Introduction to SQL Injection

Thursday, 15 September 2011

This article covers the basics of what SQL Injection is and how it works under the hood. Most people act as if they know SQL Injection because they can paste a known PHP-Nuke exploit into the address bar and, bam, it's done. Discovering an injection is not that easy; once it is discovered it is a lot easier to use, which is what most people do: reuse SQL Injections that someone else already found.
What is SQL?
SQL stands for Structured Query Language. It has been around for ages and can be used from practically every programming language; where a language has no native SQL support, a library usually provides the equivalent. The basic function of SQL is to give full control over databases. With SQL you issue what is known as a "statement", an instruction that can do anything from displaying only the users in a table to adding new users, passwords or descriptions to a table or to the database in general.
Example Scenario:
Let's say you have an Access database that contains a table called TblUsers. Each column holds one piece of information about a user; let's say the columns are Username, Password, Hash and Email. You want to show just the username and password from the Access DB using an SQL statement. You would write the following:
SELECT Username,Password FROM TblUsers
This would specifically "select" the Username and Password (column names are always separated by the delimiter ",") "from" the table you wish to pull the information from, which was TblUsers. Then you would simply execute your SQL statement and have it dump to whatever you are displaying the information in (listview, text file, HTML file, etc.).
So, as you can see, SQL is very handy. That's just a simple example of what it's used for. You can also use basic commands like INSERT, which allows you to insert information into columns. That is where a lot of the vulnerabilities come into play with SQL Injection.
What is SQL Injection? (Example based off PHP scripts)
SQL Injection is a method of injecting data into a remote table or other kind of database that is managed by SQL statements. It is not limited to inserting information: given the right scenario you can also use it to pull back and display valuable information, even with the common statements above. A lot of the time SQL Injection is as simple as rearranging the POST data a PHP script receives and adding things like "admin=1", which would normally be a hidden field used only when creating administrators.
A lot of the web logins you see, with a section for entering a username and password, run an SQL statement to verify and validate that you really are a registered user in the database. You could inject SQL commands into that query by sending your own crafted username and password. There is no limit to the kinds of information you could be injecting. Let's look at some prime examples of vulnerabilities in PHP-Nuke (they are outdated, but you will get the idea).
modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20--
Let's cross-examine this old vulnerability. First you see a basic PHP script; such scripts are the prime targets for a lot of attacks. The attacker requested a normal page, but after &cid=2 they appended an SQL statement. If the script is not coded to reject such input, you can use almost any query against the vulnerable script.
Now, you see that they ran UNION SELECT counter, aid, pwd FROM nuke_authors --
UNION is a common statement that lets you run two SQL queries together and dump the information into the same output. After that they use the basic example I showed you above, but notice the "--"? This is a common method used to bypass login credentials. "--" starts an SQL comment, so everything after it, including whatever remained of the original query, is ignored rather than producing the errors it would otherwise cause.
So, the output would be a dump of the information from those columns onto the web site.
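To show what that URL does inside the application, here is an added example (not code from the original article or from PHP-Nuke) that rebuilds the downloads lookup in Python with an in-memory SQLite database. The table and column names follow the ones on the page, the rows are constructed sample data, and the function names are my own. The vulnerable version pastes the cid parameter into the SQL text, so the UNION half appends author rows and the "--" comments out the rest of the original query; the fixed version validates the type and binds the value as a parameter.

```python
import sqlite3

PAYLOAD = "2 UNION SELECT counter, aid, pwd FROM nuke_authors --"  # the page's cid value, decoded


def make_db():
    # Constructed schema loosely modelled on the PHP-Nuke tables named on the page;
    # the rows are made-up sample data, not real credentials.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE nuke_downloads (lid INTEGER, cid INTEGER, title TEXT, active INTEGER);
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT, counter INTEGER);
        INSERT INTO nuke_downloads VALUES (1, 2, 'tool-a', 1), (2, 3, 'tool-b', 1), (3, 2, 'tool-c', 0);
        INSERT INTO nuke_authors VALUES ('admin', 'hash-of-admin', 7);
    """)
    return con


def view_download_vulnerable(con, cid):
    # The bug: the request parameter becomes SQL text. With PAYLOAD the query reads
    #   ... WHERE cid=2 UNION SELECT counter, aid, pwd FROM nuke_authors -- AND active=1
    # so author rows are appended and "AND active=1" is commented out.
    sql = f"SELECT lid, cid, title FROM nuke_downloads WHERE cid={cid} AND active=1"
    return con.execute(sql).fetchall()


def view_download_fixed(con, cid):
    # The fix: reject anything that is not an integer, then bind it as a parameter.
    # The "?" is a value slot, never SQL text, so UNION or comment tricks cannot
    # change the query structure.
    cid = int(cid)  # raises ValueError for PAYLOAD before the database is touched
    sql = "SELECT lid, cid, title FROM nuke_downloads WHERE cid=? AND active=1"
    return con.execute(sql, (cid,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from the fixed lookup, fixed lookup's verdict on the payload)."""
    con = make_db()
    leaked = view_download_vulnerable(con, PAYLOAD)
    try:
        blocked = view_download_fixed(con, PAYLOAD)
    except ValueError:
        blocked = "rejected"
    return leaked, view_download_fixed(con, "2"), blocked


if __name__ == "__main__":
    print(demo())
```

The leaked result contains the inactive download (because "-- " removed the active filter) and the author row alongside the legitimate one, while the fixed lookup returns only the active cid=2 row and refuses the payload outright.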

Conclusion
If you want to test your own creations for SQL Injection, I recommend getting an SQL book or reference that lists all of the SQL statements and attacking your own modules with the common ones. If you want a more in-depth set of examples, which would teach you a lot more than I did, check out the SecurityFocus article; I have only given you the foundation, now you must take the next step and learn on your own.
This article is not huge, but it should give you a basic understanding of SQL Injection and of SQL in general. That way, when you hear someone bragging about how they attacked a site with SQL Injection and all they can show you is what they injected, not how they got that information, you know right away the truth about them.
