Monday, June 7, 2010

An SQL injection how-to and how to prevent it

SQL injection is probably one of the most widely used attacks to compromise or take control of a website. In the earlier days hacking/cracking was mainly done by exploiting vulnerabilities in the operating system. For example the Ping of Death worked because the IP stacks of the day (Windows among them) could not handle an ICMP echo packet that, once reassembled, was larger than the 65,535-byte IP maximum, so the attacked machine would freeze or crash. Windows and Linux based operating systems have since patched most of the flaws of that kind, and the focus has shifted to finding flaws in applications and loosely written code. Another reason for its growing popularity is that it is considerably easier to pull off than techniques such as stack or heap overflow exploits. One such application layer attack is SQL injection, which exploits user input that is not properly "sanitised" and is therefore interpreted as part of the query by the database language, in this case SQL. For example, suppose the login query is

SELECT user FROM USERS WHERE user='[user input]' AND password='[user input]'

If the programmer has not taken proper measures this creates a big security hole. Continuing with our example, if the user gives matrix as the username and ' OR '1'='1 as the password, the server will read it as

SELECT user FROM USERS WHERE user='matrix' AND password='' OR '1'='1'

The password the attacker typed has closed the quoted string early and appended a condition of its own. Since AND binds tighter than OR, the database evaluates this as (user='matrix' AND password='') OR '1'='1'. The second half is always true, so the WHERE clause matches every row in the table, and a login routine that only checks whether the query returned anything will treat the attacker as authenticated without knowing any password at all.
Note: In this case I somehow managed to know the username; there are techniques in which specially crafted SQL statements are entered which can reveal all the usernames in the database tables.
This video illustrates how easy this technique is:

[Video] A very basic SQL injection attack, used to gain account access within minutes! from Nando Nachi on Vimeo.

This is probably the shortest article on SQL injection ever written. The aim is to create awareness of how dangerous this flaw is and how it can be exploited by even an average computer user. Of course this is only one payload: any application that builds SQL statements by pasting user input into a string is vulnerable, and what the attacker can do depends on what the rest of the query lets them append. That is why SQL injection techniques are often divided into two groups, basic and advanced. Basic techniques deal with gaining access to an account using simple queries, i.e. the user types in input that makes the database server return rows it should not. Advanced techniques use longer and more complex SQL (for example a UNION SELECT to read data out of other tables, or a stacked DELETE or DROP statement where the database allows several statements in one call) which can not only grant access but modify the database itself (e.g. deleting an account)! This was a very makeshift ("jugadoo") way of doing things and is in no way complete (I did not even mention the effect of '--', the SQL comment marker: appending it throws away the rest of the query, so a username of admin'-- makes the password check disappear entirely).

Preventing SQL injection
The root cause is that the query text and the user's data are mixed into one string, so the fix is to keep them apart: use parameterised queries (prepared statements), where the SQL contains only placeholders and the driver sends the values to the database separately, so a quote or a '--' in the input is only ever treated as data and can never change the structure of the statement. Filtering or escaping the input on its own is a weaker defence, because it is easy to miss a case (a different character encoding, a numeric field that was never quoted in the first place). Beyond that, the application should connect to the database with an account that has only the privileges it needs, so that a successful injection cannot drop tables, and the database software should be kept up to date.
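To see the whole mechanism end to end, here is an added example (mine, not code from the original post) that builds the login check from the example above both ways in Python against an in-memory SQLite database. The users table and its two accounts are constructed sample data, and the function names login_vulnerable and login_safe are my own. It runs the classic ' OR '1'='1 password payload and the admin'-- comment trick against the concatenated query, then the very same inputs against the parameterised version.

```python
import sqlite3

# Constructed sample data for the demo: two accounts in a users table.
SAMPLE_USERS = [("matrix", "trinity"), ("admin", "s3cret")]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, user, password):
    """The query from the post, built by pasting the input into the SQL text.

    Returns the sorted list of usernames the WHERE clause matched. A login
    routine that only checks 'did the query return a row?' would accept the
    attacker whenever this list is non-empty.
    """
    sql = ("SELECT user FROM users WHERE user='" + user
           + "' AND password='" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, user, password):
    """Same query with bound parameters.

    The SQL text contains only placeholders; the driver hands the values to
    the engine separately, so quotes and '--' inside them are plain data and
    can never change the structure of the statement.
    """
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (user, password)))


def demo():
    """Run the same three inputs through both versions and collect results."""
    conn = make_db()
    attempts = {
        # genuine credentials: both versions match exactly one row
        "real": ("matrix", "trinity"),
        # closes the quoted string early; AND binds before OR, so the
        # condition becomes (user='matrix' AND password='') OR '1'='1',
        # which is true for every row in the table
        "or_1_equals_1": ("matrix", "' OR '1'='1"),
        # the '--' comment marker discards the rest of the query, so the
        # password comparison is never evaluated at all
        "comment": ("admin'--", "whatever"),
    }
    results = {}
    for name, (user, password) in attempts.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, password),
            "safe": login_safe(conn, user, password),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} vulnerable={outcome['vulnerable']} safe={outcome['safe']}")
```

Run it directly and it prints the three outcomes side by side. The point to notice is that the parameterised version returns the same single row as the concatenated one for the real credentials, and nothing for either attack, without any filtering of the input: the quote and the comment marker simply arrive at the engine as bytes of a password value.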

I hope this post gave you a brief SQL injection how-to and described the fundamentals behind it.

These links are immensely helpful:
SQL injection on Wikipedia
Preventing SQL injection on Microsoft SQL Server

2 comments:

  1. Wow! You seem to be a pro at this stuff. I'm amazed you never discuss these things in college.
