Attacking Appliions: SQL Injection and Buffer Overflows(A Complete Overview)

SQL injection and buffer overflows are techniques used to wknesses in

appliions. When programs are written, some parameters used in the crtion of the appliion

can lve wknesses in the program erally, the purpose of SQL injection is to convince

the appliion to run SQL that was not intended.


Both SQL Server injection and buffer overflow vulnerabilities are caused by the same issue:

invalid parameters that are not verified by the appliion. If programmers don’t take the time

to validate the variables a user can enter into a variable field, the results can be serious and

unpredictable. Sophistied s can this vulnerability, causing an execution fault

and shutdown of the system or appliion, or a command shell to be executed for the .


This article will detail how to perform a SQL injection and a buffer overflow attack and

explore the best countermsures to prevent the attack.

What is SQL injection?





SQL injection occurs when an appliion processes user-provided data to crte a

SQL statement without first validating the input. The user input is then submitted to a web

appliion database server for execution. When successfully ed, SQL injection can

give an attacker access to database content or allow the to remotely execute system

commands.The impact of a SQL injection attacks depends on where the vulnerability is in

the , how sy it is to the vulnerability, and what level of access the appliion

has to the database.Web appliions are sy targets because by their very nature they are open

to being accessed from the Internet. During a web appliion SQL injection attack, malicious

is inserted into a web form field or the website’s to make a system execute a command

shell or other arbitrary commands.

Finding a SQL Injection Vulnerability
Before launching a SQL injection attack, the determines whether the configuration

of the database and related tables and variables is vulnerable. The steps to determine the

SQL Server’s vulnerability are as follows:

1. Using your web browser, srch for a website that uses a login page or other database

input or query fields (such as an “I forgot my ” form). Look for web pages that display

the POST or GET HTML commands by checking the site’s source .

2. Test the SQL Server using single quotes (‘’). Doing so indies whether the user input

variable is sanitized or interpreted literally by the server. If the server responds with an error

message that says use 'a'='a' (or something similar), then it’s most likely susceptible to a SQL

injection attack.

3. Use the SELECT command to retrieve data from the database or the INSERT command to

add information to the database.

Here are some examples of variable field text you can use on a web form to test for SQL

vulnerabilities:

Blah’ or 1=1--
Login:blah’ or 1=1--
::blah’ or 1=1--
http://srch/index.asp?id=blah’ or 1=1--

These commands and similar variations may allow a user to bypass a login depending on the

structure of the database. When entered in a form field, the commands may return many rows

in a table or even an entire database table because the SQL Server is interpreting the terms

literally. The double dashes nr the end of the command tell SQL to ignore the rest of the

command as a comment.

Here are some examples of how to use SQL commands to take control:

To get a directory listing, type the following in a form field:

Blah‘;exec master..xp_cmdshell “dir c:\*.* /s >c:\directory.txt”--

To crte a file, type the following in a form field:

Blah‘;exec master..xp_cmdshell “echo -was-here > c:\.txt”--

To ping an IP address, type the following in a form field:

Blah‘;exec master..xp_cmdshell “ping 192.168.1.1”--

The Purpose of SQL Injection
SQL s will produce valuable user data stored in the database, and some are just

precursors to other attacks. The following are the most common purposes of a SQL injection

attack:

Identifying SQL Injection Vulnerability:The purpose is to probe a web appliion to discover

which parameters and user input fields are vulnerable to SQL injection.

Performing Database Finger-Printing :The purpose is to discover the type and version of

database that a web appliion is using and “fingerprint” the database. Knowing the type

and version of the database used by a web appliion allows an attacker to craft databasespecific

attacks.

Determining Database Schema:To correctly extract data from a database, the attacker

often needs to know database schema information, such as table names, column names,

and column data types. This information can be used in a follow-on attack.

Extracting Data:These types of attacks employ techniques that will extract data values

from the database. Depending on the type of web appliion, this information could be

sensitive and highly desirable to the attacker.

Adding or Modifying Data:The purpose is to add or change information in a database.

Performing Denial of Service These attacks are performed to shut down access to a web

appliion, thus denying service to other users. Attacks involving locking or dropping

database tables also fall under this egory.

Evading Detection:This egory refers to certain attack techniques that are employed to

avoid auditing and detection.

Bypassing Authentiion:The purpose is to allow the attacker to bypass database and

appliion authentiion mechanisms. Bypassing such mechanisms could allow the

attacker to assume the rights and privileges associated with another appliion user.

SQL Injection Using Dynamic Strings
Dynamic SQL is an enhanced form of SQL that, unlike standard SQL, facilitates the automatic

eration and execution of program statements. Dynamic SQL is a term used to mn SQL

that is erated by the web appliion before it is executed. Dynamic SQL is a flexible

and powerful tool for crting SQL strings.

A can attack a web-based authentiion form using SQL injection through the

use of dynamic strings. For example, the underlying for a web authentiion form on

a web server may look like the following:

SQLCommand = “SELECT Username FROM Users WHERE Username = ‘“
SQLCommand = SQLComand & strUsername
SQLCommand = SQLComand & “‘ AND = ‘“
SQLCommand = SQLComand & str
SQLCommand = SQLComand & “‘“
strAuthCheck = GetQueryResult(SQLQuery)

A can the SQL injection vulnerability by entering a login and in

the web form that uses the following variables:

Username: kimberly
: graves’ OR ‘’=’

The SQL appliion would build a command string from this input as follows:

SELECT Username FROM Users
WHERE Username = ‘kimberly’
AND = ‘graves’ OR ‘’=’’

This is an example of SQL injection: this query will return all rows from the user’s database,

regardless of whether kimberly is a rl username in the database or graves is a legitimate

.This is due to the OR statement appended to the WHERE clause. The comparison

‘’=’’ will always return a true result, making the overall WHERE clause evaluate to true for all

rows in the table. This will enable the to log in with any username and .


You can use Scrawlr to test for SQL injection vulnerabilities.

Using ’s Scrawlr to Test for SQL Injection Vulnerabilities

1. Download Scrawlr from www..com.

2. Install Scrawlr on your lab PC.

3. Open the Scrawlr program.

4. Type a target web address in the URL Of Site To Scan field:




5. Click the Start button to start the audit of the website for SQL injection vulnerabilities.

6. Once the SQL injection vulnerability scan is complete, Scrawlr will display additional

hosts linked from the scanned site. It is a best practice to scan the linked sites as well

as the main site to ensure no SQL injection vulnerabilities exist.


SQL Injection Countermsures

When implementing SQL injection countermsures, review source for the following

programming wknesses:

* Single quotes

* Lack of input

The first countermsures for preventing a SQL injection attack are minimizing the

privileges of a user’s connection to the database and enforcing strong s for SA and

Administrator accounts. You should also disable verbose or explanatory error messages so no

more information than necessary is sent to the ; such information could help them

determine whether the SQL Server is vulnerable. Remember that one of the purposes of SQL

injection is to gain additional information as to which parameters are susceptible to attack.

Another countermsure for preventing SQL injection is checking user data input and

validating the data prior to sending the input to the appliion for processing.

Some countermsures to SQL injection are

* Rejecting known bad input

* Sanitizing and validating the input field

Buffer OverflowsBuffer overflows are s that s use against an operating system or appliion;
like SQL injection attacks, they’re usually targeted at user input fields. A buffer overflow
causes a system to fail by overloading memory or executing a command shell or
arbitrary on the target system. A buffer overflow vulnerability is caused by a lack of
bounds checking or a lack of input- sanitization in a variable field.
The two types of buffer overflows are stack based and based
The stack and the are storage loions for user-supplied variables within a running
program. Variables are stored in the stack or until the program needs them. Stacks are
static loions of memory address space, whers s are dynamic memory address spaces
that occur while a program is running. A -based buffer overflow occurs in the lower
part of the memory and overwrites other dynamic variables

Stack Based OverFlow Attack


The following are the steps a uses to execute a stack-based buffer overflow:
1. Enter a variable into the buffer to exhaust the amount of memory in the stack.
2. Enter more data than the buffer has alloed in memory for that variable, which
causes the memory to overflow or run into the memory space for the next process.
Then, add another variable, and overwrite the return pointer that tells the program
where to return to after executing the variable.
3. A program executes this malicious variable and then uses the return pointer to
get back to the next line of executable . If the successfully overwrites the
pointer, the program executes the ’s instd of the program .

Performing a Buffer Overflow Attack Using Metasploit

1. Open the Metasploit Framework.

2. Start the test machine running Server with IIS.

3. From Metasploit, run the IIS Buffer Overflow attack against the test machine running IIS.


4. Choose a payload to deliver to the IIS target system via the buffer overflow .

Buffer Overflow Countermsures
If an intrusion detection system (IDS) is present on the network, it can thwart a
who sends a series of NOP instructions to forward to the instruction pointer.
Programmers should not use the built-in strcpy(), str(), and strdd() C/C++

functions because they are susceptible to buffer overflows. Alternatively, Java can be used

as the programming language since Java is not susceptible to buffer overflows.

Disclaimer: Plse do not use this information to harm anyone, this article is for eduion purpose only.