SQL Injections and Countermeasures

December 3, 2016 | Views: 11288


These days we constantly hear about hacktivists taking down a website and retrieving thousands of users' records. One of the techniques used to gain unauthorized access to a database is SQL injection. SQL injection is a basic technique an attacker might use to gain unauthorized access to a database, or simply to enumerate the data it holds. People might think it is an issue with the database configuration, and they are partly right.
However, SQL injection is not only a matter of misconfiguration: the attack is performed from the client side, that is, from the web browser that displays your application's GUI. If your application is prone to SQL injection, it is because of a flaw in your code. If you are not following any secure coding standards, your application is likely to be prone as well. SQL injection can occur in any type of application, but it is most commonly seen in web applications because they are usually the quickest and easiest to attack. If you are a novice and don't know what I am talking about, then click here.

Let's go a bit deeper. It is always good to know how the attack works and what the countermeasures are.
SQL injection happens when an application takes the data an end user provides in an input field and uses it to build a SQL statement without sanitizing the input (don't ponder much on the word "sanitizing"; it is nothing but validation). The resulting statement is then submitted to the database server for execution. If the flaw is successfully exploited, it gives access to the database and may even allow the attacker to take control of the server hosting the database. For example, an attacker's command might display a table, such as the users list from the database. A database table may also contain personal information such as passwords, credit card numbers, and social security numbers.

Awareness: we often register on websites using our Gmail/Facebook accounts. I have seen people sign up on a website with their Gmail address and the very same password as their Gmail password, on a site that does not even encrypt the stored passwords. Now it is not hard for an attacker to take over your Gmail account once they compromise the website you signed up on. This comes under social engineering. An attacker can inject SQL commands to get access to your accounts.

Be cautious: never reuse your Gmail password when signing up or registering on any website. Use a different password with uppercase letters and special characters. Okay, now back to the chapter. Where were we? Oh yes, I have your question.

So how do we know whether an application is vulnerable to SQL injection? Before anything else, make sure you are authorized to perform penetration testing on an application before conducting an audit. You need written approval from the stakeholder. This is no joke. Now, the answer to the question above:

  • The most common technique to check for the vulnerability is to use a single quote ('). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server. If the server responds with a database error message, the application is most likely susceptible to SQL injection. You can check this by appending a single quote to a URL parameter or an input field.
  • If the above check works, you may try a few other commands, such as dropping a table from the database. You can use the SELECT statement to retrieve data from the database and the INSERT statement to add information to it.

Let's see another example. Assume that your application displays items when you click or submit some data (the URL might look like http://www.yourapplication.com/items.aspx?itemID=150). If you want to make the DBMS display all the items in your database, try appending the statement ' OR '1'='1 to the parameter:
http://www.yourapplication.com/items.aspx?itemID=150' OR '1'='1

If your application displays all the items in the database, you have successfully exploited it. But you may wonder what just happened in the back end. Because you altered the logic of the query, it displayed all the items from the database. This happens because the appended statement makes the OR operand of the query always evaluate to true, that is, 1 will always be equal to 1. The query that was built and executed would look like:
SELECT *
FROM ItemsTb
WHERE ItemID < '150' OR '1'='1'
ORDER BY ItemDescription;
The above example is just for your information. There are many other ways to exploit your database. Here are some examples of text you can enter in a web form field (login, forgot password, or any other kind of form) to test for SQL injection vulnerabilities:

  • email@address.com' or 1=1--
  • Admin' or 1=1--
  • Password: test' or 1=1--

To get a directory listing, to create a file, and to ping an IP address, type the following in a form field:

  • Blah';exec master..xp_cmdshell "dir c:*.* /s >c:dir.txt"--
  • Blah';exec master..xp_cmdshell "You're Hacked Baby> c:HEHEHE.txt"--
  • Blah';exec master..xp_cmdshell "ping 192.168.7.11"--

The double dashes at the end of the command tell SQL to ignore the rest of the line as a comment.

There are a few types of SQL injection. Here are some examples:

Error-based SQL injection: forces the database to perform some operation that returns an error, and the error message reveals information to the attacker.

Union-based SQL injection: performed by appending a forged query to the original query. A UNION SELECT statement returns the union of the legitimate dataset with the target dataset.

Blind SQL injection: SQL injection performed against a vulnerable web application where the results of the injection are not visible to the attacker. These injections are called blind SQL injections.

What tools can be employed to check for this vulnerability?
I am familiar with the tools listed below, which can be used to perform blind SQL injection.

  • SQLMAP
  • Burp Suite
  • OWASP ZAP
  • SQLNinja
  • HP's Scrawlr

Please let me know if there are any other tools that should be included. I would also suggest that you perform injections manually by understanding the logic of the code. Blind SQL injection is a time-intensive technique, and sometimes you will end up with false positives as well.

SQL Injection Countermeasures
It is good to know the solution for any vulnerability. To defend against SQL injection you need to implement a few secure coding practices and run a vulnerability assessment tool. First of all:

  • Source code review (there are a few tools to employ)
  • Sanitizing and validating input fields
  • Reject entries that contain binary data, escape sequences, or comment characters
  • Check the privileges of the user's connection to the database
  • Strong passwords for the SA and Administrator accounts
  • Use an IDS and IPS. I would suggest Snort (IDS: intrusion detection system; IPS: intrusion prevention system)
  • Use secure hash algorithms such as SHA256, MD5 etc.
  • Apply the least privilege rule to the account the application uses to access the database (generally it runs with admin privileges by default, which is not advisable)
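
As an added example that is not part of the original article, here is the concatenated query from the items.aspx example beside its parameterized and validated form, run with Python's sqlite3 module against a constructed copy of ItemsTb; it assumes the itemID lookup is an equality match and that an item id is a positive integer.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the article's ItemsTb table (sample rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ItemsTb (ItemID INTEGER, ItemDescription TEXT)")
    conn.executemany("INSERT INTO ItemsTb VALUES (?, ?)",
                     [(100, "keyboard"), (150, "mouse"), (200, "monitor")])
    return conn


def lookup_vulnerable(conn, item_id):
    # Vulnerable: the raw itemID parameter is concatenated into the SQL text, so a
    # closing quote in the input rewrites the WHERE clause (' OR '1'='1 matches all).
    sql = ("SELECT * FROM ItemsTb WHERE ItemID = '" + item_id + "' "
           "ORDER BY ItemDescription;")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, item_id):
    # Hardened: the value is bound to a placeholder and sent separately from the
    # statement, so quotes and comment characters in it are data, never SQL syntax.
    sql = "SELECT * FROM ItemsTb WHERE ItemID = ? ORDER BY ItemDescription;"
    return conn.execute(sql, (item_id,)).fetchall()


def validate_item_id(raw):
    # Allow-list validation (assumed rule): an item id is digits only, so quotes,
    # escape sequences and comment characters are rejected before a query is built.
    if not raw.isdigit():
        raise ValueError("rejected itemID: must contain digits only")
    return int(raw)


def lookup_safe(conn, raw):
    # Validation plus parameterization; the article's probe strings yield no rows.
    try:
        item_id = validate_item_id(raw)
    except ValueError:
        return []
    return lookup_parameterized(conn, item_id)


if __name__ == "__main__":
    db = make_db()
    for probe in ("150", "150' OR '1'='1", "' or 1=1--"):
        print(repr(probe), "vulnerable:", len(lookup_vulnerable(db, probe)),
              "rows; safe:", len(lookup_safe(db, probe)), "rows")
```

Running the block shows the concatenated version returning every row for both probe strings, while the validated, parameterized version returns rows only for a plain numeric id.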

If I missed anything, please let me know in the comments. Reviewing stored procedures and buffer overflows would come under source code review.

I hope you now understand SQL injection and its countermeasures. To be honest, I learned a lot on YouTube, especially from a video blog by Joseph McCray, 'Advanced SQL'. Please search for more information on error-based and blind SQL injection. And do not practice on random websites; you may end up in jail. Get proper written approval before performing an audit, or else set up Damn Vulnerable Web Application (DVWA) or WebGoat on your own system to play around. I will be back with an article on SQLMAP soon.

9 Comments
  1. How about using iptables to counter SQLi???

    • Hi, I'm not sure how iptables would help in preventing SQLi. Are you referring to adding a rule to allow database ports only from a specific network? A DoS attack could be prevented by configuring iptables, though.

  2. “Use secure hash algorithms such as SHA256, MD5 etc…”

    LOL
    u kidding right?

  3. Thanks for the article; good stuff.

    p.s. Double-dashes are appearing as long dashes…

  4. Very good article. Thanks.
