is necessary to get creative with SQL injection. Basically, though, any type of SQL command can now be inserted into the text box or URL and, if properly formatted, cause the SQL server to execute the command as if the attacker were sitting at the SQL console. For example, the following text would cause SQL to stop its normal query and execute anything after the semicolon, such as a privileged SQL Server EXEC command: '; exec...
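The four steps above, together with the earlier point about database error messages leaking the engine type, can be demonstrated side by side with a vulnerable lookup and a hardened one. The example below is added here and is not code from the book or from any product it mentions; it uses Python's standard sqlite3 module against an in-memory customers table with constructed rows, the query shape from step 2, and the ' OR 1 = 1 input from step 3 followed by the two-dash comment from the same step (the comment swallows the trailing quote that the concatenation leaves behind). The vulnerable version concatenates the input into the query and echoes the driver's error text to the caller; the hardened version binds the input as a parameter and returns only a generic message on error, logging the detail server-side.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("customer-lookup")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory customers table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (User TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Sam", "sam@example.com"),
         ("Alice", "alice@example.com"),
         ("Bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> dict:
    """Builds the query by string concatenation, so the user's text becomes SQL.
    The assembled query is returned too, so the effect of each input is visible."""
    query = "SELECT * FROM customers WHERE User = '" + user + "'"
    try:
        return {"ok": True, "rows": conn.execute(query).fetchall(), "query": query}
    except sqlite3.Error as exc:
        # Echoing the driver's message to the client is exactly what lets an
        # attacker fingerprint the database engine from forced errors.
        return {"ok": False, "rows": [], "message": f"Database error: {exc}",
                "query": query}


def lookup_hardened(conn: sqlite3.Connection, user: str) -> dict:
    """Parameterized query: the driver binds the value, so quotes, dashes and
    semicolons in the input are data, never SQL. Errors are logged server-side
    and the client sees only a generic message."""
    try:
        rows = conn.execute(
            "SELECT * FROM customers WHERE User = ?", (user,)
        ).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        log.warning("database error during lookup: %s", exc)
        return {"ok": False, "rows": [], "message": "Lookup failed"}


if __name__ == "__main__":
    db = make_db()
    # Inputs from the chapter: a normal name, the tautology with a trailing
    # comment, and a lone quote that forces a syntax error.
    for user in ("Sam", "' OR 1 = 1 --", "'"):
        print("input:", repr(user))
        print("  vulnerable:", lookup_vulnerable(db, user))
        print("  hardened:  ", lookup_hardened(db, user))
```

Python's sqlite3 refuses to run more than one statement per execute() call, so the stacked '; exec form from step 4 cannot be reproduced with this driver; the point it illustrates is the same, however, because a bound parameter can never terminate the statement in the first place.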

With some quick Google searching, an attacker could find information on the EXEC command and its options, which allow for some very powerful capabilities. EXEC can then be used to perform actions such as the following:

  • EXEC xp_cmdshell 'dir *.exe', which returns a list of all .exe files on the server

  • EXEC @retstat..., which runs a script, or collection of commands, from a remote server
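On the defensive side, every indicator this section names (the single quote, the two-dash comment, the semicolon followed by a command, the OR 1 = 1 tautology, and xp_cmdshell) is visible in the query string of a web server access log. The scanner below is an added example, not code from the book or any tool it mentions; it parses a few constructed log lines in the common log format, URL-decodes each query parameter, and flags lines that carry those indicators. A parameter containing only a quote is rated low, because legitimate values such as O'Brien contain one; anything stronger is rated high.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators taken from the chapter's own SQL injection discussion.
INDICATORS = [
    ("tautology", re.compile(r"\bor\b\s*'?\s*1\s*=\s*1", re.I)),
    ("comment", re.compile(r"--")),
    ("stacked", re.compile(r";\s*(exec|select|insert|update|delete|drop)\b", re.I)),
    ("cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("quote", re.compile(r"'")),
]

# Common log format: client, identity, user, [timestamp], "request", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: a normal lookup, the tautology with a comment,
# a stacked xp_cmdshell attempt, and a legitimate name containing a quote.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.asp?user=Sam HTTP/1.1" 200
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.asp?user=%27%20OR%201%20%3D%201%20-- HTTP/1.1" 200
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.asp?user=%27%3B%20EXEC%20xp_cmdshell%20%27dir%20*.exe%27 HTTP/1.1" 500
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.asp?user=O%27Brien HTTP/1.1" 200
"""


def scan_line(line: str):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    labels = []
    # parse_qsl splits the query string and percent-decodes each value.
    for name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        for label, rx in INDICATORS:
            if rx.search(value):
                labels.append(f"{name}:{label}")
    if not labels:
        return None
    strong = [lab for lab in labels if not lab.endswith(":quote")]
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": m["status"],
        "labels": labels,
        "severity": "high" if strong else "low",
    }


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["ts"],
              finding["status"], ", ".join(finding["labels"]))
```

The HTTP status column is kept in each finding because the pairing of an injection indicator with a 500 response is the server-side counterpart of the error-forcing technique described earlier: it is the moment the application may have disclosed its database engine.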
