SQL injections
Where the attack takes place
This is a pretty simple method that works on unguarded databases. Here is the logic behind it.
Think about a simple login page. What happens here?
1. The user enters a username and password.
2. [They may be encrypted in transit to prevent sniffing at intermediate steps.]
3. The data reach the server side.
4. The server looks up the correct password (in more advanced setups, the hash value of the password) for the given username.
5. It is compared with the user-provided password (or its hash value).
6. If they match, permission is granted.
Now look closely. There are many places one can exploit. In the SQL injection technique, step 5 is the point of attack. Think about the common code found in this comparison. It will be something like the following pseudocode:
if (user_provided_password == password_in_database)
    { grant permission; }
else
    { permission denied; }
Method
An attacker will try to enter server-side keywords in order to alter the mechanism.
After the database has been identified, the attacker places a single quote (') inside the username field to test for SQL vulnerabilities; this ' is sometimes referred to as a tick. The attacker looks for a returned result similar to the one shown here:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ' and Password=''.
/login.asp, line 42
Attackers search for and exploit databases that are susceptible to SQL injection. SQL injection occurs when an attacker is able to insert SQL statements into a query by means of a SQL injection vulnerability. It allows the attacker to take advantage of insecure code on a system and pass commands directly to the database. This gives attackers the ability to leverage their access and perform a variety of activities: servers vulnerable to SQL injection can be shut down, have commands executed on them, have their databases extracted, or be subjected to other malicious acts.
An example is given below.
Example
Take a close look at the "user provided password".
If the user provided 'abc' as the password and the correct password is 'xyz', the line above becomes
"if (abc == xyz)"
Since they do not match, the user does not get permission.
What would happen if the user entered something like the following in the password box?
"1==1 or abc"
Then the code would be
if (1==1 or abc == password_in_database)
Since no filtering is used, whatever the user enters in the password box is passed directly to the server, including keywords that can alter the control flow. As in the above example, an attacker can use such keywords to mislead the validation and gain access. Here '1==1' is true, and it is combined with the logical 'or' operator; as a result the user is granted permission even though the correct password was not provided. More advanced users may send complete SQL statements to the server, which can have devastating effects such as deleting all tables.
Other tools that can be used against SQL vulnerabilities
There are a lot of tools for attacking SQL databases. Some are listed here:
1. SQLDict: performs a dictionary attack against the SQL server.
2. SQLExec: executes commands on a compromised SQL server.
3. SQLbf: another password-cracking program that performs both dictionary and brute-force attacks.
4. SQLSmack: a Linux-based command shell program.
5. SQL2.exe: this UDP buffer overflow attack returns a command prompt to the attacker.
6. Msadc.pl: a SQL injection exploit.
Prevention
Always filter any input that comes from the user. Most server-side languages, such as PHP, have built-in functions for this purpose. Other strategies include good coding practices, patching systems, and using strong authentication. You can also strengthen the database by making sure the application runs with only the rights it needs to do its job, and by implementing error handling so that when the system detects an error it does not give the attacker any usable information.
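To show the prevention points in working code, here is an added example (not code from the original page) with a vulnerable login check built by string concatenation next to a hardened one that uses a parameterised query and a generic error message. The user table, the sample account 'alice'/'xyz' and the function names are constructed for this example; the tautology payload is the page's "1==1 or abc" idea written in real SQL syntax.

```python
import sqlite3

# Constructed in-memory user table standing in for "password_in_database".
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'xyz')")
    return con

def login_vulnerable(con, username, password):
    # The flaw from the page: user input is pasted into the SQL text, so a
    # quote or an OR typed by the user changes the statement itself.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        granted = con.execute(sql).fetchone()[0] > 0
    except sqlite3.Error as exc:
        # Leaks the driver's error text, like the /login.asp message above.
        return False, str(exc)
    return granted, "ok" if granted else "login failed"

def login_safe(con, username, password):
    # Parameterised query: values travel separately from the SQL text, so
    # quotes and keywords inside them are just characters to compare.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    try:
        granted = con.execute(sql, (username, password)).fetchone()[0] > 0
    except sqlite3.Error:
        # Generic message only: nothing useful for the attacker.
        return False, "login failed"
    return granted, "ok" if granted else "login failed"

# SQL form of the page's "1==1 or abc": a single tick closes the string,
# then OR '1'='1' makes the WHERE clause always true.
TAUTOLOGY = "' OR '1'='1"

def compare():
    # Returns (vulnerable result, hardened result) for the tautology payload.
    con = make_db()
    return login_vulnerable(con, "alice", TAUTOLOGY), login_safe(con, "alice", TAUTOLOGY)
```

Running compare() shows the concatenated query granting access with the wrong password while the parameterised query refuses it; a lone tick makes the vulnerable version return the raw database error and the safe version the same generic "login failed".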
Note:
SQL injection is highly dependent on the language the server-side script is implemented in. Most of the time, a user can determine it by checking the extension of the web page (such as PHP or ASP).