Published by Enhelion, 2019-11-21 09:09:57

Module_3

MODULE 3



PERFORMING SQL INJECTIONS



What is an SQL Injection?

SQL Injection is a type of injection attack that makes it feasible to execute malicious SQL
statements. These statements control a database server behind a web application. Attackers
can use SQL Injection vulnerabilities to bypass application security measures. They can bypass
the authentication and authorization of a web page or application and retrieve the content of the
entire SQL database. SQL Injection can also be used to add, modify, and delete records in the
database.

An SQL Injection vulnerability can affect any website or application that uses an SQL database
such as MySQL, Oracle, SQL Server, or others. Hackers may use it to gain unauthorized access to
your sensitive data such as customer information, personal data, intellectual property, trade
secrets, and more. SQL Injection attacks are among the oldest, most prevalent, and most dangerous
web application vulnerabilities.



Why Is an SQL Injection Attack Performed?

SQL Injection can be used to find the credentials of other users in the database, after which the
attacker can impersonate these users. The impersonated user could be a database administrator
with all database privileges.

SQL lets you select and output data from the database. An SQL Injection vulnerability could allow
the attacker to gain complete access to all data in a database server.

SQL also allows you to alter data in a database and add new data. For example, in a financial
application, an attacker could use SQL Injection to alter balances, void transactions, or transfer
money to their account.

SQL can be used to delete records from a database and even drop tables. Even if the administrator
makes database backups, deletion of data could affect application availability until restoration.
Also, backups may not cover the most recent data.

In some database servers, you can access the operating system through the database server. This
may be intentional or accidental. In such a case, an attacker could use an SQL Injection as the
initial vector and then attack the internal network behind a firewall.

How does it work?

To carry out an SQL Injection attack, an attacker must first find vulnerable user inputs within the
web page or web application. A web page or application that has an SQL Injection vulnerability
uses such user input directly in an SQL query. The attacker crafts input content, often called a
malicious payload, which is the key part of the attack. Once the attacker sends this content, the
malicious SQL commands are executed in the database.

SQL is a query language that was designed to manage data stored in relational databases. You
can use it to access, modify, and delete data. Many web applications and websites store all the
data in SQL databases. In some cases, you can also use SQL commands to run operating system
commands.

Simple SQL Injection Example:

The following example shows how an attacker can use an SQL Injection vulnerability to bypass
application security and authenticate as the administrator.

The following script is pseudocode executed on a web server. It is a simple example of
authenticating with a username and a password. The example database has a table
named users with the following columns: username and password.



# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi: the user input is concatenated straight into the SQL text
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

These input fields are vulnerable to SQL Injection. An attacker could use SQL commands in the
input in a way that would alter the SQL statement executed by the database server. For
example, they could use a trick involving a single quote and set the passwd field to:

password' OR 1=1

As a result, the database server runs the following SQL query:

SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

Because of the OR 1=1 statement, the WHERE clause returns the first id from the users table no
matter what the username and password are. The first user id in a database is very often the
administrator. In this way, the attacker not only bypasses authentication but also gains
administrator privileges. Note that the original closing quote is left over at the end of the
injected query above; the attacker can also comment out the rest of the SQL statement, which
discards that leftover and gives further control over how the query executes:

-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite

' OR '1'='1' --

' OR '1'='1' /*

-- MySQL

' OR '1'='1' #

-- Access (using null characters)

' OR '1'='1' %00

' OR '1'='1' %16
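The login from the module's pseudocode, rebuilt as an added example (not code from the module or
from Acunetix) in Python against an in-memory SQLite database with two constructed rows: the
concatenated query beside its parameterized form, so the comment-sequence payload above can be
seen to return the admin's id from the vulnerable query and nothing from the hardened one. The
table layout, sample rows and function names are assumptions for this example, and passwords are
stored in clear text only to mirror the module's table.

```python
import sqlite3

# Constructed sample data for this example: an admin row first, then a normal user.
SAMPLE_USERS = [
    (1, "admin", "S3cret!"),
    (2, "alice", "alicepw"),
]


def make_db():
    """Build an in-memory SQLite database with the module's users table (plus an id column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """The module's pseudocode: user input concatenated straight into the SQL text."""
    sql = ("SELECT id FROM users WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, passwd):
    """Hardened form: a parameterized query. The driver passes the values separately from
    the SQL text, so quotes and comment sequences in the input are never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


def stray_quote_rejected(conn):
    """The module's first payload (password' OR 1=1) leaves the original closing quote
    dangling; SQLite refuses to parse that, which is why the comment sequences matter."""
    try:
        login_vulnerable(conn, "admin", "password' OR 1=1")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both logins with good credentials and with the comment-sequence payload."""
    conn = make_db()
    payload = "' OR '1'='1' --"  # the comment-sequence payload from the module
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "alicepw"),
        "vuln_payload": login_vulnerable(conn, "nobody", payload),   # admin's id: bypass
        "safe_good_creds": login_safe(conn, "alice", "alicepw"),
        "safe_payload": login_safe(conn, "nobody", payload),         # None: no match
        "stray_quote_rejected": stray_quote_rejected(conn),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the payload in the password field, the vulnerable query becomes
`... AND password='' OR '1'='1' --'`: the OR makes the WHERE clause true for every row and the
`--` hides the leftover quote, so the first row (the admin) comes back. The parameterized version
compares the literal payload string against the stored password and finds no row.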

The consequences of SQL Injection

1. Authentication bypass:

If the authentication form of the application is vulnerable to SQL injection, a user may
log into the application without providing proper credentials.

2. Gaining access of unauthorized data:

Through SQL injection, a user may gain access to data to which they are not entitled.

3. Unauthorized data manipulation:

SQL injection may also allow an application user to insert, modify or delete data which they
are not permitted to. This compromises data integrity.

4. Gain administrative privileges:

SQL injection could allow an attacker or a malicious user to gain administrative
privileges on the database or the database server and ultimately perform actions
like shutting down the database. This affects the availability of the database and,
consequently, of the application.

5. Leakage of sensitive information:
Because of SQL injection, a company may lose sensitive information from its database.

6. Reputation decline:

SQL injection can cause the leakage of sensitive and confidential information of the
company, because of which the company may lose its reputation among its customers
as well as in the IT world.

7. Denial of Service:
SQL injection may also lead to Denial of Service.



Prevention against SQL injection

The most important precautions, which should already be in place, are data sanitization and
validation. Sanitization usually involves running any submitted data through a function (such as
MySQL's mysql_real_escape_string() function) to ensure that dangerous characters (such as the
single quote) are not passed into an SQL query as data.

Validation is a bit different. It attempts to ensure that the data submitted is in the form that is
expected. At the most basic level this includes ensuring that e-mail addresses contain an "@"
sign, that only digits are supplied when integer data is expected, and that the length of a piece
of data submitted is no longer than the maximum expected length. Validation is usually carried
out in two ways: by blacklisting dangerous or unwanted characters (although hackers can often
get around blacklists) and by whitelisting only those characters that are allowed in a given
circumstance, which can involve more work on the part of the programmer. Although validation
may take place on the client side, hackers can modify or get around this, so it is essential that
you also validate all data on the server side.

Here are ten ways you can help prevent or mitigate SQL injection attacks:

1. Trust no-one: Assume all user-submitted data is tainted and validate and sanitize
everything.

2. Don't use dynamic SQL when it can be avoided: use prepared statements,
parameterized queries or stored procedures instead whenever possible.

3. Update and patch: vulnerabilities in applications and databases that hackers can exploit
using SQL injection are regularly discovered, so it's vital to apply patches and updates as
soon as practical.

4. Firewall: Consider a web application firewall (WAF), either software or appliance based,
to help filter out malicious data. Good firewalls will have a comprehensive set of default
rules and make it easy to add new ones whenever necessary. A WAF can be particularly
useful to provide some security protection against a particular new vulnerability before
a patch is available.

5. Reduce your attack surface: Get rid of any database functionality that you don't need, to
prevent a hacker taking advantage of it. For example, the xp_cmdshell extended stored
procedure in MS SQL spawns a Windows command shell and passes in a string for
execution, which could be very useful indeed for a hacker. The Windows process
spawned by xp_cmdshell has the same security privileges as the SQL Server service
account.

6. Use appropriate privileges: Unless there is a compelling reason, don't connect to your
database using an account with admin-level privileges. Using a limited access account is
far safer, and can limit what a hacker is able to do.

7. Keep your secrets secret: Assume that your application is not secure and act accordingly
by encrypting or hashing passwords and other confidential data including connection
strings.

8. Don't divulge more information than you need to: hackers can learn a great deal about
database architecture from error messages, so ensure that they display minimal
information. Use the "RemoteOnly" customErrors mode (or equivalent) to display
verbose error messages on the local machine while ensuring that an external hacker
gets nothing more than the fact that their actions resulted in an unhandled error.

9. Don't forget the basics: Regularly change the passwords of application accounts in the
database. Although it is common sense, in practice these passwords often stay
unchanged for months or even years.

10. Buy better software: Before the software is delivered, make code writers responsible
for checking the code and for fixing security flaws in custom applications.
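The server-side validation described above (allowlisting, digit-only integers, length limits) and
the minimal-error-message advice of item 8, combined in one added example that is not code from
the module or its sources. Field names, the regular expressions, the length limit, the logger name
and the in-memory SQLite table are all assumptions made for this example; the e-mail pattern is a
shape check, not a full RFC 5322 validator.

```python
import logging
import re
import sqlite3

log = logging.getLogger("app")  # hypothetical application logger (server side only)

MAX_LEN = 64                                          # assumed maximum length for any text field
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")   # allowlist: only these characters
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # basic shape check for e-mail addresses
INT_RE = re.compile(r"^[0-9]+$")                      # ASCII digits only
GENERIC_ERROR = "The request could not be processed."  # all an external caller ever sees


class ValidationError(ValueError):
    """Raised when input does not match the expected shape."""


def validate_length(value):
    if len(value) > MAX_LEN:
        raise ValidationError("field exceeds maximum length")
    return value


def validate_username(value):
    validate_length(value)
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username contains characters outside the allowlist")
    return value


def validate_email(value):
    validate_length(value)
    if not EMAIL_RE.fullmatch(value):
        raise ValidationError("malformed e-mail address")
    return value


def validate_int(value, minimum=1):
    """Accept only a string of digits and return an int, so no SQL text is ever built from it."""
    validate_length(value)
    if not INT_RE.fullmatch(value):
        raise ValidationError("expected an integer")
    number = int(value)
    if number < minimum:
        raise ValidationError("integer below permitted minimum")
    return number


def is_valid(validator, value):
    """True if the validator accepts the value, False if it raises ValidationError."""
    try:
        validator(value)
        return True
    except ValidationError:
        return False


def make_db():
    """Constructed in-memory users table for the lookup below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "alice")])
    conn.commit()
    return conn


def lookup_user(conn, raw_id):
    """Validate first, then query with a parameter. Whatever goes wrong, the caller gets
    GENERIC_ERROR while the detail goes to the server log (the RemoteOnly idea of item 8)."""
    try:
        user_id = validate_int(raw_id)
        row = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    except ValidationError as exc:
        log.warning("rejected input %r: %s", raw_id, exc)
        return {"ok": False, "error": GENERIC_ERROR}
    except sqlite3.Error as exc:
        log.error("database error for id %r: %s", raw_id, exc)
        return {"ok": False, "error": GENERIC_ERROR}
    if row is None:
        return {"ok": False, "error": "No such user."}
    return {"ok": True, "username": row[0]}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    conn = make_db()
    for raw in ("1", "1 OR 1=1", "999"):
        print(raw, "->", lookup_user(conn, raw))
```

The integer check matters most for numeric contexts, where escaping quotes alone does nothing
because the injected text needs no quote; the allowlist regexes reject the quote and comment
characters used in the payloads earlier in the module before any query is built, and the
parameterized lookup is the second line of defence if a check is ever missed.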





References:

What is SQL Injection and How to Prevent it - Acunetix
https://www.acunetix.com/websitesecurity/sql-injection/

What is use for SQL Injection? - Query Home
https://www.queryhome.com/tech/171652/what-is-use-for-sql-injection?state=answer

10 ways to prevent or mitigate SQL Injection Attacks - Paul Rubens
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3866756/10-Ways-to-Prevent-or-Mitigate-SQL-Injection-Attacks.htm

