Skip to main content

Database Hacking Part - 2


SQL Statements with Injection Techniques

Tutorial 1 – Introduction to SQL Statements 

  Welcome to module two of this workshop. In this module, we will learn more about SQL Statements and how we can use them to hack into databases by injecting the SQL queries which we want to execute. Firstly we should understand the core of SQL statements, which should include types of SQL Statements, and how they are executed and when we need which statement. 

  There are many SQL statements, in fact tons of statements, which you can run and this all depends on what you want to achieve by executing those statements. However, there are a few statements that are mandatory, or required, statements by all types of applications that work with backend databases of any kind. 

  In this module we will first understand what are SQL statements and how SQL Injection works. We will also execute known SQL Injection attacks to understand and practice the SQL Injections.

What is SQL Statement? 

We have learned in the previous module what is Structured Query Language (SQL), which is basically a language to communicate with the database servers or Database Management System (DBMS). Now this communication can be of different nature. 

Example 01: A database can be asked to provide information about any individual, meaning that you want to query database server for selected individual, which you already know. 

Example 02: A database can be informed regarding an individual with more current information, so that it can keep the latest information about this selected individual. 

Example 03: A database server can be asked to delete all the information.

Example 04: A database served is informed about someone about that it doesn’t have any information for; it’s like creating new record or new data in the database server.

There are many more examples and it all depends on what action we want to perform or what communication is required with database servers.

Common Types of SQL Statements

   In this section we will study the common and mostly used SQL Statements that will also cover the above four given examples. As we have already said, there are many SQL Statements that are used by programmers or database administrators, but it all depends on action required to be performed on the database server. So let’s explore those SQL Statements that are required or mandatory to be understood by a security professional. In fact, a security professional should have a solid understanding and experience with SQL statements, but at least the following statements in the graphical diagram presented below should be well understood, and practically experienced.

In union and join in the above table, I believe ‘comine’ should be ‘combine’.

Syntax of SQL Statements

  Exercise 1 – Executing SQL Statements 

  In this exercise we will practice these SQL Statements so that we understand practically how these statements work. Now, we need a platform in order to have hands-on experience and enhance our SQL injection skills. So where to practice? 

  Recommendations: we recommend that you download and install the free version of Microsoft SQL Server which can be downloaded from the below provided link. Install this free MSSQL Server and practice the SQL Statements and run different customized SQL Statements in order to advance your SQL Injection skills.

Download:

 http://www.microsoft.com/en-nz/download/details.aspx?id=29062 

 We already have MSSQL running in our lab environment so let’s have a quick walkthrough on SQL Statements. For those who don’t have any experience with databases, we will cover the setup part in the last module so that you can also have a flavor on how to setup the databases for practicing SQL statements. 

Below is the screenshot of the MSSQL Server Express edition. 


  You can notice that it has different options available in the tree view; we will explore the database part and see what is available as pre-installed for us to play.


   You can notice in the above snapshot that it has pre-installed databases as shown in the left pane as well. Now lets run a couple of queries to see what is available for us in the master databases by running a query analyzer. Now to directly run query and including database as well you need to follow the following syntax as shown in the snapshot. We are running a select query where “master” is a database and “dbo.spt_monitor” is a table name. 

 
   You can see the results in the below pane with results tab. In this query we selected all columns from the table, as we were not aware of existing columns.

  Now, we created a separate database called “sample” and then created two tables as you can see in below snapshot. We then ran different queries as shown in below snapshot. We will post the queries on the forum as well. You can practice as much as you like if you have installed the express edition of MSSQL 

  Tutorial 2 – SQL 

  Injections Now, let’s move towards the SQL Injections. Hackers use different SQL injection techniques and you can not limit the SQL injections. We will present different techniques and different SQL Injections in this module, however, let’s first have a look at what is SQL Injection.

SQL Injection

  We have explained enough about SQL statements; these statements are exploited by means of injecting another statement and this occurs because of SQL injection vulnerabilities. SQL vulnerabilities occur when the database server can be forced to execute arbitrary SQL commands or statements and this happens through web applications most of the time.

 Detecting SQL Injections

 Now, how can you detect SQL Injections? There are two different ways of detecting SQL injections, either you do it yourself manually or used a tool which helps you in detecting SQL Injections.

 Key in Detecting SQL Injections 

  Regardless of which method you choose to detect SQL injection vulnerabilities the key is that “all input fields whose values could be used in crafting SQL query including hidden fields of POST requests and then test them separately” and try as much as you can by any means to generate errors.

  Common techniques consists of adding a single quote ('), double quote ("") or a semicolon (;) to the input field on which you are testing for SQL injection vulnerability.

   We tested one web application as an example and below is the error message we got which is a signal that SQL injection vulnerability exists. 



   And above error message shows us that the backend database is SQL Server and the column name is “Log.Log_ID” this is the manual method of detecting SQL Injections, however, you can use the below mentioned tools which are well known for detecting SQL injection vulnerabilities, however, they don’t exploit SQL injection vulnerabilities. This part of the exploitation you have to do on your own and this can only happen if you are good enough with SQL Statements.

 Types of SQL Injection Attacks

  We have been explaining so far in this workshop that statement types depend on how and what you are communicating with database server. Similarly, SQL Injections also can be of many types, however, the industry categorizes them in different types which you can easily find over Internet. 

  However, in our opinion, these SQL Injection types depend on the hacker hacking into the web application because the SQL Injection itself is an SQL Statement but illegitimate in nature and this is forcefully executed by the bad user which he or she was able to execute because of the SQL Injection vulnerability present in the web application 

 “The most important thing, basically, is the method of detecting SQL Injections Vulnerabilities in the web application. If you know where this exists and you are good enough in writing SQL Statements then that’s all you need to hack into web applications by using SQL Injections.” (Note is down somewhere and follow this if you want to become expert in hacking into web applications by use of SQL Injections). Following are the key and most common types of SQL Injection Attacks:




    Authentication Bypass Attack What happens normally when you browse any web application that requires you to provide credentials before you can be granted access is that such applications are connected to backend databases and use SQL statements to authenticate you as a registered user.

   However, by using this attack you can simply bypass the login requirements, which are a valid ID and Password. However, if the SQL Statement, which is written in background to check for authentication, is vulnerable then only this bypass technique will work 

  In the login or password fields, or both fields, the following SQL Injection vectors are used to gain illegitimate access by bypassing the authentication.


   
   Now, by using these vectors you can easily bypass the authentication and gain access to the web application restricted pages. 

   Exercise 02 – Authentication Bypass Attack

   We will use any of above vectors and bypass the login on a web application to show the demo. The web application used in the below example was vulnerable to SQL Injection Authentication bypass attack and we used one of the attack vectors as shown above.

 Before Attack


                       

Performing Attack

   We were using Firefox browser and a plugin that allows us to see what is typed in the password field as shown below.

                       
   
                    

    Although we have removed the sensitive information to keep the privacy maintained, you can see that we have successfully bypassed the login and gained the Admin level access to the web application. 

  Now, what exactly happened? We manipulated the SQL Statement written in the background of the web application and inserted our own SQL Statement, which became the part of the backend application which reached the true condition and we got access.

   Explanation 

   Comment: On my screen, the black background of the following examples does not allow some of the information to be viewed..

 Login SQL Statement would be similar to the one given below



   In the above SQL Statement, two variables “formusr” and “formpwd” are basically the values coming from the input form fields. Now if we enter a pre-existing user and password, the query would look like this.



     Now, this statement will go to the database and select all fields in the table called “users” and then will search if column username has any value which is “Admin” and column password has any value which is “AdminPassword”. If both exist on the same row then the condition is true and login is granted because both values were found in the database on both sides of operator “AND”. 

  Now, imagine if what we inserted were “ ‘OR ‘a’=’a “ in both fields for username and password. If we put these values in the username and password in the above statement, this is what the statement will look like. 



  Now, with these values, again the select statement will communicate with the database and select all fields from the table username where conditions are true but since in the first instance we haven’t provided any username so condition with username is not true, But immediately we have given a true statement which is “ ‘ OR ‘a’=’a’ “ and this is a true statement because [ a = a ] is true. Similarly, the same logic will go for password, hence, both conditions on either side of the AND operator will become true and we will get the access to the restricted pages.

    Union Attack SQL Injection Well we have presented the demo for bypassing the authentication with SQL Injections, here we will explain a bit about Union Attack as walkthroughs will be covered in the upcoming module so that we can practice the hacking techniques and gain more focused experience.

    Union attack is basically appending another select statement in the input fields, which runs background SQL statements for any reason. Technically, this attack is easy to execute by appending another statement with the UNION operator but it is more difficult as it requires knowledge of database schema. Don’t worry, we will explain in detail in the next module how to gain this information and practically inject the database with UNION attack. 

  Example Attack Vector



   Error Message Attack

   This type of SQL Injection attack can be further sub-categorized, however, we will present the general concept here. Basically, the core concept is to gather as much as information by means of error messages which are generated by the backend database. This can lead to disclosure of database information schema resulting in leakage of tables and columns level information that can lead to compromise of credit cards, login information and all sensitive data. 

  Convert Attack 

    This type of SQL Injection generates sensitive information by error messages through a command called "convert". The convert command is used to convert between two data types and when the specific data cannot convert to another type, this command will return errors which can lead to disclosure of sensitive information.

Blind SQL Injection 

  This is a type of SQL Injection which you simply execute by guessing the required information for injecting the SQL statement. As you don’t see any error messages in this attack, sometimes it works well, like inserting a new record in login database. However, the key technique is asking database questions, like true or false, so that you can start gathering information based on your known knowledge of database server. The questions you are asking in the form of yes or no and then realising the information and ending up gathering information without getting any error messages.

Advanced SQL Injections This is another type in which you put together complex or customised SQL Statements which can make use of pre-defined functions and stored procedures in the backend databases. These attacks are very dangerous and can lead to disclosure of complete databases, execution of system level commands, creating system users and much more. Damage is limitless in such attacks. We will execute such statements in our lab environment to gain advanced level experience with SQL Injections. 

  Stay tuned to the workshop, in the next module we will be demonstrating these types of SQL Injections in our lab environment so that you can gain hands-on experience with SQL Injections.
  

Popular posts from this blog

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho
Read more

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e
Read more

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was
Read more