Structured Query Language (SQL)
A textual language used by a database server.
SQL Injection
Attacker injects malicious SQL queries into the user input form
SQL Injection Uses
- Authentication Bypass
- Authorization Bypass
- Information Disclosure
- Compromised Data Integrity
- Compromised Data Availability
- Remote Code Execution
Authentication Bypass
Attacker logs onto an application without providing a valid username and password
Authorization Bypass
Attacker alters authorization information stored in the database
Information Disclosure
Attacker obtains sensitive information that is stored in the database
HTTP POST Request
A method for carrying the requested data to the web server
SQL Query
Programmers write and execute SQL code in the form of query statements
Types of SQL Injection
- In-band
- Blind/Inferential
- Out-of-Band
In-band SQL Injection
An attacker uses the same communication channel to perform the attack and retrieve the results
Blind/Inferential SQL Injection
An attacker poses a true or false question to the database to determine whether the application is vulnerable to SQL injection
Out-of-Band SQL Injection
Attackers use different communication channels to perform the attack and obtain the results
Types of In-band SQL Injection
- Error-based SQL Injection
- System Stored Procedure
- Illegal/Logically Incorrect Query
- UNION SQL Injection
- Tautology
- End of Line Comment
- In-line Comments
- Piggybacked Query
Error-based SQL Injection
An attacker intentionally inserts bad inputs into an application, causing it to return database errors. The attacker reads the resulting database-level error messages to find an SQL injection vulnerability in the application.
System Stored Procedure SQL Injection
An attacker may use malicious inputs to execute the malicious SQL statements in the stored procedure.
Illegal/Logically Incorrect Query SQL Injection
An attacker may gain knowledge by injecting illegal/logically incorrect requests to generate an error message that may be useful for performing further attacks
UNION SQL Injection
In a UNION SQL injection, an attacker uses a UNION clause to append a malicious query to the requested query
SQL "UNION SELECT" Statement
Returns the union of the intended dataset and the target dataset
Tautology
An attacker uses a conditional OR clause such that the condition of the WHERE clause will always be true.
End-of-Line Comment
An attacker uses an end-of-line comment so that the database will execute the code until it reaches the commented portion, after which it will ignore the rest of the query
In-line Comments
Attackers integrate multiple vulnerable inputs into a single query
Piggybacked Query
An attacker injects an additional malicious query into the original query using a ";" to separate the queries
Time-based SQL Injection
Evaluates the time delay that occurs in response to true or false queries sent to the database
Blind SQL Injection Attacks
- No error message returned
- Time based
- Boolean Exploitation
- Heavy Query
Boolean Exploitation SQL Injection
Multiple valid statements evaluated as true or false are supplied in the affected parameter in the HTTP request. By comparing the response page between both conditions, the attackers can infer if the injection was successful.
Heavy Query SQL Injection
An attacker can retrieve large amounts of data to perform a time delay SQL injection attack without using time delay functions
SQL Injection Methodology Steps
- Information gathering and SQL injection vulnerability detection
- Launching SQL injection attacks
- Compromising the entire target network
Information Gathering Steps
1. Check if the web application connects to a database server to access some data
2. List all input fields and hidden fields, and post requests whose values could be used for crafting an SQL query
3. Attempt to inject code into the input fields to generate an error
4. Try to insert a string value where a number is expected in the input field
5. Use the UNION operator to combine the result sets of two or more SELECT statements
6. Check the detailed error messages to gain information to execute SQL injection
Methods of Information Gathering Using Error Messages
- Parameter Tampering
- Determining Database Engine Type
- Determining a SELECT Query Structure
- Grouping Error
- Type Mismatch
Parameter Tampering
An attacker can tamper with HTTP GET and POST requests to generate errors
Methods in Detecting SQL Injection Vulnerabilities
- Function Testing
- Fuzz Testing
- Static Testing
- Dynamic Testing
Function Testing
A type of software testing technique whereby software or a system is tested against a set of inputs, and the output obtained is then evaluated and compared with the expected results
Fuzz Testing
Inputting a massive amount of random data and observing the changes in the output
SQL Injection Black Box Testing Steps
1. Detecting SQL Injection Issues
2. Detecting Input Sanitization
3. Detecting Truncation Issues
4. Detecting SQL Modification
Stored Procedure
Some developers use stored procedures at the backend of the web application to support its functionality. These stored procedures are part of an SQL statement designed to perform a specific task.
Second-Order SQL Injection
Can be performed when the application uses submitted data to perform different application functions
Methods of Bypassing Firewall for SQL Injection
- Normalization Method
- HPP Technique
- HPF Technique
- Blind SQL Injection
- Signature Bypass
- Buffer Overflow
- CRLF Technique
- Integration Technique
- JSON-based SQL Injection Attack
Normalization Method
If an attacker is able to detect any vulnerability in functional dependencies, then the attacker changes the structure of the SQL query to perform the attack.
HTTP parameter pollution (HPP) Technique
Override or add HTTP GET/POST parameters by injecting delimiting characters in query strings.
HTTP parameter fragmentation (HPF) Technique
Bypassing security filters by operating HTTP data directly
Database, Table, and Column Enumeration Techniques
- Identify User Level Privilege
- DB Administrators
- Discover DB Structure
- Column Enumeration in DB
PL/SQL
PL/SQL code has the same vulnerabilities as dynamic queries that integrate user input at run time
Reasons Web Applications Vulnerable to SQL Injection Attacks
- The database server runs OS commands
- Using a privileged account to connect to the database
- Error message revealing important information
- No data validation at the server
- Complex software stacks
- Legacy code and backward compatibility
- Reliance on concatenated queries
Whitelist Validation
Only the list of entities that have been approved for secured access is accepted.
Blacklist Validation
Rejects all malicious inputs that have been disapproved for protected access
Output Encoding
Encode the input to ensure that it is properly sanitized before passing it to the database