A SQL injection is a code injection technique that allows an adversary to execute arbitrary SQL statements against the database serving a web application. Typically, a vulnerable application builds a SQL query from input provided by a user. For example, the application might validate a user name and password combination against a database and therefore send a query to the database that includes the user name and password provided by the user. If the user's input is not correctly escaped (or, better, handed to the database as a bound parameter rather than as part of the query text), the user can manipulate the SQL query built by the application. In the example of the user name and password check, a malicious user might circumvent the check by crafting input that makes the query's condition evaluate to true even when the correct password is missing.
Exploiting this kind of vulnerability allows an adversary to read, insert or modify sensitive data in the database. As a result, adversaries may spoof identities, tamper with existing data (such as changing account balances), destroy data, and in this sense act with the powers of the database administrator. It is not hard to imagine the damage that can occur, especially when the database contains sensitive data like users' credentials. In general, SQL injections constitute a serious threat with high impact.
Consider the following vulnerable PHP code fragment:
$name  = $_GET["id"];                                    // untrusted request parameter, used as-is
$query = "SELECT * FROM users WHERE username ='$name'";  // interpolated straight into the SQL text
In this code the SQL query is composed from a fixed statement and the variable $name, whose value is taken from the id parameter of the request URL (e.g., using a GET request) like the following: http://test.org/applications/userinfo?id=Miller
Unfortunately, there is no restriction on what is accepted as input for $name. So an adversary might even supply SQL fragments that change the effect of the original statement.
In the original statement, the WHERE clause is used to restrict the query to only those records that fulfill the specified criterion. However, an adversary could append a criterion that is fulfilled by every record. An example is shown in the following request (the browser URL-encodes the quotes and spaces, but they reach the application unchanged): http://test.org/applications/userinfo?id=' or '1'='1
This request results in a SQL statement that returns all records in the users table instead of only that of the single user with the given name. The resulting SQL statement looks like this:
SELECT * FROM users WHERE username ='' or '1'='1'
This command returns all records contained in the table users and could be used by an adversary to access records of other users.
To test whether an application is vulnerable to SQL injections, one typically inputs strings such as ' or '1'='1 or simply '-- (SQL's comment marker, followed by a space) and observes the server's answer: a database error message, or a result set that differs from the one the legitimate value produces, shows that the input reaches the query unescaped. Sometimes one must guess the structure of the SQL statement that processes the input in order to inject working code.
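The following Python script is an added illustration, not code from the original post. It reproduces the vulnerable lookup from the PHP fragment above against a constructed in-memory SQLite users table, puts a parameterised version of the same lookup beside it, and runs the test inputs from the previous paragraph through both so that the difference in the server's answer can be seen. The table contents, the function names and the use of SQLite are assumptions for the demonstration; the original application is PHP against an unspecified database, and the exact error text for a stray quote differs from one database engine to another.

```python
import sqlite3

# Constructed sample data standing in for the article's "users" table.
SAMPLE_USERS = [
    ("Miller", "miller@test.org"),
    ("Smith", "smith@test.org"),
    ("Jones", "jones@test.org"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(name):
    """Assemble the statement by string interpolation, exactly as the PHP
    fragment does: whatever the client sent becomes part of the SQL text."""
    return "SELECT * FROM users WHERE username ='%s'" % name


def lookup_vulnerable(conn, name):
    """Run the interpolated statement (the injectable version)."""
    return conn.execute(build_vulnerable_query(name)).fetchall()


def lookup_safe(conn, name):
    """Parameterised version: the statement text is fixed and the value is
    bound separately, so the input can never change the query's structure."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ?", (name,)
    ).fetchall()


def probe(conn, lookup, payload):
    """Send one test input and summarise the observable response, the way a
    tester would when checking an application for injection: either a
    database error or a row count that differs from the expected one."""
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("rows", len(rows))


# The probe strings from the article: a legitimate name, a lone quote that
# breaks the statement, the always-true criterion, and the comment marker
# followed by a space.
PAYLOADS = ["Miller", "'", "' or '1'='1", "'-- "]


if __name__ == "__main__":
    conn = make_db()
    for payload in PAYLOADS:
        print("id=%-14r vulnerable=%-40r safe=%r" % (
            payload,
            probe(conn, lookup_vulnerable, payload),
            probe(conn, lookup_safe, payload),
        ))
```

Run stand-alone, the script shows the three tell-tale answers of the vulnerable lookup: the lone quote produces a database error, the always-true criterion returns every row, and the comment marker silently returns nothing, while the parameterised lookup returns exactly one row for Miller and zero rows for every probe string, with no error.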
Published on Tue 02 March 2010 by Hatty Jenkins in Security with tag(s): sql injection