Saturday, December 10, 2011

All About SQL Injection

SQL injection!
SQL injection is the most common and videly used exploit by hackers all over the
world...few days back i was just doing some SQL injection test on Indian govt sites,
I was shocked to see how many imp govt sites r open to it....this is a big thread
for us...a malicious hacker can do a lot of harm if he wish to.


* SQL: Server Query Language-used in web applications to interact with databases.
* SQL Injection: Method of exploiting a web application by supplying user input
designed to manipulate SQL database queries.
* "Injection": You enter the injections into an html form which is sent to the web
application. The application then puts you input directly into a SQL query.
In advertantly, this allows you to manipulate to query...


* A background of programming and a general idea of how most hacking methods are done.
see this pic --->


* Hacking a SQL database-driven server (usually only the ones that use unparsed user
 input in database queries). There is still a surprising number of data-driven web
applications on the net that are vulnerable to this type of exploit. Being as typical
as all method, the frequency of possible targets decreases over time as the method
becomes more known. This is one those exploits that aren't easily prevented by a
simple patch but by a competent programmer.

First, let's look at a typical SQL query:
SELECT fieldName1, fieldName2 FROM databaseName WHERE

Now, to dissect...
The red areas is where criterion is inputed. The rest of the query structures the

* SELECT fieldName1, fieldName2 - Specifies the of the names of fields that will
be returned from the database.
* FROM databaseName - Specifies the name of the database to search.
* WHERE restrictionsToFilterWhichEntriesToReturn - Specifies which entries to return.

Here is an example for somebody's login script:

SELECT userAcessFlags FROM userDatabase WHERE userName="(input here)"
AND userPass="(input here)"

The idea is guess what that application's query looks like and input things
designed to return data other than what was intended.

In the example, input like the following could give gain access to the
administrator account:

User: administrator
Pass: " OR ""="

Making the query like this:

SELECT userAcessFlags FROM userDatabase WHERE userName="administrator"
AND userPass="" OR ""=""

As you can see, ""="" (nothing does indeed match nothing)
Note: Injections are rarely as simple as this...

One can be creative and use error messages to your advantadge to access other
databases, fields, and entries. Learn a little SQL to use things like UNION to
merges query results with ones not intended.On the security side, parse user data
and get rid of any extra symbols now that you know how it's done.

The idea in this example is to break out of the quotation marks.
When stuff is inside quotation marks, the stuff isn't processed as code or anything
but as a phrase and what it is.

The password injection was: " OR ""="
What this does is close the string that was started by the quotation mark in the part
userPass=". Once you break out, THEN stuff is considered code. So, I put OR ""="
after I break out of the string. You will notice that it is comparing two quotation
marks with one, but the quotation mark already built in by the application finishes
it so we have this:
userPass="" OR ""=""
Notice how the first and last quotation marks are not colored and are not built in.

Additional notes:
This was just an extremely simplified version and you will probably need to learn a
little SQL to fully understand.

Here are a few SQL terms that do other things:
UNION: You use this to merge the results of one query with another. You may put
things like SELECT after UNION in order to search other databases and stuff.
Sometimes you may need to use ALL in conjuction to break out of certain clauses.
It does no harm so when in doubt you could do something like:
" UNION ALL SELECT 0,'','hash' FROM otherDatabase WHERE userName="admin
The key when using UNION is to make your new query return the same amount of columns
in the same datatype so that you may get the results you want.

:-- This works sometimes to terminate the query so that it ignores to the rest
 of the stuff that might be fed afterwards if you don't like it. For example:
SELECT * FROM userDatabase WHERE userName="admin";--" AND userPass="aH0qcQOVz7e0s"

NOT IN: If you have no idea which record you want you could record cycle
(you request vague info, and you put what you already got in the NOT IN clause so
that you can get the next entry)
SELECT userName userPass FROM userDatabase WHERE userName NOT IN

EXEC: This command should never work, but if it win; you could do anything.
For instance, you could inject something like this:
';EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:

All my examples so far have dealt with read processes. To manipulate a write process,
here is an example for those who know what their doing:
INSERT INTO userProfile VALUES(''+(SELECT userPass FROM userDatabase WHERE
userName='admin')+'' + 'Chicago' + 'male')
This example would theoretically put the admin's password in your profile. 

No comments:

Post a Comment