I have a website which is vulnerable to SQL injection. It has a username and a password and when we write the username as admin and the password as 'or 1=1-- it logs in saying that you have been successfully logged in as admin. I want to find the password of admin using an SQL injection. What can I do ? Strictly for learning purposes.
I need the password of admin while performing an SQL injection on the username and password fields.
Your ability to retrieve the admin password depends on how the password is stored, and how the server-side script that accesses the database is written. If the password is properly salted and hashed, it is virtually impossible to retrieve it; you're simple overriding the system that checks the password. If not, it would still be very difficult and you would need to do a lot of experimentation (see this answer on Information Security Stack Exchange). Either way, you will need to know a lot about the system and how it works in order to attempt such an attack.
Related
Here on my company we have a SQL Database with several users. However everyone knows the password of 'sa' user.
Now, we have create a Intranet and it is necessary to limit the access to the Intranet database.
I have tryed to create a new owner and remove the permissions from 'sa' user to this database but with no success. What it is more recommended?
Continue this or create a new password for this specific database (is this possible)?
Thanks in advance
I would simply suggest reset the SA account's password. Very very few people should know this password ever. If you need to give specific people this access, then create accounts for them. Applications should almost never have this level of access.
Edit: In MS Sql Server you can have a user on the server level with no access, and then you make that user DBO in a specific database - this enables a user to "admin" a database without being able to mess with the server settings.. This is highly recommended imho.
Here is a detailled guide on how to do it:
First make a login:
http://msdn.microsoft.com/en-us/library/aa337562.aspx
Then give that user access to the DB:
http://msdn.microsoft.com/en-us/library/aa337545.aspx
Don't use SQL Server logins
Use windows logins. When the user should not have access, remove the windows login. You can't make people forget a password but you can revoke windows login access.
I installed postgreSQL by default with apt-get and I believe it has automatically added a user for me called "postgres".
I only have one database that I want to sort on postgres, so is
there any point creating another user account for this database or
should I just keep with the one which is installed with postgreSQL
"postgres"?
The user account postgres which is made for me, is it given some
kind of default password? Is it recommended that I put in my own
password?
EDIT: I misinterpreted the question, the OP is asking about internal users, not system users
Original Answer: System users for running servers
Most services running on a linux box are given their own independent user, as a standard security practice. In the off-chance that the postgreSQL server was compromised -- either you made a mistake, or there was a vulnerability in postgresql, or whatever -- the attacker can only gain access to the resources allowed to the user running the postgresql server. If that user is root, you lose the machine. If that user is your user, you lose not quite as much. If that user is postgres, which only has minimal access to anything.. you lose the database, and that's all.
So:
You merely need a single user for the postgreSQL server, regardless of what, exactly, that server process is hosting. If (it sounds like one was) a user was created for you automatically, you're all set with this step. If you need to make one manually (sounds like you don't), you would also have to change the permissions so that the new user can access only what it needs to.
That account very possibly cannot be directly logged into; if it has a password at all it's a lot of random data. In order to use the account, you need to start out as root, and then voluntarily "downgrade" yourself to postgres. In the case of the server, root starts the server "under the name of" postgres. I would advise leaving it alone.
Second Answer: Database users
Once you have a server running, the server will keep its own set of users, for the purposes of accessing the database. The simplest architecture you could use there is just having a base user with full permissions do everything. While this works, it is not advised if you are hosting this externally. A more preferable solution is to have a set of users, similar to how the OS is set up: a bunch of users to do specific tasks, and one admin user to rule them all. That said:
You don't have to, but if you are going to host this anywhere (if you're not just using it for personal things, and it's world-accessible), I would advise extra users with limited permissions.
http://archives.postgresql.org/pgsql-admin/2001-10/msg00192.php
There is no password by default; create one with ALTER USER.
Passwords do not take effect unless pg_hba.conf is set up to use them. If
it is, and you have not assigned a password to postgres, you will not be
able to connect as postgres.
re 1)
the default database user that is created during installation is a "superuser" and for the same reason you should not do your daily work as "root", you shouldn't work with a superuser in a DBMS. So the answer is a clear: yes, do create a second user. You can grant that role all privileges on the default database (also called postgres), so that you don't need a second database.
More details on how to create a user and how to grant privileges can be found in the manual:
http://www.postgresql.org/docs/current/static/sql-createuser.html
http://www.postgresql.org/docs/current/static/sql-grant.html
re 2)
I don't know Linux that well, but usually you should have been asked for a password during installation. At some point in the installation a new data directory is initialized using the command initdb which requires a password to run.
If you don't know the password, you log into the postgres linux account, then you can probably run psql without specifying a password. That enables you to reset the database password and create a new user.
More details about users and authentication are in the manual:
http://www.postgresql.org/docs/current/static/client-authentication.html
http://www.postgresql.org/docs/current/static/user-manag.html
We have thousands of users using H2 database, and sometimes, somehow, someone forgets the password.
Is there a way of recovering, at least, the SA user password?
Of course, i tell them that no one would be happy that this would be possible if the database was stolen...
Anyway, i need to be sure, for all the affected users sake.
Thanks.
No, it is not possible to recover the password of any user, because passwords are not stored in the database file. Instead, the password, together with a random salt, is hashed, and only the hash and the salt are stored. The random salt protects against rainbow attacks. By the way, in the server mode, the password is not transmitted - only the hash is transmitted. See the documentation for details.
However, if the database is not encrypted, the data can be extracted from a database file.
I'm researching a security model for our web portal, we have decided to use a partner that requires the users (and passwords) to be stored in some kind of LDAP.
Since we have a database with users (and current passwords hashed) already I would like to be able to use that database instead of the LDAP's method of storing users and passwords.
We have no means of getting the passwords from the hash and we don't want to send new passwords to our customers.
What I would like is something that can "fake" the LDAP protocol and read the users from our MS SQL Database.
The LDAP will only be used as authentication, the users permissions will be handled in another way.
Any suggestions?
You can use OpenLDAP with the SQL backend for exactly this.
Is there a way to explicitly specify a user/domain/password when using windows authentication for MS SQL?
I mean in the connection string.
Edit:
I would like to connect to another SQL server with a specific username and password on a different computer so impersonating I don't think is possible.
No, there isn't - your two choices in the connection string are Integrated Authentication (the current Windows user) and SQL authentication.
If I understand you correctly, what you're trying to do it log in to the SQL Server as a different Windows user. You can look at either impersonating a user (though this would have to be a separate process, not your main application), or you can look into something like Database Roles:
MSDN Article
UPDATE: Since you've stated that you're in a workgroup (I assume both the client and server are), then this blog post seems to say that as long as the username and password you're using exactly match a user on the server, you should be okay. Not sure if this is a possibility, but worth consider. Also, if either computer is on a domain, the bet is off - in that case, you'll have to impersonate to make this happen.
No that is not possible. When using Windows authentication you send the current user's identity and you have no way of specifying that explicitly. You could change the current thread principal though.