SQL Injection Attacks
John Sweetnam
Dec 30, 2015
Introduction
What is an SQL injection attack
What is SQL
How an SQL injection works
What can you do to databases with it
Defenses
Current real world examples
SQL Injection
The ability to inject SQL commands into the database engine through an existing application
Code injection technique
Exploits a vulnerability in the database layer of web applications
SQL
Structured Query Language
Database computer language
Designed to manage data in relational database management systems (RDBMS)
Scope: data insertion, query, update and deletion; schema creation and modification; data access control
SQL examples
Similar to simple sentences
Many versions of SQL, all supporting several keywords:
SELECT, FROM, WHERE, AND, OR, CREATE, DELETE, ALTER TABLE, ADD, DROP, ...
Follows simple grammatical rules that allow users to specify what information they are looking for
SQL Examples
SELECT lastName FROM nameTable WHERE firstName = 'Bob'
SELECT name, region, population FROM countriesTable
SELECT * FROM infoTable
SELECT name FROM countriesTable WHERE population > 20000000
SQL Examples
CREATE TABLE tableName (num INTEGER PRIMARY KEY, name VARCHAR(30))
DROP TABLE tableName
ALTER TABLE tableName ADD columnName INTEGER
ALTER TABLE tableName DROP COLUMN columnName
Two types of SQL injection vulnerability
1. Improper filtering of user input for string literal escape characters
2. User input isn't strongly typed
Vulnerable Login Query
An SQL injection has the potential to bypass login procedures
Common vulnerable query: SELECT * FROM users WHERE login = 'userInput1' AND pwd = 'userInput2'
If something is returned from the users table, then the user is allowed to log in
Line of code (the user input is concatenated straight into the SQL text):
Statement = "SELECT * FROM users WHERE login = '" + userInput1 + "' AND pwd = '" + userInput2 + "'"
Bypass authentication
User input for both login and pwd: ' OR '1' = '1
Alters the condition of the SELECT statement to read:
SELECT * FROM users WHERE login = '' OR '1' = '1' AND pwd = '' OR '1' = '1'
Because '1' = '1' is always true, the WHERE clause matches and a row is returned
Alternate Authentication Bypass
Other potential user inputs are:
' OR '1' = '1' --
' OR '1' = '1' ({
' OR '1' = '1' /*
This changes the SQL query into: SELECT * FROM users WHERE login = '' OR '1' = '1'
These would only be put into the login field
The --, ({, and /* comment out the rest of the query, allowing you to remove some of the conditions
Table modification at login
It is also possible not to bypass authentication but still alter and obtain information from the tables
Exploit input: Whatever' ; DROP TABLE 'users'; SELECT * FROM 'userInfo' WHERE '1' = '1
Leaving the apostrophe off the beginning and the end allows the input to fit multiple commands seamlessly into what should be a single query
Incorrect Type Handling
User-supplied fields are not checked properly for their type constraints
Code: Statement = "SELECT * FROM userinfo WHERE idNumber = " + variable_x + ";"
variable_x is clearly intended to be a number, but nothing enforces that
However... 1;DROP TABLE 'userinfo'
Because the value is not quoted, no apostrophe is needed to break out of the statement
Blind SQL Injection
When a web application is vulnerable to SQL injection but the attacker is unable to see the results of the injection
The page may not display data, but the page itself will display differently based on the results of injected logical statements
Can be very time-intensive
New statements must be constantly recrafted
Blind SQL Injection
3 types of blind SQL injection:
1) Conditional Responses
2) Conditional Errors
3) Time Delays
Conditional Responses
Changes what the page displays to the user upon evaluation of a logical statement
Inserting ' AND '1' = '1 should lead to a normal page being displayed
Inserting ' AND '1' = '2 can only evaluate to false
If the page displays differently than before, then the web application is most likely vulnerable to SQL injection
Conditional Errors
Force an SQL error by making the database evaluate a faulty query if the WHERE condition is true
For example... SELECT 1/0 FROM users WHERE username = 'Bob'
Division by zero causes an error, giving the attacker information about the contents of the username column in the users table
Time Delays
Force the database to execute long-running queries or time delay statements
The amount of time required for the page to load allows the user to determine whether the statement was true or not
Steps to Running a SQL Injection on MySQL
1. Check for vulnerability
Use a conditional response
Or, simply insert a character that doesn't belong, such as ', and see if an error is thrown for incorrect SQL syntax
2. Discover the number of columns
Use the ORDER BY clause to iterate through all column numbers until an error is returned
3. Test the UNION operator
Allows you to combine SELECT queries and pull more information
4. Obtain the MySQL version number
Achievable using @@version or version()
Based on the version number, there are two options for proceeding
5. a) If MySQL version < 5
Table and column names must be guessed
Brute force the most common names; this varies depending on what you are looking for, but looking for users or passwords could grant you access to others
5. b) If MySQL version > 5
There is an information_schema that can be used to obtain table and column names
Steps to Running a Blind SQL Injection on MySQL
1. Run a conditional response with a false condition and see if the page changes
If yes, the site is vulnerable
2. Obtain the version number
Best way is to insert substring(@@version,1,1) = 4 (or 5)
Compares the first character of the version number until the page loads normally
3. Test out subselect and locate the users table
Subselecting is used to further isolate data when selecting it from the database
This can be used to determine what the table names are, based on proper page loading
4. Pull information from the database
Using substring() and subselecting, you can pull the first character of the username out of the users table
By converting this character to ASCII, you can compare it against ASCII values
Compare the ASCII value as larger than a low ASCII character number, and increment your way up until the page no longer returns normally
This lets you know what ASCII value the character is
You can then iterate through until you have the username/password
Defenses
Essentially, all that is needed is some form of filtering or checking to sanitize inputs
Several types of possible filtering:
Parameterized Statements
Enforcement at the database level
Enforcement at the coding level
Escaping
Strong typing
Parameterized Statements
Works with parameters instead of embedding user input into the statement
Example (JDBC; conn is an open java.sql.Connection):
// The SQL text is fixed; the user values are bound separately and never parsed as SQL
PreparedStatement stat = conn.prepareStatement("SELECT * FROM users WHERE username=? AND password=?");
stat.setString(1, username);
stat.setString(2, password);
ResultSet rs = stat.executeQuery();
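As an added example (not from the deck, whose own snippet above is Java/JDBC), here is the concatenated login query from the Vulnerable Login Query and Bypass Authentication slides next to its parameterized replacement, run in Python against an in-memory SQLite database with a constructed one-row users table. The payloads are the deck's own; sqlite3, the ":memory:" database and the plain-text pwd column (kept only to mirror the deck's query) are assumptions of this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, plain-text password purely to mirror the deck's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_input1: str, user_input2: str) -> bool:
    """The deck's concatenated query: the user input becomes part of the SQL text."""
    sql = ("SELECT * FROM users WHERE login = '" + user_input1
           + "' AND pwd = '" + user_input2 + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user_input1: str, user_input2: str) -> bool:
    """Same query with placeholders: the driver passes the values separately,
    so quotes and keywords inside them are treated as data, never as SQL."""
    sql = "SELECT * FROM users WHERE login = ? AND pwd = ?"
    return conn.execute(sql, (user_input1, user_input2)).fetchone() is not None


# Payloads from the deck: one for both fields, one for the login field only.
BOTH_FIELDS_PAYLOAD = "' OR '1' = '1"
LOGIN_ONLY_PAYLOAD = "' OR '1' = '1' --"


def demo() -> dict:
    """Run each combination and report whether login was granted."""
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "bob", "s3cret"),
        "wrong_pwd_vuln": login_vulnerable(conn, "bob", "wrong"),
        "bypass_both_vuln": login_vulnerable(conn, BOTH_FIELDS_PAYLOAD, BOTH_FIELDS_PAYLOAD),
        "bypass_login_vuln": login_vulnerable(conn, LOGIN_ONLY_PAYLOAD, "wrong"),
        "valid_param": login_parameterized(conn, "bob", "s3cret"),
        "bypass_both_param": login_parameterized(conn, BOTH_FIELDS_PAYLOAD, BOTH_FIELDS_PAYLOAD),
        "bypass_login_param": login_parameterized(conn, LOGIN_ONLY_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {granted}")
```

With the concatenated query both payloads grant login without a valid password, because AND binds tighter than OR and the trailing '1' = '1' makes the whole WHERE clause true (the -- variant comments the password check away entirely). With the parameterized query the same strings are just login names that do not exist, so both attempts fail.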
Enforcement at the database level
Some database engines come with the ability to enforce parameterization of queries
Can cause issues
Enforcement at the coding level
Use object-relational mapping libraries
Object-oriented libraries can have parameterization of SQL statements built into the code
Escaping
Straightforward but fallible method of preventing injections
Simply escape any characters that have special meaning in the version of SQL being run
Requires a blacklist of every special character for that SQL dialect
Easy to forget one
Strong Typing
Placing very severe restrictions on intermixing of types
Variety of definitions for it
At compile or run time, all functions that disregard types are cast as erroneous
Any type-matching failures are immediately flagged with errors during runtime
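An added example (not from the deck) covering the Escaping and Strong Typing slides together with the Incorrect Type Handling slide: a quote-doubling escaper neutralizes the deck's quoted-context payload, but does nothing for the unquoted idNumber query, where only a type check stops the injected second statement. The statement counter is a constructed heuristic of the kind a query logger might apply, and the query-building functions, the regex and the 18-digit limit are assumptions of this example.

```python
import re


def escape_literal(value: str) -> str:
    """Escape a value for a single-quoted SQL literal by doubling each quote."""
    return value.replace("'", "''")


def query_login_escaped(login: str) -> str:
    # Quoted (string) context: escaping keeps the whole input inside the literal.
    return "SELECT * FROM users WHERE login = '" + escape_literal(login) + "'"


def query_id_escaped(id_value: str) -> str:
    # Unquoted (numeric) context, as in the deck's idNumber example: the injected
    # text contains no quote, so escaping changes nothing.
    return "SELECT * FROM userinfo WHERE idNumber = " + escape_literal(id_value) + ";"


def parse_id(id_value: str) -> int:
    """Strong typing: accept only an unsigned decimal integer (assumed limit of 18 digits)."""
    if not re.fullmatch(r"[0-9]{1,18}", id_value):
        raise ValueError("idNumber must be an unsigned integer: %r" % id_value)
    return int(id_value)


def id_accepted(id_value: str) -> bool:
    """True if the value passes the type check, False if it is rejected."""
    try:
        parse_id(id_value)
        return True
    except ValueError:
        return False


def query_id_typed(id_value: str) -> str:
    # The interpolated value is an int from parse_id, so it can only ever be digits.
    return "SELECT * FROM userinfo WHERE idNumber = %d;" % parse_id(id_value)


def statement_count(sql: str) -> int:
    """Count statements by finding ';' outside single-quoted literals.
    A constructed heuristic: more than one statement in a single-statement
    endpoint is a strong signal of injection in a query log."""
    count, in_literal, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_literal and i + 1 < len(sql) and sql[i + 1] == "'":
                i += 1  # doubled quote: still inside the literal
            else:
                in_literal = not in_literal
        elif ch == ";" and not in_literal:
            count += 1
        i += 1
    stripped = sql.rstrip()
    if stripped and not stripped.endswith(";"):
        count += 1  # final statement without a terminating ';'
    return count


if __name__ == "__main__":
    print(statement_count(query_login_escaped("Whatever'; DROP TABLE users; --")))  # 1
    print(statement_count(query_id_escaped("1;DROP TABLE userinfo")))               # 2
    print(id_accepted("1;DROP TABLE userinfo"), id_accepted("42"))                  # False True
```

The escaped login query stays a single statement because every quote the input supplies is doubled and the payload never leaves the literal. The escaped idNumber query becomes two statements anyway, which is exactly why escaping alone is fallible; parse_id rejects that input outright, and query_id_typed can only ever interpolate digits.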
Defense summary
In the end, it all comes down to sanitizing inputs
There are a variety of ways to do it, but it is all just filtering of one kind or another
Very easy to forget, as seen by how prevalent SQL injection attacks have been and still are
Real World Examples
November, 2005: high school student in Taiwan broke into an information security magazine's database and stole customer data
June, 2007: Microsoft's U.K. webpage is defaced
January, 2008: tens of thousands of computers are infected by automated SQL injection through Microsoft SQL Server
April, 2008: over 10,000 social security numbers are stolen from the Sexual and Violent Offender Registry of Oklahoma
April – August, 2008: around 500,000 websites were hit by a SQL injection attack that referenced a malware Java file and corrupted all text columns without having to guess names
September, 2010: someone attempts to hand write SQL injection onto a write-in ballot in the Swedish general election
November, 2010: British Royal Navy's website is exploited
February, 2011: HBGary, a technology security firm, was broken into by Anonymous
March 27, 2011: MySQL.com is broken into via a blind SQL injection