What are Injection attacks : SQL Injection over MySQL
What is SQL Injection?
SQL Injection is an injection attack wherein an attacker can execute malicious SQL statements that control a web application’s database server. Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities. SQL Injection can also be used to add, modify and delete records in a database, affecting data integrity. SQL Injection can provide an attacker with unauthorized access to sensitive data including, customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.Types of SQL Injection Attacks
- Code injection:- Adding more SQL statements to an SQL statement in an attempt to obtain access rights or some sensitive information is termed as code injection. This is type of SQL injection attack take advantage of some kind of bug that appears in the computer system due to invalid data processing.
- Function call injection:- In this attacker inserts a call. The attacker may also get permission for making system calls through function call injection.
- SQL Manipulation:- If an application directly passes login credentials database, its prone to an SQL injection attack through SQL manipulation for e.g. We can take addition of a certain condition to the WHERE CLAUSE in an SQL query. This may skip the authentication procedure, and thus may give access to all activities that user can perform.
SQL Injection Implementation
Lets see how SQL Injection is performed with following exampleConsider following SQL Statement
$username=$_POST["username"];
statement = "SELECT * FROM users WHERE name = '" + $userName + "';"
In above Statement user input is not filtered for escape characters and it directly passed into an SQL statement. This SQL statement display records of specified username from users table. However if usename variable is crafted in a specific way by an attacker, the SQL statement may do more than the code author intended.For Example
If usename is set as $username=' OR '1'='1 then the Above SQL statement become
SELECT * FROM users WHERE name = '' OR '1'='1';If this SQL statement is used in authentication procedure then it will return data of every users rather than one specific user as code intended because '1'='1' is always true.
Preventing SQL Injection
Above example is Incorrectly filtered escape characters SQL Injection attack. We can handle all escape characters smartly in scripting languages. The MySQL provides the function called mysql_real_escape_string() to escape input characters that are special MySQL Keywords$username = mysql_real_escape_string($_POST['username']);
statement = "SELECT * FROM users WHERE name = '" + $userName + "';"
There are other functions for many database types in PHP such as pg_escape_string() for PostgreSQL. The function addslashes(string $str) works for escaping characters, and is used especially for querying on databases that do not have escaping functions in PHP. It returns a string with backslashes before characters that need to be quoted in database queries, etc.
Risk associated with SQL injection attacks
Privilege Escalation performance:- A malicious person can take advantage of the flaws preRemote commands execution:- SQL injection attacks can be used to execute commands remoter the attackers may execute arbitrary commands on a database.
Authentication bypass:- manipulation of SQL statements may result in by passing the authentication process thereby providing the attacker with access to database.
Database Fingerprint:- Determining the type of database being used at backend may help attacker in quenching database specific attacks through SQL injection, the attackers may determine database that an organization user.
Denial of services in an SQL injection attack, the database service can be flooded with requested by attacker. There’re, it would state rejecting the requests of segments users.
Comments
Post a Comment