2

These days there are several database technologies available for data storage purposes.
While performing injection attacks, how do attackers actually identify the database used by a website?
If it is possible by any queries or commands through any application entry points, can someone
explain to me the instructions to identify some leading databases like MySQL and Oracle?

Anandu M Das

3 Answers

5

There are three common ways to deal with the variety of databases out there:

  1. Many web applications are tied to a specific database backend, rather than being able to use a variety of backends. For example, if someone's using MediaWiki, you know they're using either MySQL or MariaDB.

  2. An attacker can attempt to generate an error condition, then look at the resulting error message for clues as to what database is in use. This is one reason why error messages displayed to the end user should be as generic as possible.

  3. An attacker can simply try everything. There aren't that many common database backends in use, and making a dozen attack attempts isn't much harder than making one.

Mark
  • I loved the 2nd point. Could you tell me a typical way used by the attackers to generate an error message? – Anandu M Das Sep 26 '14 at 05:17
  • 1
    Input that's invalid in an unexpected way: malformed UTF-8, words where numbers were expected, input that's wildly too large, etc. – Mark Sep 26 '14 at 05:21
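
An added example (not part of the original answers) for point 2 of the first answer: the same page lookup with the driver error echoed to the client, and with it validated, parameterized and kept server-side. The `pages` table, the handler names and the SQLite backend are assumptions chosen so the block runs offline.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")


def make_db():
    """Constructed sample database: one table, one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO pages VALUES (1, 'Home')")
    return conn


def leaky_handler(conn, raw_id):
    """Before: string-built query, driver exception text returned to the user."""
    try:
        row = conn.execute(
            "SELECT title FROM pages WHERE id = " + raw_id
        ).fetchone()
    except sqlite3.Error as exc:
        # The exception class and message name the backend and its parser.
        return 500, f"{type(exc).__module__}.{type(exc).__name__}: {exc}"
    return (200, row[0]) if row else (404, "Not found")


def hardened_handler(conn, raw_id):
    """After: validate input, bind parameters, log details server-side only."""
    # Rejects words where numbers were expected, non-ASCII digits and
    # wildly oversized input before anything reaches the database.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return 400, "Bad request"
    try:
        row = conn.execute(
            "SELECT title FROM pages WHERE id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error:
        # Full traceback goes to the server log; the user sees only a
        # reference that support staff can match against that log entry.
        ref = uuid.uuid4().hex[:12]
        log.exception("database error ref=%s", ref)
        return 500, f"Internal error (ref {ref})"
    return (200, row[0]) if row else (404, "Not found")
```
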
2

Even though NoSQL databases are on the rise, the vast majority of web applications still use some kind of SQL database. The basic SQL features are standardized, so many simple SQL queries work on any SQL database. I doubt there is any database which calls itself SQL and doesn't understand password = '' OR '1'='1'. So in many cases it isn't even required to know which database the target is using as long as it is an SQL database.

schroeder
Philipp
  • And if the NoSQL database engine includes a query language, surely you can find the same kind of injection. Unless the only API is a criteria one. – Walfrat Apr 14 '17 at 14:20
1

Well, it depends on so many things; I will be including some.

1/ The web application

Most web attacks are based on scanning. Let's take WordPress as an example.
You are trying to inject the database of a WordPress-based website,
and WordPress is not SQLi-vulnerable, but perhaps the plug-ins are vulnerable.
You make a scan for the plug-ins installed on the target website.
Then you install WordPress on a local server (for testing); during the installation, WordPress will ask you to make a SQL user for the WordPress database installation.
You start looking for a failure in the plug-ins (source code); you will be looking for target words that can lead you to the exploit type.
After that, if you got an exploit, you can keep it for yourself or post it on exploit databases such as Injector db (1337day.com) or Rapid7 db (exploit-db).

Conclusion: you will find out that the attacker knows because of the open source, so if you are trying to make a web app just for yourself, do not share your sources.

2/ The failure

So if the attacker is testing for SQLi on a target website and the target is infected,
this is a page:

http://example.com/webpage.php?id=1

The test is like that:

http://example.com/webpage.php?id=1'

You will find at the head of the page a SQL failure (if the website is vulnerable) including the word "mysql", which means that the web application is running a MySQL server.

He will get a SQL failure.

There are so many databases based on SQL that can be injected.

If you are looking for a good DB, you may try MongoDB.

It is available with PHP. If you are interested, check this blog web app based on PHP and MongoDB: http://www.mongopress.org/

(WordPress was just an example for a SQL DB.)

Philipp
  • 1
    This is a mess. Can you go through and clean this up to use reasonable formatting please? The spaces in URLs aren't needed. Also, all of part 1 is nonsense and irrelevant to the question. – Polynomial Sep 25 '14 at 09:31