Chapter 14: SQL Injection Flashcards
SQL
language for specifying DB queries
SQL Injection
designed to exploit flaws in a website or web application NOT a database
attack works by inserting code into an existing line of code prior to its execution; if SQL injection is successful, attackers can cause their own code to run
Goal is to submit commands in order to retrieve or manipulate data
Usual cause is improper or absent input validation
Batch Execution
more than one SQL statement, each separated by a semicolon, to be executed at once
This is typically allowed by Microsoft’s SQL Server & Oracle’s Siebel
Results of SQL Injection
1) Identity spoofing
2) Alteration of prices in e-commerce apps
3) Alteration of data
4) Escalation of privileges
5) DoS
6) Data extraction and disclosure
7) Corruption of data
8) Eliminating transactions
Steps of how a web application works
1) User makes a request through web browser from internet to web server
2) web server accepts request and forwards it to the applicable web application server
3) web app server performs requested task
4) web app accesses entire db available and responds to web server
5) web server responds to user once transaction is complete
6) requested info presented on user’s monitor
Server-side technology examples
ASP, Oracle, SQL, PHP, JSP, etc.
Define database
a hierarchical, structured format for storing info for later retrieval, modification, mgmt, etc
types of databases
1) RELATIONAL DB //data can be organized and accessed in various ways as appropriate for the situation, for example for a customer table, you can group by zip code, sale price, etc
2) DISTRIBUTED DB //designed to be dispersed or replicated between different locations across a NW
3) OBJECT-ORIENTED PROGRAMMING DB //built around data-defined object classes and subclasses
4) HIERARCHICAL DB //A hierarchical database model is a data model in which the data is organized into a tree-like structure. The data is stored as records which are connected to one another through links. A record is a collection of fields, with each field containing only one value.
Structures of a database that allow easy management, querying, and retrieval:
1) RECORDS OR ROWS //each record in a DB represents a collection of related data such as information about a person
2) COLUMN //represents one type of data, such as age
Locating Databases on the NW
SQLPing 3.0 is designed to discover DBs
SQLRecon
After locating a database, SQLPing can be used to crack PWs
Steps of an SQL Injection
1) Acquire a target //you can use various techniques, but we will use google hacking (use of advanced search query commands) Some queries include (check page 603-604)
2) Look for vulnerabilities //one easy way to determine if a site is vulnerable is to add an apostrophe to the end of the URL //if an error returns, it is vulnerable
3) Initiate an attack //learn the structure of the DB by adding "order by" to the end of the URL //If this code returns any result other than an error, increment the # after the order by, by 1 or any # until an error occurs //when an error is encountered, it indicates that the last entry that did not return an error is the number of columns in the DB
http://www.somewebsite.com/default.php?id=1 order by 1
4) Once columns have been determined, you can establish whether you can make queries against the system; do so by appending ‘union select’ on the end of the URL
http://www.somewebsite.com/default.php?id=-1 union select 8
//notice the hyphen after the = sign in id; the 8 is how many columns you determined existed
//Once results of this query are returned, you will see that column #s are returned. The #s that are returned indicate that queries are accepted against these columns; you can now inject further refined SQL statements
5) Let's identify the SQL version in use
@@version OR
version () //to determine version of DB
//you have to target a column
http://www.somewebsite.com/default.php?id=-1 union select 3 @@version
//suppose the result shows that the DB in use is MySQL and the version is at least version 5
The rest of the directions are on page 607
Altering data w/ SQL injections
websites ask for information; you can manipulate this information
an example would be the forgotten-password form, which asks you to input your email; when doing this, add a single quote after it
name@domain.com'
One of two things will happen: the application sanitizes the input by removing the quote, or the application has no protection in place and accepts the input without sanitizing it; in the latter case, the SQL is being run by the application
An error message indicates a vulnerable DB
It could then be possible to change the emails:
UPDATE table
SET email = 'name@domain.com'
WHERE email = 'hadona@domain.com';
Injecting Blind
perhaps target does not return messages at all; this attack does not depend on error messages;
since no error messages are returned, you can use WAITFOR DELAY command to check the SQL execution status
:; IF EXISTS(SELECT * FROM users) WAITFOR DELAY 'time' (time is given as hours:minutes:seconds, e.g. 0:0:5 for 5 seconds)
//If the system cannot run this, the system is not vulnerable; a delay in the response indicates vulnerability
Evading detection mechanisms
EVADE AN IDS // an IDS will typically look for common code patterns used in SQL injection; therefore use hex encoding, whitespace, comments in the code to break up statements, and string concatenation
SQL Injection Countermeasures
1) USE VALIDATION //using whitelists and blacklists
2) AVOID DYNAMIC SQL //Dynamic statements are generated from the options and choices made on the client side; Such statements should be avoided in favor of using stored procedures or predefined statements
3) PERFORM MAINTENANCE ON SERVER REGULARLY AND UPDATE PATCHES
4) IDS
5) HARDEN A SYSTEM TO INCLUDE OS AND DB //DISABLE UNNEEDED FEATURES, i.e. disable cmd
6) EXERCISE LEAST PRIVILEGE //give only access to what is needed
7) TEST APPS BEFORE DEPLOYING INTO PROD
8) AVOID DEFAULT CONFIGS AND PWS
9) DISABLE ERROR MESSAGES OUTSIDE TEST AND DEV ENVIRONMENTS