Tuesday, 7 July 2015

SQL Injection Series: Exploitation of SQL Injection Techniques

SQL Injection Series

· Introduction
· SQL Injection Mechanisms
· Impact of SQL Injection
· Exploitation of SQL Injection Techniques
· Test/Detect SQL Injection
· Prevention from SQL Injection

Below are some of the techniques that can be used to exploit SQL injection.

Time delay exploitation technique
The time delay exploitation technique is very useful when the tester finds a Blind SQL Injection situation, in which nothing is known about the outcome of an operation. The technique consists of sending an injected query that delays the response only when a conditional is true; the tester then measures how long the server takes to respond. If there is a delay, the tester can assume the result of the conditional query is true.
Using this method, an attacker enumerates each character of the desired piece of data with the following logic:
If the first letter of the first database's name is 'A', wait for 10 seconds.
If the first letter of the first database's name is 'B', wait for 10 seconds, and so on.
Microsoft SQL Server: http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
When the delay is tied to a conditional, for example a test of whether the first character of the password of the user with user_id = 1 is '2' (CHAR(50) == '2'), a database response that took a long time tells us the condition holds, i.e. that the character is '2'.
Repeating this for the rest of the characters, it is possible to enumerate entire passwords stored in the database. This method works even when the injected SQL queries leave the content of the vulnerable page unchanged.
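A defender's counterpart to the technique above, added here as an example that is not part of the original post: a small log analyser that decodes request query strings from constructed web-server access lines (combined format with the response time in seconds appended as a last field, the nginx $request_time convention) and flags the time-delay primitives of the common DBMSs, rating a hit higher when the server actually stalled. The sample lines, the marker list, the field layout and the 5-second threshold are my own assumptions, not anything from the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Combined log format with
# the response time in seconds appended as the final field.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jul/2015:10:00:01 +0000] "GET /vulnerable.php?id=1 HTTP/1.1" 200 512 0.012',
    '10.0.0.5 - - [07/Jul/2015:10:00:02 +0000] "GET /vulnerable.php?id=1%27%20waitfor%20delay%20%2700:00:10%27-- HTTP/1.1" 200 512 10.031',
    '10.0.0.7 - - [07/Jul/2015:10:00:03 +0000] "GET /product.php?id=10 HTTP/1.1" 200 2048 0.020',
    '10.0.0.5 - - [07/Jul/2015:10:00:15 +0000] "GET /vulnerable.php?id=1%20AND%20SLEEP(10) HTTP/1.1" 200 512 10.040',
    '10.0.0.9 - - [07/Jul/2015:10:00:20 +0000] "GET /report.php?year=2015 HTTP/1.1" 200 90000 8.500',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)

# Time-delay primitives per DBMS (assumed, non-exhaustive list), matched against the
# URL-decoded, lower-cased query string so encoding tricks do not hide them.
DELAY_PRIMITIVES = {
    "waitfor delay": re.compile(r"waitfor\s+delay"),      # Microsoft SQL Server
    "sleep(": re.compile(r"\bsleep\s*\("),                # MySQL
    "benchmark(": re.compile(r"\bbenchmark\s*\("),        # MySQL
    "pg_sleep(": re.compile(r"\bpg_sleep\s*\("),          # PostgreSQL
    "dbms_lock.sleep": re.compile(r"dbms_lock\.sleep"),   # Oracle
}


def parse_line(line):
    """Split one access-log line into client ip, path, raw query string and response time."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path, "query": query, "rt": float(m.group("rt"))}


def find_delay_primitives(raw_query):
    """Return the names of every delay primitive present in the decoded query string."""
    decoded = unquote_plus(raw_query).lower()
    return [name for name, rx in DELAY_PRIMITIVES.items() if rx.search(decoded)]


def analyse(lines, slow_threshold=5.0):
    """Flag requests carrying a delay primitive; a slow page alone (a heavy report) is not evidence."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        markers = find_delay_primitives(rec["query"])
        if not markers:
            continue
        stalled = rec["rt"] >= slow_threshold
        findings.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "markers": markers,
            "response_time": rec["rt"],
            # A delay primitive that actually held the server for seconds is the strongest signal
            # that the injected SQL executed; the same marker with a fast response still merits review.
            "severity": "high" if stalled else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed lines, the two probes against vulnerable.php are reported as high severity because both the marker and a ten-second response are present, while the slow but harmless report.php request produces nothing; the response-time field is what lets the analyser separate "someone sent a delay payload" from "the delay payload actually ran".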
Error based exploitation technique
An error based exploitation technique is useful when the tester, for some reason, cannot exploit the SQL injection vulnerability using another technique such as UNION. The error based technique consists of forcing the database to perform an operation whose result will be an error. The point is to make the database include some of its own data in the error message it returns. The details of this technique differ from DBMS to DBMS (check the DBMS-specific section).
Consider the following SQL query: SELECT * FROM products WHERE id_product=$id_product
Consider also the request to a script that executes the query above: http://www.example.com/product.php?id=10
The malicious request would be (e.g. Oracle 10g): http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--
In this example, the tester is concatenating the value 10 with the result of the function UTL_INADDR.GET_HOST_NAME. This Oracle function tries to return the host name of the parameter passed to it, which here is another query: the name of the database user. When the database looks up a host named after the database user, the lookup fails and the database returns an error message like: ORA-292257: host SCOTT unknown
The tester can then vary the parameter passed to the GET_HOST_NAME() function, and each result will be shown in the error message.
Union Exploitation Technique
The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of columns of other tables. Suppose for our examples that the query executed from the server is the following:

SELECT Name, Phone, Address FROM Users WHERE Id=$id

We will set the following $id value:

$id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
We will have the following query:

SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable

This joins the result of the original query with all the credit card numbers in the CreditCardTable table. The keyword ALL is necessary to get around queries that use the keyword DISTINCT. Note also that, besides the credit card numbers, we have selected two other values. These two values are necessary because the two queries must have the same number of columns, otherwise the database returns a syntax error.
Blind SQL injection
Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but the code vulnerable to SQL injection has not been fixed.
Examples
An attacker may verify whether a sent request returned true or false in a few ways:
Content-based
Using a simple page that displays an article with a given ID as the parameter, the attacker may perform a couple of simple tests to determine whether the page is vulnerable to SQL Injection attacks.
Example URL: http://newspaper.com/items.php?id=2
sends the following query to the database: SELECT title, description, body FROM items WHERE ID = 2
The attacker may then try to inject a query that returns 'false': http://newspaper.com/items.php?id=2 and 1=2
Now the SQL query should look like this: SELECT title, description, body FROM items WHERE ID = 2 and 1=2
If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return 'true': http://newspaper.com/items.php?id=2 and 1=1
If the content of the page that returns 'true' is different from that of the page that returns 'false', then the attacker is able to distinguish whether the executed query returns true or false.
Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination.
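As an added example (not code from the original post), the UNION payload and the boolean-blind probes quoted above are run against a constructed in-memory SQLite copy of the page's Users / CreditCardTable schema, first through a lookup that concatenates the id into the SQL text and then through a hardened lookup that types the input and binds it as a parameter. It also shows the error-handling difference the error based section depends on: the vulnerable handler echoes the DBMS error to the client, the hardened one logs it server-side and returns a generic message. The table contents, function names and placeholder card values are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("sqli-demo")


def build_db():
    """Constructed in-memory schema mirroring the post's Users / CreditCardTable example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, Phone TEXT, Address TEXT)")
    conn.execute("CREATE TABLE CreditCardTable (Id INTEGER PRIMARY KEY, creditCardNumber TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "Alice", "555-0100", "1 Main St"),
        (2, "Bob", "555-0101", "2 Oak Ave"),
    ])
    conn.executemany("INSERT INTO CreditCardTable VALUES (?, ?)", [
        (1, "4111-TEST-0001"),   # constructed placeholders, not real card numbers
        (2, "4111-TEST-0002"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """The post's query built by string concatenation: raw_id becomes part of the SQL text."""
    sql = f"SELECT Name, Phone, Address FROM Users WHERE Id={raw_id}"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Echoing the DBMS error to the client is exactly what error-based extraction relies on.
        return {"rows": [], "error": str(exc)}


def lookup_hardened(conn, raw_id):
    """Same lookup with input typing and a bound parameter; the value never reaches the SQL text."""
    try:
        user_id = int(raw_id)   # the id is an integer; anything else is rejected outright
    except (TypeError, ValueError):
        return {"rows": [], "error": "invalid request"}
    try:
        rows = conn.execute(
            "SELECT Name, Phone, Address FROM Users WHERE Id=?", (user_id,)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        log.exception("database error for id=%r", user_id)   # detail stays server-side
        return {"rows": [], "error": "internal error"}


# Payloads quoted in the post
UNION_PAYLOAD = "1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable"
TRUE_PROBE = "2 and 1=1"
FALSE_PROBE = "2 and 1=2"


def demo():
    """Run both handlers over the same inputs and return every result for comparison."""
    conn = build_db()
    return {
        "vuln_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "vuln_true": lookup_vulnerable(conn, TRUE_PROBE),
        "vuln_false": lookup_vulnerable(conn, FALSE_PROBE),
        "safe_union": lookup_hardened(conn, UNION_PAYLOAD),
        "safe_true": lookup_hardened(conn, TRUE_PROBE),
        "safe_false": lookup_hardened(conn, FALSE_PROBE),
        "safe_normal": lookup_hardened(conn, "2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against the concatenating handler the UNION payload returns Alice's row followed by one row per card number, and the two boolean probes return different pages (Bob's row versus nothing), which is the true/false oracle the blind technique needs. The hardened handler returns the same "invalid request" for all three payloads, so neither the card table nor a true/false signal is reachable through this parameter.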
In the next part of the SQL Injection Series we will go through the testing and detection of SQL Injection.
