SQL Injection


SQL Injection is nothing but a combination of a SQL Query that can through user input from your website and execution of the query in your back-end database. I will give an example of the SQL injection. SQL Injection is just like an injection. In real life we use injection to take blood from our body or to insert a liquid into our body. SQL Injection is like a real-life injection. Using SQL Injection you can get important information or you can insert some information into the database.

SQLINJ1.gif

Here, the user tries to login into a web application using their credentials. Only authenticated users can login into the application. But a hacker can input malicious data and login to the web application even though they are not authenticated; that is called SQL injection.

How I do SQL Injection?

SQL injection is a blind attack. You do not have any idea about the application. There are so many way to do SQL Injection.

  1. Identify the back end database

    The first thing you need to find out is which database is being used by the web application. There are two ways to determine the back-end database of the web application.

    Extension name of the web page.

    The following table may or may not be correct.
     
    No. Script Language Database used by folks
    1 ASP.NET MS-SQL
    2 JSP Oracle
    3 PHP MYSQL

    Now days many applications are using web routing so you cannot see the web page extension.

    Query to identify the database.

    As we already know, all databases have a different syntax to execute a query. Such as:

    MS-SQL : Select * from tablename where id = 10 AND age=20
    Oracle : Select * from tablename where id=10 || age=20

    I will give you an example. I developed an application with ASP.NET and my database is MS SQL 2008.

    SQLINJ2.png

    Here I entered [email protected]' || word like "%"'-- string and click on Login button. I was getting the following exception; it means the web application isn't using the Oracle data base. So likewise you can execute a different database query and you can get the back end database which is used by the web application.

    SQLINJ3.png

  2. Field Mapping

    Field mapping is a very important role in SQL Injection. Field mapping is nothing but getting the field name from the tables. The first step is to guess a field name. We construct a SQL Query to finding a field name.

    SELECT fieldlist FROM table WHERE field = 'x'

    Now,

    SELECT fieldlist FROM table WHERE email = 'x' OR mail IS NULL; --';

    SQLINJ4.png

    Enter malicious string in the input box. You don't care whether the email address is correct or not, you just check the whether the query above returns a SQL exception or not. If you are getting a SQL Exception then that means the field we are checking is not in the table. You can guess many fields using that query.

    SQLINJ5.png

  3. Finding the table name

    The application's built-in query already has the table name built into it. But you don't know the name of the table. There are several ways to determine the table name, such as:

    A standalone query

    SELECT COUNT(*) FROM tabname

    Return a total number of records in the table and the query fails if the table name is invalid. So we can use the above query to find the correct table name.

    SELECT * FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';

    Enter a malicious string in the input box and click on the login button. If you get a SQL exception then that means the table name you tried to find is not in the database.

    SQLINJ7.png

  4. Database is not read only

    A Database is not read-only so you can easily delete data from a database. Execute the following query:

    SELECT * FROM UserInfo WHERE email = 'x'; DROP TABLE UserInfo; --';
  5. Get word In your mail box

    You can easily get another user's email ID. Once you have the other user's email id you can update your email id to his email id. Execute the following query:

    SELECT * FROM UserInfo WHERE email = 'x'; UPDATE UserInfo SET email = '[email protected]' WHERE email = '[email protected]';

    Once you update your email successfully try to get the word by entering the updated email address.

How I protect my website from SQL Injection?

Filter out the character like single quote, double quote, slash, back slash, semi-colon, extended character like NULL, carriage return, new line, etc, in all strings from:

  • Input from users
  • Parameters from URL
  • Values from cookie

  1. Primary Defenses

    a. Use Parameterized Query

    b. Use a stored procedure with parameter

    c. Escaping input

    d. Avoid disclosing error information

  2. Additional Defenses

    a. Input Validation

    White List Input Validation or Black list Input validation

Primary Defenses

Use parameterized query

The most important reason to use parameterized queries is to avoid SQL injection attacks. Let me give an example:

Text Box 1 = Naren
Text Box 2 = [email protected]'); DROP TABLE Customer;--

After entering all input values, the data query becomes:

Insert into Customer(name,email) values('Naren','[email protected]');DROP TABLE Customer;--

The above query is valid for the database. When this query is executed it will delete the Customer table from the database. So you need to use a Parameter Query to protect this kind of input values.

Parameter Query

Insert into Customer(name,email) values(@name,@email)

In this case the @name and @email parameter is treated as a literal value and not as an executable code. When you execute this query, it will execute an INSERT query only. The server accepts the user input as one value of a variable and inserts that entire value into the Email field.

Use stored procedure with parameter

Use of a stored procedure does not protect against SQL injection. The important thing to do is to use a stored procedure with parameters.

The following code shows how to use a SQL Parameter Collection when calling a stored procedure.

In this case the @name parameter is treated as a literal value and not as executable code. Also, the parameter checks the type and length.

Escaping input

In SQL Server, some characters have a special meaning, such as the single quote ( ' ) and the braces ( [, ] ), but sometimes it is necessary to accept such characters.

Additional Defenses

White List Input Validation

In this white list, we allow the user to only enter valid data for our application. White list input validation is batter then black list input. I will give an example.

Username and word data are perfect candidates of data which we should white list. For instance, let's constrain the allowed characters for the username to "A-Z", "a-z", "0-9",".", "@" and use the same for the word field but perhaps add "!", "?", "#".

Reference Link

http://www.unixwiz.net/techtips/sql-injection.html

http://msdn.microsoft.com/en-us/library/ms998271.aspx

Up Next
    Ebook Download
    View all
    Learn
    View all