HASHMI SAFWAN
SQL Injection
Table of Contents
1. SQL Injection
1.1 What is SQL?
1.2 What is SQL Injection?
1.3 How Common Is It?
1.4 Vulnerable Applications
1.5 How Does SQL Injection Work?
1.6 The Power of ' (Single Quote)
1.7 SQL Injection Characters
1.8 Impact of SQL Injection
2. Classification of SQL Injection Attacks
2.1 Classification of SQL Injection Attacks
3. Preventing SQL Injection Attacks
3.1 Novel Model for Preventing SQLIA
3.2 Pattern Matching Algorithm
3.3 SQLrand Architecture
3.4 Comparative Analysis of All Existing Models
4. SQL Injection Attacks
5. SQL Injection Conclusion
6. References
List of Figures
Fig 1.1 High Level Structure of Crypton
Fig 1.2 Data Representation Array
Fig 1.3 Byte-Wise Substitution
Fig 1.4 Byte-Wise Permutation (a)
Fig 1.4 Byte-Wise Permutation (b)
Fig 1.5 Column to Row Transposition
Fig 1.6 Key Scheduling
Fig 1.7 Minimum Diffusion Patterns
List of Tables
Table 1.1 User Table (a)
Table 1.1 User Table (b)
Table 1.1 Classification of SQL Injection Attacks
Table 3.1 Comparative Analysis of Existing Models
List of Figures
Fig 3.1 Web Architecture
Fig 3.2 Tokenization Architecture
Fig 3.3 Pattern Architecture
Fig 3.4 SQLrand Architecture
Abbreviations and Acronyms
SQL      Structured Query Language
ANSI     American National Standards Institute
SQLIA    SQL Injection Attack
SBSQLID  Service Based SQL Injection Detection
RDUD     Rule based Detection of SQL Injection Attack
SANIA    Syntactic and Semantic Analysis for Automated Testing against SQL Injection
1. SQL INJECTION
SQL injection is a type of security exploit in which the attacker adds SQL statements through
a web application's input fields or hidden parameters to gain access to resources or make
changes to data [1].
It is a serious vulnerability that can lead to a high level of compromise, usually the
ability to run any database query.
1.1 What Is SQL?
SQL stands for Structured Query Language [2][3]. It allows us to access a database. SQL
is an ANSI and ISO standard computer language. The most current standard is SQL99.
SQL statements are used to perform tasks such as retrieving, creating, updating or
deleting data in a database.
Some common relational database management systems that use SQL are Oracle, MS
SQL Server, MS Access, Ingres, DB2, Sybase and Informix. Although there are many
versions of the SQL language, the standard SQL commands such as "Select", "Insert",
"Update", "Delete", "Create" and "Drop" can be used across all of these databases with
little change. All of the core functions, such as adding, reading and modifying data,
are the same.
1.2 What Is SQL Injection?
SQL injection is the ability to inject SQL commands into the database engine through an
existing application.
It is an attack on web-based applications that connect to database back-ends, in which
the attacker executes unauthorized (and unexpected) SQL commands by taking advantage
of insecure code and bad input validation. It is very often carried out against systems
connected to the Internet because it bypasses the firewall completely: the injected
commands arrive inside ordinary web requests that the firewall allows through. SQL
injection attacks can be used to steal information from a database that would normally
not be available and to gain access to host computers through the database engine.
1.3 How Common Is It?
The principal issue with SQL injection is that the weakness is introduced when the web
application is coded. Most software engineers are still not aware of the problem.
Tutorials and demo "templates" on the Internet, and even some that ship with commercial
databases, promote building queries by concatenating strings, which is the primary
source of SQL injection vulnerabilities.
1.4 Vulnerable Applications
All SQL databases and programming languages are potentially vulnerable. It is an input
validation problem that must be considered and handled by the web application engineer.
Databases that are potentially vulnerable:
➢ MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
Accessed through applications developed using:
➢ Perl and CGI scripts that access databases
➢ ASP, JSP, PHP
➢ XML, XSL and XSQL
➢ JavaScript
➢ VB, MFC, and other ODBC-based tools and APIs
➢ DB-specific web-based applications and APIs
➢ Reports and DB applications
➢ 3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
1.5 How Does SQL Injection Work?
A typical method of validating users in an application is to check whether the user and
password combination exists in the user table:
SELECT * FROM users WHERE USERNAME = 'SAFWAN' AND PASSWD = 'Admin! @#'
The above statement returns one record if there is a row where USERNAME = 'SAFWAN'
and PASSWD = 'Admin! @#'.
USERID  USERNAME  PASSWD       ROLEID  STATUS
1       SAFWAN    Admin! @#    1       ACTIVE
2       ZIAD      ZAID@@#$3    1       ACTIVE
3       WAQAR     ABC@ASDFJ23  2       ACTIVE
Table 1.1 User Table
Injecting through Strings
If the attacker enters the username ' or 1=1 -- and any value (say "anything") as the
password, the final query looks like this:
SELECT * FROM users WHERE USERNAME = '' or 1=1 -- ' AND PASSWD = 'anything'
By inserting a single quote, the username string is closed and the final concatenated
string ends up interpreting or 1=1 as part of the command. The -- (double dash) comments
out everything after the or 1=1 and avoids a syntax error. The same result could also
have been achieved by inserting the following value:
' or '1'='1
By injecting either of the two values discussed, an attacker gets logged in as the first
user in the table. This happens because the WHERE clause ends up checking that the
username = '' (nothing) OR 1=1 (OR '1'='1' in the second case). The first condition is
false but the second one is true. With OR the whole condition is true and therefore all
rows from the users table are returned. The result is not empty, so the login condition
is met.
If the user field is numeric, as in the table below:
USERID    PIN   ROLEID  STATUS
12345678  1111  1       ACTIVE
78945612  1113  1       ACTIVE
35255468  0555  2       ACTIVE
Table 1.2 User Table
then the SQL command for retrieving the record will be:
SELECT * FROM USER WHERE USERID = 12345678 AND pin = 1111
If the attacker enters 1 or 1=1 # as the USERID and any value as the PIN, the final
query looks like this:
SELECT * FROM User WHERE USERID = 1 Or 1=1 # AND Pin = 1111
Injecting into a numeric field is very similar. The main difference from string injection
is that in numeric injection the first number is taken as the complete parameter (there
is no need to close it with a single quote) and all the text after that number is
considered part of the command.
In this case the # (number sign) is used instead of the -- (double dash) because we are
injecting into a MySQL database.
1.6 The Power Of ' (Single Quote)
The single quote character closes the string field and therefore allows all of the
following text to be interpreted as SQL commands. To prevent this, many of the SQL
injection quick fixes found on the Internet suggest escaping the single quote by doubling
it (two single quotes, which is the standard way of escaping a single quote in SQL99).
This is only a half remedy, though, because there are always numeric fields or dates
within forms or parameters that will remain vulnerable.
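The following example, added here and not part of the original report, runs the login checks of sections 1.5 and 1.6 against an in-memory SQLite copy of Table 1.1 and Table 1.2. It places the three variants side by side: the concatenated query that the report shows being bypassed, the quote-doubling half remedy (which holds for the quoted PIN but not for the unquoted numeric USERID), and a parameterized query as the actual fix. The sample rows are constructed from the report's tables; SQLite is used in place of MySQL, so the numeric example uses the -- comment instead of #.

```python
import sqlite3

# Constructed sample data mirroring Table 1.1 and Table 1.2 of the report
# (PIN is stored as text so the leading zero of 0555 survives).
USERS = [(1, "SAFWAN", "Admin! @#", 1, "ACTIVE"),
         (2, "ZIAD", "ZAID@@#$3", 1, "ACTIVE"),
         (3, "WAQAR", "ABC@ASDFJ23", 2, "ACTIVE")]
PIN_USERS = [(12345678, "1111", 1, "ACTIVE"),
             (78945612, "1113", 1, "ACTIVE"),
             (35255468, "0555", 2, "ACTIVE")]


def make_db():
    """In-memory SQLite database holding both sample tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (USERID INTEGER, USERNAME TEXT, PASSWD TEXT, "
               "ROLEID INTEGER, STATUS TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    db.execute("CREATE TABLE pin_users (USERID INTEGER, PIN TEXT, ROLEID INTEGER, "
               "STATUS TEXT)")
    db.executemany("INSERT INTO pin_users VALUES (?, ?, ?, ?)", PIN_USERS)
    return db


def login_concat(username, password):
    """Vulnerable (section 1.5): the WHERE clause is built by string concatenation,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = ("SELECT USERNAME FROM users WHERE USERNAME = '" + username +
           "' AND PASSWD = '" + password + "'")
    return [row[0] for row in make_db().execute(sql)]


def login_quote_doubled(userid, pin):
    """The half remedy of section 1.6: single quotes in the input are doubled,
    which protects the quoted PIN literal, but the numeric USERID is still
    concatenated unquoted and remains injectable."""
    safe_pin = pin.replace("'", "''")
    sql = ("SELECT USERID FROM pin_users WHERE USERID = " + userid +
           " AND PIN = '" + safe_pin + "'")
    return [row[0] for row in make_db().execute(sql)]


def login_parameterized(username, password):
    """Fixed: placeholders are bound by the driver, so user input is only ever
    treated as data, never as part of the SQL command."""
    sql = "SELECT USERNAME FROM users WHERE USERNAME = ? AND PASSWD = ?"
    return [row[0] for row in make_db().execute(sql, (username, password))]


if __name__ == "__main__":
    print(login_concat("' or 1=1 -- ", "anything"))          # ['SAFWAN', 'ZIAD', 'WAQAR']
    print(login_quote_doubled("12345678", "' or '1'='1"))   # []
    print(login_quote_doubled("1 or 1=1 -- ", "anything"))  # [12345678, 78945612, 35255468]
    print(login_parameterized("' or 1=1 -- ", "anything"))  # []
```

The quote-doubling function is the one to study: the same input that fails against the PIN column succeeds against USERID, because there is no quote to escape in a numeric comparison. Binding parameters removes the whole class of problem regardless of column type.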
1.7 SQL Injection Characters
• ' or "                   string indicators
• -- or #                  single-line comment
• /* ... */                multiple-line comment
• +                        addition, concatenation (or space in a URL)
• || (double pipe)         concatenation
• %                        wildcard attribute indicator
• ?Param1=foo&Param2=bar   URL parameters
• PRINT                    useful as a non-transactional command
• @variable                local variable
• @@variable               global variable
• WAITFOR DELAY '0:0:10'   time delay
1.8 Impact of SQL Injection
• Leakage of sensitive information.
• Reputation decline.
• Modification of sensitive information.
• Loss of control of the DB server.
• Data loss.
• Denial of service.
Graph 1.1 Impact of SQL Injection
1.9 Latest SQL Injection Statistics in 2016
SQL injection log ratio from one monitored network in the past 60 days (over 8000 events):
Fig 1.2 SQL Injection Log Ratio [4]
Fig 1.3 Identification of the attacking sources in the TP events [4]
Fig 1.4 Distribution by country of the attacking sources in the TP events [4]
2. CLASSIFICATION OF SQL INJECTION ATTACKS
2.1 Classification of SQL Injection Attacks
1 Intent
  Methods:
  • Identifying injectable parameters
  • Extracting data
  • Adding or modifying data
  • Performing denial of service
  • Evading detection
  • Bypassing authentication
  • Executing remote commands
  • Performing privilege escalation
  Techniques/Implementation: see "Input type of attacks"
2 Input Source
  • Injecting through user input: malicious strings in web forms (both GET and POST
    methods)
  • Injecting through cookies: modified cookie fields containing SQLIA
  • Injection through server variables: server variables manipulated to contain SQLIA
  • Second-order injection: frequency-based primary application; frequency-based
    secondary application; secondary support application; cascaded submission
    application
3 Input Type of Attacks (technical aspects)
  • Classic SQLIA: piggy-backed queries; tautologies; alternate encodings;
    illegal/logically incorrect queries; UNION SQLIA; stored procedure SQLIA
  • Inference: classic blind SQLIA (conditional responses, conditional errors,
    out-of-band channelling); timing SQLIA (double blind SQLIA: time delays/benchmark
    attacks; deep blind SQLIA: multiple statements of SQLIA)
  • DBMS-specific SQLIA: DB fingerprinting; DB mapping
  • Compound SQLIA: fast-fluxing SQLIA
Table 2.1 Classification of SQLIA
3. PREVENTING SQL INJECTION ATTACKS (SQLIA)
3.1 Novel Model for Preventing SQLIA
Gaurav Srivastava and Kshitij Pathak presented an architecture for preventing SQL
injection attacks.
Fig 3.1 Web Architecture (a) [6]
Fig 3.2 Proposed Architecture (b) [6]
This model proposes a double authentication process on both a relational and a
hierarchical database by applying a tokenization approach to both. The task is performed
in three steps:
Step 1: Query forwarding.
Step 2: Tokenization of the query.
Step 3: Comparison of array index.
Figure 3.2 shows the proposed architecture of SQLIA prevention through double
authentication via tokenization using the three steps above.
Step 1: Query Forwarding - When a query comes from a user via the user interface, the
input query is forwarded to both databases, one created with the relational approach and
the other based on the hierarchical approach.
Step 2: Tokenization Process on Query - The input query is divided into tokens on the
basis of the spaces, single quotes and double dashes between them. Once the tokens are
determined, they are stored in an array. The tokenization process is applied on both
databases.
Step 3: Comparison of Array Index - In this step, the lengths of the two arrays are
compared. If the lengths L1 and L2 are the same, there is no injection in the query and
the query proceeds to the main database to retrieve the result. If the lengths L1 and L2
differ, an injection exists and the query is not forwarded to the database; the result
is a NULL value.
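The three steps above, written out as an added example (this is not the authors' code, and the report does not say exactly what the second copy of the query is). The assumption made here is that L1 is the token count of the same query template filled with known-good reference values, and L2 the token count of the query built from the live input; the template, the reference values and the sample inputs are all constructed.

```python
import re

# Token boundaries named by the model: spaces, single quotes and double dashes.
_DELIMITERS = re.compile(r"\s+|'|--")


def tokenize(query):
    """Step 2: split the query on spaces, single quotes and double dashes.
    Empty strings produced by adjacent delimiters are dropped so they do not
    inflate the array length."""
    return [tok for tok in _DELIMITERS.split(query) if tok]


def build_query(template, values):
    """The application's fixed SQL template with the user values substituted
    (the same concatenation that makes injection possible in the first place)."""
    return template.format(*values)


def check_query(template, live_values, reference_values):
    """Step 3: compare array lengths. Assumed interpretation: L1 is the token
    count of the query built from known-good reference values, L2 that of the
    query built from the live input. Returns the live query if L1 == L2 (it
    would be forwarded to the main database), otherwise None (the model's NULL
    result: the query is dropped)."""
    l1 = len(tokenize(build_query(template, reference_values)))
    live = build_query(template, live_values)
    l2 = len(tokenize(live))
    return live if l1 == l2 else None


# Constructed login template and injection-free reference values.
LOGIN_TEMPLATE = "SELECT * FROM users WHERE USERNAME = '{0}' AND PASSWD = '{1}'"
REFERENCE = ("REFUSER", "REFPASS")


if __name__ == "__main__":
    print(check_query(LOGIN_TEMPLATE, ("ZIAD", "ZAID@@#$3"), REFERENCE))        # forwarded
    print(check_query(LOGIN_TEMPLATE, ("' or 1=1 -- ", "anything"), REFERENCE))  # None
    print(check_query(LOGIN_TEMPLATE, ("Mary Ann", "secret"), REFERENCE))       # None
```

The third call shows the model's weak spot: a legitimate value containing a space ("Mary Ann") changes the token count just as an injection does, so the comparison rejects it. Any deployment of this scheme needs a tokenizer that knows which spaces belong to data, which is the same knowledge a parameterized query gives the database for free.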
3.2 Pattern Matching Algorithm
This proposed scheme has the following two modules [7]:
1) Static phase
Step 1: The user-generated SQL query is sent to the proposed static pattern matching
algorithm.
Step 2: The static pattern matching algorithm is applied to the query.
Step 3: The anomaly patterns are maintained in a static pattern list; during the pattern
matching process each pattern in the query is compared with the stored anomaly patterns
in the list.
Step 4: If a pattern exactly matches one of the stored patterns in the anomaly pattern
list, the SQL query is affected by a SQL injection attack.
2) Dynamic phase
Step 1: An anomaly score value is calculated for the user-generated SQL query; if this
value is more than the threshold value, an alarm is raised and the query is passed to
the administrator.
Step 2: If the admin receives an alarm, the query is analyzed manually. If the query is
infected by SQLIA, a pattern is generated from it and added to the static pattern list.
Fig 3.3 Pattern Matching Algorithm for Preventing SQLIA [7]
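An added example of the two phases above (not the scheme's own code; the paper gives no concrete scoring function, so the feature weights, the threshold and the initial pattern list are constructed here). The static phase matches the query against the stored anomaly patterns; the dynamic phase computes a weighted anomaly score, raises an alarm above the threshold, and, once the administrator confirms an alarmed query, feeds a pattern derived from it back into the static list.

```python
import re

# Static pattern list: anomaly patterns already confirmed by the administrator.
# Constructed from the injection strings shown in section 1.5 of the report.
STATIC_PATTERNS = [
    r"'\s*or\s+1\s*=\s*1",      # ' or 1=1
    r"'\s*or\s+'1'\s*=\s*'1",   # ' or '1'='1
    r"--",                      # trailing comment that discards the rest of the query
]

# Dynamic phase: weighted suspicious features (assumed weights and threshold).
ANOMALY_WEIGHTS = {
    r"\bor\b\s+\S+\s*=\s*\S+": 3.0,   # "OR x=y" tautology shape
    r"\bunion\b": 3.0,                # UNION-based SQLIA
    r";": 2.0,                        # statement separator (piggy-backed queries)
    r"--|#|/\*": 1.5,                 # comment sequences
    r"'": 0.5,                        # quote inside the query text
}
THRESHOLD = 2.5


def static_phase(query, patterns=STATIC_PATTERNS):
    """Static phase: the query is an attack if any stored anomaly pattern matches."""
    return any(re.search(p, query, re.IGNORECASE) for p in patterns)


def anomaly_score(query, weights=ANOMALY_WEIGHTS):
    """Dynamic phase, step 1: sum the weights of every suspicious feature present."""
    return sum(w for p, w in weights.items() if re.search(p, query, re.IGNORECASE))


def classify(query, patterns=STATIC_PATTERNS, threshold=THRESHOLD):
    """Return 'attack' (static match), 'alarm' (score above threshold, handed to
    the administrator) or 'clean' (forwarded to the database)."""
    if static_phase(query, patterns):
        return "attack"
    if anomaly_score(query) > threshold:
        return "alarm"
    return "clean"


def admin_confirms(query, patterns):
    """Dynamic phase, step 2: the administrator reviewed an alarmed query and
    confirmed SQLIA, so a pattern derived from it is appended to the static list
    and the same query is caught by the static phase from then on."""
    patterns.append(re.escape(query.strip()))
    return patterns


if __name__ == "__main__":
    patterns = list(STATIC_PATTERNS)
    novel = "SELECT * FROM pin_users WHERE USERID = 1 or 2=2 AND PIN = '1111'"
    print(classify(novel, patterns))                 # alarm
    admin_confirms(novel, patterns)
    print(classify(novel, patterns))                 # attack
```

Note that a legitimate password such as ZAID@@#$3 already scores on the comment feature because of the # character; the weights have to leave headroom for that, otherwise the administrator is flooded with alarms for ordinary traffic.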
3.3 SQLrand Architecture
➢ Apply instruction-set randomization to SQL.
➢ Create instances of the language that are unpredictable to the attacker.
➢ Queries injected by the attacker will be caught by the database parser.
➢ An intermediary proxy translates the randomized SQL back to the standard language.
➢ The mechanism imposes negligible performance overhead on query processing and can be
easily retrofitted to existing systems.
Fig. 3.4 SQLrand Architecture [8]
The mechanism provides a tool that reads SQL statements and rewrites all keywords with
the random key appended. For example:
select gender, avg(age) from cs101.students
where dept = %d
group by gender
The utility identifies the six keywords in the example query and appends the key to each
one (e.g., when the key is "123"):
select123 gender, avg123 (age)
from123 cs101.students
where123 dept = %d
group123 by123 gender
A proxy server sits between the client (web server) and the SQL server, de-randomizes
the requests received from the client, and conveys the query to the server. If a SQL
injection attack has occurred, the proxy's parser will fail to recognize the injected
keywords, which lack the key, and will reject the query. The implementation focused on
CGI scripts as the query generators; a similar approach applies when queries are
generated through JDBC.
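The randomize/de-randomize round trip above, as an added example that is not the SQLrand authors' code. It uses the report's example query and key "123"; the keyword set is a constructed subset sufficient for that query (the real tool covers the full SQL grammar), and the proxy is reduced to one function that strips the key and rejects any standard keyword that arrives without it.

```python
import re

# Constructed keyword set; the real SQLrand utility handles the full SQL grammar.
SQL_KEYWORDS = {"select", "from", "where", "group", "by", "avg", "and", "or",
                "union", "insert", "update", "delete", "drop", "order", "having"}
WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def randomize_sql(template, key):
    """Build-time utility: append the key to every keyword of the trusted query
    template, before any user data is substituted into it."""
    def rewrite(match):
        word = match.group(0)
        return word + key if word.lower() in SQL_KEYWORDS else word
    return WORD.sub(rewrite, template)


def derandomize_sql(query, key):
    """Proxy side: strip the key from randomized keywords. A standard keyword
    without the key cannot have come from the template, so it arrived inside
    user data; the proxy then rejects the whole query (returns None)."""
    bare = []

    def restore(match):
        word = match.group(0)
        if word.endswith(key) and word[:-len(key)].lower() in SQL_KEYWORDS:
            return word[:-len(key)]
        if word.lower() in SQL_KEYWORDS:
            bare.append(word)
        return word

    standard = WORD.sub(restore, query)
    return None if bare else standard


# The report's example query, with %d as the application's user-supplied value.
TEMPLATE = "select gender, avg(age) from cs101.students where dept = %d group by gender"


def run_request(dept_value, key="123"):
    """Web server builds the randomized query with the user value; the proxy
    de-randomizes it (or rejects it) before it reaches the database."""
    randomized = randomize_sql(TEMPLATE, key).replace("%d", dept_value)
    return derandomize_sql(randomized, key)


if __name__ == "__main__":
    print(randomize_sql(TEMPLATE, "123"))
    print(run_request("7"))                      # standard SQL reaches the database
    print(run_request("7 or 1=1"))               # None: bare "or" came from user data
    print(run_request("7; drop table students")) # None: bare "drop"
```

The security of the scheme rests on the key staying unknown to anyone who can supply input; an attacker who learns it (for example from an error message that echoes the randomized query) can append it to injected keywords, so the proxy should never leak randomized SQL in its rejections.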
3.4 Comparative Analysis of All Existing Models
Model: SANIA
Advantages:
1) It can detect SQL vulnerabilities during the development and debugging phase of a
web application.
2) It identifies vulnerable spots by analysing SQL queries.
Disadvantages:
1) It requires knowledge of the database; without that knowledge an attack cannot be
handled.

Model: SBSQLID
Advantages:
1) The main advantage of this approach is that the error message generated does not
contain any metadata (information about the database that could help the attacker).
Disadvantages:
1) The web service is not integrated with the web application. Any modification to the
system must be done in such a way that it is supported by the web service.

Model: RDUD
Advantages:
1) It uses a supervised learning approach (SVM) to learn and to classify a query at run
time.
2) It is based on a classification task.
Disadvantages:
1) Special care must be taken to maintain the integrity of the web profile files to avoid
poisoning of the web profiles.
2) Not applicable for bypassing authentication.

Model: TransSQL
Advantages:
1) It is a server-side application, so it does not change the legacy web application.
2) The query is checked twice before information is retrieved.
Disadvantages:
1) This model is unable to protect against set operations, instances or aliases directly.

Model: Query Tokenization
Advantages:
1) It converts the query into tokens delimited by spaces, single quotes and double
dashes.
2) Applicable to all types of SQLIA.
Disadvantages:
1) The original query of the input query that contains the injection must be stored.
Table 3.1 Comparative Analysis of All Existing Models [9]
4. Top 5 Victims of SQL Injection Attacks
4.1 TalkTalk Cyber-attack [10]
A cyber-attack exploited vulnerabilities in three webpages operated by TalkTalk. The
exploitation of this vulnerability allowed access to an underlying database holding
customers' personal data, including names, addresses, dates of birth, phone numbers,
email addresses and financial information.
The attack type, SQL injection, was identified shortly after midday on 21 October, and
around an hour later TalkTalk took its websites down and replaced them with a holding
page.
TalkTalk says 156,959 customers' personal details were accessed and 15,656 bank account
numbers and sort codes were stolen.
The investigation found there had been two previous SQL injection attacks, on 17 July
2015 and between 2 and 3 September 2015, but TalkTalk did not take any action due to a
lack of monitoring of the webpages.
The ICO decided to issue its biggest ever fine, £400,000, to TalkTalk. The firm settled
the ICO fine for £320,000, saving £80,000 by paying early.
4.2 Russian Hackers Amass Over a Billion Internet Passwords [11]
A Russian crime ring has amassed the largest known collection of stolen Internet
credentials, including 1.2 billion user name and password combinations and more than
500 million email addresses, security researchers say.
So far, the criminals have not sold many of the records online. Instead, they appear to
be using the stolen information to send spam on social networks like Twitter at the
behest of other groups, collecting fees for their work.
The Russian hackers have been able to capture credentials on a mass scale using botnets
(networks of zombie computers that have been infected with a computer virus) to do
their bidding. Any time an infected user visits a website, the criminals command the
botnet to test that website to see if it is vulnerable to a well-known hacking technique
known as SQL injection, in which a hacker enters commands that cause a database to
produce its contents. If the website proves vulnerable, the criminals flag the site and
return later to extract the full contents of the database.
4.3 Human Rights Foundation Website Hacked, Thousands of Accounts Exposed [12]
The Hungarian Human Rights Foundation website was hacked by Kapustkiy and CyberZeist,
who managed to get access to over 20,000 accounts and personal information, including
phone numbers and home addresses.
Security pentester Kapustkiy told us that the data breach was possible through a SQL
injection, which gave him access to databases that included thousands of accounts,
including some related to the US government (using the @state.gov suffix).
4.4 Hackers Exploit vBulletin Flaw to Access 27M Accounts on 11 Websites [13]
Attackers used a flaw in the internet forum software vBulletin to breach 11 websites,
exposing the personal information of 27 million accounts, according to the breached-data
monitoring service LeakedSource.
The breached websites used outdated versions of the vBulletin software that contained
SQL injection flaws in the Forum Runner add-on.
Several other domains were also breached, including expertlaw.com, ageofconan.com,
anarchy-online.com, freeadvice.com, gamesforum.com, longestjourney.com, ppcgeeks.com,
and thesecretworld.com.
5. SQL INJECTION CONCLUSION
SQL injection is a technique for exploiting applications that use relational databases as
their back end. Applications compose SQL statements and send them to the database. SQL
injection uses the fact that many of these applications concatenate the fixed part of the
SQL statement with user-supplied data that forms WHERE predicates or additional
sub-queries.
➢ The technique is based on malformed user-supplied data.
➢ It transforms innocent SQL calls into malicious calls.
➢ It causes unauthorized access, deletion of data, or theft of information.
➢ All databases can be a target of SQL injection and all are vulnerable to this
technique.
➢ The vulnerability is in the application layer, outside of the database, from the
moment the application has a connection into the database.
6. REFERENCES
1. Microsoft, "SQL Injection". Retrieved 2016-12-25.
2. "Media Type registration for application/sql". Internet Assigned Numbers Authority,
10 April 2013.
3. "The application/sql Media Type", RFC 6922. Internet Engineering Task Force, April
2013, p. 3.
4. Adi Kaploun, Eliran Goshen, Check Point Threat Intelligence and Research Team,
posted 2015/05/07. Retrieved 2016/12/25.
5. E
6. Gaurav Srivastava, "SQL Injection Attacks: Technique and Prevention Mechanism",
International Journal of Computer Applications (0975-8887), Volume 69, No. 7, May 2013.
7. Swapnit Kharche, "Preventing SQL Injection Attack using Pattern Matching Algorithm",
2015.
8. Stephen W. Boyd, "SQLrand: Preventing SQL Injection Attacks", Department of Computer
Science, Columbia University, {swb48,angelos}@cs.columbia.edu.
9. Gaurav Srivastava, "SQL Injection Attacks: Technique and Prevention Mechanism",
International Journal of Computer Applications (0975-8887), Volume 69, No. 7, May 2013.
10. Andres Andreu, Professional Pen Testing for Web Applications, Wrox, 2006.
11. "TalkTalk Cyber Attack", 2015. Accessed 26 Dec 2016.
https://ico.org.uk/about-the-ico/news-and-events/talktalk-cyber-attack-how-the-ico-investigation-unfolded/
12. "Russian Hackers Amass Over a Billion Internet Passwords". Accessed 26 Dec 2016.
http://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O#sKDlGwuCIcLY2dVc.97
13. "vBulletin Flaw to Access 27M Accounts". Accessed 26 Dec 2016.
http://news.softpedia.com/news/human-rights-foundation-website-hacked-thousands-of-accounts-exposed-510384.shtml
14. Chris Anley, "Advanced SQL Injection In SQL Server Applications",
http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
15. Stephen J. Friedl, "SQL Injection Attacks by Example",
http://www.unixwiz.net/techtips/sql-injection.html, 2005.

Sql injection

  • 1.
  • 2.
    HASHMI SAFWAN Table ofContents 1. SQL Injection.................................................................................................................................. 1 1.1 What is SQL?..........................................................................................................1 1.2 What is SQL Injection?........................................................................................... 1 1.3 How Common Is It..................................................................................................1 1.4 Valnerable Applications.......................................................................................... 2 1.5 How Does SQL Injetion Work ...............................................................................2 1.6 The Power of ' (Single Qoute)................................................................................4 1.7 SQL Injection Characters........................................................................................5 1.8 Impact of SQL Injetion ........................................................................................... 5 2. Classification of SQL Injections Attacks .......................................................................6 2.1. Classification of SQL Injection Attacks .................................................................6 3. Preventing SQL Injections Attacks.................................................................................7 3.1. Novel Model for Preventing SQLIA .......................................................................7 3.2 . Pattern Matching Alogorithm ...................................................................................8 3.3 . SQLrand Architecture............................................................................................ 9 3.4 . Comparative analysis of All Existing Models ............................................................ 10 4. 
SQL Injections Attacks.................................................................................................... 11 5. SQL Ijnection Conclusion .............................................................................................. 13 6. References........................................................................................................................ 14
  • 3.
    HASHMI SAFWAN List ofFigures Fig 1.1 High Level Structure of Crypton ............................................................................2 Fig 1.2 Data Representation Array.......................................................................................3 Fig 1.3 Byte-Wise Substitution ...........................................................................................4 Fig 1.4 Byte-Wise Permutation(a) .......................................................................................4 Fig 1.4 Byte-Wise Permutation(b) .......................................................................................5 Fig 1.5 Colum to Row Transposition ..................................................................................5 Fig 1.6 Key Scheduling........................................................................................................5 Fig 1.7 Minimum Diffusion Patterns ..................................................................................6
  • 4.
    HASHMI SAFWAN List ofTable Table 1.1 Table User(a).......................................................................................................4 Table 1.1 Tables Users(b) ...................................................................................................5 Table 1.1 Classificationg of SQL Injection Attacks............................................................5 Table 3.1 Comparative Analysis of Existing Models .........................................................4
  • 5.
    HASHMI SAFWAN List ofFigures Fig 3.1 Web Architecture ....................................................................................................2 Fig 3.2 Tokenizatuon Architecture.......................................................................................3 Fig 3.3 Pattern Architecture ................................................................................................4 Fig 3.4 SQLrand Architecture..............................................................................................4
  • 6.
    HASHMI SAFWAN Abbreviations andAcronyms SQL Structured Query Language ANSI American National Standards Institute SQLIA SQL Injection Attack SBSQLID Service Based SQL Injection Detection RDUD Rule based Detection of SQL Injection Attack SANIA Syntactic and Semantic Analysis for Automated Testing against SQL Injection
  • 7.
    HASHMI SAFWAN 1. SQLINJECTION SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data [1]. It's a serious vulnerability, which can lead to a high level of compromise - usually the ability to run any database query. 1.1 What Is Sql? SQL stand for Structured Query Language [2][3]. It allows us to access a database. SQL is based on ANSI and ISO standard Computer Language. The most current standard is SQL99. SQL statements are used to perform tasks such as retrieve, create, update or delete data from a database. Some common relational database management systems that use SQL are: Oracle, MS SQL Server, MS Access, Ingres, DB2, Sybase, Informix, etc. Although there are many versions of SQL language, However, the standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used throughout all database with little changes. All of the core functions, such as adding, reading and modifying data, are the same. 1.2 What Is Sql Injection? The ability to inject SQL commands into the database engine through an existing application. It is an attack on web-based applications that connect to database back-ends in which the attacker executes unauthorized (and unexpected) SQL commands by taking advantage of insecure code and bad input validation. It is very often done on systems connected to the Internet because it allows to completely bypass the firewall. SQL injection attacks can be used to steal information from a database from which the data would normally not be available and to gain access to host computers through the database engine. 1.3 How Common Is It? The principle issue with SQL Injection is that the weakness is begun when the web application is coded. Most software engineers are still not mindful of the issue. 
Instructional exercises and demo "layouts" on the Internet and even some that have been transported with business databases advance building inquiries by connecting strings, which is the primary hotspot for SQL Injection vulnerabilities.
  • 8.
    HASHMI SAFWAN 1.4 VulnerableApplications All SQL databases and programming dialects are possibly vulnerable. It is an input validation problem that must be considered and customized by the web application engineer. Programming languages are potentially vulnerable: ➢ MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc Accessed through application developed using: ➢ Perl and CGI scripts that access databases ➢ ASP, JSP, PHP ➢ XML, XSL and XSQL ➢ Java Script ➢ VB, MFC, and other ODBC-based tools and APIs ➢ DB specific Web-based applications and API’s ➢ Reports and DB Applications ➢ 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) 1.5 How Does Sql Injection Work? A typical method of validating users in an application is to by checking if the user and password combination exists in the user table. SELECT * FROM users WHERE USERNAME = 'SAFWAN' AND PASSWD = ' Admin! @#' The above statement will bring one record if there is one row where the USERNAME = 'SAFWAN' AND PASSWD = ' Admin! @#'. USERID USERNAME PASSWD ROLEID STATUS 1 SAFWAN Admin! @# 1 ACTIVE 2 ZIAD ZAID@@#$3 1 ACTIVE 3 WAQAR ABC@ASDFJ23 2 ACTIVE Table 1.1 User Table Injecting through Strings If attacker insert username as USERNAME = ' or 1=1 – – and password as PASSWD = anything. Then final query would look like this SELECT * FROM users WHERE username = ' ' or 1=1 AND password = 'anything'
By inserting a single quote, the username string is closed and the final concatenated string ends up interpreting or 1=1 as part of the command. The -- (double dash) comments out everything after the or 1=1 and avoids a syntax error. This could also have been achieved by inserting the following command:

' or '1'='1

By injecting either of the two commands discussed, an attacker would get logged in as the first user in the table. This happens because the WHERE clause ends up validating that the username = '' (nothing) OR 1=1 (OR '1'='1' in the second statement). The first condition is false but the second one is true. By using OR the whole condition is true and therefore all rows from the table users are returned. The result is not empty, therefore the login condition is met.

If the username field is numeric, as in the table below:

USERID    PIN   ROLEID  STATUS
12345678  1111  1       ACTIVE
78945612  1113  1       ACTIVE
35255468  0555  2       ACTIVE
Table 1.2 User Table

then the SQL command for retrieving the record will be:

SELECT * FROM USER WHERE USERID = 12345678 AND pin = 1111

If the attacker enters the username as

USERID = 1 or 1=1 #

and the PIN as

PIN = anything

then the final query would look like this:

SELECT * FROM User WHERE USERID = 1 Or 1=1 # AND Pin = 1111

Injecting into a numeric field is very similar. The main difference from string injection is that in numeric injection the first number is taken as the complete parameter (no need to close it with a single quote) and all the text after that number will be considered part of the command. In this case the # (number sign) is used instead of the -- (double dash) because we are injecting into a MySQL database.
1.6 The Power of ' (Single Quote)

The single quote character closes the string field and therefore allows all of the following text to be interpreted as SQL commands. To prevent this, a lot of the SQL injection quick solutions found on the Internet suggest escaping the single quote by doubling it (that is the standard way of escaping single quotes in SQL99). This is only a half remedy, though, because there are always numeric fields or dates within forms or parameters that will remain vulnerable.

1.7 SQL Injection Characters

• ' or "                     string indicators
• -- or #                    single-line comment
• /*…*/                      multiple-line comment
• +                          addition, concatenate (or space in URL)
• || (double pipe)           concatenate
• %                          wildcard attribute indicator
• ?Param1=foo&Param2=bar     URL parameters
• PRINT                      useful as non-transactional command
• @variable                  local variable
• @@variable                 global variable
• WAITFOR DELAY '0:0:10'     time delay

1.8 Impact of SQL Injection

• Leakage of sensitive information.
• Reputation decline.
• Modification of sensitive information.
• Loss of control of the DB server.
• Data loss.
• Denial of service.

Graph 1.1 Impact of SQL Injection
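The login queries of sections 1.5 and 1.6 run against a throwaway SQLite database, as an added example that is not part of the original paper. The rows are constructed to mirror Tables 1.1 and 1.2, and SQLite has no # comment marker, so the numeric payload uses -- instead. The point it makes: the concatenated query returns every user for the tautology payload, doubling single quotes stops the string payload but does nothing for the numeric field, and the parameterised query (plus an integer check on the numeric field) returns nothing for either payload.

```python
# Added example (not from the paper): the login queries of sections 1.5 and 1.6
# run against an in-memory SQLite copy of Tables 1.1 and 1.2, built three ways.
# SQLite's comment marker is -- (it has no #), so the numeric payload uses -- too.
import sqlite3

# Constructed sample rows mirroring Table 1.1 (users) and Table 1.2 (pins).
USERS = [
    (1, "SAFWAN", "Admin!@#", 1, "ACTIVE"),
    (2, "ZIAD", "ZAID@@#$3", 1, "ACTIVE"),
    (3, "WAQAR", "ABC@ASDFJ23", 2, "ACTIVE"),
]
PINS = [
    (12345678, "1111", 1, "ACTIVE"),
    (78945612, "1113", 1, "ACTIVE"),
    (35255468, "0555", 2, "ACTIVE"),
]


def make_db():
    """Create the two tables from the paper in a throwaway in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER, username TEXT, passwd TEXT, "
                "roleid INTEGER, status TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    con.execute("CREATE TABLE pins (userid INTEGER, pin TEXT, roleid INTEGER, status TEXT)")
    con.executemany("INSERT INTO pins VALUES (?, ?, ?, ?)", PINS)
    return con


def login_concat(con, username, password):
    """Vulnerable (section 1.5): user input is spliced into the SQL text, so the
    tautology payload closes the string and comments out the password check."""
    sql = f"SELECT * FROM users WHERE username = '{username}' AND passwd = '{password}'"
    return con.execute(sql).fetchall()


def login_quote_doubled(con, username, password):
    """The 'half remedy' of section 1.6: doubling single quotes keeps string
    fields safe, but it only helps where there is a quote to escape."""
    u, p = username.replace("'", "''"), password.replace("'", "''")
    sql = f"SELECT * FROM users WHERE username = '{u}' AND passwd = '{p}'"
    return con.execute(sql).fetchall()


def login_param(con, username, password):
    """Parameterised query: values travel separately from the SQL text and can
    never be parsed as commands, whatever characters they contain."""
    sql = "SELECT * FROM users WHERE username = ? AND passwd = ?"
    return con.execute(sql, (username, password)).fetchall()


def pin_login_concat(con, userid, pin):
    """Vulnerable numeric field (Table 1.2): there is no quote to close, so
    quote-doubling the input changes nothing and the text after the number is SQL."""
    sql = f"SELECT * FROM pins WHERE userid = {userid} AND pin = '{pin}'"
    return con.execute(sql).fetchall()


def pin_login_param(con, userid, pin):
    """Safe numeric login: reject anything that is not a whole number, then bind."""
    try:
        uid = int(userid)
    except ValueError:
        return []
    sql = "SELECT * FROM pins WHERE userid = ? AND pin = ?"
    return con.execute(sql, (uid, pin)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("concat:", len(login_concat(db, payload, "anything")), "rows")             # 3
    print("quote doubled:", len(login_quote_doubled(db, payload, "anything")), "rows")  # 0
    print("param:", len(login_param(db, payload, "anything")), "rows")               # 0
    numeric_payload = "1 or 1=1 --"
    print("numeric concat:", len(pin_login_concat(db, numeric_payload, "x")), "rows")  # 3
    print("numeric param:", len(pin_login_param(db, numeric_payload, "x")), "rows")    # 0
```

Run it directly to print the row counts for each variant. The parameterised form is the fix that the prevention models in section 3 try to approximate from the outside: the driver sends the SQL text and the values separately, so no character in the input can change the statement's structure.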
1.9 Latest SQL Injection Statistics in 2016

SQL injection log ratio from one monitored network in the past 60 days (over 8000 events):

Fig 1.2 SQL Injection Log Ratio [4]

Fig 1.3 Identification of the attacking sources in the TP events [4]
Fig 1.4 Distribution by country of the attacking sources in the TP events [4]
2. CLASSIFICATION OF SQL INJECTION ATTACKS

2.1 Classification of SQL Injection Attacks

CLASSIFICATION / METHODS / TECHNIQUES OR IMPLEMENTATION

1 Intent
  Methods:
    • Identifying injectable parameters
    • Extracting data
    • Adding or modifying data
    • Performing denial of service
    • Evading detection
    • Bypassing authentication
    • Executing remote commands
    • Performing privilege escalation
  Techniques/implementation: see 'Input Type of Attacks'.

2 Input Source
  • Injecting through user input: malicious strings in web forms, both GET and POST methods
  • Injecting through cookies: modified cookie fields containing SQLIA
  • Injection through server variables: server variables are manipulated to contain SQLIA
  • Second-order injection: frequency-based primary application, frequency-based secondary application, secondary support application, cascaded submission application

3 Input Type of Attacks (technical aspects)
  Classic SQLIA:
    • Piggy-backed queries
    • Tautologies
    • Alternate encodings
    • Illegal/logically incorrect queries
    • Union SQLIA
    • Stored procedure SQLIA
  Inference:
    • Classic blind SQLIA: conditional responses, conditional errors, out-of-band channeling
    • Timing SQLIA: double blind SQLIA (time delays/benchmark attacks), deep blind SQLIA (multiple statements of SQLIA)
  DBMS-specific SQLIA:
    • DB fingerprinting
    • DB mapping
  Compound SQLIA:
    • Fast-fluxing SQLIA

Table 2.1 Classification of SQLIA
3. PREVENTING SQL INJECTION ATTACKS (SQLIA)

3.1 Novel Model for Preventing SQLIA

Gaurav Srivastava and Kshitij Pathak presented an architecture for preventing SQL injection attacks.

Fig 3.1 Web Architecture (a) [6]
Fig 3.2 Proposed Architecture (b) [6]

This model proposes a double authentication process on both relational and hierarchical databases by applying a tokenization approach to both databases. The task is performed in three steps:

Step 1: Query forwarding.
Step 2: Tokenization process on the query.
Step 3: Comparison of array index.

Figure 3.2 shows the proposed architecture of SQLIA prevention through double authentication via tokenization, using the three steps above.

Step 1: Query Forwarding. When a query comes from a user via the user interface, the input query is forwarded to both databases, one created with the relational approach and the other based on the hierarchical approach.

Step 2: Tokenization Process on Query. The input query is divided into tokens on the basis of the spaces, single quotes and double dashes between them. Once the tokens are determined, they are stored in an array. The tokenization process is applied on both databases.
Step 3: Comparison of Array Index. In this step the lengths of the two arrays are compared. If the lengths L1 and L2 are the same, there is no injection in the query and the query proceeds to the main database to retrieve the result. But if the lengths L1 and L2 differ, an injection exists and the query is not forwarded to the database; the result is a NULL value.

3.2 Pattern Matching Algorithm

This proposed scheme has the following two modules [7].

1) Static phase
Step 1: The user-generated SQL query is sent to the proposed static pattern matching algorithm.
Step 2: The static pattern matching algorithm is applied.
Step 3: The anomaly patterns are maintained in a static pattern list; during the pattern matching process each pattern is compared with the stored anomaly patterns in the list.
Step 4: If the pattern exactly matches one of the stored patterns in the anomaly pattern list, then the SQL query is affected by an SQL injection attack.

2) Dynamic phase
Step 1: An anomaly score value is calculated for the user-generated SQL query; if this value is more than the threshold value, then an alarm is given and the query is passed to the administrator.
Step 2: If the admin receives an alarm, the query is manually analysed. If the query is infected by SQLIA then a pattern is generated and added to the static pattern list.

Fig 3.3 Pattern Matching Algorithm for Preventing SQLIA [7]
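An added example, my own code rather than the authors', that implements one reading of the token-count check of section 3.1 and both phases of section 3.2. Two things are assumptions not stated in the papers: the expected token count L1 is taken from the application's own query template, and the anomaly score is a count of suspicious characters and keywords in the user-supplied input. The anomaly patterns, the threshold and the sample inputs are constructed for the example.

```python
# Added example (not the authors' code): a reading of the token-count check of
# section 3.1 and the static/dynamic pattern matching of section 3.2.
# Assumptions not stated in the papers: the expected token count comes from the
# query template the application meant to send, and the anomaly score is a
# count of suspicious characters and keywords in the user-supplied input.
import re

TEMPLATE = "SELECT * FROM users WHERE username = '{u}' AND passwd = '{p}'"


def build_query(username, password):
    """The (vulnerable) concatenated query that the model inspects."""
    return TEMPLATE.format(u=username, p=password)


def tokenize(query):
    """Section 3.1, step 2: split on spaces, single quotes and double dashes."""
    return [t for t in re.split(r"\s+|'|--", query) if t]


def token_count_check(query):
    """Section 3.1, step 3: compare the live query's token count (L2) with that
    of a benign instance of the template (L1). Equal means no injection."""
    expected = len(tokenize(build_query("u", "p")))   # L1, assumed to come from the template
    return len(tokenize(query)) == expected            # L2


# Section 3.2, static phase: stored anomaly patterns (constructed for this example).
STATIC_PATTERNS = [
    r"'\s*or\s+1\s*=\s*1",   # classic tautology
    r"--\s*$",               # trailing comment that cuts off the rest of the query
    r"union\s+select",
    r";\s*drop\s+table",
]

SUSPICIOUS = ["'", "--", "#", "/*", "*/", "=", ";", "||"]   # from section 1.7
KEYWORDS = ["or", "and", "union", "select"]
THRESHOLD = 2   # constructed threshold for the dynamic phase


def static_phase(user_input):
    """Steps 3-4: the input is an attack if it matches any stored anomaly pattern."""
    return any(re.search(p, user_input, re.IGNORECASE) for p in STATIC_PATTERNS)


def anomaly_score(user_input):
    """Dynamic phase, step 1 (assumed scoring): count suspicious characters and keywords."""
    score = sum(user_input.count(s) for s in SUSPICIOUS)
    score += sum(len(re.findall(rf"\b{k}\b", user_input, re.IGNORECASE)) for k in KEYWORDS)
    return score


def classify(user_input):
    """'attack' (static match), 'alarm' (score over threshold, sent to the admin) or 'ok'."""
    if static_phase(user_input):
        return "attack"
    if anomaly_score(user_input) > THRESHOLD:
        return "alarm"
    return "ok"


def admin_confirms(pattern):
    """Dynamic phase, step 2: a manually confirmed pattern joins the static list."""
    STATIC_PATTERNS.append(pattern)


if __name__ == "__main__":
    print(token_count_check(build_query("ZIAD", "abc")))              # True
    print(token_count_check(build_query("' or 1=1 --", "anything")))  # False: 13 tokens, not 12
    print(token_count_check(build_query("John Smith", "abc")))        # False: legitimate space
    for value in ("SAFWAN", "O'Brien", "' or 1=1 --", "' or 'a'='a"):
        print(repr(value), classify(value))
    admin_confirms(r"'\s*or\s+'")          # admin promotes the alarmed input to a static pattern
    print(classify("' or 'a'='a"))         # now 'attack'
```

The "John Smith" case shows the limitation of counting tokens split on spaces: a legitimate value containing a space or a quote changes the count just as an injection does, so a deployment of this model needs per-field templates or input normalisation to keep the false-positive rate down. The apostrophe in "O'Brien" is also why the dynamic phase uses a threshold rather than flagging every quote.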
3.3 SQLrand Architecture

➢ Apply instruction-set randomization to SQL.
➢ Create instances of the language that are unpredictable to the attacker.
➢ Queries injected by the attacker will be caught by the database parser.
➢ An intermediary proxy translates the random SQL to its standard language.
➢ The mechanism imposes negligible performance overhead on query processing and can be easily retrofitted to existing systems.

Fig. 3.4 SQLrand Architecture [8]

The mechanism provides a tool that reads SQL statement(s) and rewrites all keywords with the random key appended:

select gender, avg(age) from cs101.students where dept = %d group by gender

The utility will identify the six keywords in the example query and append the key to each one (e.g., when the key is "123"):

select123 gender, avg123 (age) from123 cs101.students where123 dept = %d group123 by123 gender

A proxy server sits between the client (web server) and the SQL server, de-randomizes requests received from the client, and conveys the query to the server. If an SQL injection attack has occurred, the proxy's parser will fail to recognize the randomized query and will reject it. The implementation focused on CGI scripts as the query generators; a similar approach applies when using JDBC queries.
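A toy version of the randomisation and de-randomisation described in section 3.3, as an added example; it is not the SQLrand authors' code. It uses the paper's sample query and the key "123", but assumes a fixed keyword list and a regex-based proxy, whereas the real SQLrand derives the randomised language from a modified SQL parser and so can tell a keyword inside a string literal from one in code.

```python
# Added example (not the SQLrand authors' code): a toy version of the keyword
# randomisation of section 3.3, using the paper's sample query and key "123".
# Assumptions: a fixed keyword list and a regex-based proxy; the real SQLrand
# derives the randomised language from a modified SQL parser.
import re

KEYWORDS = {"select", "from", "where", "group", "by", "avg", "and", "or",
            "insert", "update", "delete", "drop", "union"}
WORD = re.compile(r"[A-Za-z_][A-Za-z_0-9]*")


class InjectionDetected(Exception):
    """Raised by the proxy when a query contains a keyword without the key."""


def randomize_template(sql, key):
    """Developer-side utility: append the key to every SQL keyword in the template."""
    def rewrite(m):
        word = m.group(0)
        return word + key if word.lower() in KEYWORDS else word
    return WORD.sub(rewrite, sql)


def derandomize(sql, key):
    """Proxy side: strip the key from randomised keywords. A bare keyword can only
    have come from user data, so the query is rejected before reaching the DBMS."""
    def restore(m):
        word = m.group(0)
        if word.endswith(key) and word[:-len(key)].lower() in KEYWORDS:
            return word[:-len(key)]
        if word.lower() in KEYWORDS:
            raise InjectionDetected(f"un-randomised keyword {word!r}")
        return word
    return WORD.sub(restore, sql)


def proxy(sql, key):
    """Returns the standard-SQL query to forward, or None when it is rejected."""
    try:
        return derandomize(sql, key)
    except InjectionDetected:
        return None


if __name__ == "__main__":
    template = "select gender, avg(age) from cs101.students where dept = %d group by gender"
    rand = randomize_template(template, "123")
    print(rand)
    print(proxy(rand.replace("%d", "4"), "123"))          # standard SQL is forwarded
    print(proxy(rand.replace("%d", "4 or 1=1"), "123"))   # None: injected 'or' has no key
```

The application only appends the key to keywords in its own templates, so the attacker's injected keywords arrive at the proxy without it and the query is dropped before it reaches the DBMS. The toy regex would also reject a legitimate string value that happens to be a keyword, which is exactly why the real system works at the parser level rather than on raw text.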
3.4 Comparative Analysis of All Existing Models

Sania
  Advantages:
    1) It can detect SQL vulnerabilities during the development and debugging phase of a web application.
    2) It identifies vulnerable spots by analysing SQL queries.
  Disadvantages:
    1) It requires knowledge of the database; without that knowledge an attack cannot be handled.

SBSQLID
  Advantages:
    1) The main advantage of this approach is that the error message generated does not contain any metadata (information about the database that could help the attacker).
  Disadvantages:
    1) The web service is not integrated with the web application. Any modification to the system must be done in such a way that it is supported by the web service.

RDUD
  Advantages:
    1) It uses a supervised learning approach using SVM to learn and to classify a query at run time.
    2) It is based on a classification task.
  Disadvantages:
    1) Special care must be taken to maintain the integrity of the web profile files to avoid poisoning of web profiles.
    2) Not applicable for bypass authentication.

Trans SQL
  Advantages:
    1) It is a server-side application, so it does not change the legacy web application.
    2) The query is checked twice before retrieving information.
  Disadvantages:
    1) This model is unable to prevent attacks using set operations, instances or aliases directly.

Query Tokenization
  Advantages:
    1) It converts the query into tokens delimited by spaces, single quotes and double dashes.
    2) Applies to all types of SQLIA.
  Disadvantages:
    1) The original query corresponding to an input query that contains an injection must be stored.

Table 3.1 Comparative Analysis of All Existing Models [9]
4. Top 5 Victims of SQL Injection Attacks

4.1 TalkTalk Cyber-attack [10]

A cyber-attack exploited vulnerabilities in three webpages operated by TalkTalk. Exploiting this vulnerability allowed access to an underlying database holding customers' personal data, including names, addresses, dates of birth, phone numbers, email addresses and financial information. The attack type, SQL injection, was identified shortly after midday on 21 October, and around an hour later TalkTalk removed its websites and replaced them with a holding page. TalkTalk says 156,959 customers' personal details were accessed and 15,656 bank account numbers and sort codes were stolen. The investigation found there had been two previous SQL injection attacks, on 17 July 2015 and between 2-3 September 2015, but TalkTalk did not take any action due to a lack of monitoring of the webpages. The ICO decided to issue its biggest ever fine, £400,000, to TalkTalk; the firm settled the ICO fine for £320,000, saving £80,000 by paying early.

4.2 Russian Hackers Amass Over a Billion Internet Passwords [11]

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say. So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work. The Russian hackers have been able to capture credentials on a mass scale using botnets (networks of zombie computers that have been infected with a computer virus) to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

4.3 Human Rights Foundation Website Hacked, Thousands of Accounts Exposed [12]

The Hungarian Human Rights Foundation website was hacked by Kapustkiy and CyberZeist, who managed to get access to over 20,000 accounts and personal information, including phone numbers and home addresses.
Security pentester Kapustkiy told us that the data breach was possible with a SQL injection, which provided him with access to databases that included thousands of accounts, including some that are related to the US government (using the @state.gov suffix).

4.4 Hackers Exploit vBulletin Flaw to Access 27M Accounts on 11 Websites [13]

Attackers used a flaw in the internet forum software vBulletin to breach 11 websites, exposing the personal information of 27 million accounts, according to the breached-data monitoring service LeakedSource. The breached websites used outdated versions of the vBulletin software that contained SQL injection flaws in the Forum Runner add-on. Several other domains were also breached, including expertlaw.com, ageofconan.com, anarchy-online.com, freeadvice.com, gamesforum.com, longestjourney.com, ppcgeeks.com, and thesecretworld.com.
5. SQL INJECTION CONCLUSION

SQL injection is a technique for exploiting applications that use relational databases as their back end. Applications compose SQL statements and send them to the database. SQL injection uses the fact that many of these applications concatenate the fixed part of the SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.

➢ The technique is based on malformed user-supplied data.
➢ It transforms innocent SQL calls into malicious calls.
➢ It causes unauthorized access, deletion of data, or theft of information.
➢ All databases can be a target of SQL injection and all are vulnerable to this technique.
➢ The vulnerability is in the application layer outside of the database, and exists from the moment that the application has a connection into the database.
6. REFERENCES

1. Microsoft, "SQL Injection". Retrieved 2016-12-25. SQL injection is an attack.
2. "Media Type registration for application/sql". Internet Assigned Numbers Authority, 10 April 2013.
3. "The application/sql Media Type, RFC 6922". Internet Engineering Task Force, April 2013, p. 3.
4. Adi Kaploun, Eliran Goshedn, "Check Point Threat Intelligence and Research Team", posted 2015/05/07. Retrieved 2016/12/25.
5. E
6. Gaurav Srivastava, "SQL Injection Attacks: Technique and Prevention Mechanism", International Journal of Computer Applications (0975 – 8887), Volume 69, No. 7, May 2013.
7. Swapnit Kharche, "Preventing SQL Injection Attack Using Pattern Matching Algorithm", 2015.
8. Stephen W. Boyd, "SQLrand: Preventing SQL Injection Attacks", Department of Computer Science, Columbia University, { fswb48,angelosg}@cs.columbia.edu.
9. Gaurav Srivastava, "SQL Injection Attacks: Technique and Prevention Mechanism", International Journal of Computer Applications (0975 – 8887), Volume 69, No. 7, May 2013.
10. Andres Andreu, Professional Pen Testing for Web Applications, Wrox, 2006.
11. "TalkTalk Cyber Attack", 2015. Accessed 26 Dec 2016. https://ico.org.uk/about-the-ico/news-and-events/talktalk-cyber-attack-how-the-ico-investigation-unfolded/
12. "Russian Hackers Amass Over a Billion Internet Passwords". Accessed 26 Dec 2016. http://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O#sKDlGwuCIcLY2dVc.97
13. "vBulletin Flaw to Access 27M Accounts". Accessed 26 Dec 2016. http://news.softpedia.com/news/human-rights-foundation-website-hacked-thousands-of-accounts-exposed-510384.shtml
14. Chris Anley, "Advanced SQL Injection In SQL Server Applications", http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
15. Stephen J. Friedl, "SQL Injection Attacks by Example", http://www.unixwiz.net/techtips/sql-injection.html, 2005.