13.1 SQL Injection Concepts
What is SQL Injection?
- SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
- SQL injection is a basic attack used to either gain unauthorized access to a database or to retrieve information directly from the database.
- It is a flaw in web applications and not a database or web server issue.
SQL commands used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE.
Why Bother about SQL Injection?
- Depending on the application and the way it processes user-supplied data, SQL injection can be used to carry out the attacks listed below:
- Authentication Bypass: Using this attack, an attacker logs onto an application without providing a valid user name and password and gains administrative privileges.
- Information Disclosure: Using this attack, an attacker obtains sensitive information that is stored in the database.
- Compromised Data Integrity: An attacker uses this attack to deface a web page, insert malicious content into web pages, or alter the contents of a database.
- Compromised Availability of Data: Attackers use this attack to delete database information, or to delete log or audit information that is stored in a database.
- Remote Code Execution: It helps an attacker compromise the host OS.
- MSSQL, MySQL, PostgreSQL: these can interact with the host OS.
How Web Applications Work
SQL Injection and Server-side Technologies
- Server-side Technology: Powerful server-side technologies like ASP.NET and database servers allow developers to create dynamic, data-driven websites with incredible ease.
- Exploit: The power of ASP.NET and SQL can easily be exploited by hackers using SQL injection attacks.
- Susceptible Databases: All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL injection attacks.
- Attack: SQL injection attacks do not exploit a specific software vulnerability, instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.
Understanding HTTP Post Request
- When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials.
- SQL query at the database:
select * from Users where (username = 'bart' and password = 'simpson');
Example: Normal SQL Query
Understanding an SQL Injection Query
Understanding an SQL Injection Query - Code Analysis
- A user enters a user name and password that matches a record in the Users table.
- A dynamically generated SQL query is used to retrieve the number of matching rows.
- The user is then authenticated and redirected to the requested page.
- When the attacker enters
blah' or 1=1 --
then the SQL query will look like:
SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''
- Because a pair of hyphens designates the beginning of a comment in SQL, the query simply becomes:
SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1
string strQry = "SELECT Count(*) FROM Users WHERE UserName='"
    + txtUser.Text
    + "' AND Password='" + txtPassword.Text + "'";
- + txtUser.Text: the user input is concatenated directly into the query string.
Example of a Web App Vulnerable to SQL Injection: BadProductList.aspx
- This page displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter.
- Like the previous example (BadLogin.aspx), this code is vulnerable to SQL injection attacks.
- The executed SQL is constructed dynamically from a user-supplied input.
//This code is susceptible to SQL injection attacks.
if (txtFilter.Text.Length > 0)
{
    strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
}
- +=: the filter is appended to dynamic SQL that is built at runtime.
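Both vulnerable snippets above (BadLogin.aspx and BadProductList.aspx) share one defect: user input becomes part of the SQL text. The following added example, written in Python against an in-memory SQLite database (it is not code from the course material; the table names, columns and rows are constructed for illustration), rebuilds each query in its concatenated form and beside it the parameterized form, so the effect of the blah' or 1=1 -- input can be compared directly.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Users and Products tables.

    Table names, columns and rows are illustrative only (assumption).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (UserName TEXT, Password TEXT);
        INSERT INTO Users VALUES ('bart', 'simpson'), ('lisa', 'saxophone');
        CREATE TABLE Products (ProductName TEXT, UnitPrice REAL);
        INSERT INTO Products VALUES ('Chai', 18.0), ('Chang', 19.0), ('Tofu', 23.25);
    """)
    return conn


def count_users_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> int:
    # Same construction as BadLogin.aspx: the input becomes part of the SQL
    # text, so a quote plus a comment marker in it rewrites the WHERE clause.
    sql = ("SELECT Count(*) FROM Users WHERE UserName='" + user
           + "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_users_safe(conn: sqlite3.Connection, user: str, password: str) -> int:
    # Parameterized form: the SQL text is fixed and the values are bound
    # separately, so the input is only ever compared as a string literal.
    sql = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user, password)).fetchone()[0]


def filter_products_vulnerable(conn: sqlite3.Connection, flt: str) -> list:
    # Same construction as BadProductList.aspx: the LIKE pattern is appended
    # to dynamic SQL with +=.
    sql = "SELECT ProductName FROM Products"
    if len(flt) > 0:
        sql += " WHERE ProductName LIKE '" + flt + "'"
    sql += " ORDER BY ProductName"
    return [row[0] for row in conn.execute(sql)]


def filter_products_safe(conn: sqlite3.Connection, flt: str) -> list:
    # The pattern is still user-controlled (wildcards are allowed by design),
    # but it can no longer change the structure of the statement.
    sql = "SELECT ProductName FROM Products"
    params: tuple = ()
    if len(flt) > 0:
        sql += " WHERE ProductName LIKE ?"
        params = (flt,)
    sql += " ORDER BY ProductName"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    bypass = "blah' or 1=1 --"
    print("vulnerable login :", count_users_vulnerable(db, bypass, ""))  # 2: every row matches
    print("parameterized    :", count_users_safe(db, bypass, ""))        # 0: no such user
    print("vulnerable filter:", filter_products_vulnerable(db, "x' OR '1'='1"))  # all products
    print("parameterized    :", filter_products_safe(db, "x' OR '1'='1"))        # []
```

The point to take from the two filter functions is that the fix is not to strip quotes from the input: the parameterized LIKE still accepts any pattern, including % wildcards, but the pattern is bound as data and so cannot add an OR or a comment to the statement. The same ? placeholders are available as SqlParameter objects in ADO.NET for the ASP.NET code shown in the notes.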
Example of a Web App Vulnerable to SQL Injection: Attack Analysis
- ProductId, ProductName, QuantityPerUnit, UnitPrice are columns 1, 2, 3 and 4 of the product query.
- The injected query maps 0, username, password, 0 onto these four columns; the number of columns must match.
Example of SQL Injection: Updating Table
Example of SQL Injection: Adding New Records
Example of SQL Injection: Identifying the Table Name
Example of SQL Injection: Deleting a Table
- Attacker Launching SQL Injection:
blah'; DROP TABLE Creditcard; --
- SQL Query Executed:
SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; DROP TABLE Creditcard; --'
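The DROP TABLE example above depends on two things besides the concatenation flaw: the database API must be willing to run a second, stacked statement, and the account the web application connects with must hold the DROP privilege. The following added example (not code from the course material; table names and rows are constructed, and SQLite's authorizer hook is used as a stand-in for a least-privilege database account) runs the notes' input through Python's sqlite3 module both ways, so that the two defensive layers can be seen working, or not, independently of the parameterization fix.

```python
import sqlite3

# The input from the notes. Table names below are constructed stand-ins
# for the members and Creditcard tables (assumption).
PAYLOAD = "blah'; DROP TABLE Creditcard; --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (email TEXT, passwd TEXT);
        INSERT INTO members VALUES ('bart@example.com', 'simpson');
        CREATE TABLE Creditcard (number TEXT);
        INSERT INTO Creditcard VALUES ('4111-xxxx-xxxx-1111');
    """)
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def build_query(email: str) -> str:
    # Same concatenation flaw as the notes' query; only the column list differs.
    return "SELECT email FROM members WHERE email = '" + email + "'"


def run_single_statement(email: str) -> tuple:
    """Run the concatenated text through execute(), which accepts one statement.

    Returns (outcome, whether Creditcard still exists).
    """
    conn = make_db()
    try:
        conn.execute(build_query(email)).fetchall()
        outcome = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3 refuses text that contains a second statement; older Python
        # versions report this as sqlite3.Warning rather than ProgrammingError.
        outcome = "rejected"
    return outcome, table_exists(conn, "Creditcard")


def deny_drop_table(action, arg1, arg2, dbname, source):
    # SQLite authorizer callback: veto DROP TABLE whatever the SQL text says.
    if action == sqlite3.SQLITE_DROP_TABLE:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def run_as_script(email: str, restrict: bool) -> tuple:
    """Run the same text through executescript(), which does run stacked statements.

    restrict=True installs the authorizer, the SQLite analogue of connecting
    with a database account that holds no DROP privilege.
    Returns (outcome, whether Creditcard still exists).
    """
    conn = make_db()
    if restrict:
        conn.set_authorizer(deny_drop_table)
    try:
        conn.executescript(build_query(email))
        outcome = "executed"
    except sqlite3.DatabaseError:
        # The SELECT ran, then preparing DROP TABLE failed with "not authorized".
        outcome = "denied"
    return outcome, table_exists(conn, "Creditcard")


if __name__ == "__main__":
    print("execute():                ", run_single_statement(PAYLOAD))        # ('rejected', True)
    print("executescript():          ", run_as_script(PAYLOAD, False))         # ('executed', False)
    print("executescript()+authorizer", run_as_script(PAYLOAD, True))          # ('denied', True)
```

Neither layer replaces parameterized queries: the single-statement API still lets the attacker's quote rewrite the WHERE clause, and the authorizer only blocks what it is told to block. Both, however, reduce the impact of the flaw the notes describe, which is why a production deployment grants the application account only the SELECT, INSERT, UPDATE and DELETE rights it needs and uses a driver call that executes exactly one statement.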