What is a SQL Injection?

SQL injection is extremely common even though this attack has been well known and documented since the late 90's. Some security experts say that at least 40% of all web sites are vulnerable to this attack; others say the percentage is much higher.

It has become one of the favorite techniques of black hat hackers because it is very common, easy to find and exploit, and the result can be devastating.
If a cyber criminal is able to pull off this attack, he can extract information from the database, modify information in the database, delete information and in some cases even upload files to the server and gain command line control over it.

For a SQL injection to work, a couple of things need to happen.

1. You need to have a variable that an attacker can manipulate, from a cookie, a form (POST method) or a dynamic page (GET method).

2. This variable needs to be used in the SQL query without any filtering.

It works on MySQL, MSSQL and Oracle; however, there are some differences in how the attack has to be written to work on each of them.

Here is an example.
Let's say we have a URL like this one.

http://www.yourdomain.com?id=1

Let's say that the variable "id" is used directly in the query code, like so.

SELECT * FROM victim_table WHERE id=$id

By modifying the URL we are able to change the output. On a vulnerable page, if we request this URL

http://www.yourdomain.com?id=1 and 1=1

we get the original content (the extra condition is always true), but if we request

http://www.yourdomain.com?id=1 and 1=2

the information from the database does not get printed on the website, because the WHERE clause is now always false.

This can be further leveraged to ask the database true/false questions until you have extracted all the information from the database, modified it or deleted it, depending on the permissions of the database user the application connects with.

How can this be avoided? There are two main strategies: one is parameterized queries, which we covered in an earlier blog post, and the other is sanitizing the input provided by the user.

Sanitizing has the added advantage that, if you apply it correctly, you also protect yourself against other attacks like XSS.
Basically, we only allow the kind of input we expect; in this case we expect an integer, so I would write the code so that any other input is rejected or stripped.
If this is not done correctly the control can be bypassed easily, so we recommend you let a security professional help you with it.
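To make the difference concrete, here is an added example (not code from the original post) that puts the vulnerable pattern from the URL above next to a version that applies both defenses. It uses an in-memory SQLite database with constructed sample rows standing in for victim_table; the function and table names are assumptions for this illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for the post's victim_table.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def build_db():
    """Create an in-memory SQLite database holding a small victim_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE victim_table (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO victim_table VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern from the post: the raw 'id' parameter is pasted into the SQL.

    Deliberately vulnerable so the 'and 1=1' / 'and 1=2' behaviour can be seen:
    whatever the user typed is parsed as part of the WHERE clause.
    """
    query = f"SELECT * FROM victim_table WHERE id={raw_id}"
    return conn.execute(query).fetchall()


# Allow-list: an id must be nothing but decimal digits.
INTEGER_ONLY = re.compile(r"[0-9]+")


def lookup_safe(conn, raw_id):
    """Both defences from the post: validate the input, then bind it as a parameter.

    Raises ValueError for anything that is not a plain integer, and even for a
    value that passes, the '?' placeholder means the driver never parses it as SQL.
    """
    if not INTEGER_ONLY.fullmatch(raw_id):
        raise ValueError("id must be a plain integer")
    return conn.execute(
        "SELECT * FROM victim_table WHERE id=?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=1 and 1=1 ->", lookup_vulnerable(db, "1 and 1=1"))
    print("vulnerable, id=1 and 1=2 ->", lookup_vulnerable(db, "1 and 1=2"))
    print("safe, id=1 ->", lookup_safe(db, "1"))
```

Run it and the vulnerable lookup returns the row for "1 and 1=1" but nothing for "1 and 1=2", exactly the difference an attacker looks for; the safe lookup refuses both before any SQL is sent.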

Meanwhile, there are many automated tools that do all of this automatically, meaning attackers with a very low skill level can seriously damage a website.
Here are two examples of these automated programs, although the list is almost endless.

sqlmap is a very efficient command line tool for this purpose.
Havij is a GUI program for Windows that is incredibly easy to use.

These tools have limitations and in some cases do not work, so serious security professionals should know how to perform these attacks manually.

This technique can get extremely intricate; for further information I recommend you read the book
"SQL Injection Attacks and Defense" by Justin Clarke.
