SQL Injection - some basics to remember!

on

SQL Injection




What is SQL? –


  • SQL stands for Structured Query Language

  • Allows us to access a database

  • ANSI and ISO standard computer language

  • 4The most current standard is SQL99


SQL can:

  • Execute queries against a database

  • Retrieve data from a database

  • Insert new records in a database

  • Delete records from a database

  • Update records in a database





SQL is standard but

  • There are many different versions of the SQL language

  • They support the same major keywords in a similar manner (such as SELECT, UPDATE,



DELETE, INSERT, WHERE, and others).


  • Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard!



SQL database table:-

  • A relational database contains one or more tables identified each by a name

  • Tables contain records (rows) with data

  • For example, the following table is called "users" and contains data distributed in rows and columns:












UserID

Name

Lastname

Login

Password



1

Aashish

Patil

Aashishp

Test



2

Aashish1

Patil1

Aashishp1

Test



3

Aashish2

Patil2

Aashishp2

test




SQL Queries:-

  • With SQL, we can query a database and have a result set returned

  • Using the previous table, a query like this:

SELECT LastName

FROM users

WHERE UserID = 1;

Gives a result set like this:

LastName

--------------

Patil


SQL Data manipulation language (DML):-

  • SQL includes a syntax to update, insert, and delete records:


SELECT - extracts data

UPDATE - updates data

INSERT INTO - inserts new data

DELETE - deletes data



  • The Data Definition Language (DDL) part of SQL permits:

Database tables to be created or deleted

Define indexes (keys)

Specify links between tables

Impose constraints between database tables


  • Some of the most commonly used DDL statements in SQL are:


CREATE TABLE - creates a new database table


ALTER TABLE - alters (changes) a database table


DROP TABLE - deletes a database table




  • Almost all SQL databases are based on the RDBM (Relational Database Model)


  • One important fact for SQL Injection


Amongst Code’s 12 rules for a Truly Relational Database System:

Metadata (data about the database) must be stored in the database just as regular data is


Therefore, database structure can also be read and altered with SQL queries




SQL injection?

The ability to inject SQL commands into the database engine

through an existing application



SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data


SQL injection attacks can be used to steal information from a database from which the data would normally not be available and to gain access to host computers through the database engine



Applications which can be vulnerable:-


  • Almost all SQL databases and programming languages are potentially vulnerable

MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc

  • Accessed through applications developed using:

Perl and CGI scripts that access databases

ASP, JSP, PHP

XML, XSL and XSQL

Javascript

VB, MFC, and other ODBC-based tools and APIs

DB specific Web-based applications and API’s

Reports and DB Applications

3 and 4GL-based languages (C, OCI, Pro*C, and COBOL)



How SQL injection works??


  • Common vulnerable login query


SELECT * FROM users

WHERE login = 'victor'

AND password = '123'

(If it returns something then login!)


  • ASP/MS SQL Server login syntax


var sql = "SELECT * FROM users

WHERE login = '" + formusr +

"' AND password = '" + formpwd + "'";



Injection for this:-


formusr = ' or 1=1 – –


formpwd = anything



Final query would look like this:


SELECT * FROM users

WHERE username = ' ' or 1=1

  • AND password = 'anything'








For Numeric data: -


SELECT * FROM clients

WHERE account = 12345678

AND pin = 1111



PHP/MySQL login syntax


$sql = "SELECT * FROM clients WHERE " .

"account = $formacct AND " .

"pin = $formpin";



Injection for numeric field:-


$formacct = 1 or 1=1 #


$formpin = 1111



Final query would look like this:



SELECT * FROM clients

WHERE account = 1 or 1=1

# AND pin = 1111



SQL Injection Characters:-


' or " character String Indicators


-- or # single-line comment


/**/ Multiple-line comment


+ Addition, concatenate (or space in url)


|| (Double pipe) concatenate


% Wildcard attribute indicator


?Param1=foo&Param2=bar URL Parameters


PRINT useful as non-transactional command


@variable local variable


@@variable global variable


Waitfor delay '0:0:10' time delay

  • Use of ‘

It closes the string parameter

Everything after is considered part of the SQL command

Misleading Internet suggestions include:

Escape it! : replace ' with ' '


  • String fields are very common but there are other types of fields:

Numeric and Dates


These are few basics which one should remember!


Comments

Post a Comment