SQL Injection Overview

SQL injection is currently the most common form of web site attack: web forms are everywhere, they are often
not coded properly, and the hacking tools used to find weaknesses and take advantage of them are freely
available online. This kind of exploit is easy enough to accomplish that even inexperienced attackers can
cause mischief. In the hands of a very skilled attacker, however, a web code weakness can yield root-level
access to the web server, and from there attacks on other networked servers can be launched.

Structured Query Language (SQL) is the nearly universal language of databases that allows the storage,
manipulation and retrieval of data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access
and FileMaker Pro, and all of them are equally subject to SQL injection attack.

Web-based forms must allow some access to your database in order to accept data and return a response, so
this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search
box, might provide access to your data by means of SQL injection if coded incorrectly.

How SQL Injection Works

Prospects, customers, employees and business partners may all have the right to store or retrieve information
from your database. Your site probably allows any site visitor to submit and retrieve data. Legitimate access for
visitors includes site search, sign up forms, contact forms, logon forms and all of these provide windows into
your database. These various points of access are quite possibly incorporated in ‘off-the-shelf’ applications or
may be custom applications set up just for your site. These forms and their supporting code have likely come
from many sources, were acquired at different times and possibly installed by different people.

SQL injection is the use of these publicly available fields to gain entry to your database. This is done by
entering SQL commands into your form fields instead of the expected data. Improperly coded forms allow an
attacker to use them as an entry point to your database, at which point the data in the database may become
visible, and access to other databases on the same server or on other servers in the network may be possible.

Web site features such as contact forms, logon pages, support requests, search functions, feedback fields,
shopping carts and even the functions that deliver dynamic web page content are all susceptible to SQL
injection attack, because the very fields presented for visitor use must feed their contents into the SQL
statements that are run against the database.

SQL Injection Risk

Since databases control many web site functions, nearly all web sites invite input from visitors, and so many
web forms are vulnerable, SQL injection has become, and for years has remained, the most common form of web
site attack. Additionally, so many criminals now use SQL injection that new server, application and code
weaknesses are being discovered almost daily.

Our own records indicate that most (over half) of the web sites we have been asked to scan had SQL injection
risks of either High or Medium levels. A high level of risk is one that is effectively an unlocked, unguarded
door. A medium risk is one that when combined with one or more other factors could mean trouble. An even
larger number of sites had Low risk issues. What you need to know: The percentage of sites that have at least
one major risk is actually increasing.

Even though SQL injection has been a known issue for years, there are several factors causing the rate of risk to
increase. First is that more companies are offering more web site interaction with visitors and this trend is
increasing dramatically. Second is that as more hackers gain skills in SQL injection, they are discovering more
applications and services that are susceptible to attack and are developing new attacks on old applications. The
result is a nearly exponential increase in the opportunities to use this attack method.

Your risk of being successfully attacked using SQL injection is based on two factors: the nature and size of your
business, and the age and patch status of your applications together with the skill and number of your
technical staff. It boils down to whether you are an interesting target and whether your web server, the
applications on it and your web site code are well designed, well integrated and have all the current patches and
Your site is in immediate danger if your company stores data of high value, if your company or entity is
operating in a highly contested field of business, or if your site has political or social importance or value.
Naturally if you have something of monetary value then you are a target. But you are also a target if your site is
an opinion leader in a contentious environment. We have been asked by bloggers for help because the subject
matter covered there had drawn SQL injection attacks.

SQL injection attacks are now being solicited online. An upset customer, competitor, or even an ex-spouse can
easily hire a ‘script kiddie’, or worse, a talented hacker, to attack a site. The chance of the hacker getting
caught is low. The chance that the upset party can cause damage to your site without being fingered as the
responsible party is high.

Technically you are at risk of SQL injection if you have any equipment or applications which have not been
routinely updated and patched, or if you have code on your site that was not correctly written. The age of the
equipment, the applications and the code is a rough indicator of risk. Another is the number of servers involved,
the number of applications and the number of web site access points. If you are using hosted servers or
outsourced technical resources, then a third-party review of your site security is important. And even in-house
staff can be so pressed for time and short on resources that updates and patches get delayed or old legacy
code gets used without proper review.

Why Do Attackers Perform an SQL Injection Attack?

To perform an SQL injection attack, an attacker must first locate a vulnerable input in a web application or web
page. An application or web page has an SQL injection vulnerability when it uses user input directly as part
of an SQL query. The attacker can then execute a specially crafted SQL command as a malicious intrusion.
Leveraging that malicious code, the attacker obtains a response that gives a clear idea of the database's
structure, and thereby access to all the information in the database.

SQL is the means of communication with the database. SQL statements are used to retrieve and update data
in the database. Attackers place malicious SQL statements in an input box, and in response the database
reveals sensitive information. This exploit aims at gaining unauthorized access to the data of a website or
application. Many websites and web applications store data in SQL databases, so for any of these applications
it becomes essential to perform vulnerability testing to ensure there are no loopholes for executing SQL injection.

How an SQL Injection Attack Is Performed

SQL injection is performed by using a structured query that instigates the desired response. The response is
essential for the attacker to understand the database architecture and to access the secured information of the
application. An attacker may perform SQL injection with the following approaches:

SQL statement that is always true

An attacker executes an SQL injection with an SQL statement that is always true, for instance 1=1. Instead of
just entering the “wrong” input, the attacker supplies a statement that will always evaluate as true.

Entering “100 OR 1=1” in the query input box will return a response with the details of a table.

"OR ""="

This SQL injection approach is similar to the one above. A bad actor enters " OR ""=" into the query input
box. The quote characters and the OR together serve as the malicious code that breaks into the application.
Consider the following example. An attacker seeking to retrieve user data from an application can simply type
" OR ""=" into the user ID or password field. Because the resulting SQL statement is valid and always true,
it returns the data of the user table in the database.

Batched SQL injection

Batched SQL injection consists of a set of SQL statements separated by semicolons. The only thing that makes
this approach succeed is that the SQL statements are valid and true, that is, the statement after the semicolon
must itself execute. For example, if the attacker enters “105; DROP TABLE Supplier”, the SQL statement after
the semicolon deletes the supplier table from the application database.

Some of the most common SQL injection queries are included in the next section.

Types of SQL Injection

SQL injection can be categorized into three categories: in-band, inferential, and out-of-band.

In-band SQL injection

In-band SQL injection is the most frequent and commonly used SQL injection attack. The transfer of data used
in in-band attacks can either be done through error messages on the web or by using the UNION operator in
SQL statements. There are two types of in-band SQL injection: union-based and error-based SQL injection.

- Union-based SQL injection. When an application is vulnerable to SQL injection and the application's
responses return the results of a query, attackers use the UNION keyword to retrieve data from other
tables of the application database.
- Error-based SQL injection. The error-based technique relies on error messages thrown by the
application's database server. Attackers use the information in the error message to determine the
entities of the database.

Inferential SQL injection

Inferential SQL injection is also known as a blind SQL injection attack. In a blind SQL injection attack, after
sending a data payload, the attacker observes the behavior and responses to determine the data structure of the
There are two types of blind or inferential SQL injection attacks: Boolean and time based.

- Boolean based. The Boolean-based technique sends SQL queries to the database to force the application
to return a Boolean result, that is, either TRUE or FALSE. Attackers perform various queries blindly to
determine the vulnerability.
- Time based. The time-based SQL injection attack is often used when an application returns generic error
messages. This technique forces the database to wait for a specific time. The response time tells the
attacker whether the query returned TRUE or FALSE.

Out-of-band SQL injection

The out-of-band SQL injection attack requests that the application transmit data via any protocol—HTTP, DNS,
or SMB. To perform this type of attack, the following functions can be used on Microsoft SQL and MySQL
databases, respectively:

- MS SQL: master..xp_dirtree
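The families just described leave characteristic traces in web server logs, which is where a defender usually
meets them first. As an added example (not code from the article), the following Python script scans constructed
Apache-style access-log lines, URL-decodes each request target, and tags it with the family its payload
resembles: union-based (UNION ... SELECT), Boolean-based (an OR/AND comparison such as OR 1=1), time-based
(SLEEP, BENCHMARK, pg_sleep, WAITFOR DELAY), batched (a semicolon followed by a data-changing statement) and
out-of-band (master..xp_dirtree, the one function the page names). The log lines, IP addresses and the exact
pattern list are assumptions made for the sample.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed access-log lines in Apache combined-log style (not from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product?id=100 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /product?id=100+OR+1%3D1 HTTP/1.1" 200 9813
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /product?id=100+UNION+SELECT+name%2Cpass+FROM+users HTTP/1.1" 200 4410
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /product?id=100+AND+SLEEP(5) HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /product?id=100%3BDROP+TABLE+Supplier HTTP/1.1" 500 233
198.51.100.7 - - [10/Oct/2023:13:56:15 +0000] "GET /search?q=master..xp_dirtree HTTP/1.1" 200 1022
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /search?q=blue+shoes HTTP/1.1" 200 3001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)')

# One heuristic per family named in the article; labels are the family names.
SIGNATURES = [
    ("union-based",   re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("boolean-based", re.compile(r"\b(?:or|and)\b\s+(?:\w+|'[^']*')\s*=\s*(?:\w+|'[^']*'?)", re.I)),
    ("time-based",    re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("batched",       re.compile(r";\s*(?:drop|delete|update|insert|alter)\b", re.I)),
    ("out-of-band",   re.compile(r"\bxp_dirtree\b|\bmaster\.\.xp_", re.I)),
]


def decode_target(target):
    """URL-decode path and query so encoded payloads (%3D, +) become readable."""
    parts = urlsplit(target)
    return unquote(parts.path) + "?" + unquote_plus(parts.query)


def classify(decoded_target):
    """Return the list of family labels whose pattern matches the decoded request."""
    return [label for label, rx in SIGNATURES if rx.search(decoded_target)]


def scan_log(text):
    """Return (client_ip, decoded_target, [families]) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        families = classify(decoded)
        if families:
            hits.append((m.group("ip"), decoded, families))
    return hits


def hits_per_client(hits):
    """Count flagged requests per source address; repeat offenders stand out."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, target, families in found:
        print(ip, ", ".join(families), target)
    print(hits_per_client(found))
```

These patterns are deliberately simple and will produce false positives on ordinary text that happens to contain
"and x=y"; in practice they are a triage filter that points an analyst at the requests and source addresses worth a
closer look, and blind (inferential) probing shows up mainly as bursts of near-identical requests from one client,
which the per-client count is meant to surface.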


SQL Injection Example

Every time a web site visitor enters data into a form on your site, an SQL query is generated and delivered to
your database. In the case of a simple logon form, the user name and password are presented to the database and,
if valid, the database responds with an answer and the user is allowed access (or not). So, no matter how simple
the form or web process, database access is required and a response is expected.

Using SQL injection, an attacker will try to enter specially crafted SQL commands into a form field instead of
the expected information. The intent is to obtain a response from the database that helps the attacker
understand the database structure, such as table names. The next step would be to access and view data in
important tables or to add data to tables, such as new accounts or user names and passwords. The third
step, roughly, would be to use access to the database to discover and change security settings on the server
that would give the attacker administrative access.

Any dynamic scripting language, including ASP, ASP.NET, PHP, JSP and CGI, is vulnerable to attack. The only
equipment needed is a web browser. Tools that semi-automate the search for weaknesses are widely available
online, and there are many forums in which attackers share exploits and help each other overcome obstacles.

SQL Injection Outcomes

As you can imagine, a hacker gaining administrative access to your server means that you will have effectively
lost all of the data on that server to the invader. Worse yet there is now a beachhead behind your firewall from
which attacks on other servers and services can now be made. In this way SQL injection can provide access
to all company or personal data.

From an attacker's point of view, a component of the hack that is almost as important as the break-in is
maintaining secrecy. Setting off an ‘alarm’ of some sort is the last thing they want to do. Their infiltration work
takes time, and often the value of stolen data drops if the theft is discovered (information used in identity
theft or credit card fraud, for example). Thus SQL injection hacks are often discovered months, and in some
cases years, after they began.

Alternatively, if outright damage is the intent, then there is no shortage of bad things that can be done to a
database once one has gained the ability to run commands. An entire table can be permanently deleted with a
single SQL command. A more sophisticated SQL injection attack could involve massive corruption of large
databases and even destruction of backup copies.

Defense Against SQL Injection

Because web sites require constant access to the database, firewalls provide little or no defense against SQL
injection attacks. Your website is public, and firewalls must be set to allow every site visitor access to your
web application, usually over port 80/443. Antivirus programs are equally ineffective at blocking SQL injection
attacks; they are intended to spot and stop an entirely different kind of incoming data.

The most commonly used SQL injection defense is made up of two components. First there is routine updating
and patching of all servers, services and applications, which of course has many advantages and is common
practice. Second there is producing and using well-written and well-tested website code that does not allow
unexpected SQL commands to reach the database.
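What "well written and well tested" code looks like for the second component, as an added example that is not
code from the article: the form values are never concatenated into the SQL text. Numeric fields are validated
against an allowlist (digits only) before use, string fields are passed to the database as bound parameters of a
fixed statement, and a regression check replays the page's own payloads (100 OR 1=1, the quote tautology, the
batched DROP) to confirm none of them bypasses the logon or the lookup. The script runs against an in-memory
SQLite database with constructed rows; the table, column and function names are assumptions for the sample.

```python
import sqlite3

# Payloads from the article's examples plus two common variants; the check below
# expects every one of them to be rejected or to match no row.
INJECTION_PAYLOADS = [
    "100 OR 1=1",
    "' OR ''='",
    "' OR '1'='1",
    "alice' --",
    "105; DROP TABLE users",
]


def make_db():
    """Constructed sample rows (not from the article). Real code stores password
    hashes, not plaintext; this sample is about how the query is built."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO users VALUES (100, 'alice', 's3cret'), (101, 'bob', 'hunter2');
    """)
    return conn


def parse_user_id(raw):
    """Allowlist validation for a numeric field: only ASCII digits are accepted,
    so '100 OR 1=1' never gets anywhere near the database."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("user id must be a plain integer, got %r" % raw)
    return int(raw)


def safe_lookup(conn, raw_id):
    user_id = parse_user_id(raw_id)
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_or_reject(conn, raw_id):
    """Handler wrapper: returns rows, or None when validation rejects the input."""
    try:
        return safe_lookup(conn, raw_id)
    except ValueError:
        return None


def safe_login(conn, name, password):
    """Parameterized query: the SQL text is fixed and the two values are sent
    separately by the driver, so quotes, OR or semicolons inside them are just
    characters in a string and cannot change the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? AND pass = ?",
        (name, password)).fetchone()


def regression_check(conn):
    """The 'well tested' part: replay the known payloads through both handlers
    and return the ones that bypassed them. A correct build returns []."""
    bypassed = []
    for payload in INJECTION_PAYLOADS:
        if safe_login(conn, payload, payload) is not None:
            bypassed.append(("login", payload))
        if lookup_or_reject(conn, payload):
            bypassed.append(("lookup", payload))
    return bypassed


if __name__ == "__main__":
    conn = make_db()
    print("valid logon:", safe_login(conn, "alice", "s3cret"))
    print("tautology logon:", safe_login(conn, "' OR ''='", "' OR ''='"))
    print("id 100:", lookup_or_reject(conn, "100"))
    print("id '100 OR 1=1':", lookup_or_reject(conn, "100 OR 1=1"))
    print("payloads that bypassed:", regression_check(conn))
```

Keeping the payload list next to the handlers turns the article's advice into something a build pipeline can
enforce: a later change that reintroduces string concatenation makes regression_check() return a non-empty list
and fails the build, which is the kind of test the "well tested" requirement is asking for.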

These two defenses are by definition enough to halt any SQL injection attack. So, why are web site
vulnerabilities and risks on the rise and why are successful attacks occurring more often? The answers are each
simple, and combine into a daunting list:

- The number of servers, applications and volume of code on web sites is increasing

- These servers, applications and code languages interact with each other in sometimes unpredictable ways

- The number and frequency of updates and patches is increasing

- IT departments are doing more work with fewer staff, and some activities such as updates get postponed

- IT staff turnover and layoffs sometimes leave camouflaged holes in security routines

- Automatically installing every patch and update that comes along often produces unwanted side effects

- Legacy code is often re-used when sites are updated, sometimes keeping code written to old standards in use
long after it became obsolete

- The number of people attempting hacks and the number of tools available to simplify hacking are both
going up almost exponentially

More and more companies with huge risk factors and large web ‘footprints’ are coming to conclude that
patching everything and hiring more staff to watch the work of existing staff is no longer viable.

Web Site Scanning as a SQL Injection Cure

The new solution to SQL injection attacks (and all other web-based attacks) is to focus limited and valuable IT
time on the serious risks that are actually present, rather than to use a shotgun approach and apply every
possible fix to every server, every application and every page of code whether it was needed or not. This new
approach is like having a doctor evaluate a patient and prescribe the ONE medicine that is needed to produce a
cure, rather than have the patient go directly to the pharmacy to get every possible medicine and take them all at
Thus greater security is accomplished by using web application testing tools, such as beSECURE, to
examine (scan) a web site against a list of thousands of known attacks and then report on the relatively few
(usually less than a dozen) serious issues.

Web site scanning works on the basis of spotting and reporting KNOWN risks. Common hacking is very
‘public’ activity. The tools are widely promoted. Techniques are broadly disseminated in public forums. Even
new methods become public within hours or days of their first use, thanks to groups like and
others who watch for and then broadly warn others.

beSECURE, the automated vulnerability detection system, is a web-based service that uses a compilation of all
known risks into families and all families into a single database that has taken many years to compile and many
hours a day to maintain. Using this database beSECURE can evaluate any web site and produce a report of
REAL and PRESENT risks rated according to their relative importance – often within hours and without
disturbing ongoing site activities.

Now you can take your valuable IT man-hours and directly address real risks such as SQL injection, rather than
spend hundreds of hours installing patches and updates, most of which you don't need or which handle risks so
small as to be negligible.

