SQL Injection

axl9u46“Its hard to trust people these days!”

What is SQL Injection?

SQL Injection is an attack in which the SQL code is inserted or appended into application or user input parameters that are later passed to a back-end SQL server for parsing and execution. Any procedure that constructs SQL statements could potentially be vulnerable, as the diverse nature of SQL and the methods available for constructing it provide a wealth coding options. The primary form of SQL Injection consists of direct insertion of code into parameters that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings are that destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed. When a Web Application fails to properly sanitize the parameters which are passed to dynamically created SQL statements (even when using parameterization techniques) it is possible for an attacker to alter the construction of back-end SQL statements. When an attackers is able to modify an SQL statement, the statement will execute with the same rights as the application user; when using SQL server to execute commands that interact with the operating system, the process will run with the same permissions as the component that executed the command (e.g. database server, application server, or Web server), which is often highly privileged.

Characteristics of SQL Injection

SQL Injection was combined with other vulnerability to attack their client. The Structured Query Language (SQL) is a standardized language foe interacting with relational databases. It was first released in 1979 and is the most widely used database language. In spite of there being ANSI and ISO SQL standards, there are frequently portability issues between different vendor implementations. SQL Injection attacks most frequently occur when queries are constructed from user inputs. These inputs can come from web forms, Uniform Resource Locators (URL), or browser cookies.

How SQL Injection Attack?

  • Example :

          SELECT data FROM table WHERE field = ‘$INPUT’;

Where $INPUT is user input. The system translates $INPUT and places its contents                into the query some possible values for $INPUT:

  • 123’ or ‘x’=’x
  • ;DROP TABLE table–
  • ;exec(char(0x73687574646f776e)–
  • ;convert(int,(select top 1 name from sysobjects where xtype=’u’))

Which can be embedded into the query. These entries will do the following:

  1. Since ‘x’=’x’ is a tautology, this clause is true for all entries in the table. This can give an attacker access to the entire database table. For example, an attacker can trick the system into emailing it a list of all passwords for the system.
  2. The “;”character signals the end of one statement and the start of a new statement. “Drop TABLE table” will delete the entire TABLE table from the database.
  3. The command “exec(COMMAND)” send COMMAND to the shell to be executed. Command “char(HEX)” translates the hexadecimal value HEX into a string of characters. In this example, 0x73687574646f776e translates into “SHUTDOWN”, which leads to the database server being taken offline.
  4. The system takes the first object of type ‘u’, which means the first user table. It tries to convert it into and int, which is illegal. An error message is generated that informs the attacker of the database name. This can be used to discover the types of data stored in the database.

Reference

  • Books :-
  • Introduction to Computer and Network Security (Navigating Shades of Gray) by Richard R. Brooks
  • SQL Injection Attacks and Defense (Second Edition) by Justin Clarke
Advertisements