A Step by Step Guide to SQL Injections
Contents
• Abstract (p. 2)
• What is SQL Injection? (p. 2)
• Test Environment for Checking SQL Injections (p. 2)
• Architecture (p. 3)
• Database Management System (p. 3)
• Front-end Structure (p. 4)
• SQL Injections [At the Database Level] (p. 6)
    Bypassing User Authentication (p. 6)
    How to Secure against illegal authentication? (p. 7)
    Determine column of the table (p. 8)
    Getting all Columns of the Table: (Using Group by Clause) (p. 8)
    Determining the Number of Columns: (Using Union Clause) (p. 9)
    Finding Data types: (using aggregate functions) (p. 10)
    Why we need all columns and Data Types? (p. 10)
    Getting Username & Password from table (p. 10)
    Inserting Values in the Table (p. 13)
    Updating Values of the Table (p. 13)
    Deleting Entire Data from the Table: (using Delete or Drop statement) (p. 14)
    Displaying desired Information from the table in the Browser (p. 14)
• SQL Injections [Going beyond the Databases] (p. 15)
    Getting server name (p. 15)
    Xp_cmdshell (p. 16)
    Shutting Down the SQL Server (p. 16)
    Brute Force to Find Password of SQL Server (p. 16)
    Xp_regread and Xp_regwrite extended procedure (p. 17)
    Xp_servicecontrol (p. 18)
    Bulk Insert Statement (p. 19)
• How to prevent against SQL Injections (p. 19)
• Appendix (p. 20)
    Union Clause (p. 20)
    Group By Clause (p. 20)
    Delete/Drop statement (p. 20)
    ODBC driver (p. 20)
    Microsoft Internet Information Server (IIS) (p. 21)
[Abstract]
This document discusses in detail common as well as some advanced SQL injection techniques as they apply to Microsoft Internet Information Server / Active Server Pages / Microsoft SQL Server. It discusses the various ways in which SQL can be injected and how one can protect against SQL injection. This document also contains brief descriptions of the terms used in the context of databases and web applications.
What is SQL Injection?
SQL injection is a technique where an attacker creates or alters existing SQL commands (by using some special symbols) to gain access to unintended data or even the ability to execute system-level commands on the server. SQL injections are the result of poor input validation and can be blocked by proper input validation. Applications that do not correctly validate and/or sanitize user input can potentially be exploited in several ways:
• Changing SQL values.
• Concatenating SQL values.
• Adding function calls and stored procedures to a statement.
• Typecasting and concatenating retrieved data.
• Adding system functions and procedures to find out critical information about the server.
Test Environment for Checking SQL Injections:
The test environment is very simple: it uses Microsoft SQL Server 2000 as the database management system, a web server, and an authentication web site. The test environment also contains two ASP pages: one gathers the user input and the other checks the user input against the data in the database using a SQL query.
Architecture:
The test environment is based on the two-tier architecture. A diagram of a typical two-tier architecture is shown below:
In a two-tier architecture a client talks directly to a server, with no intervening server. It is typically used in small environments (fewer than 50 users). Some important characteristics of a two-tier application are:
• User interface on clients (desktops).
• Database on servers (more powerful machines).
• Business logic residing mostly on clients.
• Stored procedures for data access on the servers.
• SQL used for communication.
Database Management System: [Microsoft SQL Server 2000]
Database Name: Injection
Table Name: Authentication
Table Structure:
    Column      Type
    Slno        Integer (4)
    Name        Character (20)
    Password    Character (20)
Front-end Structure:
Authentication Page: [Login.asp]
This page is designed to take user input. There are two text boxes in the page with one submit button. When the user clicks the submit button, the values of the text boxes are submitted to the verify.asp page on the server side. [There are two methods (GET and POST) to submit values from one web page to another. Since only a few applications use the GET method, in this scenario we use the POST method only, but the same thing can be achieved using the GET method as well. The difference between GET and POST is that with GET the data is appended to the URL after a "?" and the user can see the data being transferred in the address bar, while data transferred using POST is not appended to the URL and thus does not appear in the address bar, i.e. it is kept hidden from the user. Data sent using POST is retrieved in the ASP page using the request.form object, while data sent using GET is retrieved using the request.querystring object. The process of SQL injection is the same in both cases.] The following snip shows how the information appears in the browser.
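To make concrete why "special symbols" in the submitted text boxes matter, here is an added example (not the paper's verify.asp, which is written in ASP) that recreates the Authentication table in an in-memory SQLite database and compares the verify query built by string concatenation with a parameterized one and with the input validation the paper recommends. The sample rows and the allowlist pattern are constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the paper's "Injection" database: the Authentication
# table with the same three columns (Slno, Name, Password). Sample rows are made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Authentication "
                 "(Slno INTEGER, Name VARCHAR(20), Password VARCHAR(20))")
    conn.executemany("INSERT INTO Authentication VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "O'Brien", "pass")])
    return conn

def login_concat(conn, name, password):
    """Query built the way verify.asp pastes request.form values into SQL.
    Returns True/False for a normal lookup, or None when the user input
    changed the SQL text so that it no longer parses."""
    sql = ("SELECT Slno FROM Authentication WHERE Name='" + name +
           "' AND Password='" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None   # the quote inside the input became part of the SQL syntax

def login_param(conn, name, password):
    """Same lookup with bound parameters: the input is always data, never SQL."""
    sql = "SELECT Slno FROM Authentication WHERE Name=? AND Password=?"
    return conn.execute(sql, (name, password)).fetchone() is not None

# Input validation in the sense the paper recommends: an allowlist sized to the
# Character(20) column. Assumed pattern; note it also rejects legitimate names
# with apostrophes, which is why binding parameters is still the primary fix.
ALLOWED = re.compile(r"^[A-Za-z0-9_]{1,20}$")

def valid_input(value):
    return ALLOWED.fullmatch(value) is not None

if __name__ == "__main__":
    db = build_db()
    print(login_concat(db, "alice", "s3cret"))   # True
    print(login_concat(db, "O'Brien", "pass"))   # None: the quote broke the query
    print(login_param(db, "O'Brien", "pass"))    # True
    print(valid_input("O'Brien"))                # False: rejected by the allowlist
```

The same user-controlled quote that merely breaks the query here is what the later sections of the paper use to alter its meaning; binding parameters removes that path entirely.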
Code of the Login.asp page: