14 - SQL Injection

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.

Module Objective

The objective of this lab is to provide expert knowledge on SQL injection attacks and the related responsibilities, which include:

  • Understanding when and how a web application connects to a database server in order to access data
  • Identifying basic SQL injection flaws and vulnerabilities
  • Testing web applications for blind SQL injection vulnerabilities
  • Scanning web servers and analyzing the reports
  • Securing information in web applications and web servers

Scenario

A SQL injection attack is performed by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability arises when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed. SQL commands are thus injected from the web form into the application's database queries to change the database content or to dump database information, such as credit card numbers or passwords, to the attacker. SQL injection is mostly known as an attack vector for websites, but it can be used to attack any type of SQL database.

As an expert ethical hacker, you must apply a range of defences: prepared statements with bind variables, whitelist input validation, and escaping. Input validation can be used to detect unauthorized input before it is passed to the SQL query.
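The following added example (not part of the lab manual) shows the login-bypass flaw described above beside the two defences the text names. It assumes a constructed in-memory SQLite users table in place of the lab's MS SQL backend; the function and table names are illustrative.

```python
import re
import sqlite3

def make_db():
    # Constructed sample database: one user, plaintext password for brevity only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # User input is spliced into the string literals: the escape character
    # in the input ends the literal and the rest becomes SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    # Bind variables: the driver passes values separately from the statement,
    # so input can never change the query's structure.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_username(username):
    # Whitelist validation: accept only the characters a username may contain.
    return bool(USERNAME_RE.match(username))

def login_defended(conn, username, password):
    # Defence in depth: reject unexpected input first, then use bind variables.
    if not validate_username(username):
        return False
    return login_parameterized(conn, username, password)

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # classic textbook input that rewrites the WHERE clause
    print(login_vulnerable(db, "alice", tautology))     # True: logon without the password
    print(login_parameterized(db, "alice", tautology))  # False: compared as a literal value
    print(login_defended(db, tautology, "x"))           # False: rejected by the whitelist
```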

I. SQL Injection Attacks on MS SQL Database

Today, SQL injection is one of the most common and perilous attacks that a website's software can experience. The attack targets SQL databases behind weakly written code, and an attacker can use the vulnerability to execute database queries to collect sensitive information, modify database entries, or inject malicious code, resulting in total compromise of the most sensitive data.

As an expert penetration tester and security administrator, you need to test web applications running on the MS SQL Server database for vulnerabilities and flaws.

Lab Objectives

The objective of this lab is to provide students with expert knowledge on SQL injection attacks and to analyze web applications for vulnerabilities. In this lab, you will learn how to:

  • Log on without valid credentials
  • Test for SQL injection
  • Create your own user account
  • Create your own database
  • Obtain a directory listing
  • Execute denial-of-service attacks

In this lab, you have gained expert knowledge of SQL injection attacks and learned to analyze web applications for vulnerabilities.

II. Testing for SQL Injection Using IBM Security AppScan Tool

By now, you are familiar with the types of SQL injection attacks an attacker can perform and the impact these attacks cause. Attackers can use the following types of SQL injection attacks: authentication bypass, information disclosure, compromised data integrity, compromised availability of data, and remote code execution, which allow them to spoof identity, damage existing data, execute system-level commands to cause a denial of service of the application, etc.

In the previous lab, you learned to test for SQL injection attacks on an MS SQL database to find website vulnerabilities.

As an expert security professional and penetration tester of an organization, your job responsibility is to test the company’s web applications and web services for vulnerabilities. You need to find various ways to extend security tests and analyze web applications and employ multiple testing techniques.

In this lab, you will learn to test for SQL injection attacks using the IBM Security AppScan tool.

Lab Analysis

In this lab, you have learnt how to test web applications for SQL injection threats and vulnerabilities. Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

III. Testing for SQL Injection Using N-Stalker Tool

In the previous lab, you learnt to use the Webcruiser tool to scan a website and to produce a proof of concept (POC) for the SQL injection web vulnerability.

Some attackers perform SQL injection attacks based on the error messages received from the server. If the application returns a detailed error, the attacker can determine the entire structure of the database and read any value that can be read by the account the ASP application uses to connect to SQL Server. However, if the database server only returns an error message complaining that the SQL query's syntax is incorrect, an attacker instead tries all possible true and false questions through SQL statements to steal data.

As an expert security professional and penetration tester, you should be familiar with the tips and tricks used in SQL injection detection. You must also be aware of all the tools that can be used to detect SQL injection flaws. In this lab, you will learn to use the N-Stalker tool to detect SQL injection in websites.

Lab Analysis

In this lab, you have learnt to perform website scans for vulnerabilities and to analyze the scan results using N-Stalker. Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Lab Objectives

The objective of this lab is to help students learn how to test web applications for SQL Injection threats and vulnerabilities.

In this lab, you will learn to:

  • Perform website scans for vulnerabilities
  • Analyze scanned results
  • Fix vulnerabilities in web applications
  • Generate reports for scanned web applications

Module Syllabus

  • SQL Injection is the Most Prevalent Vulnerability in 2010
  • SQL Injection Threats
  • What is SQL Injection?
  • SQL Injection Attacks
  • How Do Web Applications work?
  • Server-Side Technologies
  • HTTP Post Request
    • Example 1: Normal SQL Query
    • Example 1: SQL Injection Query
    • Example 1: Code Analysis
    • Example 2: BadProductList.aspx
    • Example 2: Attack Analysis
    • Example 3: Updating Table
    • Example 4: Adding New Records
    • Example 5: Identifying the Table Name
    • Example 6: Deleting a Table
  • SQL Injection Detection
    • SQL Injection Error Messages
    • SQL Injection Attack Characters
    • Additional Methods to Detect SQL Injection
  • SQL Injection Black Box Pen Testing
    • Testing for SQL Injection
  • Types of SQL Injection
    • Simple SQL Injection Attack
    • Union SQL Injection Example
    • SQL Injection Error Based
  • What is Blind SQL Injection?
    • No Error Messages Returned
    • Blind SQL Injection: WAITFOR DELAY YES or NO Response
    • Blind SQL Injection – Exploitation (MySQL)
    • Blind SQL Injection - Extract Database User
    • Blind SQL Injection - Extract Database Name
    • Blind SQL Injection - Extract Column Name
    • Blind SQL Injection - Extract Data from ROWS
  • SQL Injection Methodology
  • Information Gathering
    • Extracting Information through Error Messages
    • Understanding SQL Query
    • Bypass Website Logins Using SQL Injection
  • Database, Table, and Column Enumeration
    • Advanced Enumeration
  • Features of Different DBMSs
    • Creating Database Accounts
  • Password Grabbing
    • Grabbing SQL Server Hashes
    • Extracting SQL Hashes (In a Single Statement)
  • Transfer Database to Attacker’s Machine
  • Interacting with the Operating System
  • Interacting with the FileSystem
  • Network Reconnaissance Full Query
  • SQL Injection Tools
    • SQL Injection Tools: BSQLHacker
    • SQL Injection Tools: Marathon Tool
    • SQL Injection Tools: SQL Power Injector
    • SQL Injection Tools: Havij
  • Evading IDS
    • Types of Signature Evasion Techniques
    • Evasion Technique: Sophisticated Matches
    • Evasion Technique: Hex Encoding
    • Evasion Technique: Manipulating White Spaces
    • Evasion Technique: In-line Comment
    • Evasion Technique: Char Encoding
    • Evasion Technique: String Concatenation
    • Evasion Technique: Obfuscated Codes
  • How to Defend Against SQL Injection Attacks?
    • How to Defend Against SQL Injection Attacks: Use Type-Safe SQL Parameters
  • SQL Injection Detection Tools
    • SQL Injection Detection Tool: Microsoft Source Code Analyzer
    • SQL Injection Detection Tool: Microsoft UrlScan
    • SQL Injection Detection Tool: dotDefender
    • SQL Injection Detection Tool: IBM AppScan
  • Snort Rule to Detect SQL Injection Attacks