SQL Injection
Error-based SQL Injection
Error-based SQL Injection
• Typical modern Web application
  [Diagram: Client -> Web Server -> Database Server]
• Web Server may host eBusiness applications
• Database Server hosts databases including customer accounts, payment info, etc.
Error-based SQL Injection
• Typical user login (authentication)
  [Diagram: Client -(1)-> Web Server -(2)-> Database Server -(3)-> Web Server -(4)-> Client]
• (1) Client submits login request (username and password)
• (2) Web application “sanitizes” the login request and creates an SQL query that is passed to the Database Server
• (3) The Database Server replies
• (4) The Web app authenticates the user or sends an error message
SQL Injection
• An SQL query asking if there is a matching pair of username and password looks like:
  SELECT id FROM users WHERE username = 'aillia' AND password = 'xyx@#$'
• This SQL query should return a result like this:
  Row  id
  1    154
• SQL has a syntax. Using special characters including single quotes to pass values like 'aillia' is part of the syntax
• SQL Injection is a result of breaking SQL syntax (e.g. misusing the special characters) and bad programming.
SQL Injection
• Breaking SQL syntax generates runtime errors
• Runtime errors play a key role in SQL Injection
• Example of SQL query with broken syntax:
  SELECT id FROM users WHERE username = 'aillia ' 'AND password = 'xyx@#$'
• Example of runtime error:
  msg ORA-00103, Level 15, Row 1, Line 1
  Incorrect syntax near = 'xyx@#$'
  msg ORA-00105, Level 15, Row 1, Line 1
  Unclosed quotations after string '' .
SQL Injection
• In order for SQL Injections to succeed, …
• Attackers must break SQL syntax by “smuggling” special characters in SQL queries they type in online forms.
• The poisonous SQL must modify the Web application behavior to make it do what the attacker wants.
• Example: entering aillia ' in the username field
• Error message shown in the attacker's browser with part of the SQL query revealed:
  Oracle Enterprise 9g error '80040e14'
  Unclosed quotation mark after the character string like 'aillia' AND cust_password = ' ' .
  /portal/default.asp, line 20
SQL Injection
• Once the attacker gets a runtime error message revealing part of the SQL query, it’s an indication that there is a “hole” in the Web application
• The attacker can then try to bypass the authentication by entering something like this at login:
  aillia ' OR 1=1 --
• As a result, the user may be authenticated as the first user from the top of the list (first row):
  Row  id
  1    154
SQL Injection: What happens behind the scenes
• Attacker’s login (aillia ' OR 1=1 -- ) becomes:
  SELECT id FROM users WHERE username = 'aillia ' OR 1=1 -- AND password = 'xxxxx'
  which is a “true” statement because:
• 1 = 1 is True and
• -- is a symbol used for comments in SQL syntax.
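The login check from the preceding slides, written out both ways: the string-built query that the slides describe (any quote or comment marker typed into the form becomes SQL syntax, and the engine's error text is handed straight back) and the same check with bound parameters, where the driver sends the values separately from the SQL text and the login fails without leaking the error. This is an added example, not code from the slides; it uses Python's sqlite3 module with a constructed in-memory users table (ids and names made up here), and login_vulnerable, login_parameterized and make_db are names chosen for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite stand-in for the slides'
    'users' table. Ids 154/155 and the names are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(154, "admin", "s3cret"), (155, "aillia", "xyx@#$")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the slides show: the query text is glued together from
    user input. A quote closes the literal early, '--' comments out the rest,
    and a syntax error surfaces as the engine's own message to the caller."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Returning the engine's message is what reveals the query shape
        # to whoever typed the input (the slides' "error-based" step).
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the SQL text is fixed, the values
    are compared as data, so "aillia ' OR 1=1 -- " is just an odd username.
    Errors are reported generically; detail belongs in server-side logs."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(query, (username, password)).fetchone()
    except sqlite3.Error:
        return ("error", "login failed")
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the slides: a normal login, the unclosed quote, the OR 1=1 bypass.
    for user, pw in [("aillia", "xyx@#$"), ("aillia '", "pw"), ("aillia ' OR 1=1 -- ", "x")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "parameterized:", login_parameterized(db, user, pw))
```

With the concatenated query the bypass input authenticates as the first row (id 154) and the lone quote returns the engine's syntax error; with bound parameters both inputs are simply denied. The defensive points to take from it are the two the slides imply: never build SQL from request strings, and never return raw database errors to the client.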
SQL Injection: determining the DBMS version
• To get the DBMS version, the attacker may enter the following at login:
  aillia ' OR 1=(SELECT @@version) --
• The result may be an error message like the following that can reveal the DBMS version:
  Error when converting the nvarchar value Oracle Enterprise 10g Release 2: 10.2.0.1-2010 on Windows 2003 Server R2 to data type int.
  /portal/default.asp, line 20
SQL Injection: Extracting data from a database
• To extract multiple rows from the database, the attacker may enter the following at login:
  aillia ' OR 1=(SELECT top 1 name FROM master..sysdatabases WHERE name NOT IN (SELECT top 0 name FROM master..sysdatabases)) --
• The result may be an error message revealing more data.
• But to automate extraction of more data, tools like Burp Suite or SQL Map
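The version probe and the row-by-row extraction above both depend on the same two things a defender can see in logs: request parameters carrying a quote followed by an SQL keyword or comment marker, and responses that echo a database error back to the client. The following scanner, added here as an example and not part of the slides, runs those checks over a few constructed log lines in a made-up "METHOD path status "body-snippet"" format; the patterns, the log format and the function names parse_line and scan are assumptions of this example, and the error strings it looks for are the ones quoted on the slides.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the slides): method, path with query
# string, HTTP status, and a quoted snippet of the response body.
SAMPLE_LOG = [
    'POST /portal/default.asp?user=aillia&pw=xyx 200 "Welcome"',
    'POST /portal/default.asp?user=aillia+%27&pw=x 500 '
    '"Unclosed quotation mark after the character string"',
    'POST /portal/default.asp?user=aillia+%27+OR+1%3D1+--&pw=x 200 "Welcome"',
    'POST /portal/default.asp?user=aillia+%27+OR+1%3D(SELECT+%40%40version)+--&pw=x 500 '
    '"Error when converting the nvarchar value"',
]

LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<body>.*)"$')

# Request-side indicators: the shapes used on the slides (quote + keyword,
# comment marker, @@version probe). Checked on the URL-decoded query string.
REQUEST_PATTERNS = {
    "quote_then_keyword": re.compile(r"'\s*(or|and|union|select)\b", re.I),
    "sql_comment": re.compile(r"--|/\*"),
    "version_probe": re.compile(r"@@version", re.I),
}

# Response-side indicator: a database error message reached the client.
# The strings are those quoted on the slides; ORA-nnnnn covers the Oracle form.
RESPONSE_PATTERNS = {
    "db_error_leaked": re.compile(
        r"unclosed quotation|incorrect syntax near|error when converting|ORA-\d{5}", re.I
    ),
}


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not
    match the assumed format. The query string is URL-decoded once so that
    %27 and + are inspected as the quote and space the database would see."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["query"] = unquote_plus(record["path"].partition("?")[2])
    return record


def scan(lines):
    """Return [(line_index, [reason, ...]), ...] for every line that trips a
    request-side or response-side indicator; clean lines are omitted."""
    findings = []
    for index, line in enumerate(lines):
        record = parse_line(line)
        if record is None:
            continue
        reasons = [name for name, pat in REQUEST_PATTERNS.items() if pat.search(record["query"])]
        reasons += [name for name, pat in RESPONSE_PATTERNS.items() if pat.search(record["body"])]
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG):
        print(index, SAMPLE_LOG[index].split(" ", 2)[1], reasons)
```

Note that the second sample line is flagged only by the response side: a single stray quote in a parameter is not by itself a reliable request indicator, but a 500 whose body contains "Unclosed quotation mark" is exactly the leak the slides describe, which is why response-side matching belongs in the rule alongside the request-side patterns.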