What is a SQL Injection Vulnerability? - Shaw

Nov 10, 2013

SQL Injection

CISY 2412
June 21, 2004
Mark Silliker
100101160


Table of Contents

What is a SQL Injection Vulnerability?
Overview
How SQL Injection Works
Identify the Errors
Identifying Vulnerable Parameters
Implementing SQL Injection
Syntax Trial and Error
Database Identification
Summary
Questions


What is a SQL Injection Vulnerability?

- User-controlled data is placed into a SQL query without being validated for correct format or embedded escape strings.

- Affects the majority of applications that use a database backend and don't force variable types.

- At least 50% of the large e-commerce sites and about 75% of the medium to small sites are vulnerable.

- Improper validation in CFML, ASP, JSP, and PHP is the most frequent cause.

Overview

SQL injection attacks have been on the rise over the past few years. The increase in database-based applications, together with various publications that explain the problem and how it can be exploited, has led to many attacks of this type.

Many attempts have been made to find solutions to the problem. The easiest solution would be to build programs with a much higher degree of security, but because we don't live in that perfect world, not much has changed even though many articles have been published regarding secure development of Web applications. Web developers still don't seem to take these security issues seriously, so this problem still exists.

How SQL Injection Works

To make an SQL injection work, the attacker must first probe the system to identify any error messages displayed by the system.

Identify the Errors

Basically, there are two types of errors produced:

- Web server errors, usually generated due to invalid data input.

- Errors generated by the application code in response to invalid input.

By generating various errors through trial and error, an attacker would try to identify how the application deals with these errors, in order to determine the database structure.

By using SQL injection testing methods such as the SQL keywords "OR" and "AND", the meta characters semicolon (;) and apostrophe ('), and the comment symbol (--), the attacker can closely examine the errors produced and begin to narrow down which errors are a result of manipulated input. Also, the attacker can use an intercepting proxy tool in order to follow any page redirects and view otherwise invisible errors.


The ultimate goal of this process is of course to generate a list of suspect parameters. Once the attacker has this list, further investigation of the most promising ones will possibly yield what he is looking for, which is a way in.

Identifying Vulnerable Parameters

Since SQL has three basic data types, an attacker must first determine which type he is dealing with: Number, String or Date. Each parameter sent from the application to the server will be one of these types. Strings and dates are encased in single quotes, and numbers are sent to the server "as is".

The behavior that allows an attacker to determine data types is the fact that the SQL server only cares whether the expression is of the relevant type.

This behavior gives the attacker the best way of identifying whether an error is indeed an SQL one or unrelated.

With numeric values, the easiest way to handle this is by using basic arithmetic operations. For instance, look at the following request:

/mysite/test.asp?ID=6

Testing this for SQL injection is very simple. One way to do this is to inject 6' as the parameter. The other way is using 3 + 3 as the parameter. Assuming this parameter is indeed passed to an SQL request, the result of the two tests will be the following two SQL queries:

1) SELECT * FROM Products WHERE ID = 6'

2) SELECT * FROM Products WHERE ID = 3 + 3

The first one will generate an error, because the SQL syntax is incorrect. The second, however, will execute, returning the same product as the original request (with 6 as the ID), indicating that this parameter is vulnerable to SQL injection.

A similar technique can be used for replacing the parameter with an SQL string expression. There are only two differences. First, string parameters are held inside quotes, so breaking out of the quotes is necessary. Secondly, different SQL servers use different syntax for string concatenation. For instance, Microsoft SQL Server uses the + sign to concatenate strings, whereas Oracle uses || for the same task. Other than that, the same technique is used. For instance:

/mysite/test.asp?Name=Book

Testing this for SQL injection involves replacing the Name parameter, once with an invalid string such as B', the other with one that will generate a valid string expression, such as B' + 'ook (or B' || 'ook with Oracle). This results in the following queries:

1) SELECT * FROM Products WHERE Name = 'Book''

2) SELECT * FROM Products WHERE Name = 'B' + 'ook'

Again, the first query is likely to generate an SQL error, while the second is expected to return the same product as the original request, with Book as its value.

Identifying whether SQL injection occurs is a very simple task even without detailed error messages, allowing the attacker to easily continue with the attack.

Implementing SQL Injection

Once the vulnerability has been identified, the attacker still must establish three more things in order to exploit it:

- Generate valid syntax.

- Identify the specific database server.

- Build the expression.

Syntax Trial and Error

This may be one of the more difficult parts of the process for the attacker. He must now figure out how to break out of the standard query in order to make the system perform in an abnormal way. Some of this will require simple trial and error.

In order to return valid syntax, the attacker must be able to append data to the original WHERE statement so that it will return different data than it should. In basic applications, simply adding OR 1=1 can sometimes generate this result. However, in many cases this will not be enough for a successful result. Usually, parentheses must be closed, so they close the originally opened ones. Another problem that may occur is that an altered query will cause the application to generate an error, which cannot be distinguished from an SQL error.

Since each WHERE clause is basically a set of expressions evaluating as True or False, joined together with OR, AND and parentheses, learning the right syntax that breaks out of parentheses and properly terminates the query is done by attempting different combinations. For instance, adding 'AND 1=2' turns the entire phrase into a false one, whereas adding 'OR 1=2' has zero influence.

The entire SQL statement must be properly terminated, so that additional syntax can be appended. To do that, a very simple method can be used. After the attacker finds a valid combination of AND, OR, 1=2, and 1=1 expressions, the SQL comment sign can be used.


This sign, represented by two consecutive dashes (--), tells the SQL server to ignore the rest of the user-entered data after the comment symbol. For example, a simple login page takes both the Username and Password into the query:

SELECT Username, UserID, Password FROM Users WHERE Username = 'user' AND Password = 'pass'

By sending johnsmith'-- as the user, the following WHERE clause is generated:

WHERE Username = 'johnsmith'--' AND Password = 'pass'

In this case, not only was the syntax right, but the authentication was bypassed.

This demonstrates how the comment sign can be used to identify whether the query has been properly terminated. If the comment sign was added and no error occurred, it means that it terminated properly right before the comment. Otherwise, additional trial and error is required.
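The two probes from the "Identifying Vulnerable Parameters" section (6' and 3 + 3 against test.asp) and the comment-terminated login above, replayed against a small SQLite database as an added example that is not part of the report. The concatenating functions reproduce the report's behaviour; the two "safe" variants show the application-level fix the Summary calls for: force the variable type and bind parameters. The table contents, function names and the use of SQLite (which, like Oracle, concatenates with ||) are assumptions for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data (not from the report). Plaintext
    passwords mirror the report's example query; they are a defect in their own right."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Products (ID INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Products VALUES (6, 'Book'), (7, 'Lamp');
        CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT);
        INSERT INTO Users VALUES (1, 'johnsmith', 'pass');
    """)
    return conn

def product_vulnerable(conn, id_param: str):
    """Concatenates the parameter into the SQL text, as the report's test.asp does."""
    sql = "SELECT Name FROM Products WHERE ID = " + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as err:   # ID=6' breaks the syntax
        return ("error", str(err))
    return ("ok", row[0] if row else None)   # ID=3 + 3 is evaluated by the engine

def product_safe(conn, id_param: str):
    """Forces the variable type, then binds a parameter: 3 + 3 is never evaluated."""
    try:
        id_value = int(id_param)
    except ValueError:
        return ("rejected", None)
    row = conn.execute("SELECT Name FROM Products WHERE ID = ?", (id_value,)).fetchone()
    return ("ok", row[0] if row else None)

def login_vulnerable(conn, user: str, pw: str) -> bool:
    """The report's login query built by concatenation: johnsmith'-- comments out the password check."""
    sql = ("SELECT UserID FROM Users WHERE Username = '" + user
           + "' AND Password = '" + pw + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, user: str, pw: str) -> bool:
    """Bound parameters: the quote and -- are just characters inside the username value."""
    sql = "SELECT UserID FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for probe in ("6", "3 + 3", "6'"):
        print(probe, product_vulnerable(db, probe), product_safe(db, probe))
    print(login_vulnerable(db, "johnsmith'--", "x"), login_safe(db, "johnsmith'--", "x"))
```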

Database Identification

The attacker must also identify the type of database that he is dealing with in order to exploit the SQL injection.

Several tricks allow the attacker to identify the database type, based on the differences between database engines. The following demonstrates a technique for differentiating between Oracle and Microsoft SQL Server.

This method exploits the string concatenation difference. Assuming the syntax is known, and the attacker is able to add additional expressions to the WHERE clause, a simple string comparison can be done using this concatenation, for instance:

AND 'xxx' = 'x' + 'xx'

By replacing the + with ||, Oracle can be easily differentiated from MS SQL Server, or other databases.

Once the attacker has established the database type, he is ready to initiate the injection attack.
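The probe syntax described from "Identify the Errors" through this section (a stray apostrophe, the -- terminator, OR/AND 1=1 and 1=2 tests, and the + versus || concatenation fingerprint) is exactly what shows up in web server logs while an attacker is still in the trial-and-error phase. The following detector is an added example, not from the report; the rules, the hypothetical log format and the constructed sample lines are all assumptions.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical detection rules (not from the report) for the probe syntax it
# describes: a stray apostrophe, the -- terminator, OR/AND 1=1 or 1=2 tests,
# and the concatenation fingerprint ('x' + 'xx' for MS SQL, 'x' || 'xx' for Oracle).
PROBE_PATTERNS = {
    "quote_break": re.compile(r"'\s*(--|$|(?:and|or)\b)", re.I),
    "comment_terminator": re.compile(r"--"),
    "tautology": re.compile(r"\b(?:and|or)\s+1\s*=\s*[12]\b", re.I),
    "concat_mssql": re.compile(r"'\s*\+\s*'"),
    "concat_oracle": re.compile(r"'\s*\|\|\s*'"),
}

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def classify_query_string(qs: str) -> list:
    """Decode the query string once, then report every pattern that matches."""
    decoded = unquote_plus(qs)
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]

def scan_log(lines) -> list:
    """Return (client, path, hits) for each request whose query string matches a rule."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, url = m.group(1), m.group(2)
        path, _, qs = url.partition("?")
        hits = classify_query_string(qs)
        if hits:
            findings.append((client, path, hits))
    return findings

# Constructed Apache combined-format lines, not real traffic; they replay the
# report's own probes (6', B' + 'ook, johnsmith'--, 'xxx' = 'x' || 'xx').
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jun/2004:10:00:01 -0400] "GET /mysite/test.asp?ID=6 HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Jun/2004:10:00:02 -0400] "GET /mysite/test.asp?ID=6%27 HTTP/1.1" 500 88',
    '10.0.0.9 - - [21/Jun/2004:10:00:03 -0400] "GET /mysite/test.asp?Name=B%27+%2B+%27ook HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Jun/2004:10:00:04 -0400] "GET /login.asp?user=johnsmith%27-- HTTP/1.1" 302 0',
    '10.0.0.9 - - [21/Jun/2004:10:00:05 -0400] "GET /mysite/test.asp?ID=6+AND+%27xxx%27+%3D+%27x%27+%7C%7C+%27xx%27 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(client, path, ", ".join(hits))
```

The rules only look at the decoded query string, so POST bodies and double-encoded input need the same treatment before matching; a burst of quote_break hits followed by a 500 and then a 200 from one client is the error-probing sequence the report describes.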


Summary

Hopefully, the contents of this report have now educated you as to why SQL injection is a real threat to any system, with or without detailed error messages, and why relying on suppressed error messages is not secure enough. By implementing security measures at the application level, a developer can assure the client of a more secure application. This is really the only way one can be sure that their application will be safe from a SQL injection attack.




Questions

1. In order to break out of an SQL expression, you can use the # sign.
   False (Answer: ')

2. The easiest way to determine the database type is to compare concatenation methods.
   True

3. In an SQL statement, the -- symbol tells the server that what follows is a comment.
   True

4. 10% of large e-commerce sites are vulnerable to SQL Insertion.
   False (50%)

5. Number parameters are sent with single quotes to the server.
   False (They are sent "as is")
