Question

An idea is to use the SQL injection attack to turn one SQL statement into two, with the second one being the update or delete statement. In SQL, semicolon (;) is used to separate two SQL statements. Please describe how you can use the login page to get the server run two SQL statements. Try the attack to delete a record from the database, and describe your observation.

The login page is based on the SEED labs run on Ubuntu 16.04.

Answer 1

SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL Injection can also be used to add, modify and delete records in a database, affecting data integrity.

To such an extent, SQL Injection can provide an attacker with unauthorized access to sensitive data including, customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.

SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statement.

A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.

The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

Example

SELECT * FROM Users; DROP TABLE Suppliers

Look at the following example:

Example

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

And the following input:

User id: 105;DROP TABLE Suppliers

The valid SQL statement would look like this:

Result

SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

Thus, as seen from above attacker can cause deletion of a table by only filling the user id with batched SQL statements,

Lets have some more examples to see how log in page is used by attackers to breach security :

Executed SQL query when username is tom and password is tom:

SELECT * FROM users WHERE name='tom' and password='tom'

When a user enters a user name and password, a SQL query is created and executed to search on the database to verify them. The above query searches in the users table where name is tom and password is tom. If matching entries are found, the user is authenticated.

In order to bypass this security mechanism, SQL code has to be injected on to the input fields. The code has to be injected in such a way that the SQL statement should generate a valid result upon execution. If the executed SQL query has errors in the syntax, it won't featch a valid result. So filling in random SQL commands and submitting the form will not always result in succesfull authentication.

Executed SQL query when username is tom and password is ' or '1'='1:

SELECT * FROM users WHERE name='tom' and password='' or '1'='1'

If the username is already known, the only thing to be bypassed is the password verification. So, the SQL commands should be fashioned in the similar way.

The password='' or '1'='1' condition is always true, so the password verification never happens. It can also be said that the above statement is more or less equal to

SELECT * FROM users WHERE name='tom'.

THANKYOU ! If found helpfull , please leave feedback , its valuable.