
CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [73]

or even an entire database table because the SQL server is interpreting the terms literally. The double dashes near the end of the command tell SQL to ignore the rest of the command as a comment.

Here are some examples of how to use SQL commands to take control.

To get a directory listing, type the following in a form field:

Blah';exec master..xp_cmdshell "dir c:\*.* /s >c:\directory.txt"--

To create a file, type the following in a form field:

Blah';exec master..xp_cmdshell "echo hacker-was-here > c:\hacker.txt"--

To ping an IP address, type the following in a form field:

Blah';exec master..xp_cmdshell "ping 192.168.1.1"--

Describe SQL Injection Countermeasures

The first countermeasures to prevent a SQL injection attack are to minimize the privileges of a user's connection to the database and to enforce strong passwords for SA and Administrator accounts. You should also disable verbose or explanatory error messages so no more information than necessary is sent to the hacker (such information can help them determine whether the SQL server is vulnerable).

It's critical to review source code for the following programming weaknesses:

■ Single quotes

■ Lack of input validation

Some countermeasures to SQL injection are:

■ Rejecting known bad input

■ Checking input bounds
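The single-quote and double-dash mechanism described above, next to the countermeasures just listed, as an added example that is not from the book: a query built by string concatenation beside a parameterized one, plus a length-bounded "reject known bad input" check. The in-memory sqlite3 database, the users table and the input string are constructed here for illustration; sqlite3 stands in for the SQL Server discussed in the text.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the application's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concatenated(conn, name):
    # Weak form: the form field is pasted into the statement text. A single
    # quote in the input closes the string literal, and '--' makes the SQL
    # engine ignore the rest of the statement as a comment.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, name):
    # Hardened form: the value travels separately from the SQL text, so
    # quotes and comment markers inside it are matched literally.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def reject_known_bad(name, max_len=32):
    # Input-validation check from the countermeasure list: bound the length
    # and accept only characters a user name is expected to contain.
    if len(name) > max_len:
        return False
    return all(c.isalnum() or c in "_-" for c in name)

# Constructed input: a quote to end the literal, a tautology, then a comment.
CONSTRUCTED_INPUT = "x' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CONSTRUCTED_INPUT))
    print("parameterized:", lookup_parameterized(db, CONSTRUCTED_INPUT))
    print("validator    :", reject_known_bad(CONSTRUCTED_INPUT))
```

The concatenated lookup returns every row because the tautology and comment are interpreted as SQL; the parameterized lookup returns none because the same string is treated as a literal name.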

Buffer Overflows

As a CEH, you must be able to identify different types of buffer overflows. You should also know how to detect a buffer overflow vulnerability and understand the steps a hacker may use to perform a stack-based overflow attack. We'll look at these topics, as well as an overview of buffer-overflow mutation techniques, in the following sections.

Identify the Different Types of Buffer Overflows and Methods of Detection

Buffer overflows are exploits that hackers use against an operating system or application; like SQL injection attacks, they're usually targeted at user input fields. A buffer overflow exploit causes a system to fail by overloading memory or executing a command shell or arbitrary code on the target system. A buffer-overflow vulnerability is caused by a lack of bounds checking or a lack of input-validation sanitization in a variable field (such as on a web form). If the application doesn't check or validate the size or format of a variable before sending it to be stored in memory, an overflow vulnerability exists.

The two types of buffer overflows are stack-based and heap-based. The stack and the heap are storage locations for user-supplied variables within a running program. Variables are stored in the stack or heap until the program needs them. Stacks are static locations of memory address space, whereas heaps are dynamic memory address spaces that occur while a program is running. A heap-based buffer overflow occurs in the lower part of the memory and overwrites other dynamic variables. As a consequence, a program can open a shell or command prompt or stop the execution of a program. The next section describes stack-based buffer overflow attacks.

To detect program buffer overflow vulnerabilities that result from poorly written source code, a hacker sends large amounts of data to the application via a form field and sees what the program does as a result.

Overview of Stack-Based Buffer Overflows

The following are the steps a hacker uses to execute a stack-based buffer overflow:

1. Enter a variable into the buffer to exhaust the amount of memory in the stack.

2. Enter more data than the buffer has allocated in memory for that variable, which causes the memory to overflow or run into the memory space for the next process. Then, add another variable, and overwrite the return pointer that tells the program where to return to after executing the variable.

3. A program executes this malicious code variable and then uses the return pointer to get back to the next line of executable code. If the hacker successfully overwrites the pointer, then the program executes the hacker's code instead of the program code.

Most hackers don't need to be this familiar with the details of buffer overflows. Prewritten exploits

