how to hack a web site written in ASP. For example a web page let you input a date and access a database to retrieve your billing history. In order to do that the web page will need to construct a SQL statement to pass to the database. The SQL statement could be like this
Select BillingDate, Amount, Description From BillingTable Where UserName= ‘YourUserName’ and Date= ‘InputDate’
The web page could construct the SQL statement by concatenating
Select BillingDate, Amount, Description From BillingTable Where UserName= ‘You’ and Date=’ with the date you input and then concatenating a single quote
In that case if the hacker knows that your database has a table called Users and there is LoginName and Password field. He can pass this as the input date.
4/20/2008′ union select ‘ ’ , ‘ ’, LoginName + ‘ ’ + Password from User - -
The two dashes at the end tell SQL server to ignore the last single quote concatenated to the statement. Essentially the statement constructed not only display the billing history but also display all users login.
Of course a hacker can only do this if the web site doesn’t do validity check on the date input. If that is the case this security hole is in fact open up the entire database to the hacker because it can use it to query your system tables and discover your database structure.
Wednesday, December 8, 2010
Thursday, December 2, 2010
SQL Injection
SQL is a language that is used to query, operate, and administer database systems such as Microsoft SQL Server, Oracle, or MySQL. The general use of SQL is consistent across all database systems that support it; however, there are intricacies that are particular to each system.
Database systems are commonly used to provide backend functionality to many types of web applications. In support of web applications, user-supplied data is often used to dynamically build SQL statements that interact directly with a database. A SQL injection attack is an attack that is aimed at subverting the original intent of the application by submitting attacker-supplied SQL statements directly to the backend database. Depending on the web application, and how it processes the attacker-supplied data prior to building a SQL statement, a successful SQL injection attack can have far-reaching implications. The possible security ramifications range from authentication bypass to information disclosure to enabling the distribution of malicious code to application users.
This whitepaper will describe SQL injection attacks, how they are performed, and precautions that should be taken inside applications or networks to reduce risks that are associated with SQL injection attacks.
The string of two dash characters (--) that appears in the crafted input is very important; it indicates to the database server that the remaining characters in the SQL statement are a comment and should be ignored. This capability is one of the most important tools that is available to an attacker and without it, it would be difficult to ensure that the malicious SQL statements were syntactically correct.
Although the crafted field, which is the username field in the previous example, must be tailored to the vulnerable application, a large set of documented strings that are readily available on the Internet have proven successful at enabling SQL injection attacks. The previous example may be simplistic, but it illustrates the effectiveness of SQL injection attack techniques.
One example of the Blind SQL Injection technique is the introduction of a delay as part of a malicious SQL statement. Depending on the database software in use, an attacker could build a SQL statement that is designed to cause a database server to perform a time-consuming action. With the MySQL database software, it may be possible to craft a SQL statement using the sleep() function. For example, incorporating sleep(10) into a malicious query will create a 10-second delay. An attacker could induce a recognizable delay on database servers that do not contain the sleep() function by executing an operating system command or time-consuming sub-query or attempting to establish an outbound HTTP connection. Should the time-consuming SQL statement be executed, the web application may take noticeably longer to respond than is typical. This method allows attackers to determine whether their SQL statements are being executed with some level of certainty.
Second Order SQL Injection attacks involve user-submitted data that is first stored in the database, then retrieved and used as part of a vulnerable SQL statement. This class of vulnerability is more difficult to locate and exploit, but Second Order SQL Injection attacks justify data validation prior to the execution of all SQL statements in an application, as well as the comprehensive use of parameterized queries.
Database systems are commonly used to provide backend functionality to many types of web applications. In support of web applications, user-supplied data is often used to dynamically build SQL statements that interact directly with a database. A SQL injection attack is an attack that is aimed at subverting the original intent of the application by submitting attacker-supplied SQL statements directly to the backend database. Depending on the web application, and how it processes the attacker-supplied data prior to building a SQL statement, a successful SQL injection attack can have far-reaching implications. The possible security ramifications range from authentication bypass to information disclosure to enabling the distribution of malicious code to application users.
This whitepaper will describe SQL injection attacks, how they are performed, and precautions that should be taken inside applications or networks to reduce risks that are associated with SQL injection attacks.
SQL Injection Explained
A SQL injection attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks.Ramifications of Successful SQL Injection Attacks
Although the effects of a successful SQL injection attack vary based on the targeted application and how that application processes user-supplied data, SQL injection can generally be used to perform the following types of attacks:- Authentication Bypass: This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.
- Information Disclosure: This attack allows an attacker to obtain, either directly of indirectly, sensitive information that is contained in a database.
- Compromised Data Integrity: This attack involves the alteration of the contents of a database. An attacker could use this attack to deface a web page or more likely to insert malicious content into otherwise innocuous web pages. This technique has been demonstrated via the attacks that are described in Mass exploits with SQL Injection at the SANS Internet Storm Center.
- Compromised Availability of Data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information that is contained in a database.
- Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution. The most recognized variety of this attack uses the xp_cmdshell stored procedure that is common to Microsoft SQL Server installations or leverages the ability to create an external procedure call on Oracle databases.
An Example of SQL Injection for Authentication Bypass
One of the many possible uses for SQL injection involves bypassing an application login process. The following example illustrates the general operation of a SQL injection attack. The following HTML form solicits login information from an application user. Although this example uses an HTTP POST request, an attacker could also use HTML forms that utilize the HTTP GET method. <form action="/cgi-bin/login" method=post>
Username: <input type=text name=username>
Password: <input type=password name=password>
<input type=submit value=Login>When a user enters his or her information into this form and clicks Login, the browser submits a string to the web server that contains the user's credentials. This string appears in the body of the HTTP or HTTPS POST request as:username=submittedUser&password=submittedPassword
select * from Users where (username = 'submittedUser' and password = 'submittedPassword');
username=admin%27%29+--+&password=+select * from Users where (username = 'admin') -- and password = ' ');
The string of two dash characters (--) that appears in the crafted input is very important; it indicates to the database server that the remaining characters in the SQL statement are a comment and should be ignored. This capability is one of the most important tools that is available to an attacker and without it, it would be difficult to ensure that the malicious SQL statements were syntactically correct.
Although the crafted field, which is the username field in the previous example, must be tailored to the vulnerable application, a large set of documented strings that are readily available on the Internet have proven successful at enabling SQL injection attacks. The previous example may be simplistic, but it illustrates the effectiveness of SQL injection attack techniques.
Blind and Second Order SQL Injection
In situations where data from a backend SQL database is not returned directly to the user or attacker, it may be necessary for an attacker to utilize the Blind SQL Injection technique. With this technique, an attacker can determine whether a SQL statement was executed using means other than the direct presentation of data. Using Blind SQL injection, an attacker could perform reconnaissance, obtain sensitive information, or alter database contents, including authentication credentials.One example of the Blind SQL Injection technique is the introduction of a delay as part of a malicious SQL statement. Depending on the database software in use, an attacker could build a SQL statement that is designed to cause a database server to perform a time-consuming action. With the MySQL database software, it may be possible to craft a SQL statement using the sleep() function. For example, incorporating sleep(10) into a malicious query will create a 10-second delay. An attacker could induce a recognizable delay on database servers that do not contain the sleep() function by executing an operating system command or time-consuming sub-query or attempting to establish an outbound HTTP connection. Should the time-consuming SQL statement be executed, the web application may take noticeably longer to respond than is typical. This method allows attackers to determine whether their SQL statements are being executed with some level of certainty.
Second Order SQL Injection attacks involve user-submitted data that is first stored in the database, then retrieved and used as part of a vulnerable SQL statement. This class of vulnerability is more difficult to locate and exploit, but Second Order SQL Injection attacks justify data validation prior to the execution of all SQL statements in an application, as well as the comprehensive use of parameterized queries.
Subscribe to:
Posts (Atom)
