Wednesday, December 30, 2020

SQL Injection Vulnerability

  •  SQL Injection 


Generally, the purpose of SQL injection is to convince the application to run SQL code that was not intended.

SQL injection occurs when an application processes user-provided data to create a SQL statement without first validating the input.


During a web application SQL injection attack, malicious code is inserted into a web form field or into the website's code to make the system execute a command shell or other arbitrary commands.


divide data into packets, each sent individually

If multiple routes are available between two points on a network, packet switching can choose the best one and fall back to secondary routes in case of failure

Packets may take any path across a network and are reassembled by the receiving node. 

Missing packets can be retransmitted, and out-of-order packets can be resequenced.


Finding a SQL Injection Vulnerability 


2. Test the SQL Server using a single quote ('). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server.


If the server responds with an error message that says use 'a'='a' (or something similar), then it’s most likely susceptible to a SQL injection attack.


Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.


Here are some examples of variable field text you can use on a web form to test for SQL vulnerabilities:

Blah' or 1=1--

Login: blah' or 1=1--

Password: blah' or 1=1--

http://search/index.asp?id=blah' or 1=1--


These commands and similar variations may allow a user to bypass a login depending on the structure of the database.

When entered in a form field, the commands may return many rows in a table or even an entire database table because the SQL Server is interpreting the terms literally.

The double dashes near the end of the command tell SQL to ignore the rest of the command as a comment.


Here are some examples of how to use SQL commands to take control:

To get a directory listing, type the following in a form field:

Blah';exec master..xp_cmdshell "dir c:\*.* /s >c:\directory.txt"--

To create a file, type the following in a form field:

Blah';exec master..xp_cmdshell "echo hacker-was-here > c:\hacker.txt"--

To ping an IP address, type the following in a form field:

Blah';exec master..xp_cmdshell "ping 192.168.1.1"--
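The probe strings listed above are also what a defender should look for in web server logs. As an added example (not part of the original post), the Python below percent-decodes constructed access-log lines and flags requests matching the two patterns shown on this page: a quoted tautology ending in the -- comment marker, and a stacked exec master..xp_cmdshell call. The log lines, IP addresses and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post): a normal
# request, the page's "' or 1=1--" probe, an xp_cmdshell attempt, and a
# benign query that merely contains the word "or".
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2020:10:00:01] "GET /index.asp?id=42 HTTP/1.1" 200
10.0.0.9 - - [30/Dec/2020:10:00:07] "GET /index.asp?id=blah%27+or+1%3D1-- HTTP/1.1" 200
10.0.0.9 - - [30/Dec/2020:10:00:12] "GET /index.asp?id=blah%27%3Bexec+master..xp_cmdshell+%22dir+c%3A%5C%22-- HTTP/1.1" 500
10.0.0.7 - - [30/Dec/2020:10:00:20] "GET /index.asp?q=tailor+or+seamstress HTTP/1.1" 200
"""

# Signatures for the probes described above: a quote followed by an
# "x=y" tautology and a comment marker, and a stacked call to xp_cmdshell.
SIGNATURES = {
    "tautology_with_comment": re.compile(r"'\s*or\s+\S+\s*=\s*\S+\s*--", re.I),
    "xp_cmdshell": re.compile(r";\s*exec\s+master\.\.xp_cmdshell", re.I),
}

# Client address and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+)')

def scan_log(text):
    """Return (client_ip, signature_name, decoded_url) for each suspicious request.

    The URL is percent-decoded first: the attacker's quote and semicolon
    arrive as %27 and %3B in the raw log line, so matching the raw text
    would miss them.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, raw_url = m.groups()
        url = unquote_plus(raw_url)
        for name, sig in SIGNATURES.items():
            if sig.search(url):
                hits.append((ip, name, url))
    return hits

if __name__ == "__main__":
    for ip, name, url in scan_log(SAMPLE_LOG):
        print(f"{ip}: {name}: {url}")
```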


The Purpose of SQL Injection


SQL injection attacks are used by hackers to achieve certain results. Some SQL exploits will produce valuable user data stored in the database, and some are just precursors to other attacks.


Identifying SQL Injection Vulnerability

The purpose is to probe a web application to discover which parameters and user input fields are vulnerable to SQL injection.


Performing Database Finger-Printing

The purpose is to discover the type and version of database that a web application is using and “fingerprint” the database.

Knowing the type and version of the database used by a web application allows an attacker to craft database-specific attacks.


Adding or Modifying Data

The purpose is to add or change information in a database.


Performing Denial of Service

These attacks are performed to shut down access to a web application, thus denying service to other users.

Attacks involving locking or dropping database tables also fall under this category.


Evading Detection

This category refers to certain attack techniques that are employed to avoid auditing and detection.


Bypassing Authentication

The purpose is to allow the attacker to bypass database and application authentication mechanisms.

Bypassing such mechanisms could allow the attacker to assume the rights and privileges associated with another application user.


Executing Remote Commands

These types of attacks attempt to execute arbitrary commands on the database. These commands can be stored procedures or functions available to database users.


Performing Privilege Escalation

These attacks take advantage of implementation errors or logical flaws in the database in order to escalate the privileges of the attacker.


SQL Injection Using Dynamic Strings 


Static SQL statements

Many functions of a SQL database run statements whose text is fixed, where the only variable part is the user input fields.

Such statements do not change from execution to execution.

They are commonly called static SQL statements.


Dynamic SQL statements

Some programs must build and process a variety of SQL statements at runtime.

In many cases the full text of the statement is unknown until application execution.

Such statements can, and probably will, change from execution to execution.

So, they are called dynamic SQL statements.


Dynamic SQL is an enhanced form of SQL that, unlike standard SQL, facilitates the automatic generation and execution of program statements.

Dynamic SQL is a term used to mean SQL code that is generated by the web application before it is executed.

Dynamic SQL is a flexible and powerful tool for creating SQL strings.


It can be helpful when you find it necessary to write code that can adjust to varying databases, conditions, or servers.

Dynamic SQL also makes it easier to automate tasks that are repeated many times in a web application.

A hacker can attack a web-based authentication form using SQL injection through the use of dynamic strings.


For example, the underlying code for a web authentication form on a web server may look like the following:

SQLCommand = "SELECT Username FROM Users WHERE Username = '"

SQLCommand = SQLCommand & strUsername

SQLCommand = SQLCommand & "' AND Password = '"

SQLCommand = SQLCommand & strPassword

SQLCommand = SQLCommand & "'"

strAuthCheck = GetQueryResult(SQLCommand)



A hacker can exploit the SQL injection vulnerability by entering a login and password in the web form that uses the following variables:

Username: kimberly

Password: graves' OR ''='



The SQL application would build a command string from this input as follows:

SELECT Username FROM Users

WHERE Username = 'kimberly'

AND Password = 'graves' OR ''=''


This query will return all rows from the Users table, regardless of whether kimberly is a real username in the database or graves is a legitimate password.

This is due to the OR statement appended to the WHERE clause.

The comparison ''='' will always return a true result, making the overall WHERE clause evaluate to true for all rows in the table.

This will enable the hacker to log in with any username and password.



SQL Injection Countermeasures


The cause of SQL injection vulnerabilities is relatively simple and well understood:

Insufficient validation of user input.

To address this problem, defensive coding practices, such as encoding user input and validation, can be used when programming applications.

It is a laborious and time-consuming process to check all applications for SQL injection vulnerabilities.


When implementing SQL injection countermeasures, review source code for the following programming weaknesses:

Single quotes

Lack of input validation

The first countermeasures for preventing a SQL injection attack are

Minimizing the privileges of a user’s connection to the database and

Enforcing strong passwords for SA and Administrator accounts.


You should also disable verbose or explanatory error messages so that no more information than necessary is sent to the hacker.

Such information could help them determine whether the SQL Server is vulnerable.


Another countermeasure for preventing SQL injection is checking user data input and validating the data prior to sending the input to the application for processing.

Some countermeasures to SQL injection are

Rejecting known bad input

Sanitizing and validating the input field
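The dynamic-string login form above, the single-quote test, and the countermeasures in this section, shown side by side as an added example that is not from the original post: auth_dynamic_string reproduces the concatenated query, while auth_parameterized adds allowlist validation and binds the values as query parameters (parameterized queries are the standard fix; the post itself names only validation and encoding). The in-memory SQLite table, the user rows and the function names are constructed for the example.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory Users table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def auth_dynamic_string(conn, username, password):
    """The post's vulnerable pattern: the statement is concatenated from
    user input, so quotes in the input become part of the SQL."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def auth_parameterized(conn, username, password):
    """Hardened form: allowlist-validate the username (rejecting known bad
    input such as the single quote), then bind both values as parameters.
    Passwords legitimately contain quotes, so binding, not filtering, is
    what stops "graves' OR ''='" from being parsed as SQL."""
    if not USERNAME_RE.match(username):
        return []
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def single_quote_probe(conn):
    """The post's single-quote test: an unbalanced quote makes the dynamic
    statement syntactically invalid, so the database raises an error."""
    try:
        auth_dynamic_string(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    """Run the post's kimberly / graves' OR ''=' login against both forms."""
    conn = make_db()
    username, password = "kimberly", "graves' OR ''='"
    return {
        "dynamic": auth_dynamic_string(conn, username, password),
        "parameterized": auth_parameterized(conn, username, password),
        "legit": auth_parameterized(conn, "alice", "s3cret"),
        "quote_probe_errors": single_quote_probe(conn),
    }
```

The dynamic form returns every row for the bypass input, the parameterized form returns nothing for it and still authenticates a real user, and the lone single quote raises the database error the single-quote test looks for.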


https://sct.emu.edu.tr/en/Documents/System%20Security.ppt
