SQL Injection Junkie
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks. (Wikipedia)
That is one way to name it. I see SQL Injections as vulnerabilities that should have died long ago… Not because they’ve been around for too long (look at buffer overflows), but because they are simple to prevent… Seeing the high number of new developers that pop up every year, with no secure coding habits, I foresee a great future for SQL Injections, as well as for any other web application vulnerability.
Leaving aside the sarcasm, I’ve written this article with the sole purpose of sharing SQL Injection related resources that I found useful.
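As an added example (not from the original post), the two failure modes in the definition above, a string literal that is not escaped and an integer that is not typed, side by side with the parameterised fix that makes the claim "simple to prevent" concrete. The in-memory SQLite table and the two probe strings are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")])
    return conn


def lookup_unsafe_string(conn, name):
    # Failure mode 1: a string literal built by concatenation. A quote in the
    # input terminates the literal and everything after it is parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_unsafe_int(conn, user_id):
    # Failure mode 2: input that is not strongly typed. No quotes are needed;
    # the "number" is pasted into the statement verbatim.
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe_string(conn, name):
    # Fix: bind the value. The driver passes it separately from the SQL text,
    # so it can never change the statement's structure.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def lookup_safe_int(conn, user_id):
    # Fix: enforce the type before binding; anything that is not an integer
    # is rejected by int() before the database ever sees it.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (int(user_id),)).fetchall()


def demo():
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed probe: breaks out of the string literal
    untyped = "1 OR 1=1"        # constructed probe: abuses the untyped integer
    results = {
        "unsafe_string": len(lookup_unsafe_string(conn, tautology)),  # every row leaks
        "unsafe_int": len(lookup_unsafe_int(conn, untyped)),          # every row leaks
        "safe_string": len(lookup_safe_string(conn, tautology)),      # no such user
    }
    try:
        lookup_safe_int(conn, untyped)
        results["safe_int"] = "accepted"
    except ValueError:
        results["safe_int"] = "rejected"
    return results
```

Run `demo()` to see both unsafe lookups return the whole table while the bound versions return nothing or refuse the input outright.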
RTFM!? (Read The “Funky” Manual)
Before even trying to understand what SQL Injection is, you should have (at least) basic knowledge of the type of database behind the SQL Injection and its syntax (the ANSI/ISO SQL standard and the DBMS-specific functions/procedures/tables). The best starting point (and quick reference) for a specific DBMS is its own manual:
Note here (and throughout the whole article) that I will emphasize MSSQL, MySQL, Oracle and PostgreSQL, because they are the most common DBMSs you’ll encounter.
SQL Injection 101
You should understand basic SQL Injection attacks. I linked to OWASP’s article on SQL Injection, but you could search for another one (there are plenty on the web) that seems more appropriate to you. Also don’t forget to dive into Blind SQL Injections.
From that point onward it’s a matter of practice (there are a couple of challenge websites) and some DBMS-specific techniques. The following articles are some examples on the subject:
- MySQL table and column names
- MySQL into outfile
- SQL Injection and Oracle
- Manipulating SQL Server Using SQL Injection
As I said, these are just a few examples. Other interesting (MySQL) techniques would be the ones using Benchmark() and Procedure Analyse().
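As an added defender-side example (not from the original post), a small detector that flags the time-delay primitives behind Benchmark()-style blind injection probes, across the four DBMSs this article focuses on, in web-server log lines. The log format and the sample entries are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post). Fields: ip, request, status.
SAMPLE_LOG = """\
10.0.0.5 "GET /item.php?id=42 HTTP/1.1" 200
10.0.0.7 "GET /item.php?id=42+AND+BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200
10.0.0.7 "GET /item.php?id=42%20and%20sleep(5)-- HTTP/1.1" 200
10.0.0.9 "GET /news.asp?id=7;WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 500
10.0.0.3 "GET /search.php?q=benchmark+results HTTP/1.1" 200
"""

# Time-delay primitives: MySQL BENCHMARK()/SLEEP(), PostgreSQL pg_sleep(),
# Oracle DBMS_LOCK.SLEEP(), MSSQL WAITFOR DELAY. The trailing "(" keeps the
# plain English word "benchmark" in a search query from matching.
TIME_PRIMITIVES = re.compile(
    r"\b(benchmark|sleep|pg_sleep|dbms_lock\.sleep)\s*\(|\bwaitfor\s+delay\b", re.I)

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')


def normalize(url):
    # Decode percent/plus encoding and strip inline comments, so that an
    # encoded or comment-split function name looks the same to the matcher.
    decoded = unquote_plus(url)
    return re.sub(r"/\*.*?\*/", "", decoded)


def flag_time_based_probes(log_text):
    """Return (ip, raw_url) for every request whose query string carries a delay primitive."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = normalize(m.group("url")).partition("?")[2]
        if TIME_PRIMITIVES.search(query):
            hits.append((m.group("ip"), m.group("url")))
    return hits


if __name__ == "__main__":
    for ip, url in flag_time_based_probes(SAMPLE_LOG):
        print(f"time-based SQLi probe from {ip}: {url}")
```

The match is a triage signal, not proof: correlate it with response times (a real BENCHMARK() or SLEEP() that executed shows up as a slow request) before treating it as a confirmed injection.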
SQL Injection Cheat Sheet
The most helpful resources when you’re doing SQL Injection attacks manually. I personally use Ferruh’s and pentestmonkey’s cheat sheets. You should not stop at only these two; there are many other cheat sheets (DBMS-specific ones too) available. The best option is to merge several cheat sheets (some have exotic vectors, while others have more detailed examples) and from those select what you think would be appropriate for your own cheat sheet.
Browserware
There are two Firefox add-ons that I would suggest for SQL Injection testing. The first one is HackBar, which I find very useful when exploiting SQL Injections directly from the browser (extracting/enumerating/dumping), while the second is SQL Inject Me, an add-on which will prove useful on pages with many input fields.
A Little Extra
Although SQL Injections can be exploited manually, on several occasions (and depending on your laziness) you’ll want to automate the job of extracting/detecting/dumping/bruteforcing (?) a database. Here the following scripts/apps would prove handy…
SQLMap
sqlmap is an open source command-line automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL statements, read specific files on the file system and more.
MultiInjector
MultiInjector is a mass exploitation tool (automated defacement). You basically give the application a list of targets and a payload, and it will fuzz all the parameters it finds by appending the payload to them. Check the website for more information.
Blind Sql Injection Brute Forcer version 2
This is a modified version of ‘bsqlbfv1.2-th.pl’. This Perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported: MSSQL, MySQL, PostgreSQL and Oracle.
Sqlninja
Sqlninja is a tool targeted at exploiting SQL Injection vulnerabilities in web applications that use Microsoft SQL Server as their back-end. Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help automate the process of taking over a DB server once a SQL Injection vulnerability has been discovered.
SQLBrute
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle.
This is just a small list; for more, check out the top 15 SQL injection scanners back at security-hacks.
Bruteforce?
If you can’t SQL Inject a website, you can bruteforce the login credentials (if external access is allowed). Just download medusa/hydra (I prefer Hydra, due to its Windows support :)), generate a custom wordlist for your scenario (see the resource on wordlists and common passwords), and hit enter.
I know I’ve gone a bit off topic with the bruteforcing section, but I guess a little more info never hurt anybody.
AND 1=0
Have any suggestions? Feel free to contribute with comments/articles/cheat sheets, or any other resource which would improve this article.