What is SQL Injection ? Why So Dangerous ?

Posted by Shashank Krishna Monday, January 12, 2009


sharethis: A friend of mine at College was asking me this.
SQL injection is the most common and videly used exploit by hackers all over the world...few days back i was just doing some SQL injection test on Indian govt sites, I was shocked to see how many imp govt sites r open to it....this is a big thread for us...a malicious hacker can do a lot of harm if he wish to.

Vocabulary:

* SQL: Server Query Language-used in web applications

to interact with databases.
* SQL Injection: Method of exploiting a web application by supplying user input designed to manipulate SQL database queries.
* "Injection": You enter the injections into an html form which is sent to the web application. The application then puts you input directly into a SQL query. In advertantly, this allows you to manipulate to query...

Prerequisite:

* A background of programming and a general idea of how most hacking methods are done.

http://res.sys-con.com/story/jun06/232071/afshar-fig5.jpg

Application:

* Hacking a SQL database-driven server (usually only the ones that use unparsed user input in database queries). There is still a surprising number of data-driven web applications on the net that are vulnerable to this type of exploit. Being as typical as all method, the frequency of possible targets decreases over time as the method becomes more known. This is one those exploits that aren't easily prevented by a simple patch but by a competent programmer.


Use:
First, let's look at a typical SQL query:
SELECT fieldName1, fieldName2 FROM databaseName WHERE restrictionsToFilterWhichEntriesToReturn

Now, to dissect...
The red areas is where criterion is inputed. The rest of the query structures the query.

* SELECT fieldName1, fieldName2 - Specifies the of the names of fields that will be returned from the database.
* FROM databaseName - Specifies the name of the database to search.
* WHERE restrictionsToFilterWhichEntriesToReturn - Specifies which entries to return.

Here is an example for somebody's login script:

SELECT userAcessFlags FROM userDatabase WHERE userName="(input here)" AND userPass="(input here)"

The idea is guess what that application's query looks like and input things designed to return data other than what was intended.

In the example, input like the following could give gain access to the administrator account:

User: administrator
Pass: " OR ""="

Making the query like this:

SELECT userAcessFlags FROM userDatabase WHERE userName="administrator" AND userPass="" OR ""=""

As you can see, ""="" (nothing does indeed match nothing)
Note: Injections are rarely as simple as this...

One can be creative and use error messages to your advantadge to access other databases, fields, and entries. Learn a little SQL to use things like UNION to merges query results with ones not intended.On the security side, parse user data and get rid of any extra symbols now that you know how it's done.

The idea in this example is to break out of the quotation marks.
When stuff is inside quotation marks, the stuff isn't processed as code or anything but as a phrase and what it is.

The password injection was: " OR ""="
What this does is close the string that was started by the quotation mark in the part userPass=". Once you break out, THEN stuff is considered code. So, I put OR ""=" after I break out of the string. You will notice that it is comparing two quotation marks with one, but the quotation mark already built in by the application finishes it so we have this:
userPass="" OR ""=""
Notice how the first and last quotation marks are not colored and are not built in.

Additional notes:
This was just an extremely simplified version and you will probably need to learn a little SQL to fully understand.

Here are a few SQL terms that do other things:
UNION: You use this to merge the results of one query with another. You may put things like SELECT after UNION in order to search other databases and stuff. Sometimes you may need to use ALL in conjuction to break out of certain clauses. It does no harm so when in doubt you could do something like:
" UNION ALL SELECT 0,'','hash' FROM otherDatabase WHERE userName="admin
The key when using UNION is to make your new query return the same amount of columns in the same datatype so that you may get the results you want.

:-- This works sometimes to terminate the query so that it ignores to the rest of the stuff that might be fed afterwards if you don't like it. For example:
SELECT * FROM userDatabase WHERE userName="admin";--" AND userPass="aH0qcQOVz7e0s"

NOT IN: If you have no idea which record you want you could record cycle (you request vague info, and you put what you already got in the NOT IN clause so that you can get the next entry)
Usage:
SELECT userName userPass FROM userDatabase WHERE userName NOT IN ('Dehstil','Twistedchaos')

EXEC: This command should never work, but if it does...you win; you could do anything. For instance, you could inject something like this:
';EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:

All my examples so far have dealt with read processes. To manipulate a write process, here is an example for those who know what their doing:
INSERT INTO userProfile VALUES(''+(SELECT userPass FROM userDatabase WHERE userName='admin')+'' + 'Chicago' + 'male')
This example would theoretically put the admin's password in your profile.

Share/Save/Bookmark
Subscribe

Spread Firefox Affiliate Button | edit post .

0 comments

Post a Comment

Are You Planning on Quitting Facebook? Why?

@Flickr

www.flickr.com

About Me

My Photo
Shashank Krishna
Bangalore, up, India
nothin much to say.........doin B.tech in IIIT allahabad loves bloggingn hacking.... :) and loooves blogging
View my complete profile

ads2

topads