SQL Injection (SQLi) Attacks :
SQL Injection can be used in a range of ways to cause serious problems. By levering SQL Injection, an attacker could bypass authentication, access, modify and delete data within a database. In some cases, SQL Injection can even be used to execute commands on the operating system, potentially allowing an attacker to escalate to more damaging attacks inside of a network that sits behind a firewall.
SQL injections typically fall under three categories:
1. In-band SQLi (Classic),
2. Inferential SQLi (Blind) and
3. Out-of-band SQLi.
You can classify SQL injections types based on the methods they use to access backend data and their damage potential.
{1} In-band SQLi (Classic) Injection Attacks:
The attacker uses the same channel of communication to launch their attacks and to gather their results. In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi attack. There are two sub-variations of this method:
[I] Error-based ~SQLi Attacks
the attacker performs unwanted and undesired actions by sending some malicious query to the database that cause the database to produce error messages. The attacker can potentially use the data provided by these error messages to gather information about the structure of the database.
(a) Comment-Line Based SQLi:
Using comment line to cause the database to ignore a part of a valid query.
Example:Select * from stores where product_id = blah’ or 1=1-- (everything after this will be neglected)
(b) Tautology Based SQLi:
There are a lot of strings which always evaluates to be true, like ‘1’ = ‘1’ ‘a’ = ‘a’, etc., using them in the query to create constantly true conditions.
Example:Select * from users where username=’blah’ or ‘a’=’a’ -- and password=’pass’
[II] Union-based SQLi
this technique takes advantage of the UNION SQL operator, which fuses multiple select statements generated by the database to get a single HTTP response. This response may contain data that can be leveraged by the attacker.
Using union command in SQL query to execute additional queries; thereby, modifying/inserting/deleting or dropping the contents of the table.
Example:
Select * from stores where product_id=1 union select 1,database(),user(),4#
(a) Stored procedures Based SQLi:
Creating malicious inputs to execute malicious queries.
(b) Incorrect queries Based SQLi:
Coming up with logically incorrect queries to see the error messages to get more information about the target database.
Example:
Select * from stores where id=1’
The above query will result in a syntax error and might reveal the backend database type.
{2} Inferential (Blind) SQLi Injection Attacks:
The attacker sends data payloads to the server and observes the response and behavior of the server to learn more about its structure. This method is called blind SQLi because the data is not transferred from the website database to the attacker, thus the attacker cannot see information about the attack in-band.
Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to execute but may be just as harmful. Blind SQL injections can be classified as follows:
[I] Boolean Based ~ Blind SQLi
that attacker sends a SQL query to the database prompting the application to return a result. The result will vary depending on whether the query is true or false. Based on the result, the information within the HTTP response will modify or stay unchanged. The attacker can then work out if the message generated a true or false result.
Only correct queries show the result, wrong queries do not return anything. Attackers should try to generate logically correct queries.
If suppose the original query to the database is
Select * from users where id=’id.txt’
If we give blah’ and 1=1# as input which evaluates to be a right query
Select * from users where id=’blah’ or 1=1#, we will see the user results.
If we give blah’ and 1=2# as input which is a wrong query then we don’t see any results.
Select * from users where id=’blah’ or 1=2#
[II] Time Based ~Blind SQL Injection
attacker sends a SQL query to the database, which makes the database wait (for a period in seconds) before it can react. The attacker can see from the time the database takes to respond, whether a query is true or false. Based on the result, an HTTP response will be generated instantly or after a waiting period. The attacker can thus work out if the message they used returned true or false, without relying on data from the database.
Depending on some conditions, setting a time delay. If that condition is satisfied, we can observe the time delay; thereby, concluding that the input we gave produced a positive result. This is a time consuming process.
Tools:
SQLMAP, Marathon tool.
Perimeter tools (IDS) Evasion Techniques:
Use encryption..
Obfuscate string to avoid pattern matching.
Use Concatenation to confuse the IDS.
Use encoding like ASCII encoding, hexadecimal encoding to avoid detection.
Insert inline comments between query.
{3} Out-of-band SQLi Injection Attacks:
The attacker can only carry out this form of attack when certain features are enabled on the database server used by the web application. This form of attack is primarily used as an alternative to the in-band and inferential SQLi techniques.
Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions to be performed. These techniques count on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.
This attack is bit more complex and may be used by an attacker when they cannot achieve their goal in a single, direct query-response attack. Typically, an attacker will craft SQL statements that, when presented to the database, will trigger the database system to create a connection to an external server the attacker controls. In this fashion, the attacker can harvest data or potentially control behavior of the database.
A Second Order Injection is a type of Out-of-Band Injection attack. In this case, the attacker will provide an SQL injection that will get stored and executed by a separate behavior of the database system. When the secondary system behavior occurs (it could be something like a time-based job or something triggered by other typical admin or user use of the database) and the attacker’s SQL injection is executed, that’s when the “reach out” to a system the attacker controls happens.
About Author :
Sanjeev Singh
sanjeev.cyber4all.in
Sanjeev Singh is Certified Cyber Security Specialist & Professional. Also, Founder of "CYBER4ALL Community".
His area of interest are Red Teaming, Offensive Security, Digital forensics, Malware analysis & Security Assessments & Penetesting.
He is active blogger and publisher of Cyber Security related articles on Cyber4All.
LinkedIn Profile: Singhsanjeev617
Top