SQL injection and buffer overflows are hacking techniques used to exploit weaknesses in
applications. When programs are written, some parameters used in the creation of the application
code can leave weaknesses in the program Generally, the purpose of SQL injection is to convince
the application to run SQL code that was not intended.
Both SQL Server injection and buffer overflow vulnerabilities are caused by the same issue:
invalid parameters that are not verified by the application. If programmers don’t take the time
to validate the variables a user can enter into a variable field, the results can be serious and
unpredictable. Sophisticated hackers can exploit this vulnerability, causing an execution fault
and shutdown of the system or application, or a command shell to be executed for the hacker.
This article will detail how to perform a SQL injection and a buffer overflow attack and
explore the best countermeasures to prevent the attack.
What is SQL injection?
SQL injection occurs when an application processes user-provided data to create a
SQL statement without first validating the input. The user input is then submitted to a web
application database server for execution. When successfully exploited, SQL injection can
give an attacker access to database content or allow the hacker to remotely execute system
commands.The impact of a SQL injection attacks depends on where the vulnerability is in
the code, how easy it is to exploit the vulnerability, and what level of access the application
has to the database.Web applications are easy targets because by their very nature they are open
to being accessed from the Internet. During a web application SQL injection attack, malicious
code is inserted into a web form field or the website’s code to make a system execute a command
shell or other arbitrary commands.
Finding a SQL Injection Vulnerability
of the database and related tables and variables is vulnerable. The steps to determine the
SQL Server’s vulnerability are as follows:
1. Using your web browser, search for a website that uses a login page or other database
input or query fields (such as an “I forgot my password” form). Look for web pages that display
the POST or GET HTML commands by checking the site’s source code.
2. Test the SQL Server using single quotes (‘’). Doing so indicates whether the user input
variable is sanitized or interpreted literally by the server. If the server responds with an error
message that says use 'a'='a' (or something similar), then it’s most likely susceptible to a SQL
injection attack.
3. Use the SELECT command to retrieve data from the database or the INSERT command to
add information to the database.
Here are some examples of variable field text you can use on a web form to test for SQL
vulnerabilities:
Blah’ or 1=1--
Login:blah’ or 1=1--
Password::blah’ or 1=1--
http://search/index.asp?id=blah’ or 1=1--
These commands and similar variations may allow a user to bypass a login depending on the
structure of the database. When entered in a form field, the commands may return many rows
in a table or even an entire database table because the SQL Server is interpreting the terms
literally. The double dashes near the end of the command tell SQL to ignore the rest of the
command as a comment.
Here are some examples of how to use SQL commands to take control:
To get a directory listing, type the following in a form field:
Blah‘;exec master..xp_cmdshell “dir c:\*.* /s >c:\directory.txt”--
To create a file, type the following in a form field:
Blah‘;exec master..xp_cmdshell “echo hacker-was-here > c:\hacker.txt”--
To ping an IP address, type the following in a form field:
Blah‘;exec master..xp_cmdshell “ping 192.168.1.1”--
The Purpose of SQL Injection
precursors to other attacks. The following are the most common purposes of a SQL injection
attack:
Identifying SQL Injection Vulnerability :The purpose is to probe a web application to discover
which parameters and user input fields are vulnerable to SQL injection.
Performing Database Finger-Printing :The purpose is to discover the type and version of
database that a web application is using and “fingerprint” the database. Knowing the type
and version of the database used by a web application allows an attacker to craft databasespecific
attacks.
Determining Database Schema :To correctly extract data from a database, the attacker
often needs to know database schema information, such as table names, column names,
and column data types. This information can be used in a follow-on attack.
Extracting Data: These types of attacks employ techniques that will extract data values
from the database. Depending on the type of web application, this information could be
sensitive and highly desirable to the attacker.
Adding or Modifying Data: The purpose is to add or change information in a database.
Performing Denial of Service These attacks are performed to shut down access to a web
application, thus denying service to other users. Attacks involving locking or dropping
database tables also fall under this category.
Evading Detection: This category refers to certain attack techniques that are employed to
avoid auditing and detection.
Bypassing Authentication: The purpose is to allow the attacker to bypass database and
application authentication mechanisms. Bypassing such mechanisms could allow the
attacker to assume the rights and privileges associated with another application user.
SQL Injection Using Dynamic Strings
generation and execution of program statements. Dynamic SQL is a term used to mean SQL
code that is generated by the web application before it is executed. Dynamic SQL is a flexible
and powerful tool for creating SQL strings.
A hacker can attack a web-based authentication form using SQL injection through the
use of dynamic strings. For example, the underlying code for a web authentication form on
a web server may look like the following:
SQLCommand = “SELECT Username FROM Users WHERE Username = ‘“
SQLCommand = SQLComand & strUsername
SQLCommand = SQLComand & “‘ AND Password = ‘“
SQLCommand = SQLComand & strPassword
SQLCommand = SQLComand & “‘“
strAuthCheck = GetQueryResult(SQLQuery)
A hacker can exploit the SQL injection vulnerability by entering a login and password in
the web form that uses the following variables:
Username: kimberly
Password: graves’ OR ‘’=’
The SQL application would build a command string from this input as follows:
SELECT Username FROM Users
WHERE Username = ‘kimberly’
AND Password = ‘graves’ OR ‘’=’’
This is an example of SQL injection: this query will return all rows from the user’s database,
regardless of whether kimberly is a real username in the database or graves is a legitimate
password.This is due to the OR statement appended to the WHERE clause. The comparison
‘’=’’ will always return a true result, making the overall WHERE clause evaluate to true for all
rows in the table. This will enable the hacker to log in with any username and password.
You can use HP Scrawlr to test for SQL injection vulnerabilities.
Using HP’s Scrawlr to Test for SQL Injection Vulnerabilities
1. Download Scrawlr from www.HP.com.
2. Install Scrawlr on your Windows lab PC.
3. Open the Scrawlr program.
4. Type a target web address in the URL Of Site To Scan field:
5. Click the Start button to start the audit of the website for SQL injection vulnerabilities.
6. Once the SQL injection vulnerability scan is complete, Scrawlr will display additional
hosts linked from the scanned site. It is a best practice to scan the linked sites as well
as the main site to ensure no SQL injection vulnerabilities exist.
SQL Injection Countermeasures
When implementing SQL injection countermeasures, review source code for the following
programming weaknesses:
* Single quotes
* Lack of input validation
The first countermeasures for preventing a SQL injection attack are minimizing the
privileges of a user’s connection to the database and enforcing strong passwords for SA and
Administrator accounts. You should also disable verbose or explanatory error messages so no
more information than necessary is sent to the hacker; such information could help them
determine whether the SQL Server is vulnerable. Remember that one of the purposes of SQL
injection is to gain additional information as to which parameters are susceptible to attack.
Another countermeasure for preventing SQL injection is checking user data input and
validating the data prior to sending the input to the application for processing.
Some countermeasures to SQL injection are
* Rejecting known bad input
* Sanitizing and validating the input field
Buffer Overflows
Buffer overflows are exploits that hackers use against an operating system or application;
like SQL injection attacks, they’re usually targeted at user input fields. A buffer overflow
exploit causes a system to fail by overloading memory or executing a command shell or
arbitrary code on the target system. A buffer overflow vulnerability is caused by a lack of
bounds checking or a lack of input-validation sanitization in a variable field.
The two types of buffer overflows are stack based and heap based
The stack and the heap are storage locations for user-supplied variables within a running
program. Variables are stored in the stack or heap until the program needs them. Stacks are
static locations of memory address space, whereas heaps are dynamic memory address spaces
that occur while a program is running. A heap-based buffer overflow occurs in the lower
part of the memory and overwrites other dynamic variables
The following are the steps a hacker uses to execute a stack-based buffer overflow:
1. Enter a variable into the buffer to exhaust the amount of memory in the stack.
2. Enter more data than the buffer has allocated in memory for that variable, which
causes the memory to overflow or run into the memory space for the next process.
Then, add another variable, and overwrite the return pointer that tells the program
where to return to after executing the variable.
3. A program executes this malicious code variable and then uses the return pointer to
get back to the next line of executable code. If the hacker successfully overwrites the
pointer, the program executes the hacker’s code instead of the program code.
Performing a Buffer Overflow Attack Using Metasploit
1. Open the Metasploit Framework.
2. Start the test machine running Windows Server with IIS.
3. From Metasploit, run the IIS Buffer Overflow attack against the test machine running IIS.
4. Choose a payload to deliver to the IIS target system via the buffer overflow exploit.
Buffer Overflow Countermeasures
If an intrusion detection system (IDS) is present on the network, it can thwart a hacker
who sends a series of NOP instructions to forward to the instruction pointer.
Programmers should not use the built-in strcpy(), strcat(), and streadd() C/C++
functions because they are susceptible to buffer overflows. Alternatively, Java can be used
as the programming language since Java is not susceptible to buffer overflows.
Disclaimer: Please do not use this information to harm anyone, this article is for education purpose only.
0 comments:
Post a Comment