Sunday, February 22, 2009

Sql Databases Mini Lecture
by
d4JinX / AZTEK / Spiderman / Mikkkeee
http://blacksun.box.sk

*Note: This lecture was held impromptu so we didn't have a chance to cover many more important areas of sql databases.

*** Mikkkeee sets mode: +m
okay we got something set
its going to be an sql lecture
-xenitanus- thanks :)
pl/sql then php/sql then cracking sql
then we can kill reptile after we are done
*** Mikkkeee sets mode: -m
<_cir_> lol
sounds ok
hm
okay
lol nick, now its 4.30? and before 10.00?=)))))))))))) you are are from california, aren t you?
we will survive
=)
ok mikkee
especially the end
<_cir_> im 4 killing reptile
n0 man
d4JinX: is starting
*** AZTEK sets mode: +m
lol
take it away d4JinX
Am I?
*** Mikkkeee sets mode: +o d4JinX
*** ChanServ sets mode: -o d4JinX
well you want to start with history
I think sql should run first..
*** SySt3mShk has joined #bsrf
ok
----------------sql lecture------------------------
Okay, SQL stands for Structured query language
SQL originated from IBM's research labs in the early 1970's
k..
SQL is the post cursor to SEQUEL
Structured English QUEry Language
*** d4JinX is now known as d4J1nX
*** Lone[Star] has quit IRC (Quit: see ya pplz l8r)
sql is strictly a language to access relational databases
*** _ciR_ has quit IRC (Quit: )
such as oracle or paradox
the latest ANSI recommendation is SQL-92
and thats my history now for d4J1nX
brb
As Aztek said SQL is a language used to access databases
It has very simple syntax
And is very easy to pick up
*** SySt3mShk has quit IRC (Ping timeout: 181 seconds)
Languages such as ASP and PHP use SQL statements
Say we had a database called people
I hope everyone knows what a database is ;-)
Within that database would be a number of tables
These tables hold the data in the form of fields with their corresponding types
ok back
eg people table
This could be made up of
wb Az
thx
SURNAME VARCHAR2(50)
FORENAME VARCHAR2(50)
TELEPHONE NUMBER
VARCHAR and number are the types
PHONENUM INTEGER(7)
*** StartX has joined #bsrf
There would also be an ID field
Used for indexing and joining tables
It has to be unique
And it cant be null when a new record is added to the table
*** SySt3mShk has joined #bsrf
PEOPLE_ID NUMBER
So we have a table called people with the fields already stated
Say we have a web front end
And we want to display all the people within the table
We would use a statement like
SELECT * FROM People
SELECT * from people
* being all the fields
We could pull back one field or two
SELECT surname,forename FROM table
If its a big table
SELECT *
Can take a long time
*** WishGenie has joined #bsrf
So sometimes its better to pull back only the fields required
If you're lazy as well, SELECT * lol
*** Drager has quit IRC (Ping timeout: 180 seconds)
Once we issue this statement a temporary table is setup
a view
Which has the relevant fields and the relevant values
Yes, you can have views too
*** CodE4 has joined #bsrf
i was just wondering when you were goign to start them
*** idiocy|idle has quit IRC (Read error: 104 (Connection reset by peer))
If we want to add to the people tablAka's: Brian-17-, Mr_Innocent
Name: Brian
Age: 17
Department: Warez
Rank: Head
Skillz: nuking, kloning, email bombing, spoofing, flooding, viral attacks, networking, troubleshooting, finding illegal software
WeFuck
My buffer
its what i would have done first
kay
You go for it
lol from that site form the message board
phone
Yep
no no your doing fine
2 secs phone
*** [PhaLanX] has quit IRC (Ping timeout: 180 seconds)
*** ken has joined #bsrf
*** CodE4 has left #bsrf
*** d4J1nX has quit IRC (Ping timeout: 180 seconds)
okay the lecture will presume in a few min
i am sorta not here and here
so i will be in and out
same here iam going to wrap some stuff for the cracking part
*** freespeachlamer has joined #bsrf
*** AirriK has joined #bsrf
*** d4J1nX has joined #bsrf
*** [PhaLanX] has joined #bsrf
*** Mikkkeee sets mode: +v d4J1nX
wb
Thx
Side lecture - See when ya have a cable modem, dont let your cellphone anywhere near it, especially when it rings
*** AirriK is now known as _AirriK-
lol
Keep getting caught with that
Had to reboot
So, where were we?
was there any lecture?
*** _AirriK- has quit IRC (Quit: Leaving)
yah were doing an sql lecture instead
oh
If we want to add to the people tablAka's: Brian-17-, Mr_Innocent
Name: Brian
Age: 17
Department: Warez
Rank: Head
Skillz: nuking, kloning, email bombing, spoofing, flooding, viral attacks, networking, troubleshooting, finding illegal software
we were up to there
who's giving it?
oh ok
aztek/d4j1nx/and I
*** lostmode has joined #bsrf
Kay
*** xenitanus has quit IRC (Quit:)
So basically we pull back a temporary table from that statement
We can also have conditional syntax
Such as
*** freespeachlamer has left #bsrf
SELECT surname FROM people WHERE surname LIKE '%on'
Will pull back all the records where the surname has on at the end
Or
SELECT phone_number FROM people WHERE phone_number>809090
Self explanatory I hope
If we want to add to a table
Then we use an INSERT statement
*** Litte has joined #bsrf
*** cupelmen has joined #bsrf
INSERT INTO people(surname,forename,phone_number) VALUES ('woods','jim',0202020)
The ID will be created automatically by means of a trigger - will get to it later
If we wanted to update the table then we would use the UPDATE statement..
UPDATE people SET surname='newsurname';
deleting would require knowing the id, more practical, although not necessary
DELETE from people where people_id=349
*** StartX has quit IRC (Quit: )
The three basic db maintenance statements
All pretty simple syntax, as I mentioned before
*** Devil_Panther has joined #BSRF
*** zwanderer has joined #bsrf
*** Shadow_Stalker has joined #bsrf
So we know how to add to a table in a database, delete from a table and update a record in a table
*** reptile has joined #bsrf
*** Litte has quit IRC (Quit: Clone for reptile w00t w00t)
*** _ciR_ has joined #bsrf
yep it is simple
As I mentioned earlier..
A trigger is used to create the id automatically
*** _ciR_ is now known as __ciR_-
A trigger is a small script, if you like, that will add the id to the id field on an insert into the table
*** D12_BoyZ has joined #bsrf
This ID number is taken from a number sequence in the database
The sequences are created manually
*** ewren has joined #bsrf
*** D12_BoyZ has left #bsrf
Each table that is normalized and has an ID field will have a different sequence
Now..
Say we have another field in our people table
*** paranoid has joined #bsrf
Called contact_name
And contact_address
*** MrBS480 has joined #bsrf
*** cupelmen has joined #bsrF
Now in order to normalise a db we would remove these two "repeating" fields and replace them with one
Contact_ID
And a separate table would be created called contacts
This table would have the fields.
Contact_id
Contact_name
*** Mikkkeee sets mode: +v Devil_Panther
Contact_address
brb door
*** paranoid has left #bsrf
okay seems like reptile showed up, so were going to finish this lecture and then do the vb coding
*** MrBS480 has quit IRC (Quit: )
*** ewren has quit IRC (Quit: )
*** flipu has joined #bsrf
back
Kay, I hope this is making some sense here, didnt really have time to prepare
Right so we now have two tables
*** lostmode has quit IRC (Quit: )
Contact table
And people table
Say we wanted all contact names for all the people whose first name was john
We would have to join our tables in the query statement
*** flipu has quit IRC (Not enough time connected)
*** torpor has joined #bsrf
*** __ciR_- has left #bsrf
SELECT c.contact_name FROM people p, contacts c WHERE p.contact_id = c.contact_id AND p.forename = 'John'
Notice the c and p used for an alias and to remove ambiguity
*** WishGenie has quit IRC (Quit: i gotta reboot)
*** cupelmen has quit IRC (Quit: time to sleep...)
That statement will pull back the contact names for all the people called John
On an off note..
Say we had a drop down/combo box on our webpage
And we wanted the full details of a particular person
*** makzee has quit IRC (Ping timeout: 180 seconds)
*** SpiderMan has joined #bsrf
*** ChanServ sets mode: +o SpiderMan
In the drop box we would have the details "John Woods" or "Chris Simms"
*** bluehaze has quit IRC (Ping timeout: 180 seconds)
But the actual value would be the corresponding id in the table
hail spider
hey
Spidey
*** ken has quit IRC (Quit: )
all hail SpiderMan
hey AZTEK
*** Capt_InsaneO has joined #bsrf
Depending on the language being used we loop through each record brought back from the query and have a form select option for each
*** Mezzano has quit IRC (Read error: 113 (No route to host))
SELECT people_id, forename FROM people;
The forename would be in the dropdown
*** torpor has left #bsrf
But behind the scenes the actual value for that selection is the id
*** Capt_InsaneO has left #bsrf
*** mezzano has joined #bsrf
*** acid519 has joined #bsrf
oh... hi spidy
This is moving on to front end languages though and since php seems to be very popular at the moment, Aztek will take it from here
Hey Spider :-)
hi
sorry to disturb
np
ok i guess its php time
and we are going to php and not perl
so soon?
lets hit it spidy\
yea
ok
nothing more of SQL?
WHERE clause
php now
db normilization
ok
AZTEK,,, i guess you preffer php on perl... huh?!
we did the WHERE
yea
Thats already been done Spider
ok
Plus normalisation - although not alot
ok then I guess it is php time :)
mysql is the preferred database engine of choice by us phpers
because it's small, fast, and cheap
what make us choose mysql over any other
You want me to go into normalisation more first Aztek?
exactly
cant beat free
also it's avaliable on many platforms
ok ok...
LECTURE PLS
yea any platform apache and php run mysql does
lol
*** BaGeL has joined #bsrf
ok
mysql_connect();
you have to connect to the mysql host
Can php use access databases Az?
usually localhost
d4J1nX: yes
actually i am waiting for spidy to give me the syntax since i don't have my manual open
for mysql_connect()?
it's localhost, username, password
yea
in strings
yea but port
and stuff
if no port is given it uses the default
int mysql_connect ([string hostname [:port] [:/path/to/socket] [, string username [, string password]]])
you don't have to provide the port unless it's different than the standard
yea
i was wanting the full atribs :)
ah, I'll open my docs
ok mysql_connect() returns a database handle
that we will use later for other things
you should always check for a valid handle
we use mysql_query();
to send a query; d4J1nX went over the standard queries earlier
$con= mysql_connect("localhost", "jared", "pass"); if(!$con) {die("can't connect!");}
*** Shiva_Shanti has joined #bsrf
mysql_query("SELECT * FROM people");
int mysql_query (string query [, int link_identifier])
*** d4J1nX has quit IRC (Ping timeout: 180 seconds)
$result = mysql_query("SELECT * FROM people");
that will return what mysql said for the query
then you can use functions such as mysql_fetch_array() to get the results
yea
umm thats the reason php is popular for database use its really easy :)
*** acid519 has quit IRC (Ping timeout: 180 seconds)
use mysql_drop_db("database name"); to delete a database
use mysql_create_db("database name"); to create a database
anything else spidy
like i said its easy
int mysql_create_db (string database name [, int link_identifier])
let's give an example
ok
from the start
how about something to pull news out of a db
*** d4J1nX has joined #bsrf
ok
let's say a database is set up with an id field and a news field
to get the news out we could do this
if (!mysql_connect("host", "user", "pass")) {die("error!");}
*** TCL has joined #bsrf
*** ChanServ sets mode: +v TCL
mysql_select_db("db");
|ID|NEWS |
--------------------------
|1 |.....................|
|2 |.....................|
|3 |.....................|
|4 |.....................|
|5 |.....................|
that's what the db table would look like
$result= mysql_query("SELECT * FROM news ORDER BY id DESC");
we use that to select the news and id out
then using a while loop fetch all the data
*** Shiva_Shanti has quit IRC (Quit: eat, bbl)
while($row= mysql_fetch_array($result)) {
$news= $row["NEWS"];
$id= $row["ID"];
*** divinator has quit IRC (Ping timeout: 180 seconds)
echo "id= $id\n";
*** N0_Nick has quit IRC (Ping timeout: 180 seconds)
echo "news= $news\n";
}
and after that we close the connection to the database
ok i thought spidy was just pulling this out of one of his scripts
never mind
heh nope
just wrote it up right now
ok
using my little impromptu database
heh yup
question time?
.mode #bsrf -m
*** AZTEK sets mode: -m
whew
*** N0_Nick has joined #bsrf
=)
i felt so
muzzled
heh
*** acid519 has joined #bsrf
ah got it one the log file;)
damn laptop
we can talk again ;)
well its not over
Explain each line of code Spider
d4J1nX
is about to do perl
not over?
hey i got disconnected
ok
man
oo
wait I want to give some tips before we go to perl
perl
*** AZTEK sets mode: +m
ok so first we connect to the database using mysql_connect()
*** acid519 is now known as _acid519-
*** pixel_chomp has joined #bsrf
we test to make sure we could connect in the if clause
if (!mysql_connect("host", "user", "pass")) {die("error!");}
if we can't connect we exit the script with the error message
*** _ciR_ has joined #bsrf
in a real script you would give a better error
yea like
"You fucked it up"
lol
$result= mysql_query("SELECT * FROM news ORDER BY id DESC);
in fact if you want to get the error mysql gives you, you can use the function mysql_error()
now we query the database asking for all info in the database news and we want it ordered by the id field descending
you forgot your "
*** SySt3mShk has left #bsrf
$result= mysql_query("SELECT * FROM news ORDER BY id DESC");
*** SySt3mShk has joined #bsrf
heh whoops
while($row= mysql_fetch_array($result)) {
$news= $row["NEWS"];
$id= $row["ID"];
*** divinator (Oper@box.sk) Quit (Ping timeout: 180 seconds)
echo "id= $id\n";
*** N0_Nick (hgfhf@202.179.171.BOX-24341) Quit (Ping timeout: 180 seconds)
echo "news= $news\n";
}
that says while there are rows to fetch, get them
here we are looping
yea
-d4J1nX- I have to go here, going out, I will speak soon
*** UnHaFox has left #bsrf
$row becomes a hask array with the column names as identifiers
-d4J1nX- say bye for meeee
hash array*
yea hash
*** d4J1nX has quit IRC (Quit: )
and echo is self explanatory
yeah
just print it out
*** UnHaFox has joined #bsrf
thats about it
when the script finishes the connection to the db will close
also just a tip
now
if you are using larger scripts
use mysql_pconnect()
*** AZTEK sets mode: -m
it will save memory
for persistent connections
ah=)
so they wont keep connecting with each user
*** divinator has joined #bsrf
;)
?
so questions?
lol rep
<_cir_> oh
<_cir_> lets kill reptile
<_cir_> lol
yo
now i guess Mikkkeee will cover hacking sql
sup div
<_cir_> he didnt show up
yes i have one, but this one doesn't concern this subject, so can i ask it?
you guys are done?
yea
;()
UnHaFox: uh...depends on what it is
can i ask?
well d4jinx isn't here for perl :(
well reptile said he was late but shit lets do my section and then do one or two of his lectures
its not a stupid one
juz ask UnHaFox
did anyone log this ?
i got the log
i did
i got the logs
i'll send'em to u
:P
<_cir_> k
this will be one huge ass log
okay i'll cut up the log
and i will probably end up converting it
shit 3 lectures
lol
hahah
yea
there is so much more to cover
we'll have to divide it
i'll spend the weekend doing that
:P
*** AZTEK sets mode: +m
lol
yea spidys right
UnHaFox never got to ask his question
*** SpiderMan sets mode: -m
we barely scratched the surface
ask quickly
ok, how can i change the version reply of mirc? successfully changed one of the version replies, but not the first one..... (where it says mirc 5.81) or something like that?
thx
heh with my I just hex it
UnHaFox:wait for the mirc scriptin lecture
:)
off topic! ;)
what version reply? read the irc war tutorial
ok
sorry
i covered that section
okay let me do my section then reptile can do his lecture
*maybe* ill cover hexing the mirc client
which are you doing reptile?
heh
heh
guys for more info on php+sql go to www.php.net
and look at their docs
ok only use a hex editor, and find this entry, ok thx guys
lol
Mikkkeee:vb,vb advanced,vb super advanced,api and shit,mirc scriptin,*maybe* haxoring the mirc ckuebt
UnHaFox: for an example version me
okay lets do the cracking sql section
lol
*client
*** Mikkkeee sets mode: +m
*** Mikkkeee sets mode: +v reptile
okay I am going to talk a bit about breaking into MS SQL servers for versions 6.5 and 7.0
tankies
via tcp/ip on port 1433.
many ms sql servers run on port 1433,
if they are not configured to run on another tcp port. Many scanners can
tell you the running service on the open port
and what service is running
ie- Retina from eEye and whatever you use.
so now
lets begin with the brute force attack
- many or most databases have some default and well known passwords.
usually the system admin accounts cannot be changed in many of the commercial databases,
so thats a good thing for us. "sys" for ORACLE and "sa" for SQL server cannot be changed.
*** Azido has quit IRC (Ping timeout: 180 seconds)
There is no password lockout that is available for SQL Server.
one fault that is quite amusing is that SQL Server doesn't require a strong password.
While we know this for a fact it is very trivial and at the same time easy to use brute force attacks against the database
server with nothing standing in our way that can prevent us from trying to break it to the highest lvl.
-okay let me name one good brute forcer.
goto packetstorm and search for sqlbf
if there are any better ones then try those.
Lets say you have cracked into the database, well once your in the game begins.
lets start with system compromise by using extended procedures, for v6.5
Many systems have very powerful features
convenient to DATABASES
but they are going to be our backdoors into the database server host.
=usually many databases because of lazy admins have no password,
in this case the "sa" account, usually the admin is a lazy bum and has not put a password.
*** pixel_chomp has quit IRC (Quit: type /quit newbie status to become an op)
-so now anyway once we get the password our aim moves to taking over the os, which usually is an nt box.
hi-ho hi-ho its off to code i go
*** AZTEK is now known as AZTEK[coding]
hehe
-by logging in as "sa" the attacker has the use of the extended stored procedure "xp_cmdshell",
this allows an SQL Server user or attacker to run a DOS command as if he were running the command at the console.
one thing the attacker can do
is add a Windows NT user account
and then add it to the admin group.
*** Artist has joined #bsrf
to do this
they would type
:
xp_cmdshell 'net user hacker 678re0 /ADD'
now the attacker
*** Shadow_Stalker has quit IRC (Quit: May the force be with you :-))
just added a user hacker with the password 678re0
hehe nice password.
how cool
wouldnt this be cracking?
now lets add it to the administrators group.
there in
already they are backdooring the box
they would type:
xp_cmdshell 'net localgroup Administrators hacker /ADD'
haha now hacker has become an NT administrator,
the reason this has worked is because the commands are being submitted to the os using the nt account under which the sql server is being run,
this is the LocalSystem account
which is the most powerful local account on the nt box.
-Another very good attack is to compromise the nt box by reading the sam._ file
under the winnt/repair/sam._ and
cracking the hashed password using the cracking tool
l0phtCrack
that tool is a work of art
Lets do this then,
we will need to use the extended stored procedure
xp_regread, which reads from the registry.
so what are we waiting for lets get that little sam file.
xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\DOMAINS\ACCOUNT', 'F'
we were going to read the password out of the registry
so now if your a lazy attacker
you might want to use a canned tool, ahh let me name a good one, goto
packetstorm and d/l SQLPOKE.
now lets talk about other procedures
-attacking the database/ gaining the password local compromise.
well the sa password is stored in clear text
so if you got local access goto
HKEY_CURRENT_USER\SOFTWARE\MICROSHIT\ oops
lol
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\MSSQLServer\SQLEW\REGISTERED SERVER\SQL 6.5
mikkkeee is there a way to determine if a server is runnin SQL?
*** elite has quit IRC (Quit: )
above i talked about the scanner from eEye
retina?
yup
that costs $30k dude
*** Lone[Star] has joined #bsrf
;(
haha pay
lol
the VER might be different; well thats the path and the password is stored as clear text so you shouldn't have a hard time to obtain it.
- another attack if the system is not secured usually its not.
one method is to scan the host for smb ports (TCP 139, UDP 137 and 138)
nt uses them for smb ports to communicate.
tankies
these should be closed by a firewall but you can be lucky.
im off to writing a simple scanner for this
to attack the nt box using this attack you can chk out rhino9
;)
tutorial called "THE WINDOWS NT WARDOC, A STUDY IN REMOTE PENETRATION"/
*** d3molisher has joined #bsrf
i belive we got an nt tutorial at the tuts page in blacksun
-well now you know that both usernames/passwords and
Another good hole in very bad nt machines is the front page vti thing
data is usually sent unencrypted so that means, you guessed it, it can be sniffed.
*** Devil_Panther has quit IRC (Quit: LOL = Lamers On-Line (®©, and all the other lame legal shit))
nice /quit msg
yah the chances are slim
like finding phf vul pages
but you never know
Another method is keyloggers,
god blessssss the loggers
hi Mikkkeee:)))
get a good one from www.keyloggers.com
hey angel
whats up?
the best one against nt is called i think stealth keylogger its the best well the shareware ones kick ass. get those.
usually the shareware ones are called legit loggers so i don't think AV scanners pick up those
but they might
.
*** BaGeL has quit IRC (Quit: Twenty-two points, plus triple word score, plus 50 points for using all my letters. Game's over, I'm outta here. -Kwyjibo)
now let me talk a little about securing and we can goto the other lecture
well one thing you can do to protect yourself if you're running a dbs is to:
1-click the encryption option,
that isn't done by default so you got to do that in order to encrypt it so that could make sniffers useless,
2- make sure you've got a good firewall setup this is good for the smb ports and against the portscanners.
3-multi protocol
will let you use random tcp ports by default or you can use fixed ports to ease firewall rulz.
*** _acid519- has quit IRC (Ping timeout: 180 seconds)
4-if you can try to use multi protocol and enable encryption
if not then try to use IP sockets,
change the default ports and install some good firewall.
*** Artist has quit IRC (Quit: Leaving)
Checkpoint Firewall-1 is a good choice
5-Use a COM component or a webserver,
as the business obj layer.
okay done
any questions
*** Mikkkeee sets mode: -m
*clap *clap *clap *clap *clap *clap *clap *clap
nope
if none reptile which are you going to do next?
VB!
:)
*** freakOVER[away] is now known as freakOVER
bv
vb
w00t
aw, AZTEK and I didn't get a nice thing like that
nooooo! not VB!
now
:)
what do u ppl wanna start with vb/mirc scripting?
so if no questions this is the end of the sql lecture
*clap *clap *clap *clap *clap *clap *clap *clap
--------------------END OF LECTURE----------------
