-4

I'm testing a client's web site vulnerability to SQL injection, which appears to be the case. The web site is hosted in IIS on a Windows server and is using Microsoft's .NET framework with SQL. I'm able to enter SQL statements in the sign in form.

But when I enter ' or 1=1;-- in username, it replies "Your Account Has Been Blocked". Obviously, the field isn't validated which is a serious security issue.

How can I obtain the database's content using the SQL injection technique? I've read this penetration test tutorial, but no luck so far.

When I enter ' in the username field, this is what I get:

[screenshot of the error page, not included in this copy]

Asked by mehulmpt; edited by Steven Volckaert.
  • Can you elaborate on "print out database information etc. with an input field which is executing my SQL queries"? It's unclear to me what exactly you're trying to find out. – Steven Volckaert Apr 18 '14 at 08:37
  • I'm trying to find out how can I retrieve sensitive info from the database. I know there are 2 columns, I found this by order by command. But I'm unable to find vul column and proceed. I'm following this guide. But seems it works only for URL based SQLs : http://www.breakthesecurity.com/2010/12/hacking-website-using-sql-injection.html – mehulmpt Apr 18 '14 at 08:38
  • Can you edit your answer with this info? I thought it was some kind of legal question regarding "printing out" the retrieved database content on paper. – Steven Volckaert Apr 18 '14 at 08:42
  • Obviously that's a legal work. I've got this site as a work from my client to check it against all possible vul. We are yet to launch this site. I asked you to help, please don't point out if you can't help. Thank You @Steven – mehulmpt Apr 18 '14 at 11:14
  • Pointing things like this out improves the Stack Exchange Network. Besides: Better, clearly formulated questions result in answers more quickly. Cheers. – Steven Volckaert Apr 18 '14 at 11:53
  • (7) I would suggest to ask someone with the right skills to perform this work for your client. – ack__ Apr 18 '14 at 12:25
  • (1) You probably get "Your account has been blocked" because the first account in the DB is blocked. You could get the second item in the returned set by trying LIMIT 1,1 (if it is mysql). – mikeazo Apr 18 '14 at 16:29

3 Answers

7

You should ensure that you have the right skill set before offering to perform work for a client. This means that your looking at the website will be worthwhile and you won't give the client a false sense of security. This will be better for you as you will know how to take the correct steps to perform a test legally and won't get sued by the client if you slip up when [checking the site] "against all possible vul."

I can recommend the Web Application Hacker's Handbook: 2nd edition as a good guide to getting started in the field and the resources at OWASP, but recommend taking proper training and working with more experienced people.

That being said, SQLMap is a good tool to use in a pinch and can be cloned off of GitHub or found in Kali / BackTrack (but this version may be out of date).

Make sure you have the client's / their service provider's express written permission for testing and be sure to caveat "all known vulnerabilities" in the future or you will risk getting burned.

Answered by Stu W; edited by TildalWave.
1

How can I obtain the database's content using the SQL injection technique?

Whether or not you can do this will depend greatly on how the information is used after it is pulled from the database. For example, if the information pulled from the database is only used to see if you have valid credentials, but never displays any of the database content that was retrieved, then you won't be able to display the database content.

Likely though you would be able to log in without a valid username/password combination. You said your first string was getting an "Account has been blocked" message. Likely, for some reason, the first returned result in the database is a locked account. You could get around this by doing something like LIMIT 1,1 (if it is mysql, or something similar if it is not).

Answered by mikeazo.
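The behaviour mikeazo describes (the injected condition matches every row, and the application acts on whichever row comes back first) is easy to reproduce in a small model. The following is an added example, not code from the question or from any answer: a constructed Python/SQLite sign-in lookup with the string-concatenation form beside a parameterized one. SQLite stands in for the SQL Server backend of the asker's site; the table, the two accounts and the response strings are all made up for the illustration.

```python
import sqlite3

# Constructed sample data (not from the site in the question). The first
# row is a blocked account, which reproduces the "Your Account Has Been
# Blocked" reply the asker saw: the injected condition matches every row
# and the application acts on the first one returned.
SAMPLE_ACCOUNTS = [
    ("admin", "hunter2", 1),   # blocked = 1
    ("alice", "s3cret", 0),    # blocked = 0
]


def make_db():
    """In-memory SQLite database used as a stand-in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, blocked INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL."""
    query = (
        "SELECT username, blocked FROM users "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: input is data, never SQL syntax."""
    query = "SELECT username, blocked FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def query_error(conn, username, password):
    """Returns the database error text the vulnerable lookup raises, if any.

    A lone quote breaks the concatenated SQL; this is the error page the
    asker saw when entering ' in the username field."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def response_for(row):
    """Mimics the sign-in form's reply for the row returned by the lookup."""
    if row is None:
        return "Invalid username or password"
    username, blocked = row
    return "Your Account Has Been Blocked" if blocked else "Welcome, " + username


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1;--"          # the exact string from the question
    print("vulnerable:    ", response_for(login_vulnerable(conn, payload, "x")))
    print("parameterized: ", response_for(login_parameterized(conn, payload, "x")))
    print("lone quote:    ", query_error(conn, "'", "x"))
    print("genuine login: ", response_for(login_parameterized(conn, "alice", "s3cret")))
```

Run as a script, the concatenated form answers the question's payload with the "blocked" message because the first (blocked) row satisfies `or 1=1`, while the parameterized form treats the same string as a literal username and finds nothing. In the ADO.NET code the asker's site is built on, the equivalent fix is passing the values through `SqlCommand.Parameters` rather than formatting them into the SQL text; the lone-quote case also shows why raw database error text should never reach the user, since that error page is what confirmed the injection point in the first place.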
1

If this form is hackable, others are likely to be also. Getting the content of the database is problematic, but bypassing normal user authentication, altering other users' accounts, or just plain trashing the database are all on the table. I doubt your client would want you to try these things on their live database.

Answered by ddyer.