Tuesday, February 15, 2011

What is SQL Injection?

SQL Injection

SQL injection is most common methodology employed by a hacker to exploit vulnerabilities in software applications. Vulnerabilities are basically weak links in the software that exposes unauthorized data/information to a user. SQL injection occurs when the user input is incorrectly filtered for embedded SQL statements.

The technique is powerful enough not only to expose the information to the user but also modify and delete the content which could prove disastrous to the company.

SQL injection vulnerabilities have three forms:

Incorrectly filtered special characters: escape characters


This form of SQL injection occurs when the user manipulates the SQL statements using characters such as ’. For instance consider that you need to enter username and password while logging into your account. The SQL statement generated will be:

“SELECT * FROM users WHERE password = ’” + password + “‘;”

Now suppose the userName and/or password so entered are” ‘ or ‘1’=’1”. So the SQL statement reaching the back end will be:

“SELECT * FROM users WHERE password =’ ‘or ‘1’=’1 ‘;”

Look closely at this statement. It is deciphered by the database as select everything from the table “user” having field name equal to ‘ ‘ or 1=1. During authentication process, this condition will always be valid as 1 will always equal 1. Thus this way the user is given unauthorized access.

List of Some Important inputs used by hackers to use SQL Injection technique are:

a) ‘ or ‘a’=’a
b) ‘ or 1=1 –
c) ‘ or 1=1; –
d) ‘; select * from *; –
e) ‘ (Single quote)(Here we look at the error)
f) ‘; drop table users –

On some SQL servers such as MS SQL Server any valid SQL command may be injected via this method, including the execution of multiple statements. The following value of “username” in the statement below would cause the deletion of the “users” table as well as the selection of all data from the “data” table (in essence revealing the information of every user):

a’;DROP TABLE users; SELECT * FROM data WHERE name LIKE ‘%

Incorrectly handling input data type

This form of SQL injection occurs when the user input is not strongly typed i.e. , the input by the user is not checked for data type constraint. For example consider a field where you are asked to enter your phone number. Since the phone number input is of numeric data type, therefore the input must be checked whether it is numeric or not. If not checked, then the user can send alphanumeric input and embedded SQL statements. Consider the following SQL statement:

“SELECT * FROM user WHERE telephone = “+ input +”;”
Now if I can input alphanumeric data say “11111111;DROP TABLE user” then I have embedded an SQL statement to delete the entire table “user”. This might prove detrimental to the company!!!

If you happen to know the database table name and column names, then any user can perform SQL injection using the following inputs:

1. ‘ having 1=1 –

2. ‘ group by user.id having 1=1 –
3. ‘ group by users.id, users.username, users.password, users.privs having 1=1—
4. ‘ union select sum(users.username) from users—
5. ‘ union select sum(id) from users –

Vulnerabilities inside the database server

Sometimes vulnerabilities can exist within the database server software itself, as was the case with the MySQL server’s real_escape_chars() functions.

If the database server is not properly configured then the access to the database can easily be found out by the hacker.
The hacker can get information regarding the database server using the following input:
‘ union select @@version,1,1,1—

1. Extended Stored Procedure Attacks

2. sp_who: this will show all users that are currently connected to the database.
3. xp_readmail, , , , ,@peek=’false’ : this will read all the mails and leave the message as unread.

In the same way there is a list of such extended stored procedures that can be used by the hacker to exploit vulnerabilities existing in software application at the database layer.


Post a Comment