September 27, 2011

SQL Injection

SQL injection is a technique that exploits poorly written software, and it is one of the most common types of vulnerability found in software, especially websites. It works by crafting user input in such a way that part of the input is interpreted as SQL code rather than as data, letting the attacker alter the query the application sends to the database, execute their own instructions there and bypass server-side validation.

How it works
Injected code can range from simple small queries to very large and complex attacks. Let's start with a simple example:

The Login Form
A programmer creates a simple login form to protect a restricted area of a website.

When the "Login" button is pressed the browser sends the username and password to the server and waits for a response.

The server receives the data from the browser and validates it by running a SQL query against the database. If a row with that username and password exists in the "Users" table the user is given access to the restricted area, otherwise he is returned to the "Login" page.

This image shows the login process for the user "Admin".


As you can see, the user input (username and password) is inserted into the query text exactly as typed and remains unchanged until it reaches the database.
Now consider this:
Instead of "Admin" as the username we will use Admin'--. It doesn't seem to make much sense but take a look at the login process again.

Notice the SQL query that is sent to the database:
SELECT * FROM Users WHERE Username='Admin'--' AND Password='(Anything)'
The username sent to the server actually injects SQL instructions into the query. The ' after "Admin" terminates the string literal, and the -- starts a comment that swallows the rest of the line (including the password check), so the database only processes this:
SELECT * FROM Users WHERE Username='Admin'
One record is found in the "Users" table, so access to the restricted area is granted without the password ever being checked. Two details matter in practice: the attacker needs a username that actually exists (here "Admin"), and the comment syntax depends on the database. SQL Server, Oracle, PostgreSQL and SQLite accept a bare --, while MySQL only treats -- as a comment when it is followed by whitespace, so there the payload becomes Admin'-- with a trailing space (or Admin'# using MySQL's # comment).
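To make the flow above concrete, here is an added example (not code from the original post) that reproduces the vulnerable login check against an in-memory SQLite table and puts the fixed, parameterised version beside it. The table contents, the function names and the choice of SQLite are assumptions made for the example; the post does not say which database or language the site uses. It also goes one step beyond the post's single payload by showing a tautology in the password field, which does not even require a valid username.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite stand-in for the post's "Users" table.

    Plaintext passwords are kept only to mirror the post's query; a real
    application would store password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("Admin", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def build_query(username, password):
    """The vulnerable pattern: user input is pasted straight into the SQL text.

    This is the query shape shown in the post; nothing filters or escapes the
    quote and comment characters on their way to the database.
    """
    return "SELECT * FROM Users WHERE Username='%s' AND Password='%s'" % (username, password)


def login_vulnerable(conn, username, password):
    """Returns True when the concatenated query matches at least one row."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: a parameterised query.

    The SQL text is fixed at write time and the values travel separately, so a
    quote or -- in the input is only ever compared as data and cannot change the
    structure of the statement.
    """
    row = conn.execute(
        "SELECT * FROM Users WHERE Username=? AND Password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    # The query the post shows being sent to the database for the username Admin'--
    print(build_query("Admin'--", "(Anything)"))
    attempts = [
        ("Admin", "s3cret"),          # legitimate login
        ("Admin", "wrong"),           # wrong password
        ("Admin'--", "(Anything)"),   # the post's payload: comments out the password check
        ("nobody", "' OR '1'='1"),    # tautology in the password field: no valid username needed
    ]
    for user, pw in attempts:
        print("%-12r %-16r vulnerable=%-5s safe=%s" % (
            user, pw, login_vulnerable(conn, user, pw), login_safe(conn, user, pw)))
```

Running it prints the injected query from the post verbatim, then shows that the vulnerable check accepts both payloads while the parameterised check only accepts the real credentials. The tautology payload works because AND binds tighter than OR, so Username='nobody' AND Password='' OR '1'='1' is true for every row regardless of the username.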

That simple?!
Yes... well... usually things are a bit more complicated than that, because programmers, most of the time, are aware of this (and other) types of attack and make some effort to protect their software. Also, you probably won't know what is happening on the other side (server side), leaving you "in the dark".

There are a lot of techniques for exploiting SQL injection vulnerabilities, but the main purpose of this post is to explain the basics of this type of attack.

Where can I test this?
I don't recommend going to other people's websites and/or applications and trying to attack them, as this will probably get you in trouble. But if you are a website or application developer and want to test its security, I guess it will be OK as long as you ask for permission if you need to. Also be careful with the strings you inject, as some can actually damage your database. YOU HAVE BEEN WARNED! :)

If you want to improve your knowledge on this subject here are some links that can help you:
There is also a great book about this called "SQL Injection Attacks and Defense" by Justin Clarke.

Feel free to improve this post by commenting below.
