CEH v10: 15_SQL_Injection

Terminology

The intention of SQL injection is to reveal or manipulate sensitive information from the database by injecting commands into existing queries.

  • Bypassing authentication
  • Revealing sensitive information
  • Compromising data integrity
  • Erasing the database
  • Remote code execution

Tools

  • sqlmap

SQL

SQL stands for Structured Query Language.

SQL tutorial here

Types of SQL Injection

In-Band SQL Injection

Uses the same communication channel to launch the attack and to retrieve the result.

Error Based SQL Injection

  • The server throws an error message
  • Error messages are useful during development, but they should be disabled once the application is live

Techniques to perform SQL Injection

  • System stored procedure
  • End of line comment
  • Illegal / Logically incorrect query
  • Tautology (something that is inherently true, like "OR 1=1")

Union SQL Injection

Uses the UNION SQL operator to combine the results of two or more SELECT queries.

Select the password from table1 and table2 using UNION:

    SELECT password FROM table1
    UNION
    SELECT password FROM table2

Inferential SQL Injection

  • Known as Blind SQL Injection
  • No data is transferred via the application; the attacker sends payloads, then observes the web application's response and behavior.

Boolean-based Blind SQL Injection

The attacker sends an SQL query to the database that produces a different result depending on whether the injected condition evaluates to TRUE or FALSE; the HTTP response either changes or remains the same.

This type of attack is slow: the attacker has to enumerate the database character by character.

Time-based Blind SQL Injection

The attacker sends a query that forces the database to wait for a specified time before responding. The response time indicates whether the query evaluated to TRUE or FALSE.

Out-of-band SQL Injection

Depends on features enabled on the database server (for example DNS or HTTP requests), so it is not a very common attack.

Uses a different channel to launch the attack and to retrieve the result.

SQL Injection Methodology

Information Gathering And Vulnerability Detection

  • Collect the information about the web application, server, OS, database, …
  • Identify vulnerabilities
  • Evaluate input fields

Launch Attack

  • Select the appropriate type of SQL Injection, based on the gathered information

Advanced SQL Injection

  • Enumerate the database (PostgreSQL, MySQL, Oracle, …)
  • Identify privilege level of users
  • Grab passwords and hashes
  • Transfer database to a remote machine

Evasion Techniques

Evading IDS

  • Inserting inline comment in between keywords
  • Character encoding
  • String Concatenation
  • Obfuscated code
  • Manipulating white spaces
  • Hex encoding
  • Sophisticated matches

Countermeasures

  • Penetration testing (manual, with tool)
  • Source code analysis
  • Web Application Firewall (WAF)
  • Remove debugging messages
  • Database account with minimal privileges
  • Input validation
  • Filter data
  • Customize error messages
  • IDS
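As an added illustration (not code from the CEH material), the Python script below shows the tautology and end-of-line-comment techniques from the Error Based section against a login query built by string concatenation, next to the countermeasures listed above: input validation, a parameterised query and a customised error message. The in-memory SQLite table, sample users and function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data (not from the page): an in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # Query built by string concatenation: attacker-controlled text becomes SQL.
    # A tautology such as  x' OR 1=1 --  makes the WHERE clause always true and
    # the end-of-line comment discards the password check entirely.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the SQL text, so the
    # same tautology is compared as a literal string and never executed.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def valid_username(username):
    # Input validation: allow-list of characters, so quotes, spaces and
    # comment markers are rejected before the value reaches any query.
    return USERNAME_RE.fullmatch(username) is not None

def login_endpoint(conn, username, password):
    # Combines validation, the parameterised query and a customised error
    # message: the client never sees the driver's own error text.
    if not valid_username(username):
        return {"ok": False, "error": "Login failed"}
    try:
        return {"ok": bool(login_safe(conn, username, password)), "error": None}
    except sqlite3.Error:
        return {"ok": False, "error": "Login failed"}

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"
    print(login_vulnerable(db, payload, "anything"))  # ['alice', 'bob']
    print(login_safe(db, payload, "anything"))        # []
    print(login_endpoint(db, "alice", "s3cret"))      # {'ok': True, 'error': None}
```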