"SQL Injection"
As we have seen information about how to execute exploitation using payloads in the Metasploit Framework link here π. Now let's move towards knowing about the attacks executed in hacking, their intentions, how and conditions when they are done, and how to be secure from them...
Let's start with the first attack, SQL Injection...
πIntroduction
Almost all web applications store data in a backend which is known as Database. A database is a collection of data designed for easy storage and information access to the data. A good database is very crucial for any company or organization, it stores information such as employee records, transactional records, salary details, privileges of each person connected to the company, data security, etc.
It is easy to update data in a database using Data Manipulation Languages such as SQL. Structured Query Language or SQL is an interpreted language. SQLstatements are used to perform tasks such as data updates, data retrieve from another database, searching, deletion of the data, etc.
Any flaw did while SQL statement assignment to the database can make the application vulnerable to SQL injection. SQL Injection(SQLI) is among the top 10 vulnerability attacks by the Open Web Application Security Project(OWASP). SQLI allows the attacker to tamper with the company data, avoid important transactions, allow the complete disclosure of data, destroy or get administration access to the database server and in some cases issue commands to the operating system without knowing the password mainly due to unsafe use of escape characters in the language.
Consequences of SQLI attack can allow an attacker to:
‣ Target fields that are not quoted
‣ Find ways to bypass the need for certain escape characters
‣ Use stored procedures to hide the injected meta-characters
πTypes of SQLI
1.In-band SQLI: Attacker uses the same channel to launch attack and gather results. It is the simple and most efficient SQLI attack. It has two types:
‣ Error-based: The attacker causes the database to make error messages so that he/she could gather more information about it.
2.Inferential(blind) SQLI: The attacker sends payloads to the server and observes its response and behavior. It also has two types:
‣ Boolean: Attacker sends a SQL query to the database which returns result in form of boolean True or False based on which the HTTP response will modify and unchanged which will inform the attacker about the result.
‣ Time-based: Attacker gets same result as boolean from a SQL query after time periods and an HTTP response can be generated.
3.Out-of-band SQLI: This attack is when some features on the database server are used by the web application. It is considered as an alternative to the above two.
πPreventing SQLI on your system
⏩Proper escaping of the special string characters is the best traditional security approach against SQLI.
⏩Manually escaping characters from SQL queries can help to prevent some kind of injection attack.
πMaking more Security
⏩For better security, use parameterized queries instead of strings to pass the data and string to the database separately.
⏩Limit the potential damage of a successful exploit by reducing the application's database privileges.
⏩For even better security, many developers recommend using Object Relational Mapping(ORM) frameworks such as Hibernate, Ebean, ActiveRecord Framework.
πExample of the SQL Vulnerability Code
CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS
DECLARE @sql nvarchar(4000)
SELECT @sql = ' SELECT ProductID, ProductName, Category, Price ' +
' FROM Product Where '
IF @prodname IS NOT NULL
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''
EXEC (@sql)
In the above case, the variable @prodname is directly taken from the user input and concatenated with the string i.e. @sql. The EXEC function is being used which takes string as parameter to execute the SQL statements. Is the above stored procedure still vulnerable to SQL injection even though the user inputs are passed to it as parameters? The answer is yes. The user input is enclosed in the single quotes and concatenated to a string to form SQL query. The problem lies here. Instead of the parameter being a search string to the SQL query, the user input has become the part of the query as it is enclosed inside the single quotes. If the user enters the values as 1' or '1'='1';exec master.dbo.xp_cmdshell 'dir'--
then the final SQL query executed at the server will be
SELECT ProductID, CustomerID, ProductName FROM Product Where
ProductName LIKE '1' or '1'='1';exec master.dbo.xp_cmdshell 'dir'--'
The above injected SQL query will return all the rows from the table as well as execute the operating system command DIR. (This is specific to the MS SQL server) Similar to above if the SQL query is built using concatenated string and passed as only parameter to the system stored procedure sp_executesql to execute, even then it is vulnerable to SQL injection.
CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS
DECLARE @sql nvarchar(4000)
SELECT @sql = ' SELECT ProductID, ProductName, Category, Price ' +
' FROM Product Where '
IF @prodname IS NOT NULL
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''
EXECUTE sp_executesql @sql
That's all about now friends...next post we will be discussing another famous attack in the hacking world...Stay tuned...
SEE YOU ALL...LIVE LOVE...πππ
Comments
Post a Comment