14 - SQL Injection

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.

Module Objective

The objective of this lab is to provide expert knowledge on SQL Injection attacks and other responsibilities that include:

• Understanding when and how web application connects to a database server in order to access data

• Extracting basic SQL injection flaws and vulnerabilities

• Testing web applications for blind SQL injection vulnerabilities

• Scanning web servers and analyzing the reports

• Securing information in web applications and web servers

Scenario

A SQL injection attack is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

As an expert ethical hacker, you must use diverse solutions, and prepare statements with bind variables and whitelisting input validation and escaping. Input validation can be used to detect unauthorized input before it is passed to the SQL query.

I. SQL Injection Attacks on MS SQL Database

II. Testing for SQL Injection Using IBM Security AppScan Tool

III. Testing for SQL Injection Using N-Stalker Tool

Module Syllabus

• SQL Injection is the Most Prevalent Vulnerability in 2010

• SQL Injection Threats

• What is SQL Injection?

• SQL Injection Attacks

• How Do Web Applications work?

• Server-Side Technologies

• HTTP Post Request

  • Example 1: Normal SQL Query

  • Example 1: SQL Injection Query

  • Example 1: Code Analysis

  • Example 2: BadProductList.aspx

  • Example 2: Attack Analysis

  • Example 3: Updating Table

  • Example 4: Adding New Records

  • Example 5: Identifying the Table Name

  • Example 6: Deleting a Table

• SQL Injection Detection

  • SQL Injection Error Messages

  • SQL Injection Attack Characters

  • Additional Methods to Detect SQL Injection

• SQL Injection Black Box Pen Testing

  • Testing for SQL Injection

• Types of SQL Injection

  • Simple SQL Injection Attack

  • Union SQL Injection Example

  • SQL Injection Error Based

• What is Blind SQL Injection?

  • No Error Messages Returned

  • Blind SQL Injection: WAITFOR DELAY YES or NO Response

  • Blind SQL Injection – Exploitation (MySQL)

  • Blind SQL Injection - Extract Database User

  • Blind SQL Injection - Extract Database Name

  • Blind SQL Injection - Extract Column Name

  • Blind SQL Injection - Extract Data from ROWS

• SQL Injection Methodology

• Information Gathering

  • Extracting Information through Error Messages

  • Understanding SQL Query

  • Bypass Website Logins Using SQL Injection

• Database, Table, and Column Enumeration

  • Advanced Enumeration

• Features of Different DBMSs

  • Creating Database Accounts

• Password Grabbing

  • Grabbing SQL Server Hashes

  • Extracting SQL Hashes (In a Single Statement)

• Transfer Database to Attacker’s Machine

• Interacting with the Operating System

• Interacting with the FileSystem

• Network Reconnaissance Full Query

• SQL Injection Tools

  • SQL Injection Tools: BSQLHacker

  • SQL Injection Tools: Marathon Tool

  • SQL Injection Tools: SQL Power Injector

  • SQL Injection Tools: Havij

• Evading IDS

  • Types of Signature Evasion Techniques

  • Evasion Technique: Sophisticated Matches

  • Evasion Technique: Hex Encoding

  • Evasion Technique: Manipulating White Spaces

  • Evasion Technique: In-line Comment

  • Evasion Technique: Char Encoding

  • Evasion Technique: String Concatenation

  • Evasion Technique: Obfuscated Codes

• How to Defend Against SQL Injection Attacks?

  • How to Defend Against SQL Injection Attacks: Use Type-Safe SQL Parameters

• SQL Injection Detection Tools

  • SQL Injection Detection Tool: Microsoft Source Code Analyzer

  • SQL Injection Detection Tool: Microsoft UrlScan

  • SQL Injection Detection Tool: dotDefender

  • SQL Injection Detection Tool: IBM AppScan

• Snort Rule to Detect SQL Injection Attacks