15 - SQL Injection

Question 1

What is SQL Injection?

Answer 1

A technique used to take advantage of un-sanitized input to pass SQL commands through a web app for execution by a backend database. It is used to either gain unauthorized access or retrieve info directly from a DB.

Question 2

What kind of attacks can SQL injection be used to implement?

Answer 2

• Authentication Bypass: An attacker logs into app without providing valid creds and gains admin privileges
• Information Disclosure: An attacker obtains sensitive info that is stored in the database.
• Compromised Data Integrity: Attacker uses this attack to deface/insert data on a web page or alter contents of a database.
• Compromised Availability of Data: Attackers use this to delete the database info or logs or audit info in a database.
• Remote Code Execution: It assists an attacker to compromise the host OS.

Question 3

What type of databases are susceptible to SQL-Injection attacks?

Answer 3

Relational databases.

Question 4

What is an HTTP Post request?

Answer 4

The POST request carries the requested data as a part of the message body. The string that is submitted to the web server is visible in the body of the HTTP or HTTPS POST request.

Question 5

What is a SQL query?

Answer 5

A SQL command that is constructed to interact with a backend SQL database.

Question 6

How does a SQL injection query exploit the normal execution of SQL?

Answer 6

The attacker is able to exploit the application’s inability to filter the request.

Question 7

What are the main types of SQL Injection?

Answer 7

• In-Band SQL Injection: Where an attacker uses the same communication channel to perform the attack and retrieve the results.
• Blind/Inferential SQL Injection: When there aren’t SQL error messages to work with, an attacker just sends queries and use boolean results to determine structure of DB and data. One step further, when data is not returned through the app, an attacker just sends queries “blindly”
• Out-of-Band SQL Injection: When an attacker uses different communication channels to perform attack and obtain the result

Question 8

What are the types of In-Band SQL Injection?

Answer 8

• Error-Based SQL Injection: Attackers intentionally throw bad data into the app in order to receive database errors.
• System Stored Procedure: DB’s stored procedures are exploited.
• Illegal/Logically Incorrect Query: Attackers throw bad queries into database in order to receive database errors.
• Union SQL Injection: Attackers use a UNION clause in order to join a forged query to original query.
• Tautology: Attackers always inject statements that are true so they always return results upon evaluation of a WHERE condition. (‘1’=’1’)
• End of Line Comment: After injecting code into a particular field, legit code is nullified by end of line comments. (“–”)
• Inline Comment: Attackers integrate multiple vulnerable inputs into a single query using inline comments.
• Piggybacked Query: Attackers inject additional malicious query to the original query.

Question 9

What is a Time-based SQL injection?

Answer 9

A way for attackers to check if a True/False statement is True. This way gets around the Generic error message response so attackers can extract data.

Question 10

What is Boolean Exploitation?

Answer 10

Where an attacker sends multiple True/False statements (one that they know is true or false) and compare the results to determine if there expression was True or False.

Question 11

What is a Heavy Query?

Answer 11

A query that retrieves a huge amount of data and in turn, will take a lot of time to execute by using multiple joins. This type of attack is a type of Time-based attack?

Question 12

What are the steps of the SQL Injection Methodology?

Answer 12

• Information Gathering and SQL Injection Vulnerability Detection
• Launch SQL Injection Attacks
• Advanced SQL Injection

Question 13

What type of steps are taken in the SQL Injection Info Gathering stage?

Answer 13

Check if web app connects to a DB server, list all input fields, hidden fields, and post requests. Attempt to inject codes to generate errors and evaluate the data in the error messages. Use a string in a number field and vice versa, use a UNION operator to combine the result-set of tow or more SELECT statements.

Question 14

What are the steps of the SQL Injection Methodology?

Answer 14

• Information Gathering and SQL Injection Vulnerability Detection
• Launch SQL Injection Attacks
• Advanced SQL Injection

Question 15

What type of steps are taken in the SQL Injection Info Gathering stage?

Answer 15

Check if web app connects to a DB server, list all input fields, hidden fields, and post requests. Attempt to inject codes to generate errors and evaluate the data in the error messages. Use a string in a number field and vice versa, use a UNION operator to combine the result-set of tow or more SELECT statements.

Question 16

What type of information is extracted through error messages?

Answer 16

It gives you OS, DB system, DB type and version, privilege version, OS interaction level, etc.

Question 17

What are some ways to generate some errors?

Answer 17

• Parameter tampering
• Injections
• Grouping Error
• Try to insert string into numeric fields
• Blind Injection
• Determine DB Engine Type
• Determining a SELECT Query Structure

Question 18

What are some methods to detect SQL injection?

Answer 18

• Function Testing: where a software or system is tested against a set of inputs according to the end user’s need. Requires no knowledge of the inner design of the code or logic.
• Fuzzing Testing: Inputting large amounts of random data and observing the changes in the output.
• Static/Dynamic Testing: Analysis of web app code.

Question 19

What is Black Box Testing?

Answer 19

Where the attacker does not need to have any knowledge about the network or the system to be tested.

Question 20

What are the steps involved in Black Box pen testing?

Answer 20

• Detecting SQL Injection Issues: Send single or double quotes to detect if input is not sanitized.
• Detecting Input Sanitization: Use right square bracket “]” to catch where user input is used as part of an SQL identifier.
• Detecting Truncation Issues: Send long strings of data to detect buffer overruns
• Detecting SQL Modification: send long strings of right square brackets, double quotes, or single quotes

Question 21

What are the types of Source Code analysis?

Answer 21

• Static Code Analysis: Analyzing source code without executing
• Dynamic Code Analysis: Code analysis at runtime.

Question 22

What are the steps for performing union SQL Injection?

Answer 22

Extract database name, extract database table, extract Table column names, extract 1st field data.

Question 23

What is a Second-Order SQL Injection?

Answer 23

Where the attacker inputs a SQL query into a backend database via an HTTP request and it is stored as data. Another request is submitted where the first request data is executed as a query from within.

Question 24

How can a firewall be bypassed with SQL injection?

Answer 24

• Normalization Method: Attacker changes structure of SQL query to perform attack.
• HPP and HPF Techniques: HTTP Parameter Pollution (HPP) and HTTP Parameter Fragmentation (HPF) are used to inject delimiting characters in query strings.
• Blind SQL Injection: Technique used to replace WAF signatures with their synonyms by using SQL functions.
• Signature Bypass: Attackers transform the signature of SQL queries to bypass the firewalls.

Question 25

What are some data obtained via enumeration (DB, Table, Column)?

Answer 25

* **_Identify User Level Privilege_** * **_DB Administrators_**: Default admin accounts include sa, system, sys, dba, admin, root and many others. The dbo is a user that has implied permissions to perform all activities in the DB. * **_Discover DB Structure_** * **_Column Enumeration in DB_**

Question 26

What is password grabbing?

Answer 26

Where an attacker grabs passwords from user defined database tables through SQL injection queries and can change, delete, or steal the grabbed password.

Question 27

How can an attacker transfer a SQL Server database to their own machine?

Answer 27

They can do so by using the OPENROWSET command and by connecting to a remote machine via port 80.

Question 28

What are the ways to interact with a DB's OS?

Answer 28

* Reading and writing system files from disk. * Direct command execution via remote shell.

Question 29

What are some MySQL functions that can interact with the file system?

Answer 29

* **LOAD\_FILE()**: used to read and return the contents of a file located within the MYSQL server. * **OUTFILE()**: often used to run a query and dump the results into a file.

Question 30

How can someone access the admin panel of a website?

Answer 30

By utilizing Google dorks, or specialized search terms, at the end of URLs. such as: * Index.php * Admin.php * Login.asp * adminlogin.aspx

Question 31

What are some methods for exploiting PL/SQL?

Answer 31

* Exploiting Quotes * PL/SQL Procedure * **_Exploitation by Truncation_**: Using inline comments to bypass certain parts of SQL statement

Question 32

What are the different methods of creating server backdoors using SQL Injection?

Answer 32

* **_Getting OS Shell_**: Using Outfile to create a PHP shell on the server, by finding the directory structure, and using buit-in DBMS functions. * **_Creating Database Backdoor_**: Attackers use/inject triggers (a stored procedure that is automatically invoked and executed in response to certain DB events) to create database backdoors.

Question 33

What methods do attackers use to evade IDS detection?

Answer 33

* **_In-Line Comment_**: Inputs in-line comments between SQL keywords * **_Char Encoding_**: Uses built in CHAR function to represent a character * **_String Concatenation_**: Concats text to create SQL keyword using DB specific instructions * **_Obfuscated Codes_**: Obscuring code to make difficult to understand * **_Manipulating White Spaces_**: Drops white space between SQL keywords * **_Hex Encoding_**: Uses hex to represent a SQL query string. * **_Sophisticated Matches_**: Uses alternative expression of "OR 1=1" * **_URL Encoding_**: Adds percent sign before each code point * **_Case Variation_**: Mixes upper and lower case to obscure * **_Null Byte_**: Uses null byte (%00) character prior to a string in order to bypass detection mechanism. * **_Declare Variables_**: Uses a variable to pass a SQL statement and bypass detection * **_IP Fragmentation_**: Fragments packets in order to bypass detection

Question 34

Why are web apps vulnerable to SQL injection attacks?

Answer 34

* The database server runs OS commands * Using privilege account to connect to the database * Error message revealing important info * No data validation * Minimizing privileges * Implementing Consistent Coding Standards * Firewalling the SQL Server

Question 35

How can you defend against SQL injection attacks?

Answer 35

* Make no assumptions about how your data supposed to be when received from your app * Validate data input * Enforce limits to prevent buffer overrun * Test content of strings * Reject entries that contain binary data, escape sequences, and comment characters * Implement multiple layers of validation * Ensure web config files for each app do not contain sensitive info * Use most restrictive SQL account types for apps * Use intrusion detection techniques to monitor injection attacks * Perform automated testing and analysis * Keep untrusted data separate from commands and queries * Eliminate special characters by the interpreter * Use secure hash algo to store passwords * Use data access abstraction layer to enforce secure data access across entire app * Apply least privilege rule to run the apps that access DBMS * Use regular expressions and stored procedures to detect potentially harmful code * Lock web server in different domain * Patch regularly * Monitor SQL statements from DB connected apps * Disable shell access to the database * Do not disclose DB error info to the end users

Question 36

What is HTTP Header-Based SQL Injection?

Answer 36

Using HTTP headers to inject SQL queries into a server. * X-Forwarded-For: Field used to identify IP of client system * User-Agent: Field that includes info about user agent who initiated HTTP request * Referer: HTTP header that is vulnerable as the application stores the input in the database without sanitization

Question 37

What is DNS Exfiltration using SQLi?

Answer 37

Attackers embed the output of a malicious SQL query in a DNS request and capture the DNS response sent by the server.