Hacking Attacks: SQL Injection

"SQL Injection"

 

In the previous post we saw how to execute exploitation using payloads in the Metasploit Framework (link here 👀). Now let's move on to the attacks carried out in hacking: their intentions, how and under what conditions they are performed, and how to be secure against them...

 

Let's start with the first attack, SQL Injection...


👉Introduction

Almost all web applications store their data in a backend known as a database. A database is an organized collection of data designed for easy storage and access. A good database is crucial for any company or organization: it stores employee records, transaction records, salary details, the privileges of each person connected to the company, security data, and so on.

 

Data in a database is easy to update using a Data Manipulation Language such as SQL. Structured Query Language (SQL) is an interpreted language. SQL statements are used to perform tasks such as updating data, retrieving data from another database, searching, deleting data, and so on.


Any flaw in how SQL statements are assembled before being sent to the database can make the application vulnerable to SQL injection. SQL Injection (SQLI) is among the OWASP Top 10 web application vulnerabilities (Open Web Application Security Project). SQLI allows an attacker to tamper with company data, void important transactions, obtain complete disclosure of data, destroy the database or gain administrative access to the database server, and in some cases issue commands to the operating system, all without knowing any password, mainly because of unsafe handling of escape characters in the language.

 

A successful SQLI attack can allow an attacker to:

 

Target fields that are not quoted

Find ways to bypass the need for certain escape characters

Use stored procedures to hide the injected meta-characters

 

👉Types of SQLI

 

1. In-band SQLI: The attacker uses the same channel to launch the attack and gather the results. It is the simplest and most efficient SQLI attack. It has two types:


Error-based: The attacker causes the database to produce error messages so that they can gather more information about it.

Union-based: It uses the SQL 'union' operator to combine the results of multiple SQL statements into a single result set, which is returned in one HTTP response.


2. Inferential (blind) SQLI: The attacker sends payloads to the server and observes its response and behavior. It also has two types:

 

Boolean: The attacker sends a SQL query to the database whose result is a boolean True or False; depending on it, the HTTP response either changes or stays the same, which tells the attacker the result.

Time-based: The attacker gets the same True/False result as in the boolean case, but from a SQL query that makes the database wait for a period of time before the HTTP response is generated.

 

3. Out-of-band SQLI: This attack relies on certain features of the database server being enabled for the web application, so that results can be sent over a different channel. It is considered an alternative to the above two.



👉Preventing SQLI on your system

 

Proper escaping of the special string characters is the best traditional security approach against SQLI.

 

Sanitizing inputs: Make sure that email addresses provided by users match a regular expression, ensure that numeric and alphanumeric fields on login pages do not contain symbols, and reject newline characters wherever they are not needed.


Manually escaping characters in SQL queries can help prevent some kinds of injection attack.

 

👉Improving security further


For better security, use parameterized queries instead of string concatenation: the query text and the data are passed to the database separately, so the data can never be interpreted as part of the query.

 

Limit the potential damage of a successful exploit by reducing the application's database privileges.


For even better security, many developers recommend using Object-Relational Mapping (ORM) frameworks such as Hibernate, Ebean or ActiveRecord.

 

👉Example of the SQL Vulnerability Code

 


To understand the issue better, let's consider the following stored procedure example specific to MS SQL Server. This stored procedure returns product details, taking a product name as the search criterion.

 

CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS
DECLARE @sql nvarchar(4000)
-- the query text is built up as an ordinary string...
SELECT @sql = ' SELECT ProductID, ProductName, Category, Price ' +
' FROM Product Where '
IF @prodname IS NOT NULL
-- ...and the raw user input is spliced into it between single quotes
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''
-- EXEC runs whatever string results, user input included
EXEC (@sql)

In the above case, the variable @prodname is taken directly from user input and concatenated with the query string @sql. The EXEC function, which takes a string as its parameter, is then used to execute the SQL statement. Is the above stored procedure still vulnerable to SQL injection even though the user input is passed to it as a parameter? The answer is yes. The user input is enclosed in single quotes and concatenated to a string to form the SQL query, and that is where the problem lies. Instead of the parameter being a search value for the SQL query, the user input has become part of the query text itself, since it is only enclosed in single quotes. If the user enters the value 1' or '1'='1';exec master.dbo.xp_cmdshell 'dir'-- then the final SQL query executed at the server will be

 

SELECT ProductID, ProductName, Category, Price FROM Product Where
ProductName LIKE '1' or '1'='1';exec master.dbo.xp_cmdshell 'dir'--'

The above injected SQL query will return all the rows from the table and also execute the operating system command DIR (this part is specific to MS SQL Server). Similarly, if the SQL query is built by string concatenation and passed as the only parameter to the system stored procedure sp_executesql for execution, it is still vulnerable to SQL injection:

 

CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS
DECLARE @sql nvarchar(4000)
SELECT @sql = ' SELECT ProductID, ProductName, Category, Price ' +
' FROM Product Where '
IF @prodname IS NOT NULL
-- same concatenation of raw input as before
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''
-- sp_executesql receives one already-built string, so it cannot
-- tell query text from data; it is no safer than EXEC here
EXECUTE sp_executesql @sql
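As an added example (not code from the original post), here is a hardened rewrite of the post's stored procedure that applies the advice from the prevention section above: parameterized queries, input sanitizing, and reduced database privileges. It is T-SQL for MS SQL Server. The Product table and its column names come from the post; the sample rows, the WebAppLogin/WebAppUser names, the _Safe/_Dynamic procedure names and the error number are assumptions. It also goes slightly beyond the post by escaping LIKE wildcards, which parameterization alone does not handle.

```sql
-- Added example, not code from the original post: a hardened rewrite of the
-- post's SP_ProductSearch for MS SQL Server. Table and column names follow
-- the post; the sample rows, login and user names are assumptions.

-- Constructed sample data so the script runs on its own.
CREATE TABLE dbo.Product (
    ProductID   int           NOT NULL PRIMARY KEY,
    ProductName varchar(200)  NOT NULL,
    Category    varchar(50)   NOT NULL,
    Price       decimal(10,2) NOT NULL
);
INSERT INTO dbo.Product VALUES
    (1, 'Widget',        'Hardware', 9.99),
    (2, 'Widget Deluxe', 'Hardware', 19.99),
    (3, '100% Cotton',   'Textile',  4.50);
GO

-- 1. Preferred fix: no dynamic SQL at all. @prodname is only ever a value
--    bound to the query, never part of its text, so quotes, semicolons or
--    comment markers in it cannot change the statement. The NULL case returns
--    all products instead of the syntax error the original produced.
CREATE PROCEDURE dbo.SP_ProductSearch_Safe
    @prodname varchar(400) = NULL
AS
BEGIN
    SET NOCOUNT ON;

    -- Input sanitizing of the kind the post describes: reject line breaks,
    -- which have no place in a product name.
    IF CHARINDEX(CHAR(10), @prodname) > 0 OR CHARINDEX(CHAR(13), @prodname) > 0
        THROW 50001, 'Line breaks are not allowed in a product search.', 1;

    -- Parameterization stops injection but not LIKE wildcards: a user typing
    -- '%' would otherwise match everything. Escape the metacharacters so the
    -- input is matched literally (backslash first, then %, _ and [).
    DECLARE @pattern varchar(1000) = '%' +
        REPLACE(REPLACE(REPLACE(REPLACE(@prodname, '\', '\\'),
                                '%', '\%'), '_', '\_'), '[', '\[') + '%';

    SELECT ProductID, ProductName, Category, Price
    FROM dbo.Product
    WHERE @prodname IS NULL
       OR ProductName LIKE @pattern ESCAPE '\';
END;
GO

-- 2. If dynamic SQL is really needed, the post's sp_executesql call was only
--    half right: the value must travel as a declared parameter, not be
--    spliced into @sql. '@p' below is a placeholder in the query text.
CREATE PROCEDURE dbo.SP_ProductSearch_Dynamic
    @prodname varchar(400) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(4000) =
        N'SELECT ProductID, ProductName, Category, Price FROM dbo.Product';
    IF @prodname IS NOT NULL
        SET @sql = @sql + N' WHERE ProductName LIKE @p';
    EXECUTE sp_executesql @sql, N'@p varchar(400)', @p = @prodname;
END;
GO

-- 3. Least privilege for the web application's database identity (names
--    assumed): EXECUTE on the search procedure and nothing else, so a future
--    injection bug cannot read other tables or reach xp_cmdshell.
CREATE LOGIN WebAppLogin WITH PASSWORD = '<replace-with-a-strong-password>';
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GRANT EXECUTE ON OBJECT::dbo.SP_ProductSearch_Safe TO WebAppUser;
-- Deliberately no GRANT SELECT on dbo.Product and no role membership.

-- Check that xp_cmdshell, which the post's payload relies on, is still
-- disabled (value_in_use = 0 is the default).
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
GO

-- 4. The post's payload is now just an odd search string: the procedure looks
--    for a product whose name contains that literal text, and the command
--    after the semicolon is never executed.
EXEC dbo.SP_ProductSearch_Safe
    @prodname = '1'' or ''1''=''1'';exec master.dbo.xp_cmdshell ''dir''--';

-- A '%' in the input is searched for literally thanks to the ESCAPE clause.
EXEC dbo.SP_ProductSearch_Safe @prodname = '100%';
GO
```

The first procedure is the one to prefer: with no dynamic SQL there is no string for user input to leak into, and the ESCAPE clause closes the remaining gap where wildcard characters in the input would change what the search matches. The second procedure shows the correct use of sp_executesql, with the parameter declaration string as its second argument; compare it with the post's call, which passes only the already-concatenated query. The GRANT at the end is what limits the damage if a bug like the original ever ships again.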


 


 

 

That's all for now, friends... in the next post we will be discussing another famous attack in the hacking world... Stay tuned...

 

SEE YOU ALL...LIVE LOVE...💓😊😊