SQL Injection - Neuroon Networks

Friday, February 23, 2018

SQL Injection

What is SQL Injection?

SQL injection is a code injection technique, which is used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL Injection can also be used to add, modify and delete records in a database.

To such an extent, SQL Injection can provide an attacker with unauthorized access to sensitive data, including customer data, personally identifiable information (PII), bank details, credit card details, trade secrets, intellectual property and other sensitive information.

How does it work?

The following server-side pseudo-code is used to authenticate users to the web application.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi (user input concatenated straight into the statement)
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

The above script is a simple example of authenticating a user with a username and a password against a database with a table named users, which has a username column and a password column.

The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.

A simple example of an SQL Injection payload could be something as simple as setting the password field to

password' OR 1=1

This would result in the following SQL query being run against the database server.

SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

An attacker can also comment out the rest of the SQL statement to control the execution of the SQL query further.

-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite 
' OR '1'='1' -- 
' OR '1'='1' /* 
-- MySQL 
' OR '1'='1' # 
-- Access (using null characters) 
' OR '1'='1'  
' OR '1'='1' %16

Once the query executes, the result is returned to the application to be processed, resulting in an authentication bypass. If authentication bypass is possible, the application will most likely log the attacker in with the first account from the query result; the first account in a database is usually that of an administrative user.

The Different Types of SQL Injection

1. Error-Based SQL Injection : When exploiting an error-based SQL Injection vulnerability, attackers can retrieve information such as table names and content from visible database errors.

2. Boolean-Based SQL Injection : When an SQL query fails, sometimes some parts of the web page disappear or change, or the entire website can fail to load. These indications allow attackers to determine whether the input parameter is vulnerable and whether it allows extraction of data.

3. Time-Based SQL Injection : Hackers determine this by instructing the database to wait (sleep) a stated amount of time before responding. If the page is not vulnerable, it will load quickly; if it is vulnerable it will take longer than usual to load. This enables hackers to extract data, even though there are no visible changes on the page. The SQL syntax can be similar to the one used in the Boolean-Based SQL Injection Vulnerability.

4. Out-of-Band SQL Injection Vulnerability : Sometimes the only way an attacker can retrieve information from a database is to use out-of-band techniques. Usually these types of attacks involve sending the data directly from the database server to a machine that is controlled by the attacker. Attackers may use this method if an injection does not occur directly after the supplied data is inserted, but at a later point in time.

Preventing SQL Injection

  • Using Prepared Statements as SQL Injection Prevention -> Insecure SQL Queries are a Problem
  • Non-Development-Related SQL Injection Protection -> Running Updated Software, Blocking URLs at Web Server Level, Securing the Database and Privileges, Segregating Sensitive and Confidential Data, Analyzing HTTP Requests Before They Hit the Web Application
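The page's pseudo-code rebuilt as a runnable comparison, added here as an example that is not from the original post: the concatenated query beside its prepared-statement replacement, both run against a constructed in-memory SQLite users table with the ' OR '1'='1' -- payload from the list above. The table contents and the names make_db, login_vulnerable, login_prepared and demo are assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (assumption of this example):
    an administrative account inserted first, then an ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "correct horse"), ("alice", "battery staple")])
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """Builds the statement by string concatenation, like the page's pseudo-code.
    Returns the id of the first matching row, or None."""
    sql = ("SELECT id FROM users WHERE username='" + uname +
           "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, uname, passwd):
    """Same check with a prepared statement: the driver binds the values,
    so quotes and comment markers in the input stay data, never SQL."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


def demo():
    """Runs a legitimate login and the comment-style payload against both versions.
    In the vulnerable version the WHERE clause collapses to
    (username='nobody' AND password='') OR '1'='1', so the first row (admin, id 1)
    is returned; the prepared statement finds no such user and returns None."""
    conn = make_db()
    payload = "' OR '1'='1' --"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "battery staple"),
        "bypass_vuln": login_vulnerable(conn, "nobody", payload),
        "legit_prepared": login_prepared(conn, "alice", "battery staple"),
        "bypass_prepared": login_prepared(conn, "nobody", payload),
    }
```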


References : https://en.wikipedia.org/wiki/SQL_injection
