EH-Net
Author Topic: Brief anatomy of a SQL Injection  (Read 5790 times)
unsupported
« on: February 26, 2010, 08:21:55 AM »

I found a quick write-up on SQL injections, http://threatpost.com/en_us/blogs/anatomy-sql-injection-attack-022510, and the more detailed article, http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2010/02/25/a-big-case-of-oops.aspx.

Basically, in this write-up, someone found a database throwing raw database errors back to the client. Next, he tested the website for SQL injections by using '1=1', which is a true statement in SQL world and will not generate any errors. They also found the site was serving a trojan. JOY!

I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and do not return them to the client.

-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
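To show what the write-up above describes, here is an added example (not code from the thread or the linked articles) using an in-memory SQLite table with constructed rows: the string-concatenated lookup lets the quoted '1=1' input change the query, the parameterized version treats the same input as plain data, and the request handler traps database errors so the raw message reaches only a server-side log, never the client.

```python
import sqlite3

SERVER_LOG = []  # stands in for a server-side log the client never sees


def make_db():
    # Constructed in-memory sample data, not taken from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so a quote in it
    # changes the structure of the statement (the '1=1' test from the write-up).
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def handle_request(conn, lookup, name):
    # Trap database errors: record the detail server-side and give the
    # client a generic reply instead of the raw database message.
    try:
        return {"ok": True, "rows": lookup(conn, name)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"{type(exc).__name__}: {exc}")
        return {"ok": False, "error": "request could not be processed"}
```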
zeroflaw
« Reply #1 on: February 26, 2010, 09:05:18 AM »

Lol wow, funny story! I also can't believe that people still don't properly filter user input. Any decent book about web development warns you about the dangers of SQL injections. It requires little effort to fix SQL injection bugs.

Looks like most SQL injection exploits rely on information leakage. Well, SQL injection would still be possible of course, but less obvious. Also, lots of developers aren't aware of the fact that it possibly leads to server compromise.

ZF
Ketchup
« Reply #2 on: February 26, 2010, 09:27:08 AM »

Wow that's a classic.

~~~~~~~~~~~~~~
Ketchup
unsupported
« Reply #3 on: February 26, 2010, 09:46:18 AM »

Oh, this would be worth mentioning, Little Bobby Tables.

http://xkcd.com/327/

-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
chrisj
« Reply #4 on: February 27, 2010, 11:03:57 AM »

Quote from unsupported:
    I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and do not return them to the client.

Quote from zeroflaw:
    I also can't believe that people still don't properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.

My experience may be limited, but I've found the people doing the db side usually aren't the guys doing the web side.

I saw one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.

OSWP, Sec+
zeroflaw
« Reply #5 on: February 27, 2010, 11:50:48 AM »

Quote from chrisj:
    Quote from unsupported:
        I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and do not return them to the client.

    Quote from zeroflaw:
        I also can't believe that people still don't properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.

    My experience may be limited, but I've found the people doing the db side usually aren't the guys doing the web side.

    I saw one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.

That may be, but in my opinion everyone who codes a database application should be aware of how the database works. You don't have to be a database guru to understand the dangers.

The database guys should at least set the right permissions, so that the average user can only retrieve data with SELECT statements and such. Preferably using stored procedures.

Even if you don't deal with the database, filtering all input is good practice. No one likes the possibility of other attacks, like XSS for example.

ZF
Ketchup
« Reply #6 on: February 27, 2010, 04:23:26 PM »

I think that one of the issues is that there are a lot of "old hats" running software development shops. There once was a time when security wasn't a concern, when only the rich and universities had access to the Internet. That time wasn't long ago. I think that times are changing, slowly but surely.

~~~~~~~~~~~~~~
Ketchup
aweSEC
« Reply #7 on: March 04, 2010, 08:10:11 AM »

Some of my thoughts on this are the same as Ketchup's. There are still quite a few programmers around from an older generation where security was not what it is now. People nowadays are taught from the very beginning about possible threats and how to avoid them: securing things, validating inputs, etc. Also, not all companies, especially the smaller ones, have the money to keep their employees updated through courses and classes.
zeroflaw
« Reply #8 on: March 04, 2010, 08:35:45 AM »

I didn't think of it that way. Ketchup and aweSEC, you two have good points. But I always thought it was kind of important in the IT field to keep learning and stay up to date. But yeah, that costs money and time.

ZF
apollo
« Reply #9 on: March 04, 2010, 03:24:22 PM »

Well, part of this is also that when teaching people to program in schools, schools haven't historically focused on things like input validation, etc. Whether it is XSS, SQL injection, or a number of other attacks, input validation is always secondary to functionality. It's more important than just preventing SQL injection and XSS, as those are talked about quite a bit, but poor input validation also leads to poor data integrity. In most cases, there should be two levels of integrity checking, one enforced at the database layer and one enforced through the application layer, allowing for user feedback and correction.

I wish they taught more of this in school, as I think most people learn this stuff now on the job or the hard way.

CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
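As an added example (not code from the thread or the linked articles) of the two levels of integrity checking apollo describes: the application layer validates each field and returns messages the user can act on, while the database schema enforces the same rules independently, so a code path that skips the application checks is still rejected. It uses an in-memory SQLite database with a constructed accounts table; the e-mail pattern is deliberately simplistic.

```python
import re
import sqlite3

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplistic, for illustration only


def make_db():
    # Constructed schema: the database layer enforces its own integrity rules
    # (NOT NULL, UNIQUE, CHECK) regardless of what the application does.
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE accounts (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        age INTEGER NOT NULL CHECK (age BETWEEN 13 AND 130))""")
    return conn


def validate(form):
    # Application layer: check every field and collect per-field messages
    # so the user can correct the submission.
    errors = {}
    email = (form.get("email") or "").strip()
    if not EMAIL_RE.match(email):
        errors["email"] = "enter a valid e-mail address"
    age_raw = (form.get("age") or "").strip()
    if not age_raw.isdigit() or not 13 <= int(age_raw) <= 130:
        errors["age"] = "age must be a whole number between 13 and 130"
    return errors


def register(conn, form):
    errors = validate(form)
    if errors:
        return {"ok": False, "errors": errors}  # feedback for correction
    try:
        conn.execute("INSERT INTO accounts (email, age) VALUES (?, ?)",
                     (form["email"].strip(), int(form["age"])))
        conn.commit()
        return {"ok": True}
    except sqlite3.IntegrityError:
        # Second line of defence: the schema rejects what the app layer
        # missed, e.g. a duplicate e-mail that raced in between requests.
        return {"ok": False, "errors": {"form": "could not create account"}}


def insert_bypassing_app_checks(conn, email, age):
    # Simulates a code path that forgot the application-layer checks;
    # the CHECK constraint still refuses out-of-range data.
    try:
        conn.execute("INSERT INTO accounts (email, age) VALUES (?, ?)", (email, age))
        return True
    except sqlite3.IntegrityError:
        return False
```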
© 2012 The Ethical Hacker Network