SQL Injection
Security 4
ATHLONE INSTITUTE OF TECHNOLOGY
March 18, 2014
Authored by: Joseph Kenny A00174254

Introduction

Due to the increase in online commerce and traffic, internet security is becoming a significantly important service for the public and business community alike. The importance of security is due to the heightened level of unsafe channels across the internet, which makes security breaches such as hacks widespread and a major concern for internet-based companies and the public who entrust confidential information to them. Such information most commonly includes credit card or debit card details and personal security numbers, which can be easily sold or fraudulently used to make money. A report written in 2012 by the Consumer Sentinel Network of the Department of Justice, based in the United States of America, states that 60% of the initial points of contact for fraud worldwide are emails and internet websites. The most common of these internet website fraud schemes is the "Work from Home" scam, whereby internet ads offer individuals a method to make a significant amount of money by working from home. All the individual has to do is pay a registration fee or one-time payment to sign up for the instructions. However, these packages almost never arrive and the individual has just submitted their credit card details to a fraudulent website which is run by a con artist. The report by the Consumer Sentinel Network further states that credit card fraud accounts for 5.55 billion dollars worldwide, which is only 40% of all financial fraud. These statistics prove just how valuable confidential information can be, and why keeping it secure from security breaches is a priority. (Consumer Sentinel Network, U.S. Department of Justice, 2012)

This paper will highlight one such security breach, known as an SQL injection. It will delve into the implementation of the SQL injection by hackers, the most efficient coding practices to prevent the attack, and the effects caused to businesses and networks that were attacked by an SQL injection. Although the injection is not the most severe intrusion method that has been used by hackers, it has recently been used more to exploit web applications.

[Figure: percentage of attacks by type, 2013 Q3 and 2013 Q4 (y-axis 0% to 40%). These statistics were taken from a press release from FireHost, a cloud hosting service, giving the number of attacks in the later part of 2013. (FireHost, 2013)]

SQL Injection Attack

Structured Query Language, or SQL, is a language primarily used to work with databases. The language is based around queries and statements to interact with and manipulate database content and architecture. A typical example of a statement is:

SELECT title, publisher FROM book;

This statement will find information under the "title" and "publisher" columns in the table "book". SELECT is the query keyword used to retrieve the information stored in the database. In relation to security breaches, SQL can be used to steal information from private databases storing confidential information such as customers' personal information. An SQL injection attack, or SQLI, is a targeted external cyber-attack on a web application's database service where statements are injected into input fields. The attack uses vulnerabilities located at these points, such as text fields which are normally used to interact with the underlying database information. The injection attack uses SQL statements at these points to gain access to the database and manipulate the data stores. (Halfond et al., 2006)

According to a press release by a secure cloud hosting company called FireHost, the number of cyber-attacks on its clients' web applications rose in 2013, and the company has released the trends that are appearing most frequently. It stated, "Over Q3 2013, FireHost blocked nearly 32 million attacks, a 32 percent increase over Q2 2013". Of these 32 million attacks SQL injection accounts for 20%, a rise of 2% compared to the second quarter of 2013. This is a worrying statistic as SQL injections were primarily an attack from the most skilled hackers, but the rise in occurrence means the skill is becoming increasingly easier to implement. The availability of free and easy-to-find automated SQL injection tools has made the attack more accessible for any computer-literate individual with a browser and a decent internet connection. An example of an automated SQL injection tool is Pangolin, which is a free and easy-to-use penetration tester. The program scans a URL for SQL vulnerability in its database services and inputs malicious SQL statements into text fields. It then allows users to choose various actions such as an extensive DBMS fingerprint, retrieving users and passwords, and manipulating database architecture, i.e. deleting the database or specific tables or columns. (FireHost, 2013)

Programs similar to Pangolin allow security analysts to perform penetration tests on clients' web applications; however, they also give inexperienced users the capability of finding vulnerabilities in any website relatively easily, thus giving powerful hacking tools to people who are not aware of what damage they are inflicting upon web applications, or of the severity of the criminal implications that may fall upon the individual who uses the program, potentially being dubbed a "hacker" and prosecuted. Thus the availability of easy-to-implement SQL injections poses an even greater threat to web applications and the confidential information that may be stored in their databases. (NOSEC, 2011)

Implement SQL Injection

To implement an SQL injection manually, the hacker would need to have knowledge of SQL and experience interacting with the architecture of databases.
This knowledge allows the hacker to make educated guesses about where potential vulnerabilities could lie and how best to expose the database framework. In a typical web application's user interface, user input fields are used to show relevant information to the user and to store user information in the underlying database. These inputs might be used to create SQL statements which are then executed on the database; in some cases, due to poor security practices, these inputs could be handled poorly by the application. If this occurs then a user can potentially corrupt these inputs to the database by submitting unexpected responses which are then used in SQL statements and executed on the database. The results are severe. The hacker can gain access to the database as a trusted user or administrator and view private information, alter system configurations, delete information or just take overall control of the server. To understand how SQL injection works, this paper will show various methods of how to implement the injection. (Halfond et al., 2006)

SQL Injection Example One

In a typical web application, a login page is present with at least two text fields for username and password submissions. This is a primary target for all hackers to implement an injection. The fields take the user input and compare it to existing data in the database; depending on the result it will either send back a positive or negative response. The web application would typically use an SQL statement like:

SELECT * FROM login WHERE Username = '' AND Password = '';
SELECT * FROM login WHERE Username = 'Joseph Kenny' AND Password = 'password';

The above statement is what is sent to the database to check if it matches existing users. This is where an SQL injection can be inserted to gain instant access to any database. In the below statement I use the same credentials as before but I have "-- -" inserted after the username input. This is used to comment out portions of the query which are difficult to predict, such as passwords, thus allowing a hacker to log in by making an educated guess at a common name or selecting a name which he has prior knowledge exists in the database, such as root, admin or test.

SELECT * FROM login WHERE Username = 'Joseph Kenny' -- - AND Password = 'password';

This example is known as the Comment Out Query; it is one of the most basic SQL injection methods for hackers. There are several different methods of commenting out portions of statements being executed by databases; these methods are listed in the table below.

Sequence   Name
#          Hash comment
/*         C-style comment
;%00       Null byte
`          Backtick

(Halfond et al., 2006) (Snyder & Southwell, 2006)

SQL Injection Example Two

Once a hacker has determined there is a vulnerability and has been successful in logging in with fake credentials to the database, it's time to determine how much information is contained within the system. This is done by retrieving the number of columns using the GROUP BY / ORDER BY n+1 SQL injection hack. This method is implemented by incrementing "n" until there is an error generated by the database. In the example below the injection target is the URL http://www.hacksite.ex/confid.php?id=1; appending ORDER BY 5-- to the id parameter causes the application to execute:

SELECT username, password, permission FROM login WHERE id = 1 ORDER BY 5--;

The ORDER BY 5 determines if the query is using five columns. 5 is the value of n, which can be set to any number and then incremented or decremented. If the hacker selects five and gets an error in response, the hacker can presume that the number of columns is less than five. Thus the hacker can then run the statement again with four, three, two, then one. The highest number for n without an error response is the true number of columns present. Once the hacker is aware of the information in the database system, the next step is to retrieve tables and columns. To retrieve the tables in the database the hacker can use this UNION statement:

UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;

The above statement retrieves all tables and concatenates them into a single string; this is done by using GROUP_CONCAT(), which is a function that concatenates data into a string. The output will look similar to this:

table_name
login, user, test, admin

To get columns the hacker can use a similar statement. The only differences are that column_name replaces table_name, information_schema.columns replaces information_schema.tables, and the WHERE clause names the table of interest. The output will follow the same structure as the previous statement because it also uses GROUP_CONCAT().

UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename';

column_name
Username, password

(Snyder & Southwell, 2006)

Case Study Example One

On 11th of July 2012 a hacking group known as "D33Ds Company" revealed to the public that they had attacked Yahoo, the American internet corporation. They attacked Yahoo with an SQL injection pinpointed at Yahoo Voices, which is a division of Yahoo responsible for online publishing. According to the leak, the hacking group obtained 453,492 Yahoo account passwords, 2,700 database tables and columns and 298 MySQL variables. The attack method was a UNION-based SQL injection on the Yahoo! Contributor Network. Yahoo admitted, "We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11, of these, less than 5 percent of the Yahoo! accounts had valid passwords". (Lerner, 2012)

Associated Content was an online hub for publishing articles, taking part in topical discussion and voicing expertise. In 2010, Yahoo bought Associated Content for seventy-eight million euro and rebranded it Yahoo! Voices. According to reports the last entries in the database were from 2006, with Yahoo confirming only 5% were still active.
Security experts have stated that the most worrying concern was the fact that the passwords were stored in a plain text file with no encryption. After the attack Yahoo stated they would take immediate action to prevent such attacks from occurring again by locating the point of attack and changing the passwords of the affected users. Although the exact location of the vulnerability was not disclosed, an SQL injection requires input fields which allow the user to type and submit to the web application. (Mick, 2012) "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised." (Lerner, 2012)

Case Study Example Two

On 28th June 2013, a Turkish-based hacking group known as "Redhack" infiltrated the Istanbul Special Provincial Administration's website and reportedly cleared public debts. The hacking group erased records of electricity, water, gas, internet and phone bills for various public institutions. These reports were published by Redhack to their Twitter feed along with photo proof of their exploits.

[Figure: screenshot published by Redhack of the Istanbul Special Provincial Administration automation program]

This picture serves as evidence that the hacking group had actually gained access to the database. The title of the web application in the picture translates to "Istanbul Special Provincial Administration automation program". The database tabs from left to right translate to electricity, internet, telephone, water and natural gas, which is what Redhack stated they had interfered with. The hackers also stated they had initially found a vulnerable point on the government website's admin login page, which they exploited by means of a simple SQL injection. Although the query they used was not publicized, it is more than likely the group exploited login fields with comment-out queries like the earlier example, such as:

SELECT * FROM login WHERE Username = 'admin' -- - AND Password = 'password';

This query, as stated, uses -- to comment out the password so that only the username condition is evaluated by the database. Once logged in as admin, they published the password on their Twitter feed and rallied their followers to join them. The hackers also dumped tables and added new information to fields, such as fake organisations including a school named after a protester who was killed during a riot with Turkish police on 3rd of June. In response to the attack, the Turkish government took down the website for security patching, and has led a manhunt for the members of the hacking group. On 22nd of November 2013, fourteen individuals were arrested and subjected to questioning without bail. However, they were all released shortly afterwards with no charges pressed against them. The Turkish government has since continued its efforts to find the members of Redhack and prosecute them on the grounds of terrorism. (Hurriyet Daily News, 2013)

Counter SQL Injection Attack

The organisations in the case studies listed earlier were all attacked by means of SQL injection, which exposed or deleted sensitive information. SQL injections can irrevocably destroy a company's reputation and client base, which is why protecting your web application is so important: the more protection you give, the safer your clients and potential customers will be. No matter how sophisticated SQL injections can be, there are five practices that can be implemented by a developer to eliminate the threat of SQL injections and other such attacks.

Parameterized queries

This is the most efficient way to prevent SQL injections. When implemented, variables are not concatenated into the query string but are instead sent as parameters. These parameters are then compared to the values of the fields in the table.

SELECT * FROM login WHERE username = @username AND password = @password;

Thus the parameter values @username and @password are searched for in the fields of the table without being concatenated into the query. Therefore an injected input results in a negative response, as the variable values are not present in the database. The same result is given when a hacker enters "1=1--" in an attempt to return a positive response.

Validate all user input

The process of validating data input by the user of the web application can shut out hackers inputting binary data or special characters to manipulate queries sent to the database. A whitelist can act as a filter for this input, by comparing user input to the whitelist. Any input data not matched to data in the list is automatically declined.

Restrict privileges

This form of defence acts as a form of damage control, in terms of limiting the amount of data accessible from the sign-in page. Therefore if the site is compromised the hacker will only have access to one table instead of the entire database.

Escaping user input

This technique uses escape routines assigned to special characters to render them useless to hackers. The escape routines tell the database that these characters are to be interpreted literally.

Exception handling

Hackers can learn a lot from error messages generated by web applications; for this reason the developer should only allow generic error messages to be displayed for exceptions. (Snyder & Southwell, 2006)

Conclusion

In summation, I targeted SQL injection as the security breach issue I'd investigate and I found the experience of researching such an underestimated cyber-attack very enlightening. Initially I was underwhelmed by the limitation of the attack, but upon further analysis I found SQL injection very creatively structured and potentially crippling to any application that is subjected to its attack. The most interesting aspect I found was how the injection was implemented. As I've had a module which incorporates SQL, I found the process by which hackers manipulate previously existing coding practices to their benefit fascinating.
When I investigated organisations that had been attacked by SQL injections, I discovered that the level of data taken by the hackers was quite impressive, from the Yahoo! attack to the Turkish government attack, with each attack using a potentially similar method of entry at the login pages. The damage the hackers caused to the organisations is different, however: the hack on Yahoo! caused many people and customers to question the security standard and the encryption practices implemented, while the hack on the Istanbul Special Provincial Administration webpage undermined the government's authority, especially when dealing with activism and to some extent revolution. The paper concludes with countermeasures to take when dealing with SQL injection attacks, ranging from coding practices to the restriction of information generated by the database. All five of the prevention techniques outlined are essential to protect your web application from attacks, as together they eliminate any potential vulnerability or flaw that may exist within the structure of the application. In conclusion, I understand why SQL injections are becoming a more common trend as implementation is becoming easier and the use of automation tools is allowing more users access to potentially damaging cyber-attacks.

Bibliography

Consumer Sentinel Network, U.S. Department of Justice, 2012. Statisticbrain. [Online] Available at: http://www.statisticbrain.com/credit-card-fraud-statistics/ [Accessed 25 February 2014].

FireHost, 2013. FireHost Detects Surge in SQL Injection for Q3 2013 and Cross-Site Scripting is Rising. Press Release. Dallas.

Halfond, W.G., Viegas, J. & Orso, A., 2006. A classification of SQL-injection attacks and countermeasures. Georgia Institute of Technology.

Hurriyet Daily News, 2013. Hurriyet Daily News. [Online] Available at: http://www.hurriyetdailynews.com/redhack-launches-cyber-attack-on-istanbul-special-provincialadministration.aspx?pageID=238&nID=49634&NewsCatID=341 [Accessed 02 March 2014].

Lerner, S.M., 2012. InternetNews.com. [Online] Available at: http://www.internetnews.com/security/yahoo-hit-by-sql-injection-attack.html [Accessed 01 March 2014].

Mick, J., 2012. Daily Tech. [Online] Available at: http://www.dailytech.com/Yahoo+Loses+453000+User+Passwords+to+Hackers/article25162.htm [Accessed 02 March 2014].

NOSEC, 2011. Pangolin v3.2.4 User Guide. [Online] Available at: http://nosec.org/wpcontent/uploads/PangolinUserGuide.pdf [Accessed 02 March 2014].

Snyder, C. & Southwell, M., 2006. Preventing SQL Injection. In Pro PHP Security. 2nd ed. Apress. pp. 249-261.
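The enumeration signs described in SQL Injection Example Two (the comment sequences in the table, the incrementing ORDER BY n probe and the UNION SELECT against information_schema) are exactly what a defender can look for in web-server access logs. The following script is an added example written for this page, not code from the paper or from any tool it cites; the access-log format, the function names and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Comment sequences from the paper's table, plus the "--" of its login example.
COMMENT_SEQUENCES = {
    "--": "dash comment",
    "#": "hash comment",
    "/*": "c-style comment",
    ";\x00": "null byte",
    "`": "backtick",
}

# Keywords the paper's column-count and UNION enumeration examples rely on.
KEYWORD_PATTERNS = [
    (re.compile(r"ORDER\s+BY\s+\d+", re.IGNORECASE), "order by probe"),
    (re.compile(r"UNION\s+SELECT", re.IGNORECASE), "union select"),
    (re.compile(r"GROUP_CONCAT", re.IGNORECASE), "group_concat"),
    (re.compile(r"information_schema", re.IGNORECASE), "information_schema"),
]
ORDER_BY_RE = re.compile(r"ORDER\s+BY\s+(\d+)", re.IGNORECASE)

# Combined log format (assumed): client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample: one client probing /confid.php the way Example Two describes
# (ORDER BY 5, 4, 3, then a UNION SELECT) and one ordinary login request.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2014:10:00:01 +0000] "GET /confid.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Mar/2014:10:00:02 +0000] "GET /confid.php?id=1%20ORDER%20BY%205-- HTTP/1.1" 500 128',
    '203.0.113.5 - - [18/Mar/2014:10:00:03 +0000] "GET /confid.php?id=1%20ORDER%20BY%204-- HTTP/1.1" 500 128',
    '203.0.113.5 - - [18/Mar/2014:10:00:04 +0000] "GET /confid.php?id=1%20ORDER%20BY%203-- HTTP/1.1" 200 510',
    '198.51.100.7 - - [18/Mar/2014:10:00:05 +0000] "GET /login.php?user=Joseph+Kenny HTTP/1.1" 200 300',
    '203.0.113.5 - - [18/Mar/2014:10:00:06 +0000] "GET /confid.php?id=1%20UNION%20SELECT%20GROUP_CONCAT(table_name)%20FROM%20information_schema.tables-- HTTP/1.1" 200 900',
]


def parse_access_line(line):
    """Split one access-log line into client, path, decoded parameters and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    client, timestamp, method, target, status, _size = m.groups()
    parts = urlsplit(target)
    # parse_qsl percent-decodes, so %20 becomes a space and %00 a real null byte.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"client": client, "time": timestamp, "method": method,
            "path": parts.path, "params": params, "status": int(status)}


def indicators_for_value(value):
    """Name every indicator present in one decoded parameter value."""
    found = [name for seq, name in COMMENT_SEQUENCES.items() if seq in value]
    found += [name for pattern, name in KEYWORD_PATTERNS if pattern.search(value)]
    return found


def scan_log(lines):
    """Per-request check: one (client, path, parameter, indicators) tuple per hit."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            indicators = indicators_for_value(value)
            if indicators:
                hits.append((rec["client"], rec["path"], key, indicators))
    return hits


def order_by_probes(lines, threshold=3):
    """Cross-request check for the n+1 column-count probe: one client sending
    several distinct ORDER BY n values to the same path (the errors for too-high
    n and the success for the right one are the tell the paper describes)."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        for _key, value in rec["params"]:
            for n in ORDER_BY_RE.findall(value):
                seen[(rec["client"], rec["path"])].add(int(n))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("hit:", hit)
    print("column-count probes:", order_by_probes(SAMPLE_LOG))
```

Matching on comment sequences alone produces false positives (a "#" or "--" typed into a legitimate free-text field looks the same in the log), so the per-request indicators are a triage signal rather than proof. The cross-request check is more specific: an ordinary user never sends several different ORDER BY n values to one page. Either way, detection complements the countermeasures the paper lists; it does not replace them.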
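To show the Comment Out Query of SQL Injection Example One side by side with the parameterized query, whitelist validation and generic error handling countermeasures, the following Python script builds an in-memory SQLite table standing in for the paper's login table. It is an added example, not code from the paper (which shows only SQL and cites a PHP text); the schema, the rows, the username policy and the function names are constructed assumptions.

```python
import logging
import re
import sqlite3

log = logging.getLogger(__name__)


def build_db():
    """Constructed stand-in for the paper's login table; the paper names only the
    Username and Password fields, so the extra column and the rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT, permission TEXT)")
    conn.executemany(
        "INSERT INTO login VALUES (?, ?, ?)",
        [("admin", "s3cret", "administrator"), ("Joseph Kenny", "password", "user")],
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The weak form: input is spliced into the SQL text, so a comment sequence in
    the username discards the password check exactly as Example One describes."""
    sql = (
        "SELECT username, permission FROM login WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """The corrected form: the statement text is fixed and the values travel as
    parameters, so "--" or "1=1" in the input is compared literally, never parsed."""
    sql = "SELECT username, permission FROM login WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Whitelist validation (assumed policy): only characters a real username needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_ ]{1,32}")


def validate_username(username):
    """True only if every character of the username is on the whitelist."""
    return USERNAME_RE.fullmatch(username) is not None


def safe_login(conn, username, password):
    """Whitelist validation, parameterized query and a generic failure message
    combined; the caller never sees database error detail."""
    if not validate_username(username):
        return {"ok": False, "message": "Login failed"}
    try:
        row = login_parameterized(conn, username, password)
    except sqlite3.Error as exc:
        # Detail goes to the server-side log only (the exception handling practice).
        log.warning("login query failed: %s", exc)
        return {"ok": False, "message": "Login failed"}
    if row is None:
        return {"ok": False, "message": "Login failed"}
    return {"ok": True, "user": row[0], "permission": row[1]}


if __name__ == "__main__":
    db = build_db()
    probe = "admin' -- "          # the paper's comment-out input, as a username
    print("concatenated :", login_concatenated(db, probe, "wrong"))
    print("parameterized:", login_parameterized(db, probe, "wrong"))
    print("safe_login   :", safe_login(db, probe, "wrong"))
    print("safe_login   :", safe_login(db, "Joseph Kenny", "password"))
```

With the concatenated query the probe username logs in as admin without a password, while the parameterized query returns no row because no username is literally "admin' -- ". The whitelist rejects the probe before any query runs, and the generic message means an attacker learns nothing from a failure. The restrict-privileges practice is not shown because SQLite has no accounts; with a server database the application's account would be granted SELECT on login only. Escaping is also unnecessary here, since parameters make it redundant.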