These days, all we hear about is hacktivists taking down a website and retrieving thousands of users' data. One of the techniques for gaining unauthorized access to a database is SQL injection. SQL injection is a basic technique a hacker might use to gain unauthorized access to a database or to enumerate the data in it. People might think it's an issue with the database configuration, and you're partly right. However, it is not only misconfiguration: SQL injections are performed from the client side, that is, from the web browser that displays your application/GUI. If your application is prone to SQL injection, it's because of a flaw in your code. If you're not following any coding standards, your application will be prone as well. SQL injection can occur in any type of application, but it is most commonly seen in web applications because they are most often quick and easy to attack. If you're a novice and don't know what I'm talking about, click here.
Let's go deeper. It's always good to know how it works and what the countermeasures are. SQL injection happens when an application takes the data an end user provides in an input field and uses it to create a SQL statement without sanitizing the input. Don't ponder much on sanitizing input; it's nothing but validation. The input is then submitted to a database server for execution. If it is successfully exploited, the attacker gains access to the database or can take control of the server that is hosting the database. For example, a command from a hacker might display a table, such as the users list, from the database. A database table may also contain personal information such as passwords, credit card numbers, and social security numbers.
Awareness: We often register on websites using Gmail/Facebook accounts. I've seen people sign up with their Gmail ID, and the same password as their Gmail password, on a website which doesn't even encrypt the passwords. Now it's not so hard for a hacker to hack your Gmail if they hack the website on which you've signed up. This comes under Social Engineering. A hacker can inject SQL commands to get access to your accounts.
Be cautious: never use your Gmail password when signing up/registering on any website. Use a different password with uppercase letters and special characters. Okay, now back to the chapter. Where were we? Oh yeah, I got your question.
So how do we know whether an application is vulnerable to SQL injection? First, please make sure that you're authorized to perform penetration testing on an application before conducting an audit. You need written approval from the stakeholder. This is no joke. Here is the answer to the above question.
- The most common technique to check for the vulnerability is using a single quote ('). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server. If the server responds with an error message, then it's most likely susceptible to a SQL injection attack. You may check it by appending a single quote to a URL or an input field.
- If the above scenario works, then you may try a few other commands to drop a table from the database. You can use the SELECT command to retrieve data from the database and the INSERT command to add information to the database.
Let's see another example. Assume that your application should display the items on clicking or submitting some data (the URL might look like http://www.yourapplication.com/items.aspx?itemID=150). If you want to enumerate the DBMS to display all the items present in your database, then try appending the statement OR '1'='1:

    http://www.yourapplication.com/items.aspx?itemID=150' OR '1'='1
If your application displays all the items present in the database, then you've successfully exploited it. But you may wonder what just happened in the back end. Because you altered the logic of the query, it displayed all the items from the database. This happens because the appended statement makes the OR condition of the query always return true; that is, 1 will always be equal to 1. The query that was built and executed would look like:

    SELECT *
    FROM ItemsTb
    WHERE ItemID < '150' OR '1'='1'
    ORDER BY ItemDescription;

The above example is just for your information. There are many other ways to exploit your database. Here are some examples of variable field text you can use in a web form to test for SQL vulnerabilities (login, forgot password, any kind of form):
- email@example.com' or 1=1--
- Admin' or 1=1--
- Password:test' or 1=1--
To get a directory list, to create a file and to ping an IP address, type the following in a form field:
- Blah';exec master..xp_cmdshell "dir c:*.* /s >c:dir.txt"--
- Blah';exec master..xp_cmdshell "You're Hacked Baby> c:HEHEHE.txt"--
- Blah';exec master..xp_cmdshell "ping 192.168.7.11"--
The double dashes at the end of the command tell SQL to ignore the rest of the command as a comment.
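The item query and the form-field inputs shown above, built the flawed way and then the safe way. This is an added example, not code from the original article; it uses Python's sqlite3 so it runs offline, ItemsTb follows the query on this page, and UsersTb with its columns is a hypothetical table.

```python
import sqlite3

def make_db():
    # Constructed sample data. ItemsTb follows the query on this page;
    # UsersTb and its columns are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ItemsTb (ItemID INTEGER, ItemDescription TEXT)")
    db.execute("CREATE TABLE UsersTb (Name TEXT, Email TEXT)")
    db.executemany("INSERT INTO ItemsTb VALUES (?, ?)",
                   [(100, "keyboard"), (150, "monitor"), (200, "mouse")])
    db.executemany("INSERT INTO UsersTb VALUES (?, ?)",
                   [("Admin", "admin@example.com"), ("bob", "bob@example.com")])
    return db

def items_vulnerable(db, item_id):
    # Flawed: the request value becomes part of the SQL text, so a quote in it
    # closes the string literal and the remainder is parsed as SQL.
    return db.execute("SELECT * FROM ItemsTb WHERE ItemID < '" + item_id +
                      "' ORDER BY ItemDescription").fetchall()

def items_safe(db, item_id):
    # Numeric field: allow-list validation, then bind the value as a parameter.
    if not (item_id.isascii() and item_id.isdigit() and len(item_id) <= 9):
        raise ValueError("itemID must be a number")
    return db.execute("SELECT * FROM ItemsTb WHERE ItemID < ? "
                      "ORDER BY ItemDescription", (int(item_id),)).fetchall()

def user_vulnerable(db, name):
    # Same flaw on a free-text field.
    return db.execute("SELECT Name FROM UsersTb WHERE Name = '" + name + "'").fetchall()

def user_safe(db, name):
    # Free-text field: the bound value is compared as data, quotes and all.
    return db.execute("SELECT Name FROM UsersTb WHERE Name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(items_vulnerable(db, "150"))             # rows below 150 only
    print(items_vulnerable(db, "150' OR '1'='1"))  # every row: WHERE is always true
    print(user_vulnerable(db, "Admin' or 1=1--"))  # every user
    print(user_safe(db, "Admin' or 1=1--"))        # no rows: no user has that name
    try:
        items_safe(db, "150' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same split applies in any language or driver: the SQL text stays constant and the user's value travels separately as a parameter.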
There are a few types of SQL injection. Here are a few examples:
Error-based SQL injection: Error-based SQL injection forces the database to perform some operation which returns an error.
Union SQL injection: This injection is performed by appending a forged query to the original query. UNION SELECT statements return the union of the legitimate datasets with the target datasets.
Blind SQL injection: This is SQL injection performed on a vulnerable web application where the results of the injection are not visible to the attacker. These kinds of injections are called blind SQL injections.
What are the tools to employ to check for this vulnerability?
I am familiar with the below-mentioned tools, which can be used to perform blind SQL injections.
- HP’s Scrawlr
Please do let me know if there are any other tools to be included. I would suggest you perform injections manually by understanding the logic of the code. Blind SQL injection is a time-intensive technique. Sometimes you might end up with false positives as well.
SQL Injection Countermeasures
It's good to know the solution for any vulnerability. To defend against SQL injection you need to implement a few secure coding practices and run a vulnerability assessment tool. First of all:
- Source code review (there are a few tools to employ)
- Sanitizing and validating the input field
- Reject entries that contain binary data, escape sequences and comment characters
- Checking the privileges of a user’s connection to the database
- Strong passwords for SA and Administrator accounts.
- Use IDS and IPS. I would suggest Snort (IDS: intrusion detection system, IPS: intrusion prevention system)
- Use secure hash algorithms such as SHA256, MD5 etc…
- Apply the least-privilege rule to the account that runs the application accessing the database (generally we run with admin privileges by default, which is not advisable)
If I missed anything, then please let me know in the comments. Reviewing stored procedures and buffer overflows would come under source code review.
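To make the IDS suggestion concrete, here is a small log scanner that flags the input patterns shown earlier on this page in web-server access logs. It is an added example, not part of the original article and not a Snort rule; the log lines are constructed, the login.aspx and search.aspx paths and their parameter names are made up, and the signatures are illustrative rather than complete.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Signatures for the input patterns shown on this page (illustrative, not exhaustive).
RULES = {
    "tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
    "quote-then-comment": re.compile(r"'.*--"),
    "stacked-exec": re.compile(r";\s*exec\b", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
}
# Common/combined access-log prefix: client, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines; hosts, paths and parameter names are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /items.aspx?itemID=150 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /items.aspx?itemID=150%27%20OR%20%271%27=%271 HTTP/1.1" 200 9120',
    '203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET /login.aspx?user=Admin%27%20or%201=1-- HTTP/1.1" 500 310',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /search.aspx?q=Blah%27%3Bexec%20master..xp_cmdshell%20%22ping%20192.168.7.11%22-- HTTP/1.1" 200 640',
    '198.51.100.4 - - [10/Oct/2023:13:58:03 +0000] "GET /search.aspx?q=O%27Brien HTTP/1.1" 200 700',
]

def scan_line(line):
    """Return (client, status, matched rule names) or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    hits = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; decode again for %2527-style input
        hits.update(rule for rule, rx in RULES.items() if rx.search(value))
    return (client, int(status), sorted(hits)) if hits else None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]

if __name__ == "__main__":
    for client, status, rules in scan(SAMPLE_LOG):
        print(client, status, ", ".join(rules))
```

A lone apostrophe such as the one in O'Brien is not flagged, and a 500 status next to a match is worth a closer look because the page notes that an error response suggests the input reached the query.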
I hope you now understand SQL injection and its countermeasures. To be honest, I really learned a lot on YouTube, especially from a video blog by Joseph McCray, 'Advanced SQL'. Please search for more information on error-based and blind SQL injections. And do not go on random websites for practice. You may end up in jail. So get proper written approval before performing an audit. Otherwise, configure Damn Vulnerable Web Application (DVWA)/WebGoat on your system to play around. I'll get back with an article on SQLMAP soon.