SQL hacking on the web

Tuesday, August 07, 2007 7:32:00 PM

There has been a new rash of SQL injection attacks originating from the far east and other places
using the following types of attacks:

somevariable=1%20and%201=convert(int,(select%20top%201%20username%20from
%20adminusers))

or

somevariable=1%20and%201=convert(int,(select%20top%201%20char(97)%2bpassword
%20from%20adminusers))

or an attack specific to SQL Server:

somevariable=convert(int,(select top 1 table_name from information_schema.tables))--

sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where

table_name not in (dtproperties)))--sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where

table_name not in (dtproperties,sysconstraints)))--sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where

table_name not in (dtproperties,sysconstraints,syssegments)))--sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where

table_name not in (dtproperties,sysconstraints,syssegments)))--sp_password

The first problem was an exploit of the user's default error handling page -- if no error handling
is in place, the error message might contain the username, password, or other information:

Error Executing Database Query. [Macromedia][SQLServer JDBC Driver][SQLServer]Syntax

error converting the varchar value 'yourpassword' to a column of data type int. <br>The error
occurred on line 102.

In the real attack, the user password was shown on the page. The password was prefaced with the
letter "A" -- the char(97) in the attack. This is in case the password started with a number. This
can be prevented by using <cfqueryparam> or other device specific to your programming
language to make sure integer values are passed as integers.
The second problem is that the default web database user has access to tables that should never
be accessible to the web. The malicious user was able to obtain table information from
information_schema.tables, and work from there, systematically building each time on
information that was previously obtained.

The best possible scenario is to turn off all table access to the web and only access data through
stored procedures. That is not always possible. At the very minimum, only expose the data
necessary for the site, and only allow access to statements that are required for operation of the
site. For example, if you have a table called "Payments", and this is only available to admins,
create two SQL username/password logins and use one for the publicly accessed site and one for
the admin section. Turn off all permissions to the "Payments" table for the web user. Create
"SELECT" permissions only on tables that only need to have data displayed.

As a DBA (which you are if you have a web site with a database and you are the person
responsible for the database), you need to know how to secure your data. That involves setting
up specific database users for specific access. If a web host gives you a dbo user for a specific
database, do not under any circumstance use this username for your web site. This user can
be used to create web user logins with specific access. MySQL has similar security features.
Access users are out of luck.

The other key is never displaying error messages to users. Make sure your error handling page
only shows a pretty message to the user with no information in it, like "You've created an error.
Go back and try again." Or prettier than that.

And don't use words or letters for username/password combinations. Passwords should be 10
characters or more, and contain letters, numbers, and special characters. Brute force password
guessing programs can figure out a password quickly if you use English language words or just
letters.

I'm getting these attacks on my site too. It's scary sometimes having a web site, but hopefully
there are safety measures in place to keep these parasites out.

Top 15 SQL Injection Scanners

While the adoption of web applications

for conducting online business has enabled companies to connect seamlessly with their
customers, it has also exposed a number of security concerns stemming from improper coding.
Vulnerabilities in web applications allow hackers to gain direct and public access to sensitive
information (e.g. personal data, login credentials).

Web applications allow visitors to submit and retrieve data

to/from a database over the Internet. Databases are the heart of most web applications. They hold
data needed for web applications to deliver specific content to visitors and provide information to
customers, suppliers etc.

SQL Injection is perhaps the most common web-application hacking technique which attempts
to pass SQL commands through a web application for execution by the back-end database. The
vulnerability is presented when user input is incorrectly sanitized and thereby executed.

Checking for SQL Injection vulnerabilities involves auditing your web applications and the best
way to do it is by using automated SQL Injection Scanners. We’ve compiled a list of free SQL
Injection Scanners we believe will be of a value to both web application developers and
professional security auditors.

SQLIer – SQLIer takes a vulnerable URL and attempts to determine all the necessary
information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at
all. Get SQLIer.

SQLbftools – SQLbftools is a collection of tools to retrieve MySQL information available using

a blind SQL Injection attack. Get SQLbftools.

SQL Injection Brute-forcer – SQLibf is a tool for automatizing the work of detecting and
exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It
works by doing simple logic SQL operations to determine the exposure level of the vulnerable
application. Get SQLLibf.

SQLBrute – SQLBrute is a tool for brute forcing data out of databases using blind SQL
injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL
Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and
doesn’t require non-standard libraries. Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection
vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema,
and allow the retrieval of data from any table that the current application user has access to. Get
BobCat.

SQLMap – SQLMap is an automatic blind SQL injection tool, developed in python, capable to
perform an active database management system fingerprint, enumerate entire remote databases
and much more. The aim of SQLMap is to implement a fully functional database management
system tool which takes advantages of web application programming security flaws which lead
to SQL injection vulnerabilities. Get SQLMap.

Absinthe – Absinthe is a GUI-based tool that automates the process of downloading the schema
and contents of a database that is vulnerable to Blind SQL Injection. Get Absinthe.
SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to
examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing
tool.

SQID – SQL Injection digger (SQLID) is a command line program that looks for SQL injections
and common errors in websites. It can perform the follwing operations: look for SQL injection in
a web pages and test submit forms for possible SQL injection vulnerabilities. Get SQID.

Blind SQL Injection Perl Tool – bsqlbf is a Perl script that lets auditors retrieve information
from web sites that are vulnerable to SQL Injection. Get Blind SQL Injection Perl Tool.

SQL Power Injection Injector – SQL Power Injection helps the penetration tester to inject SQL
commands on a web page. It’s main strength is its capacity to automate tedious blind SQL
injection with several threads. Get SQL Power Injection.

FJ-Injector Framwork – FG-Injector is a free open source framework designed to help find
SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and
modifying HTTP requests, and an interface for automating SQL injection exploitation. Get FJ-
Injector Framework.

SQLNinja – SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application

that uses Microsoft SQL Server as its back-end database. Get SQLNinja.

Automagic SQL Injector – The Automagic SQL Injector is an automated SQL injection tool
designed to help save time on penetration testing. It is only designed to work with vanilla
Microsoft SQL injection holes where errors are returned. Get Automagic SQL Injector.

NGSS SQL Injector – NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate
database servers to gain access to stored data. It currently supports the following databases:
Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.