SQL Injection (White Board)

[toggle_content title="Transcript"] Welcome to the SQL injection module; lots of exciting stuff here. This is another module where it would take years and years and years for us to really master this stuff and get it to the point where you can just do it. So I don't expect a new person to be able to just go out there and SQL inject the world, but with a little bit of practice we will get better. So this is another one of those modules where you can have a cheat sheet. There are lots of different database languages, and so if you are going to go from MySQL to SQL to Oracle etc., use the cheat sheets; it will help you remember how it works in one particular language or the other. Also, most database people know MySQL inside and out, but they may know Oracle, or they know MSSQL but they may not know MySQL, realistically. It is just databases, and different databases speak derivatives of the same language. It is kind of like if you learn Spanish, it is not too hard to pick up Portuguese or Italian, for that matter. So, concepts here: ultimately you have to be able to analyze between the client and the server, and then it all starts with something as simple as an HTTP POST request. This is where we can sniff traffic and analyze that request; it could be a network sniffer like Wireshark or tcpdump, but it also could be a tool like Burp Suite to basically dissect this client-to-server traffic. If you look at the client talking to the server - normal conversation. This is what we call normal conversation - normal code analysis. The pen tester needs to understand what normal analysis looks like; then they start deviating from the norms to get the computer program to basically do what they want. Ultimately in database language this is what it is going to come down to: there are certain parameters like the update parameter.
This is when the client sends the server something like update something in the database, or select something from the database where the values are equal to whatever they are, or get something from my table - just a generic table name in that sense. Or just drop the whole field, the record, the row, the column, the database, the table. Okay, so it is everything about the client or server: once you get to the table, once you are in the particular database, then the table, then it is the columns and then it is the rows. So you can kind of think of this hierarchically. Let us talk about some of the attacks. Ultimately, what you can do if you can get skilled at SQL injection is remote code execution. Also you can knock that database offline; therefore nobody else can access it. That is an attack on availability. You can use tricks like bypassing authentication: maybe send the admin credentials followed by a single tick and dash dash, which is a comment field, and then comment out the requirement for the password. Maybe just get directly into it as admin. A little bit of a dated technique, but nonetheless in the older days of SQL injection it was just that simple - just comment out the password field and the server would just follow the programming logic. Okay, no password, that was me. Information disclosure: whatever is in the database ultimately could get disclosed. There are advanced SQL injection techniques, at least I will show the theory, in which you can start enumerating database names, table names, column rows and then field names. Field characters - you can change the integrity of the database in the tables; you could do things like password grabbing. You can transfer the whole database from the server to the client, one of my favorite techniques.
One technique: you have the whole database, or you allow the database to interact with the operating system. This is where you can start doing things like pinging and trace routing or any sort of operating system commands that you would typically be able to do at the command prompt. So let us talk about some of the tools. Okay. Does the database exist? Where is it? Ultimately you need to enumerate that. Once you find out what database it is, then we must start listing the fields inside the database. We can do some basic injection tests, testing what sort of input validation is actually present. Start doing things like the UNION command, then dissect our error messages to see if we can get any more information. Some of the traditional attack characters here are the single tick or a double tick; basically this is what we call string indicators. You can do comment fields like either dash, dash or a pound sign. You can do multiple inline comments; this is also great for obfuscation techniques. You can add the plus sign in addition; you can do pipes like a solid bar; you can do wildcards with the percent character. You can add things like and one equals one dash dash, or you can start adding additional parameters into the database query like ORDER BY, and then you can start sorting it ascending or descending etc. But while those are some of the basic attack characteristics, let us talk about the basic types. You have blind SQL injection; this is where you are trying to poke and prod the database but you are not getting any information back. So you really don't know if it is erroring or not, because the error messages are not coming back to you, the penetration tester. You kind of counter that with the WAITFOR command and see if the application actually waits or not. But the trick to the WAITFOR command is you don't want to make your timeout so long that you are sitting there waiting. You don't want it to be so short that you can't figure it out one way or the other.
You have simple SQL injection like the single tick or the one equals one dash, dash and things like that. You have your UNION command. This is a great technique because what you are doing is you are sending a query from the client to the server and you are saying: give me this out of the table, and by the way give me something else from another table. Union meaning combining from some other table name. Or error-based injection. Before we go into the advanced stuff let us hit the tools. SQL injection has gotten really easy in the last couple of years because of tools like SQL Hacker, SQL Power Injector or Havij or a variety of the other tools that are on the BackTrack or Kali operating systems. So let us start taking apart some of the basics of advanced SQL injection. There are certain parameters that you can add to a URL string, and then you can start guessing things like the user fields and the database names, and it is basically an attack where you basically say: if the ASCII lower and substring for the user are equal to, and 1, and your parenthesis, and then 97, 98, 99, 100, you can start mapping out, and so this would translate to the characters A, B, C, D, E, F etc. So you could keep doing this and start gaining what character and what order that character is in. And then you can start enumerating the database tables, columns, rows, names etc. If you want to go after user accounts, you just go after the user. If you want to go after the database name, they have slightly different syntax, but it all comes from the basic account strike here, and then you can combine this with the WAITFOR DELAY, especially if you are doing this, and see if it actually waits for ten seconds or not. Or you can go into the evasion techniques. Well, if you are going to poke and prod the database, you don't want to do it in a way that is going to set off the alarm systems. So the basic way in which we do this is we try to encode or obfuscate or hide our characters.
Remember, the security admin or the database programmer should be doing some sort of input validation. So we just need to find what the rules that they put in place are and then start bypassing those rules. Some of the ways in which we can do that: we can take our regular SQL expression and we can encode that in hex. So the input validation may have been done in ASCII but not in hex. We just encode it in a different encoding language like hex or Base64 or something like that, or UTF, in a way that the server-side component is not looking for. Well, then you just defeated their rules. Also you can put things like inline comments or multi-line comments in between things to help obfuscate the one equals one. So it will be like the number one, start comment, end comment, one. So you got a bunch of comments in between that. Realistically, you know, the person writing the code there would probably think: well, can anybody construct a statement like that, where you are just obfuscating and then trying to bypass their input validation filters? Or you can use character encoding, which is one of my favorite techniques; it is a little bit lengthy and it does require you to think in character language. And after a while you can start thinking in 47, 32, 117 etc. and then you can start writing these. It is kind of like The Matrix; after a while you just see the code. After a while you just see the characters, but it is a great evasion technique because realistically the person that wrote the input validation filter on the other side, they had better have really thought of all of the possible ways to try to prevent me from doing something like this. So if you get really, really good with SQL injection, you can try to stop me, but good luck. If you were to try and stop me, here are the types of things I would hope you would do. I would hope that you set minimal privileges on the database.
Because if your database is tied to a super user account and I get access to it, I am now going to be executing things as a super user. So hopefully you have the concept of privilege in place, and if I do get access to it, I get very, very little as a result. Hopefully I am going to interact with the (indiscernible 0:11:06) that cuts off half of the things I can do in terms of interacting with the operating system, doing things like pinging and trace routing and IP configuration and things like that. Hopefully you are suppressing error messages. The more information I get in terms of error messages - hey, table so-and-so not found - well, now I know your table name. So if you suppress those error messages or use custom error messages, that is much better. Actually monitor your database: see who is accessing it. How many things are getting put into it? Are you even backing it up? These are all really, really good ideas in terms of countermeasures to prevent me, the penetration tester, from getting access to your stuff. Hopefully you are filtering content; hopefully you have rules that flag for Base64 encoding, because at least if you are going that well, then I would have a hard time avoiding the alarm system going off. Also test your code in a secure environment. I would hope that you would be doing this by now, but it still ceases - it never ceases to amaze me that people just don't test their code. The developers write their stuff, they make changes to live databases, and then someone comes across and exploits your stuff. One of the best examples is to go to Google and search for vulnerable SQL injection sites and then whatever year you are looking for, and somebody has already compiled a list of all of the websites that have been found that are basically vulnerable. Ethically, don't go penetration testing on a live site or somebody else's stuff. We have got an ethic - nothing is worth your own integrity. You should also be using URLScan.
Scan the URL, see what goes back and forth, and use the tools; use things like URLScan and then intrusion detection rules as well. The reason why I chose - is because they do a phenomenal job, and two, learning how to write regular intrusion detection rules is good because basically you know exactly what you are looking for. You can write your own rule for that; update your smart rules. You do have to kind of have some sort of intrusion detection or intrusion mindset, but notice the problem here. Defensively you have to have an intrusion detection mindset; you have to have a code development mindset. You have to have a programming mindset. These qualities in one single person are very, very rare. So now defensively you have to have a team of people just to stop a person like myself. So in the world of SQL injection, since we are all connected with databases these days, it is not that hard for me to start poking and prodding websites. It is actually relatively easy, plus there are a lot of tools out there that basically are pointing script stuff. So with a little bit of script mentality plus an insight into how databases work, and combine that with even more insight into the different types of databases that are out there, I mean the penetration tester is virtually unstoppable at this point, especially when you get into the advanced SQL injection techniques. So you want to add value to your stuff, you want to add value to your career, you are going to have to be able to dissect this stuff, and the rules of making money are you have got to deposit into the bank before you can withdraw from the bank. Here it is the same thing: you have to secure your code to prevent someone else from getting access to your code. So keep that in mind and let us look at some examples. [/toggle_content]
This whiteboard lecture video covers SQL injection in detail. SQL injection is one of the more popular web application hacking methods.
When this attack is used, an unauthorized person can access the database of a website and extract the data from that source.
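As an added example (not part of the lecture or its course material), the authentication bypass the transcript describes (admin credentials followed by a single tick and dash dash) is shown below as a string-built login check beside the parameterized fix the lecture's countermeasures call for. It assumes a constructed SQLite in-memory table standing in for a site's user table; the function and table names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed sample user table (SQLite in memory stands in for the
    site's MySQL/MSSQL/Oracle backend; the comment-out trick works in each).
    Passwords are stored in clear text only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The lecture's 'older days' login: the query is built by concatenating
    user input, so a username of  admin' --  closes the string and the
    trailing '--' comments out the AND password = ... clause entirely."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same logic with bound parameters: the driver sends the values as data,
    so a quote or comment marker inside them is just a character in the
    username and the password check is never removed."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable),
                     ("parameterized", login_parameterized)):
        print(name, "valid creds:", fn(db, "admin", "s3cret"),
              "| comment-out bypass:", fn(db, "admin' --", "wrong"))
```

Running it shows the string-built check accepting the bypass payload without any password, while the parameterized check rejects it; the same input also makes a useful regression test for an input-validation filter, since the fix does not depend on spotting the quote.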