13.1 SQL Injection Concepts

What is SQL Injection?

  • SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
  • SQL injection is a basic attack used to either gain unauthorized access to a database or to retrieve information directly from the database.
  • It is a flaw in web applications and not a database or web server issue.

SQL commands used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE.

Why Bother about SQL Injection?

  • On the basic of application used and the way it processes user supplied data, SQL injection can be used to implement the attacks mentioned below:
    • Authentication Bypass: Using this attack, an attacker logs onto an application without providing valid user name and password and gains administrative privileges.
    • Information Disclosure: Using this attack, an attacker obtains sensitive information that is stored in the database.
    • Compromised Data Integrity: An attacker uses this attack to deface a web page, insert malicious content into web pages, or alter the contents of a database.
    • Compromised Availability of Data: Attackers use this attack to delete the database information, delete log, or audit information that is stored in a database.
    • Remote Code Execution: It assists an attacker to compromise the host OS.

      MSSQL, MySQL, Postgre: 有跟OS互動

How Web Applications Work

SQL Injection and Server-side Technologies

  • Server-side Technology: Powerful server-side technologies like ASP.NET and database servers allow developers to create dynamic, data-driven websites with incredible ease.
  • Exploit: The power of ASP.NET and SQL can easily be exploited by hackers using SQL injection attacks.
  • Susceptible Databases: All relational databases, SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL-injection attacks.
  • Attack: SQL injection attacks do not exploit a specific software vulnerability, instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.

Understanding HTTP Post Request

  • When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials.
  • SQL query at the database:
    • select * from Users where (username = 'bart' and password = 'simpson');

Example: Normal SQL Query

Understanding an SQL Injection Query

Understanding an SQL Injection Query - Code Analysis

  • A user enters a user name and password that matches a record in the user's table.
  • A dynamically generated SQL query is used to retrieve the number of matching rows.
  • The user is then authenticated and redirected to the requested page.
  • When the attacker enters blah' or 1=1 -- then the SQL query will look like: SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''
  • Because a pair of hyphens designate the beginning of a comment in SQL, the query simply becomes: SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1
  • string strQry = "DELCET Count(*) FROM Users WHERE UserName='"+ txtUser.Text+ "' AND Password='" + txtPassword.Text + "'";

    + txtUser.Text: 直接串接

Example of a Web App Vulnerable to SQL Injection: BadProductList.aspx

  • This page displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter.
  • Like the previous example (BadLogin.aspx), this code is vulnerable to SQL injection attacks.
  • The executed SQL is constructed dynamically from a user-supplied input.
    //This code is susceptible to SQL injection attacks.
if (txtFilter.Text.Length > 0){
strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + '";
}

+= Dynamic SQL

Example of a Web App Vulnerable to SQL Injection: Attack Analysis

  • ProductId, ProductName, QuantityPerUnit, UnitPrice分別為1, 2, 3, 4
  • 對應至0, username, password, 0這四個,數量要一致

Example of SQL Injection: Updating Table

Example of SQL Injection: Adding New Records

Example of SQL Injection: Identifying the Table Name

Example of SQL Injection: Deleting a Table

  • Attacker Launching SQL Injection:
    • blah'; DROP TABLE Creditcard; --
  • SQL Query Executed:
    • SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; DROP TABLE Creditcard; --

results matching ""

    No results matching ""