Structured Query Language (SQL) is a database computer language designed for managing data in a relational database management system (RDBMS). SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either filtered incorrectly for string literal escape characters embedded in SQL statements or is not strongly typed, and is thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
Attackers target SQL Server, a common database server used by many organizations to store confidential data. The prime objective of an SQL injection attack is to obtain information by accessing database tables that may contain personal information such as credit card numbers, social security numbers or passwords.
During an SQL injection attack, malicious code is inserted into a web form field or a website's code to make the system execute a command shell or other arbitrary command. Just as a legitimate user enters queries and additions to the SQL database via a web form, an attacker can insert a command to the SQL server through the same web form field. For example, an arbitrary command from an attacker might open a command prompt or display a table from the database. This makes an SQL server a high-value target, and therefore such a system is very attractive to attackers.
Many web pages take parameters from the web user and make an SQL query to the database. For example, when a user logs in with a username and password, an SQL query is sent to the database to check whether the user has a valid name and password. With SQL injection it is possible for an attacker to send a crafted username and/or password field that will change the SQL query.
Steps for SQL Injection Attack
1. The attacker looks for a web page that allows submitting data, that is, a login page, search page, feedback form, etc. The attacker also looks for web pages that use HTML commands such as POST or GET by checking the site's source code.
2. To check the source code of any website, right-click on the web page and click "View Source". The attacker checks the HTML source code and looks for the FORM tag. Everything between <FORM> and </FORM> has potential parameters that might be useful for finding vulnerabilities.
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
3. The attacker inputs a single quote in the text box provided on the web page to accept the username and password. If the response is an error message such as use "a"="a" (or something similar), then the website is found to be susceptible to an SQL injection attack.
4. The attacker uses SQL commands such as the SELECT statement to retrieve data from the database or the INSERT statement to add information to the database.
Here are a few examples of variable field text the attacker uses on a web page to test for SQL vulnerabilities:
1. Blah' or 1=1--
2. Login: Blah' or 1=1--
3. Password: Blah' or 1=1--
4. http://serach/index.asp?id=Blah' or 1=1--
Similar SQL commands may allow bypassing a login and may return many rows in a table, or even the entire database table, because the SQL server interprets the injected term as part of the statement. The double dashes near the end of the command tell SQL to ignore the rest of the command as a comment.
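As an added example (not code from the original article), the login check described above in Python with an in-memory SQLite database standing in for the site's SQL server: the concatenated statement is rewritten by the test string Blah' or 1=1-- and by the lone-quote probe from step 3, while the parameterized version compares the same input as plain data. The table, user names and passwords are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, the pattern the page describes."""
    sql = ("SELECT name FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Binds the inputs as parameters: they are compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe_single_quote(conn):
    """Step 3 of the page: a lone quote breaks the concatenated statement.
    Returns the database error text (what a site with verbose error reports leaks)."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None


def demo():
    conn = make_db()
    payload = "Blah' or 1=1--"  # test string 1 from the page; '--' comments out the rest
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "payload_vulnerable": login_vulnerable(conn, payload, "anything"),  # every row
        "payload_safe": login_safe(conn, payload, "anything"),              # no match
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("probe:", probe_single_quote(make_db()))
```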
Example of SQL Injection
Blind SQL Injection
Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of the logic statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information have been established.
SUMMARY:
Using SQL injection an attacker can:
1. Obtain some basic information if the purpose of the attack is reconnaissance:
- To get a directory listing: Blah' ; exec master..xp_cmdshell "dir c:\*/s>c:\directory.txt"
- To ping an IP address: Blah' ; exec master..xp_cmdshell "ping 192.168.1.1"
- To get a user listing: SELECT * FROM user WHERE name='' OR '1'='1'
- Execute the INSERT command: this may enable selling politically incorrect items on an e-commerce website.
- Execute the UPDATE command: this may be used to have an expensive item suddenly be deeply "discounted".
Tools used for SQL Server penetration
Sr. no | Tool | Brief description
1 | AppDetective Pro | A network-based discovery and vulnerability assessment scanner that discovers database applications within the infrastructure and assesses their security strength. It locates, examines, reports and fixes security holes and misconfigurations, and identifies user rights and privilege levels, based on its security methodology and extensive knowledge of application-level vulnerabilities. Thus, organizations can harden their database applications.
2 | DbProtect | Enables organizations with complex, heterogeneous environments to optimize database security, manage risks and bolster regulatory compliance. It integrates database asset management, vulnerability management, audit and threat management, policy management, and reporting and analytics for a complete enterprise solution.
3 | Database Scanner | An integrated part of the Internet Security Systems (ISS) Dynamic Threat Protection Platform that assesses online business risks by identifying security exposures in the database application. Database Scanner offers security policy generation and reporting functionality which instantly measures policy compliance and automates the process of securing critical online business data. Database Scanner runs independently and quickly generates detailed reports with all the information needed to correctly configure and secure the database.
4 | Microsoft SQL Server Fingerprint (MSSQLFP) | A tool that performs version fingerprinting on Microsoft SQL Server 2000, 2005 and 2008 using well-known techniques based on several public tools; it identifies the SQL Server version and can also be used to identify vulnerable versions of Microsoft SQL Server.
SQL injection attacks occur due to poor website administration and coding. The following steps can be taken to prevent such attacks.
1. INPUT VALIDATION:
- Replace all single quotes (escape quotes) with two single quotes.
- Sanitize the input: user input needs to be checked and cleaned of any characters or strings that could possibly be used maliciously. For example, character sequences such as ; , -- , select, insert and xp_ can be used to perform SQL injection attacks.
- Numerical values must be checked while accepting a string value.
- Keep all text boxes and form fields as short as possible to limit the length of user input.
2. MODIFY ERROR REPORTS:
SQL errors should not be displayed to outside users; to avoid this, the developer should handle or configure error reports very carefully. Such errors sometimes display the full query, pointing to the syntax error involved, and attackers can use this for further attacks.
3. OTHER PREVENTIONS:
- The default system account for SQL Server 2000 should never be used.
- Isolate the database server and the web server; both should reside on different machines.
- Most often attackers make use of extended stored procedures such as xp_cmdshell and xp_grantlogin in SQL injection attacks. If such extended stored procedures are not used, then they, along with unused triggers, stored procedures, user-defined functions, etc., should be moved to an isolated server.
- These are the minimum countermeasures that can be implemented to prevent SQL injection attacks.
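As an added example (not part of the original article), the character sequences listed under input validation, plus the page's or 1=1 test string, turned into a screening pass over web server access logs, with each request URL decoded before matching. The log lines, IP addresses and marker names are constructed; the last line is a legitimate search that trips the select keyword, which is why such screening complements parameterized queries rather than replacing them.

```python
import re
from urllib.parse import unquote_plus

# Markers taken from the page's input-validation list, plus its tautology test
# string. Word-like tokens match case-insensitively on word boundaries.
MARKERS = [
    ("comment", re.compile(r"--")),
    ("statement_separator", re.compile(r";")),
    ("select", re.compile(r"\bselect\b", re.I)),
    ("insert", re.compile(r"\binsert\b", re.I)),
    ("extended_proc", re.compile(r"\bxp_\w+", re.I)),
    ("tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
]


def decode_query(url):
    """Return the URL-decoded query string (everything after '?'), or ''.
    Decoding first matters: %27 in the raw log is a quote once the server sees it."""
    _, _, query = url.partition("?")
    return unquote_plus(query)


def flag_request(url):
    """Names of the markers that fire on one request URL, in MARKERS order."""
    decoded = decode_query(url)
    return [name for name, rx in MARKERS if rx.search(decoded)]


def scan_log(lines):
    """Yield (client_ip, url, hits) for each common-log-format line with a hit."""
    for line in lines:
        parts = line.split()
        if len(parts) < 7:          # skip truncated or malformed lines
            continue
        ip, url = parts[0], parts[6]
        hits = flag_request(url)
        if hits:
            yield ip, url, hits


# Constructed sample lines in common log format (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Search/search.asp?q=laptop HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.asp?id=Blah%27+or+1%3D1-- HTTP/1.1" 200 8192',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.asp?id=Blah%27%3Bexec+master..xp_cmdshell+%22dir%22 HTTP/1.1" 500 311',
    '10.0.0.7 - - [01/Jan/2024:10:00:20 +0000] "GET /Search/search.asp?q=how+to+select+a+laptop HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(ip, url, hits)
```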