Title: SQL Injection Automated Tools
Post by: scucci on September 24, 2008, 08:34:50 PM
I'm relatively new to SQL injection attacks and have been reading about them in the CEH material and some web articles. Today our IPS was alerted that we had two sites that were exposed to SQL injection attacks. Here are my questions:
1. How can I find out if I have a vulnerable SQL server?
2. Are there any automated tools that I can scan the sites with to verify that they're susceptible to this type of attack?
3. I'm not very familiar with SQL, what can I do to understand this attack better? Does anyone have any recommended reading?
Title: Re: SQL Injection Automated Tools
Post by: apollo on September 24, 2008, 09:25:22 PM
I think that it may actually be better to approach your questions in reverse order. I would recommend starting with some basics such as here: http://www.securiteam.com/securityreviews/5DP0N1P76E.html. Once you understand what's going on, if you have access to the source of the applications that were listed by your IPS as vulnerable, look at the URLs that the IPS reported on. Look for places where input is accepted from a user and then a query is being run against your SQL server without the variable being checked for validity and special characters being escaped. For instance, if your site houses articles, and you request articles by a URL like "http://myreallyawesomesite.com/articles.php?articleid=31337", then you would want to validate in your application that it checks to ensure that articleid really is a number.
Before you start running any automated tests, I will start out with a warning. If you don't understand what is happening with the web app you are scanning, proceed with caution. Some applications are not coded well, and if you are running a scanner against a poorly coded application, bad things could happen. Just be prepared, and if you are not the maintainer of the application, talk to your admins before you start scanning. There is the chance of data destruction or an unintentional denial-of-service attack when you run the tools. For example, take the URL from the example above and assume that it is vulnerable. Most applications will try something like adding "or 1=1--" to the end of a query string. If the application is taking the results from the query and finding other examples that might interest you, and it does it for every article, you could end up causing the database server to chug for quite a while, which might cause website or database degradation.
If you have decided to run a tool, you may want to consider http://www.parosproxy.org. It is quick and simple; essentially you should be able to point your web browser at Paros Proxy and browse to the applications that your IPS reported, then choose the scan option after clicking on the script, and it should generate you a report with the problems it has found. http://grendel-scan.com/ was also released at DEFCON this year, and after playing with it, it does have potential, but getting it to only scan select pages is not trivial. There is also http://www.sensepost.com/research/wikto/, which is also not trivial to configure, but has been around for a good period of time, does detect common misconfigurations, and can scan for XSS and SQL injection. There are also commercial tools which are more thorough and more expensive, such as http://www.whitehatsec.com and HP WebInspect, and CORE Impact is now getting into the web-app scanning/exploit market.
Finally, you probably want some resources on how to fix the problem. Check out http://www.owasp.org/index.php/Data_Validation; it has some good rules of thumb, but you want to look at the abilities contained in whatever language your applications are in to fix the problem, and without knowing the language there are too many possibilities to list out here :)
Good luck with your assessment.
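An added illustration of the articleid example and the "or 1=1--" test string from the reply above, written for this thread rather than taken from it. It uses Python's sqlite3 with a constructed in-memory articles table standing in for the articles.php back end, and puts the string-built query next to the validated, parameterized version the reply recommends.

```python
import sqlite3


def make_db():
    # Constructed sample data: one table with public and unpublished articles.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [
            (31337, "Public article", 1),
            (31338, "Draft, not public", 0),
            (31339, "Another public article", 1),
        ],
    )
    return conn


def fetch_article_vulnerable(conn, articleid):
    # The pattern the reply warns about: the query-string value is pasted
    # straight into SQL text, so "31337 or 1=1--" rewrites the WHERE clause
    # and comments out the published check, returning every row.
    sql = f"SELECT id, title FROM articles WHERE id = {articleid} AND published = 1"
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, articleid):
    # 1) Validate: articleid must really be a number, as the reply suggests.
    if not articleid.isdigit():
        raise ValueError("articleid must be a positive integer")
    # 2) Parameterize: the value reaches the driver as data, never as SQL text.
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ? AND published = 1",
        (int(articleid),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("31337", "31337 or 1=1--"):
        print("vulnerable:", repr(value), fetch_article_vulnerable(db, value))
        try:
            print("safe:      ", repr(value), fetch_article_safe(db, value))
        except ValueError as err:
            print("safe:      ", repr(value), "rejected:", err)
```

The rejected input is exactly what an IPS signature for this attack fires on; the point of the safe version is that the application never lets such a value reach the database at all.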
Title: Re: SQL Injection Automated Tools
Post by: scucci on September 25, 2008, 08:55:43 AM
Thank you very much for your detailed reply. I'm going to go over the link you sent and a few more articles before asking our DBA for assistance with the scanners.