Web applications attacks/SQL injection

From aldeid

Description

Overall definition

SQL injection is certainly the most dangerous attack on web applications. Indeed, it makes it possible to gather critical data and to update and delete data in a database. Hackers exploit vulnerabilities in web forms to inject content that modifies the expected behavior of SQL requests. Suppose you have an authentication form that is programmed as follows:

Basic example 1

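<?php
  // Deliberately vulnerable login check used to demonstrate SQL injection.
  // The mysql_* functions were removed in PHP 7; the code is kept as on the original page.
  mysql_connect('localhost', 'test', 'test');
  mysql_select_db('test');
  if(isset($_POST['username']) && isset($_POST['password'])) {
    // User input is concatenated into the SQL string without any escaping.
    $sql = "SELECT username
            FROM   user
            WHERE  username='".$_POST['username']."'
            AND    password='".$_POST['password']."'";
    // Display the final request so that the effect of the injection is visible.
    echo("<div>$sql</div>");
    $query = mysql_query($sql);
    // Only the first returned row is used to decide whether access is granted.
    $result = mysql_fetch_row($query);
    if(is_array($result)) {
        echo("<p>Access granted as ".$result[0]."</p>");
    } else {
        echo("<p>Invalid credentials</p>");
    }
  }
?>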

<form method="post" action="test.php">
  <div>Username: <input type="text" name="username" /></div>
  <div>Password: <input type="password" name="password" /></div>
  <div><input type="submit" value="Go" /></div>
</form>

The initial request expects two arguments (username and password) as follows:

SELECT username
FROM   user
WHERE  username='myusername'
AND    password='mypassword'

This request only returns results if a record matching the provided credentials exists in the USER table.

But by injecting 'or 'a'='a in both fields (username and password), the request becomes:

SELECT username
FROM   user
WHERE  username=''or 'a'='a'
AND    password=''or 'a'='a'

The WHERE condition is now always true, so the request returns the first login found in the USER table. This technique is called SQL injection.

Basic example 2

If a hacker now injects the following content:

  • username: admin'#
  • password: whatever

The request becomes:

SELECT username FROM user WHERE username='admin'#' AND password='whatever'

The sharp symbol (#) indicates that everything that follows it on the line is a comment. The request will then only test the username, and the hacker won't have to provide a valid password to be granted access.

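However, for this attack to succeed, the request needs to be on one line. If the request is spread over several lines in the source code, the attack will fail, because the comment only extends to the end of the current line and a password test on a following line still applies.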

Why do SQL injections work?

Because:

  • SQL injection vulnerabilities are common and well documented on the Internet
  • Many applications consider database content as trusted and fail to properly escape it.

Examples

Basic SQL injections

Basic SQL injections make it possible to bypass unprotected forms.

UNION ALL SELECT injection

Another kind of SQL injection is based on the "UNION ALL SELECT" SQL statement. It makes it possible to concatenate the results from the normal/expected table with the results from another table.

Blind SQL injection

Persistent SQL injections

Escalation

SQL injections may enable one to completely take control of the machine:

Protection

  • Don't trust data from your database; it could have been compromised.
  • Validate and sanitize, on the server side, the data sent from the browser.
  • Enforce coding standards: use prepared statements and stored procedures to avoid SQL injections.
  • Use the mysql_real_escape_string() function.
  • Use whitelist input validation.
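
The login check from Basic example 1 next to a version that uses a prepared statement, as an added example that is not part of the original page. It assumes PDO with an in-memory SQLite database standing in for the MySQL user table; the function names login_vulnerable and login_prepared and the sample rows are hypothetical.

```php
<?php
// Added example, not from the original page. An in-memory SQLite database
// (assumption) stands in for the MySQL `user` table; the rows are constructed.
// Passwords are stored in plain text only to mirror the table used on the page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)");
$db->exec("INSERT INTO user VALUES ('admin', 's3cret'), ('alice', 'wonderland')");

// Vulnerable form from Basic example 1: input is concatenated into the SQL text.
function login_vulnerable(PDO $db, string $username, string $password): ?string {
    $sql = "SELECT username FROM user WHERE username='" . $username . "'
            AND password='" . $password . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Hardened form: the SQL text is fixed and the input is bound as data only.
function login_prepared(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare(
        "SELECT username FROM user WHERE username = :u AND password = :p"
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

$payload = "'or 'a'='a";      // the input shown in Basic example 1
$cases = [
    ['admin', 's3cret'],      // valid credentials
    ['admin', 'wrong'],       // wrong password
    [$payload, $payload],     // injected input in both fields
];
foreach ($cases as [$u, $p]) {
    printf("%-12s vulnerable=%-8s prepared=%s\n", $u,
        var_export(login_vulnerable($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```

Against MySQL the same functions work with a mysql: DSN; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements instead of client-side emulation.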

Tools

  • Absinthe is a tool that automates the reverse-engineering of databases, based on a variety of SQL injections.
  • GoogleHacks: the famous GHDB from Johnny Long
  • Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it has detected one or more SQL injections on the target host, it is possible to perform an extensive back-end database management.
  • Arachni is a fast asynchronous Web Application Security Scanner that detects, among others, SQL injections.
  • Darkjumper will try to find every website that is hosted on the same server as your target and will check every discovered website for vulnerabilities.
  • Havij is a tool that automates SQL injections (blind SQL, SQL errors, UNION) to reverse-engineer a database and gather relevant data on a server.
  • Puzlbox is a PHP fuzzing tool that scans for Arbitrary Command Execution, Arbitrary File Read/Write/Change/Rename/Delete, Local File Inclusion (LFI), Arbitrary PHP Execution, SQL Injection and Reflected Cross-site Scripting (XSS).
