SQL stands for Structured Query Language. It is the and ANSI (American National Standards Institute) standard language for accessing and manipulating relational database systems. ANSI is a standards committee composed of database experts from industry, academia and software vendors. It has also been accepted as a standard by ISO (International Organization for Standardization). SQL is a standard open language without corporate ownership. The commercial acceptance of SQL was precipitated by the formation of SQL Standards committees by the ANSI and the ISO in 1986 and 1987. Two years later they published a specification known as SQL89. An improvement and expansion to the standard gave the world SQL92. We now have the third generation standard, SQL99 also known as SQL3. SQL is used to communicate with a database. The communicating parties are typically a "front end" which sends a SQL Statement across a connection to a "back end" that holds the data. SQL statements are used to perform tasks such as retrieve, create, update or delete data from a database. Some common relational database management systems that use SQL are: Oracle, MS SQL Server, MS Access, Ingres, DB2, Sybase, Informix, etc.
Although most database systems use SQL, most of them also have their own additional proprietary extensions that are usually only used on their system. Most DBMS are designed to meet the SQL92 standard partially and have not implemented the advanced features. However, the standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used throughout all database with little changes. All of the core functions, such as adding, reading and modifying data, are the same.
A relational database system contains one or more objects called tables. The data or information for the database are stored in these tables. Tables are uniquely identified by their names and are comprised of columns and rows. Columns contain the column name, data type, and any other attributes for the column. Rows contain the records or data for the columns. Here is a sample table called "users". This is a user defined table that could be used for validating and managing application users. In this table, the first row called userID is specified as an integer. By being defined as an integer column the only type of data that can be stored in that column are numeric integers. UserID is also the Primary Key for the Table. A table usually has a column or combination of columns whose values uniquely identify each row in the table. This column (or columns) is called the Primary Key of the table and enforces the entity integrity of the table. There can be no duplicate values. The other four columns are varchar (variable character data). Any kind of strings can be stored in these columns. Character data consists of any combination of letters, symbols, and numeric characters. To note, the password field is not encrypted. This should be implemented at an application level. These passwords are not directly linked or related to the SQL database passwords or the Operating System passwords.
The SELECT statement is used to query the database and retrieve selected data that match the criteria that you specify. The column LastName that follows the SELECT keyword determines which column will be returned in the results. You can select as many column names that you'd like, or you can use a "*" to select all columns. The table name users that follows the keyword FROM specifies the table that will be queried to retrieve the desired results. The WHERE clause (optional) specifies which data values or rows will be returned or displayed. Based on the criteria described after the keyword WHERE the select statement will only bring the LastName value for all rows where UserID = 1. And also because UserID is the Primary Key (and therefore cannot have duplicate values), the only result for this query is "Smith".
SQL has many capabilities, but the most common needs are to: Read existing data - SELECT statement Change existing data - UPDATE statement Create new records holding data - INSERT INTO statement Delete data - DELETE statement
Data Definition Language (DDL) is used to define and manage all the objects in an SQL database. DDL statements are SQL statements that support the definition or declaration of database objects (for example, CREATE TABLE, DROP TABLE, and ALTER TABLE). SQL contains DDL commands that can be used either interactively, or within programming language source code, to define databases and their components. Some of the most commonly used DDL statements in SQL are: CREATE TABLE - creates a new database table ALTER TABLE - changes a database table structure DROP TABLE - deletes a table and all rows in the database table CREATE INDEX - creates an index (search key) DROP INDEX - deletes an index For each object class, there are usually CREATE, ALTER, and DROP statements, such as CREATE TRIGGER, ALTER TRIGGER, and DROP TRIGGER.
A Relational Database Management System (RDBMS) is defined as a system whose users view data as a collection of tables related to each other through common data values. Data is stored in tables, and tables are composed of rows and columns. Tables of independent data can be linked (or related) to one another if they each have columns of data (called keys) that represent the same data value. E.F. Codd’s Twelve Principles of Relational Databases continue to be used to validate the “relational” characteristics of a database product. A database product that does not meet all of these rules is not fully relational. One important aspect of all relational databases is that Metadata is stored within the database. Codd's rule #4 states: 4. Metadata (data about the database) must be stored in the database just as regular data is. Other important Codd's rules that define the way SQL Injection is done: 5. A single language must be able to define data, views, integrity constraints, authorization, transactions, and data manipulation. 10. Integrity constraints must be available and stored in the RDB metadata, not in an application program.
SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data. It's a serious vulnerability, which can lead to a high level of compromise - usually the ability to run any database query. It is an attack on web-based applications that connect to database back-ends in which the attacker executes unauthorized (and unexpected) SQL commands by taking advantage of insecure code and bad input validation. It is very often done on systems connected to the Internet because it allows to completely bypass the firewall. SQL injection attacks can be used to steal information from a database from which the data would normally not be available and to gain access to host computers through the database engine.
Web-based applications constitute the worst threat of SQL injection. In our Pen Tests, over 60% of our clients continue to be vulnerable to SQL Injection. The main problem with SQL Injection is that the vulnerability is originated when the web application is coded. Most programmers are still not aware of the problem. Tutorials and demo "templates" on the Internet and even some that have been shipped with commercial databases promote building queries by concatenating strings, which is the main source for SQL Injection vulnerabilities. Additionally, a lot of the proposed solutions on the web continue to be flawed.
Almost all SQL databases and programming languages are potentially vulnerable. It is an input validation problem that has to be considered and programmed by the web application developer.
A common way of validating users in an application is to by checking if the user and password combination exists in the users table. The following query will bring back one record if there is one row where the login = 'victor' and the password = '123': SELECT * FROM users WHERE login = ' victor ' AND password = ' 123 ' To code this, a common practice among developers is to concatenate a string with the SQL command and then execute it to see if it returns something different to null. An Active Server Page code where the SQL statement gets concatenated might look like: var sql = " SELECT * FROM users WHERE login = ' " + formusr + " ' AND password = ' " + formpwd + " ' ";
SQL Injection occurs when an attacker is able to insert a series of SQL statements into a 'query' by manipulating data input. If an attacker inserts: ' or 1=1 -- into the formusr field he will change the normal execution of the query. By inserting a single quote the username string is closed and the final concatenated string would end up interpreting or 1=1 as part of the command. The -- (double dash) is used to comment everything after the or 1=1 and avoid a wrong syntax error. This could also have been achieved by inserting the following command: ' or '1'='1 By injecting any of the two commands discussed, an attacker would get logged in as the first user in the table. This happens because the WHERE clause ends up validating that the username = ' ' (nothing) OR 1=1 ( OR '1'='1' in the second statement) The first conditional is False but the second one is True. By using OR the whole condition is True and therefore all rows from table users are returned. All rows is not null therefore the log in condition is met.
The single quote character closes the string field and therefore allows all of the following text to be interpreted as SQL commands. To prevent this, a lot of the SQL Injection quick solutions found on the Internet suggest escaping the single quote with a double quote (that is the standard way of escaping single quotes in SQL99). This is only a half remedy though because there are always numeric fields or dates within forms or parameters that will remain vulnerable.
With a similar syntax a numeric login would not use single quotes because in SQL you only need quotes for strings. This PHP / MySQL code example concatenates a query that uses no single quotes as part of the syntaxis.
Injecting into a numeric field is very similar. The main difference with string injection is that in numeric injection the first number is taken as the complete parameter (no need to close it with a single quote) and all the text after that number will be considered as part of the command. In this case the # (number sign) is used instead of the -- (double dash) because we are injecting into a MySQL database.
Symbol Usage in SQL99 complaint DBs + Addition operator; also concatenation operator; when used in an URL it becomes a white space) || Concatenation operator in Oracle and Postgres - Subtraction operator; also a range indicator in CHECK constraints = Equality operator <> != Inequality operators >< Greater-than and Less-than operators ( ) Expression or hierarchy delimiter % Wildcard attribute indicator , List item separator @, @@ Local and Global variable indicators . Identifier qualifier separator ‘’ “” Character string indicators “” Quoted identifier indicators -- Single-line comment delimiter # Single-line comment delimiter in MySQL or date delimiter in MS Access /*…*/ Begin and End multiline comment delimiter
Depending on your objective the general methodology may vary. For Pen Testing purposes we have defined some comprehensive steps for testing applications.
We have based our methodology on the OWASP Testing Framework. The Open Web Application Security Project (OWASP) is a volunteer project dedicated to sharing knowledge and developing open source software that promotes a better understanding of web application security. The OWASP Testing Project has been in development for over two years. It helps understand the what, why, when, where, and how of testing web applications, and not just provide a simple checklist or prescription of issues that should be addressed. OWASP has built a testing framework from which we have expanded to build our own testing program. In our Detailed Structured Analysis each step is analyzed, and all the tangents and sub-tangents are followed (attack-trees). Above we have included our SQL Injection analysis attack tree.
Advanced sql injection 1
SQL stands for Structured Query Language Allows us to access a database ANSI and ISO standard computer language The most current standard is SQL99 SQL can: execute queries against a database retrieve data from a database insert new records in a database delete records from a database update records in a database2
There are many different versions of theSQL language They support the same major keywords in asimilar manner (such as SELECT, UPDATE,DELETE, INSERT, WHERE, and others). Most of the SQL database programs alsohave their own proprietary extensions inaddition to the SQL standard!3
A relational database contains one or more tables identifiedeach by a name Tables contain records (rows) with data For example, the following table is called "users" andcontains data distributed in rows and columns:4userID Name LastName Login Password1 AMIT SOLANKI AMS hello2 ANAND RAJ ANDY qwerty3 DINESH KUMAR SILVER pammy
With SQL, we can query a database and havea result set returned Using the previous table, a query like this:SELECT LastNameFROM usersWHERE UserID = 1; Gives a result set like this:LastName--------------SOLANKI5
SQL includes a syntax to update, insert, anddelete records: SELECT - extracts data UPDATE - updates data INSERT INTO - inserts new data DELETE - deletes data6
The Data Definition Language (DDL) part of SQL permits: Database tables to be created or deleted Define indexes (keys) Specify links between tables Impose constraints between database tables Some of the most commonly used DDL statements in SQLare: CREATE TABLE - creates a new database table ALTER TABLE - alters (changes) a database table DROP TABLE - deletes a database table7
Almost all SQL databases are based on theRDBM (Relational Database Model) One important fact for SQL Injection Amongst Codds 12 rules for a Truly RelationalDatabase System:4. Metadata (data about the database) must be storedin the database just as regular data is Therefore, database structure can also be readand altered with SQL queries8
The ability to inject SQL commands intothe database enginethrough an existing application9
It is probably the most common Website vulnerability today! It is a flaw in "web application" development,it is not a DB or web server problem Most programmers are still not aware of this problem A lot of the tutorials & demo “templates” are vulnerable Even worse, a lot of solutions posted on the Internet are not goodenough In our pen tests over 60% of our clients turn out to bevulnerable to SQL Injection10
Common vulnerable login querySELECT * FROM usersWHERE login = victorAND password = 123(If it returns something then login!)ASP/MS SQL Server login syntaxvar sql = "SELECT * FROM usersWHERE login = " + formusr +" AND password = " + formpwd + "";12
formusr = or 1=1 – –formpwd = anythingFinal query would look like this:SELECT * FROM usersWHERE username = or 1=1– – AND password = anything13
It closes the string parameter Everything after is considered part of the SQLcommand Misleading Internet suggestions include: Escape it! : replace with String fields are very common but there areother types of fields: Numeric Dates14
SELECT * FROM clientsWHERE account = 12345678AND pin = 1111PHP/MySQL login syntax$sql = "SELECT * FROM clients WHERE " ."account = $formacct AND " ."pin = $formpin";15
$formacct = 1 or 1=1 #$formpin = 1111Final query would look like this:SELECT * FROM clientsWHERE account = 1 or 1=1# AND pin = 111116
or " character String Indicators -- or # single-line comment /*…*/ multiple-line comment + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator ?Param1=foo&Param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay 0:0:10 time delay17
191) Input Validation2) Info. Gathering6) OS Cmd Prompt7) Expand Influence4) Extracting Data3) 1=1 Attacks 5) OS Interaction
SQL Injection is a fascinating and dangerousvulnerability All programming languages and all SQLdatabases are potentially vulnerable Protecting against it requires strong design correct input validation hardening20