CEH – SQL Injection Vulnerabilities
Knowledge NET

SQL Injection
• Databases supporting web servers and applications are attractive targets for hackers
• The information contained in these databases can be sensitive and critical to an organization
• A popular and effective attack against database applications on web servers is known as SQL injection
SQL Injection
• This type of attack takes advantage of SQL server vulnerabilities, such as lack of proper input string checking and failure to install critical patches in a timely fashion
• Vulnerabilities arise because the database does not filter escape characters or because the database does not use strong typing, which prohibits input statements from being interpreted as instructions
Preparing for an Attack
• To conduct an SQL injection, a hacker will initially test a database to determine if it is susceptible to such an attack
• One simple approach is to place a single quote character, ', into the query string of a URL
• The desired response is an Open DataBase Connectivity (ODBC) error message that indicates a vulnerability to an SQL injection attack
• A typical ODBC error message is:
   Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
   [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'and'.
   /wasc.asp, line 68
Preparing for an Attack
• It is important to search the returned page for words such as ODBC or syntax
• Testing for vulnerabilities is enhanced by other URL request inputs, such as logins, passwords, or search boxes
• HTML source code might contain FORM tags that support sending a POST command to pass parameters to other ASP pages
• The code between the FORM tags is susceptible to SQL injection testing, such as entering the ' character. A sample of such HTML source code is:
   <FORM action=Search/search.asp method=post>
   <input type=hidden name=C value=D>
   </FORM>
Conducting an Attack
• Enter the following value to log in
   - Login: ron'
   - Login: 1=1--
• Enter the value with a URL
   - http://page/index.asp?id=ron'
   - http://page/index.asp?id=1=1--
• The above two are preliminary examples
• If these inputs produce an error message, the respective site is vulnerable to SQL injection
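A defender's view of the probes above: an added Python example, not part of the slides, that scans constructed web-server log lines for the probe shapes described here (a stray single quote, the -- comment terminator, a UNION SELECT read of INFORMATION_SCHEMA) and reports each with its response status, since a 5xx alongside a probe corresponds to the ODBC error page the slides say is being looked for. The log format, addresses and paths are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed log lines in a minimal "client method target status" form; not a
# real capture. The query strings mirror the probes shown in the slides.
SAMPLE_LOG = """\
10.0.0.5 GET /index.asp?id=20 200
10.0.0.9 GET /index.asp?id=ron' 500
10.0.0.9 GET /index.asp?id=1=1-- 500
10.0.0.9 GET /index.asp?id=20%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES-- 200
10.0.0.7 GET /Search/search.asp?q=o'neil 200
"""

# Probe shapes described in the slides: a stray quote, the -- comment
# terminator, and a UNION SELECT read of INFORMATION_SCHEMA.
PROBE_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("sql-comment", re.compile(r"--")),
    ("union-select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("schema-read", re.compile(r"information_schema", re.I)),
]

def classify_query(raw_query):
    """Names of the probe patterns that match a URL-decoded query string."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in PROBE_PATTERNS if rx.search(decoded)]

def scan_log(text):
    """Return (client, path, status, hits) for each request whose query string
    matches a probe pattern. A lone quote on a 2xx response is still reported,
    tagged only "quote", so the analyst can weigh it: names like O'Neil are a
    common benign source of that signal, whereas a quote or comment terminator
    followed by a 5xx is the error page the slides describe."""
    findings = []
    for line in text.splitlines():
        client, _method, target, status = line.split()
        parts = urlsplit(target)
        hits = classify_query(parts.query)
        if hits:
            findings.append((client, parts.path, int(status), hits))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```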
Conducting an Attack
• The following SQL command shuts down the database
   SELECT * FROM EMP;SHUTDOWN WITH NOWAIT;
• The following command extracts the user name from the database table where the value of the Username field matches the value of the "Username" TextBox
   Statement := "SELECT Username FROM Users WHERE Username = '" + Username + "';"
• Now if the TextBox value is h' or 'y'='y the command will be translated like this
   SELECT Username FROM Users WHERE Username = 'h' or 'y'='y';
• The above command will return the usernames, as 'y'='y' will be evaluated as true
• A variation of the above command is
   select * from emp where empid='E2' or empid is not null or 'd'='d'
Lack of Strong Typing
• If the program is expecting a variable of one type and a variable of a different type is entered, an SQL injection attack can be effected
• For example, in the following code, the value of the variable Employeenum is expected to be a number, so it is concatenated into the statement without quotes
   Statement := "SELECT Employeename FROM Emptable WHERE Employeenum = " + Employeenum + ";"
• However, if a character string is inserted instead, the database could be manipulated. Setting the Employeenum variable equal to the string
   1;DROP TABLE Emptable
• Yields
   Statement := "SELECT Employeename FROM Emptable WHERE Employeenum = 1;DROP TABLE Emptable;"
• A similar example is
   select * from login where uid='u1';drop table login
Union Select Statements
• SQL injection in a URL to learn a table name
   http://page/index.asp?id=20 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
• Wildcard characters are very useful to extract information from a database, but at the same time they are also a source of SQL injection
   "SELECT PartCost, PartName FROM PartsList WHERE PartName LIKE '%" & strPartNameInclude & "%'";
• This UNION statement will provide the broker names for the list of brokers in the first query and the records from the table containing the names of banks providing brokerage services from the UNION statement
   SELECT Broker FROM BrokerList WHERE 1 = 1 UNION ALL SELECT Broker FROM BanksList WHERE 1 = 1;
Extended Stored Procedures
• Extended stored procedures extend the functions available in the SQL Server environment and are useful in setting up and maintaining the database
• Because of vulnerabilities in some of these procedures, these programs can be called to initiate and support SQL injection attacks
   - xp_availablemedia. Provides a list of available computer drives
   - xp_dirtree. Provides a directory tree
   - xp_enumdsn. Identifies server ODBC data sources
   - xp_loginconfig. Provides server security mode data
   - xp_makecab. Supports user generation of a compressed archive of files on the server and files that can be accessed by the server
Server System Tables
SQL Injection Prevention and Remediation
• Allow only known good input.
• Append and prefix quotes to all client inputs.
• Check for accounts with weak or old passwords.
• Check to make sure that numeric inputs are integers before passing them to SQL queries.
• Eliminate unnecessary accounts.
• Employ needed stored procedures with embedded parameters through safe callable interfaces.
• Ensure that patches on the server are up to date and properly installed.
• Limit the use of dynamic SQL queries, if possible.
• Limit user inputs to one query, preventing multi-statement attacks.
• Monitor logging procedures.
• Practice the principle of least privilege regarding access to the data.
• Remove stored procedures that are not needed. Candidates include xp_sendmail, sp_makewebtask, master..xp_cmdshell, and xp_startmail.
• Run database applications from a low-privilege account.
• Sanitize client-supplied input by filtering data according to least privilege, beginning with numbers and letters. If it is necessary to include symbols, they should be converted to HTML substitutes.
• Screen input strings from users and URL parameters to eliminate single and double quotes, semicolons, back slashes, slashes, and similar characters.
• Set appropriate privileges for stored procedures.
• Set security privileges on the database to the least needed.
• Use bound parameters to create an SQL statement with placeholders such as ? for each parameter, compile the statements, and execute the compilation later with actual parameters.
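The concatenation pattern from the Conducting an Attack and Lack of Strong Typing slides beside two of the remedies listed above (bound ? placeholders, and checking that numeric input is an integer before it reaches SQL), as an added Python/sqlite3 example that is not part of the slides. The Users table and its rows are constructed sample data, and SQLite stands in for SQL Server because it runs in-process.

```python
import sqlite3

# Constructed stand-in for the slides' Users / Emptable tables (sample data).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Employeenum INTEGER)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("ron", 1), ("alice", 2), ("bob", 3)])
    return con

def lookup_concat(con, username):
    # Vulnerable: the statement is assembled by string concatenation, the same
    # pattern as Statement := "SELECT ... WHERE Username = '" + Username + "';"
    stmt = "SELECT Username FROM Users WHERE Username = '" + username + "'"
    return [row[0] for row in con.execute(stmt)]

def lookup_bound(con, username):
    # Hardened: the ? placeholder is compiled first and the value is bound as
    # data, so a quote or an OR clause inside it never becomes query text.
    stmt = "SELECT Username FROM Users WHERE Username = ?"
    return [row[0] for row in con.execute(stmt, (username,))]

def is_integer_input(value):
    # "Check to make sure that numeric inputs are integers before passing them
    # to SQL queries": accept only an optional sign followed by decimal digits.
    value = value.strip()
    return value[1:].isdecimal() if value[:1] in "+-" else value.isdecimal()

def lookup_by_num(con, employeenum):
    # Numeric input is validated first and then still bound, not concatenated,
    # so a string such as "1;DROP TABLE Emptable" is rejected before any SQL runs.
    if not is_integer_input(employeenum):
        raise ValueError("Employeenum must be an integer: %r" % employeenum)
    stmt = "SELECT Username FROM Users WHERE Employeenum = ?"
    return [row[0] for row in con.execute(stmt, (int(employeenum),))]

if __name__ == "__main__":
    con = make_db()
    print(lookup_concat(con, "h' or 'y'='y"))   # every row: the tautology wins
    print(lookup_bound(con, "h' or 'y'='y"))    # []: no user has that literal name
    print(lookup_by_num(con, "2"))              # ['alice']
```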
Automated SQL Injection Tools
• Absinthe.
   - This is an automated tool used to implement SQL injections and retrieve data from a web server database.
   - The Absinthe screen interface supports entering target data, such as the URL, web application injectable parameters, cookies, delays, speedups, and injection options.
   - The Absinthe screen interface is shown in the next figure
   (Figure: Absinthe screen interface)
• SSRS.
   - Microsoft SQL Server Resolution Service is susceptible to buffer overflow attacks which can lead to the server executing arbitrary code, elevating privileges, and compromising the web server and database
• Automagic SQL.
   - This is an automated injection tool for use against Microsoft SQL Server that supports applying xp_cmdshell, uploading database files, and identifying and browsing tables in the database
• sqlcmd.
   - This utility supports entering Transact-SQL statements, script files, and system procedures in SQLCMD mode.
   - It replaces the osql utility's functions.
• SQLDict.
   - This application was developed in Visual FoxPro 8.0 and supports access to a variety of relational databases.
   - It provides a common interface to execute SQL commands, implement and test for dictionary attacks, browse and list database tables, display table attributes, and export table attributes.
• Acunetix Web Vulnerability Scanner (WVS).
   - An automated scanner that can work in conjunction with manual utilities to analyze web applications for vulnerabilities; it can be used for penetration testing
• Osql.
   - Although this utility has been replaced by sqlcmd, it is good to be aware of it. Osql interacts with a web server using ODBC and supports entering script files, Transact-SQL statements, and system procedures to the server database.
ASSESSMENT QUESTIONS