Monday, March 7, 2016

SQL Injection - I

SQL Injection:

SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.

SQL injection errors occur when:

Data enters a program from an untrusted source.
That data is used to dynamically construct a SQL query.

Types:

First Order Attack:

The attacker simply enters a malicious string and causes the modified code to be executed immediately.

Examples of First Order SQL Injection Attack:

1. UNIONs added to an existing statement to execute a second statement

2. Subquery added to an existing statement

3. Existing SQL short-circuited to bring back all the data (for example, adding a query condition such as OR 1=1)


Second Order Attack:

The attacker injects into persistent storage (such as a table row), which is deemed a trusted source. The attack is subsequently executed by another activity that reads the stored value back.

Examples of Second Order SQL Injection Attack:

1. Suppose you have a Web-based application which stores usernames alongside other session information. Given a session identifier such as a cookie, you want to retrieve the current username and then use it in turn to retrieve some user information. You might therefore have code for an "Update User Profile" screen somewhat similar to the following:

execute immediate 'SELECT username FROM sessiontable WHERE session=''' || sessionid || '''' into username;

execute immediate 'SELECT ssn FROM users WHERE username=''' || username || '''' into ssn;

2. This will be injectable if the attacker had earlier, on the "Create Account" screen, created a username such as:
XXX' OR username='JANE

which, when read back from the session table and concatenated, creates the query:
SELECT ssn FROM users WHERE username='XXX' OR username='JANE'

If the user XXX does not exist, the attacker has successfully retrieved Jane's social security number.

3. The attacker can create malicious database objects, such as a function called as part of an API or a maliciously named table, by using double quotation marks to introduce dangerous constructs.

For example, an attacker can create a table with a name such as "tab') or 1=1--", which can be exploited later in a second order SQL injection attack.
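The second order case from item 1 and item 2, worked through against an in-memory SQLite database. This is an added example, not code from the post or from the Oracle tutorial it draws on; the table layout, the session id sess-42 and the SSN values are constructed. The vulnerable function concatenates the stored username exactly as the two execute immediate statements do, while the safe version binds it as a parameter so the stored string stays data.

```python
import sqlite3

# The crafted username from the post, entered once on "Create Account".
ATTACKER_NAME = "XXX' OR username='JANE"


def build_db():
    """Constructed sample data: two users and one live session for the attacker."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE sessiontable (session TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("JANE", "111-22-3333"), (ATTACKER_NAME, "999-99-9999")])
    # The crafted name was stored safely (bound parameter) at sign-up; it does
    # no harm until some later code reads it back and concatenates it.
    conn.execute("INSERT INTO sessiontable VALUES (?, ?)", ("sess-42", ATTACKER_NAME))
    return conn


def profile_ssn_vulnerable(conn, sessionid):
    """Mirrors the post's two statements: the value read from the table is
    trusted and pasted straight into the second query (second order injection)."""
    username = conn.execute(
        "SELECT username FROM sessiontable WHERE session='" + sessionid + "'"
    ).fetchone()[0]
    # Becomes: SELECT ssn FROM users WHERE username='XXX' OR username='JANE'
    rows = conn.execute(
        "SELECT ssn FROM users WHERE username='" + username + "'"
    ).fetchall()
    return [r[0] for r in rows]


def profile_ssn_safe(conn, sessionid):
    """Same logic with bind parameters; the stored username is never parsed as SQL."""
    username = conn.execute(
        "SELECT username FROM sessiontable WHERE session=?", (sessionid,)
    ).fetchone()[0]
    rows = conn.execute(
        "SELECT ssn FROM users WHERE username=?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("concatenated:", profile_ssn_vulnerable(db, "sess-42"))  # Jane's SSN leaks
    print("parameterised:", profile_ssn_safe(db, "sess-42"))      # attacker's own row only
```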


Lateral SQL Injection:

The attacker manipulates the implicit TO_CHAR() function by changing the values of the environment variables NLS_Date_Format or NLS_Numeric_Characters.

Examples of Lateral SQL Injection Attack:

1. Using Lateral SQL Injection, an attacker can exploit a PL/SQL procedure that does not even take user input. When a variable whose data type is DATE or NUMBER is concatenated into the text of a SQL statement, then, contrary to popular belief, there is still a risk of injection. The implicit TO_CHAR() function can be manipulated using NLS_Date_Format or NLS_Numeric_Characters, respectively. You can include arbitrary text in the format model, and you do not need to include any of the "structured" elements such as Mon, hh24, and so on. Here is the "normal" use of that flexibility:

SQL> SET SERVEROUTPUT ON
SQL> ALTER SESSION SET NLS_Date_Format = '"The time is"... hh24:mi';

Session altered.

SQL> SELECT TO_CHAR(SYSDATE) d FROM Dual;

D
--------------------
The time is... 19:49

SQL> DECLARE
       d DATE := TO_DATE('The time is... 23:15');
     BEGIN
       -- Implicit To_Char()
       DBMS_OUTPUT.PUT_LINE(d);
     END;
     /
The time is... 23:15

PL/SQL procedure successfully completed.


More Explanation:

SQL Injection Based on 1=1 is Always True:

This comes under the First Order Attack.
Let's assume your SQL query is:

SELECT * FROM Users WHERE UserId = Username

When the username received in the request is a proper value (a username), everything works fine.

If the username is something like this:

"diffusername or 1=1"

then your SQL statement becomes:

SELECT * FROM Users WHERE UserId = 105 or 1=1

If you send the overall object as the response from the server, that's it, the story ends: the hacker has got the whole user table.

I have seen many websites returning hash_code (which is the hashed password). If you do that, the hacker can decode the hashed code; there are thousands of decoders available on the net.

If the hacker decides to collapse your client's whole business, he will send the username as "diffusername ; DROP TABLE USERS", giving:

SELECT * FROM Users WHERE UserId = 105; DROP TABLE USERS

If this statement gets executed, no more users, no more logins and
no more business. Setting triggers on particular queries is another good safeguard.


Ref:

http://download.oracle.com/oll/tutorials/SQLInjection/html/lesson1/les01_tm_attacks.htm
https://www.owasp.org/index.php/SQL_Injection
http://www.slideshare.net/RespaPeter/types-of-sql-injection-attacks

There are still many interesting things about SQL Injection; if you people are interested, I will update in my next post.
