
I'm having trouble figuring out what SQL injection attacks are, or in more general terms, what injection attacks are. Most explanations out there on the internets are kinda hard to understand. Could someone explain, in layman terms, what an injection attack is, and specifically an SQL injection? Also, what are ways to defend against these?

Thanks

APCoding
  • "sending code directly to the server that gets interpreted by the server as commands" Are you with me this far? – schroeder Oct 04 '15 at 03:19
  • @schroeder Yes, but why can't this easily be patched by not accepting commands from clients? – APCoding Oct 04 '15 at 03:47
  • The problem arises when you can't tell the commands from the strings the clients are supposed to send (like a username or a password). If the strings are well constructed, they may unintentionally become commands to the server. – Valmiky Arquissandas Oct 04 '15 at 04:38
  • @APCoding Eg. in a scenario with a website being served by a PHP program, the commands are actually executed on the server by a PHP program, after receiving them from the client. The DB can't know where the PHP program got the commands from, so the DB can't prevent it. Fixing the PHP program is easy, but sadly many PHP "programmers" don't understand it's necessary and/or how to do it properly. ... It all boils down to the stupidity of the program creator. – deviantfan Oct 04 '15 at 04:39
  • ...or even more layman-ish: Patching is easy, but a) there is no universal patch, each software needs something different, so eg. the operating system vendors (Linux, Windows...) can't solve that; and b) it's not hard to patch it, but (too) many (bad) programmers don't know how to do it or don't take the threat seriously [yes, even nowadays such *** exist] – deviantfan Oct 04 '15 at 04:59
  • Have you already read [How can I explain SQL injection without technical jargon?](http://security.stackexchange.com/q/25684/539) – Gumbo Oct 04 '15 at 06:25

2 Answers


In layman terms:

Typical web applications are three-tiered (browser + web server + backend databases). When a user accesses a website, his browser receives HTML and JS, which are the product of static web pages as well as dynamically generated ones using server-side code (e.g. PHP, ASP). When you log in, for instance, you send your password and username to the web server, which processes such parameters and applies the pre-programmed authentication logic (in PHP, ASP). Such logic requires verifications using a database that stores users' data and allows the simple verification: username matches password. So, the server-side logic takes your arguments and queries the database (e.g. MySQL).

SELECT * FROM Users WHERE username='your_supplied_username' AND password='your_supplied_password';

The database processes this and returns (if the database is correctly designed) only one (username and password match) or zero (wrong password) matches which "represent you".

What about SQL Injection Bro?

I am not your bro, bro :P. A sloppy developer would take the parameters sent by you and put them directly on the your_supplied_* fields. If the user wasn't malicious, this would be no problem at all. Yet, for a malicious attacker, this opens a huge door for attacks. If you are familiar with SQL, you know that AND requires both left and right expressions to evaluate to true. Also, in SQLi, the comment character "--" is a helpful friend, so what if I write my_username';--?

SELECT * FROM Users WHERE username='your_supplied_username';--' AND password='your_supplied_password';

Server-side code will take my input, apply it to the stringed query and send it to the database. The database will interpret "--" as a comment, which will exclude:

' AND password='your_supplied_password';

while keeping:

SELECT * FROM Users WHERE username='your_supplied_username'

This is a valid query which will easily evaluate to true. Now, the behavior here varies. If the username is unique (typically it is), there will only be one record returned. If it isn't, multiple records will be returned and the web server code (e.g. php) will typically pick the first. If you are familiar with SQL, you may now get creative and chain queries, use wildcards and get wild. Now the question is:

As a developer, what can I do?

Now, this depends on the server-side language you are using, but the coding primitives are typically named alike. You can escape special sequences using PHP (http://php.net/manual/en/mysqli.real-escape-string.php) or use prepared statements (http://php.net/manual/en/mysqli.quickstart.prepared-statements.php).

How do I know if the server suffers from SQLi? You can run tools such as SQLMap or SQLNinja. You can also go to the forms and write

'gibberish where the ' will hopefully confuse the PHP query parser and leak an error shown on your browser (SQL statement error). There are other techniques such as injecting a sleep statement on queries to check if the database hangs for a few seconds before returning. As a defense mechanism, you should always process your SQL errors in the server-side code before sending them to the user, to avoid intel leakage.

Stay safe ;)

BrunoMCBraga
  • Wow, I'm impressed. This must be the only InfoSec forum out there that supplies this in detail and useful answers. – APCoding Oct 04 '15 at 13:47
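The two login paths described in this answer, as an added example that is not code from the original post: the sloppy string-built query beside the prepared-statement version, run against a constructed in-memory SQLite table (the Users rows and the alice/bob accounts are made up for the demo), plus the "'gibberish" error probe from the answer.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table for the demo. Passwords are stored in clear
    text only to keep the example short; a real application stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The sloppy version: user input is pasted straight into the SQL text.
    Returns the first matching username, or None if nothing matched."""
    query = (f"SELECT username FROM Users WHERE username='{username}' "
             f"AND password='{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same logic as a prepared statement: values are bound separately from the SQL
    text, so a quote or '--' inside them is data, never syntax."""
    query = "SELECT username FROM Users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def error_probe(conn, username):
    """The "'gibberish" probe from the answer, run against the vulnerable query.
    Returns the raw database error text, or None if the query parsed fine. The
    defence is to catch the error here and show the user only a generic message."""
    try:
        login_vulnerable(conn, username, "x")
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    conn = make_db()
    payload = "alice';--"  # payload from the answer: closes the quote, comments out the rest
    print(login_vulnerable(conn, "alice", "s3cret"))  # alice (legitimate login)
    print(login_vulnerable(conn, payload, "wrong"))   # alice (password check bypassed)
    print(login_safe(conn, payload, "wrong"))         # None (payload is just a literal name)
    print(login_safe(conn, "alice", "s3cret"))        # alice
    print(error_probe(conn, "'gibberish"))            # a raw SQL error message
```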

SQL injection attacks are essentially a way for an attacker to obtain access to a database's contents by exploiting vulnerabilities or misconfigurations in the way the application handles certain strings of characters (particularly string escape characters).

The easiest way I can think of to describe it is you have a web form that takes user input to complete a survey. Under normal circumstances, the user will enter their information in the form and submit it. However, if the web application does not sanitize the input properly by removing certain special characters, an attacker, instead of typing in the expected data, can enter a command which is a SQL command to extract data. There are some examples of commonly used SQL injection methods and techniques available at http://www.w3schools.com/sql/sql_injection.asp

There are several ways to mitigate the damage a SQL injection can cause. Sanitizing input can prevent an attacker from entering the special characters necessary to execute SQL commands, and limiting the privileges of the web database account can limit the data a SQL injection can gather.

koluke