SQL Interjection Attack
By: Fiend(2600 Salt Lake City)
Basic Information:
It is assumed that the reader is familiar with the concept of dynamically driven websites and
specifically with server-side languages that deliver content from a database. A slight
knowledge of SQL and of how the database interacts with the server is helpful; a deep
understanding isn't required for this document.
Test Environment:
Server:
Apache/1.3.22 (Darwin) PHP/4.0.6 mod_ssl/2.8.5 OpenSSL/0.9.6b
Database:
MySQL 3.23.36
Premise:
Dynamically driven websites can be open to attack when they don't validate the commands they
send to their database.
Main:
Many websites populate their pages with dynamic content from a database and use it to fill
in HTML templates (examples: google.com, slashdot.org). This is very helpful for search
engines and news sites, but it can also leave security holes. A web page asks a database
for certain content through a server-side program (Perl/CGI, PHP, ColdFusion, ASP), and it
is how this server-side program handles the interaction that causes the problem. If a
website wants to grab all of the information from a table (my_table) in a database, it uses
a command similar to "SELECT * FROM my_table;", which returns every record in my_table.
Sites often store sensitive information about users/customers in another table (customers)
and use a different SQL command to get only that user's record: "SELECT user_name, password,
e-mail FROM customers WHERE user_name LIKE ... AND password LIKE ...;", where the value after
each LIKE is a variable submitted from an HTML login form. Note that LIKE treats % and _ in
those values as wildcards, so even this query is only as safe as the values that reach it.
The problem appears when the web page keeps the SQL command in a variable with a common name
($sql) and doesn't validate the command before sending it to the database. On a PHP 4 server
like the one above, register_globals is on by default, so every request parameter becomes a
script variable: a URL parameter named sql arrives inside login.php as $sql, and if the script
uses $sql without having set it itself, the database runs whatever the URL supplied.
Example:
login.php?user=bob&pass=****
A regular URL.
login.php?user=bob&pass=****&sql=SELECT * FROM customers
The SQL command can be overridden from the URL. This command makes the database return the
records of every customer, and the page displays them, giving you private information about
all of the users.
login.php?sql=drop%20table%20customers
This command drops the table entirely and forces the site to restore it from backup. The
restore puts every password back to its backed-up value, which can be very useful if you
already know a user's old password or the default password.
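The following is an added example, not code from the original article: a Python model of the login.php scenario above, using SQLite in place of MySQL 3.23 and a dict of request parameters in place of PHP's register_globals. It assumes (as the article's URLs imply) that the script only builds its own query when $sql has not already arrived from the request, and that it hands the query string to the database unchecked. The customers rows are constructed sample data. The hardened handler alongside it keeps the query text fixed in the script, binds the form values as parameters, and uses = instead of LIKE so a submitted % cannot act as a wildcard.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows standing in for the article's "customers" table.
# (The article writes the column as "e-mail"; it is spelled "email" here so
# it needs no identifier quoting.)
CUSTOMERS = [
    ("bob", "hunter2", "bob@example.com"),
    ("alice", "s3cret", "alice@example.com"),
]


def make_db():
    """Fresh in-memory SQLite database (stands in for MySQL 3.23 in the article)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (user_name TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    db.commit()
    return db


def parse_query_string(qs):
    """Turn 'user=bob&pass=x&sql=...' into a dict, decoding %20 and friends."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def table_exists(db, name):
    """True if the table still exists (used to observe the DROP TABLE request)."""
    row = db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None


def login_vulnerable(db, params):
    """Model of the article's login.php on PHP 4 with register_globals on.

    register_globals turns every request parameter into a script variable,
    so ?sql=... arrives as $sql. Assumed script structure: it only builds
    its own query when $sql is not already set, then sends the string to
    the database without looking at it.
    """
    user = params.get("user", "")
    pw = params.get("pass", "")
    sql = params.get("sql")  # attacker-controlled $sql, if the URL supplied one
    if sql is None:
        # The article's query, with the form values pasted straight in.
        sql = ("SELECT user_name, password, email FROM customers "
               "WHERE user_name LIKE '%s' AND password LIKE '%s'" % (user, pw))
    return db.execute(sql).fetchall()


def login_hardened(db, params):
    """Fixed handler: the query text is a constant, the form values are bound
    parameters, and '=' replaces LIKE so '%' in a value is just a character.
    A 'sql' parameter is never read, so register_globals has nothing to poison.
    """
    user = params.get("user", "")
    pw = params.get("pass", "")
    return db.execute(
        "SELECT user_name, password, email FROM customers "
        "WHERE user_name = ? AND password = ?", (user, pw)).fetchall()


# The article's URLs plus one showing the LIKE wildcard problem (pass=%25 is '%').
REQUESTS = [
    "user=bob&pass=****",
    "user=bob&pass=****&sql=SELECT * FROM customers",
    "user=bob&pass=%25",
    "sql=drop%20table%20customers",
]

if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        db = make_db()
        for qs in REQUESTS:
            print("%-10s %-50s -> %r" % (name, qs, handler(db, parse_query_string(qs))))
        print("%-10s customers table still exists: %s" % (name, table_exists(db, "customers")))
```

Run it directly to send the article's URLs through both handlers: only the vulnerable one dumps the whole customers table, accepts pass=%25 as bob's password, and loses the table to the drop request.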
Conclusion:
This is very fun but also damaging and illegal; although you are simply asking the web page for
information and it hands the sensitive information to you, you can be caught and convicted
of being the little terrorist* you are!
*Thanks to the PATRIOT Act for considering geeks the same as terrorists and silencing scientists
with the DMCA; that'll really make us safer.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2002
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) The Linux Hackers Intro to assembly language (Pt. 1) - argc
2.) Intro to PGP on Windows - madirish
3.) Hacking Windows Shares from Linux with Samba - madirish
4.) DVD Ripping the Right Way - A
5.) SAM Files and NT Password Hashes - Grifter
6.) SQL Interjection Attack - Fiend
7.) Raw Socket Access in Windows XP - Tierra
8.) The Tuxtendo's Tuxkit Rootkit Analysis - Spoonfork