Wednesday, May 25, 2016
Attacking Appliions: SQL Injection and Buffer Overflows(A Complete Overview)
SQL injection and buffer overflows are techniques used to wknesses in
appliions. When programs are written, some parameters used in the crtion of the appliion
can lve wknesses in the program erally, the purpose of SQL injection is to convince
the appliion to run SQL that was not intended.
Both SQL Server injection and buffer overflow vulnerabilities are caused by the same issue:
invalid parameters that are not verified by the appliion. If programmers don’t take the time
to validate the variables a user can enter into a variable field, the results can be serious and
unpredictable. Sophistied s can this vulnerability, causing an execution fault
and shutdown of the system or appliion, or a command shell to be executed for the .
This article will detail how to perform a SQL injection and a buffer overflow attack and
explore the best countermsures to prevent the attack.
What is SQL injection?
SQL injection occurs when an appliion processes user-provided data to crte a
SQL statement without first validating the input. The user input is then submitted to a web
appliion database server for execution. When successfully ed, SQL injection can
give an attacker access to database content or allow the to remotely execute system
commands.The impact of a SQL injection attacks depends on where the vulnerability is in
the , how sy it is to the vulnerability, and what level of access the appliion
has to the database.Web appliions are sy targets because by their very nature they are open
to being accessed from the Internet. During a web appliion SQL injection attack, malicious
is inserted into a web form field or the website’s to make a system execute a command
shell or other arbitrary commands.
Finding a SQL Injection Vulnerability
Before launching a SQL injection attack, the determines whether the configuration
of the database and related tables and variables is vulnerable. The steps to determine the
SQL Server’s vulnerability are as follows:
1. Using your web browser, srch for a website that uses a login page or other database
input or query fields (such as an “I forgot my ” form). Look for web pages that display
the POST or GET HTML commands by checking the site’s source .
2. Test the SQL Server using single quotes (‘’). Doing so indies whether the user input
variable is sanitized or interpreted literally by the server. If the server responds with an error
message that says use 'a'='a' (or something similar), then it’s most likely susceptible to a SQL
injection attack.
3. Use the SELECT command to retrieve data from the database or the INSERT command to
add information to the database.
Here are some examples of variable field text you can use on a web form to test for SQL
vulnerabilities:
Blah’ or 1=1--
Login:blah’ or 1=1--
::blah’ or 1=1--
http://srch/index.asp?id=blah’ or 1=1--
These commands and similar variations may allow a user to bypass a login depending on the
structure of the database. When entered in a form field, the commands may return many rows
in a table or even an entire database table because the SQL Server is interpreting the terms
literally. The double dashes nr the end of the command tell SQL to ignore the rest of the
command as a comment.
Here are some examples of how to use SQL commands to take control:
To get a directory listing, type the following in a form field:
Blah‘;exec master..xp_cmdshell “dir c:\*.* /s >c:\directory.txt”--
To crte a file, type the following in a form field:
Blah‘;exec master..xp_cmdshell “echo -was-here > c:\.txt”--
To ping an IP address, type the following in a form field:
Blah‘;exec master..xp_cmdshell “ping 192.168.1.1”--
The Purpose of SQL Injection
SQL s will produce valuable user data stored in the database, and some are just
precursors to other attacks. The following are the most common purposes of a SQL injection
attack:
Identifying SQL Injection Vulnerability:The purpose is to probe a web appliion to discover
which parameters and user input fields are vulnerable to SQL injection.
Performing Database Finger-Printing :The purpose is to discover the type and version of
database that a web appliion is using and “fingerprint” the database. Knowing the type
and version of the database used by a web appliion allows an attacker to craft databasespecific
attacks.
Determining Database Schema:To correctly extract data from a database, the attacker
often needs to know database schema information, such as table names, column names,
and column data types. This information can be used in a follow-on attack.
Extracting Data:These types of attacks employ techniques that will extract data values
from the database. Depending on the type of web appliion, this information could be
sensitive and highly desirable to the attacker.
Adding or Modifying Data:The purpose is to add or change information in a database.
Performing Denial of Service These attacks are performed to shut down access to a web
appliion, thus denying service to other users. Attacks involving locking or dropping
database tables also fall under this egory.
Evading Detection:This egory refers to certain attack techniques that are employed to
avoid auditing and detection.
Bypassing Authentiion:The purpose is to allow the attacker to bypass database and
appliion authentiion mechanisms. Bypassing such mechanisms could allow the
attacker to assume the rights and privileges associated with another appliion user.
SQL Injection Using Dynamic Strings
Dynamic SQL is an enhanced form of SQL that, unlike standard SQL, facilitates the automatic
eration and execution of program statements. Dynamic SQL is a term used to mn SQL
that is erated by the web appliion before it is executed. Dynamic SQL is a flexible
and powerful tool for crting SQL strings.
A can attack a web-based authentiion form using SQL injection through the
use of dynamic strings. For example, the underlying for a web authentiion form on
a web server may look like the following:
SQLCommand = “SELECT Username FROM Users WHERE Username = ‘“
SQLCommand = SQLComand & strUsername
SQLCommand = SQLComand & “‘ AND = ‘“
SQLCommand = SQLComand & str
SQLCommand = SQLComand & “‘“
strAuthCheck = GetQueryResult(SQLQuery)
A can the SQL injection vulnerability by entering a login and in
the web form that uses the following variables:
Username: kimberly
: graves’ OR ‘’=’
The SQL appliion would build a command string from this input as follows:
SELECT Username FROM Users
WHERE Username = ‘kimberly’
AND = ‘graves’ OR ‘’=’’
This is an example of SQL injection: this query will return all rows from the user’s database,
regardless of whether kimberly is a rl username in the database or graves is a legitimate
.This is due to the OR statement appended to the WHERE clause. The comparison
‘’=’’ will always return a true result, making the overall WHERE clause evaluate to true for all
rows in the table. This will enable the to log in with any username and .
You can use Scrawlr to test for SQL injection vulnerabilities.
Using ’s Scrawlr to Test for SQL Injection Vulnerabilities
1. Download Scrawlr from www..com.
2. Install Scrawlr on your lab PC.
3. Open the Scrawlr program.
4. Type a target web address in the URL Of Site To Scan field:
5. Click the Start button to start the audit of the website for SQL injection vulnerabilities.
6. Once the SQL injection vulnerability scan is complete, Scrawlr will display additional
hosts linked from the scanned site. It is a best practice to scan the linked sites as well
as the main site to ensure no SQL injection vulnerabilities exist.
SQL Injection Countermsures
When implementing SQL injection countermsures, review source for the following
programming wknesses:
* Single quotes
* Lack of input
The first countermsures for preventing a SQL injection attack are minimizing the
privileges of a user’s connection to the database and enforcing strong s for SA and
Administrator accounts. You should also disable verbose or explanatory error messages so no
more information than necessary is sent to the ; such information could help them
determine whether the SQL Server is vulnerable. Remember that one of the purposes of SQL
injection is to gain additional information as to which parameters are susceptible to attack.
Another countermsure for preventing SQL injection is checking user data input and
validating the data prior to sending the input to the appliion for processing.
Some countermsures to SQL injection are
* Rejecting known bad input
* Sanitizing and validating the input field
Buffer OverflowsBuffer overflows are s that s use against an operating system or appliion;
like SQL injection attacks, they’re usually targeted at user input fields. A buffer overflow
causes a system to fail by overloading memory or executing a command shell or
arbitrary on the target system. A buffer overflow vulnerability is caused by a lack of
bounds checking or a lack of input- sanitization in a variable field.
The two types of buffer overflows are stack based and based
The stack and the are storage loions for user-supplied variables within a running
program. Variables are stored in the stack or until the program needs them. Stacks are
static loions of memory address space, whers s are dynamic memory address spaces
that occur while a program is running. A -based buffer overflow occurs in the lower
part of the memory and overwrites other dynamic variables
Stack Based OverFlow Attack
The following are the steps a uses to execute a stack-based buffer overflow:
1. Enter a variable into the buffer to exhaust the amount of memory in the stack.
2. Enter more data than the buffer has alloed in memory for that variable, which
causes the memory to overflow or run into the memory space for the next process.
Then, add another variable, and overwrite the return pointer that tells the program
where to return to after executing the variable.
3. A program executes this malicious variable and then uses the return pointer to
get back to the next line of executable . If the successfully overwrites the
pointer, the program executes the ’s instd of the program .
Performing a Buffer Overflow Attack Using Metasploit
1. Open the Metasploit Framework.
2. Start the test machine running Server with IIS.
3. From Metasploit, run the IIS Buffer Overflow attack against the test machine running IIS.
4. Choose a payload to deliver to the IIS target system via the buffer overflow .
Buffer Overflow Countermsures
If an intrusion detection system (IDS) is present on the network, it can thwart a
who sends a series of NOP instructions to forward to the instruction pointer.
Programmers should not use the built-in strcpy(), str(), and strdd() C/C++
functions because they are susceptible to buffer overflows. Alternatively, Java can be used
as the programming language since Java is not susceptible to buffer overflows.
Disclaimer: Plse do not use this information to harm anyone, this article is for eduion purpose only.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment