It is possible to view, modify or delete database entries and tables
Possible Causes
Sanitation of hazardous characters was not performed correctly on user input
Technical Description
Web applications often use databases at the backend to interact with the enterprise data warehouse.The de-facto standard language for querying databases is SQL (each major database vendor has its own dialect). Web applications often take user input (taken out of the HTTP request) and incorporate it in an SQL query, which is then sent to the backend database. The query results are then processed by the application and sometimes displayed to the user.
This mode of operation can be exploited by an attacker if the application is not careful enough with its treatment of user (attacker) input. If this is the case, an attacker can inject malicious data, which when incorporated into an SQL query, changes the original syntax of the query into something completely different. For example, if an application uses user‘s input (such as username and password) to query a database table of users‘ accounts in order to authenticate the user, and the attacker has the ability to inject malicious data into the username part of the query (or the password part, or both), the query can be changed into a different data yanking query, a query that modifies the database, or a query that runs shell commands on the database server.
Typically, the attacker achieves this goal in steps. He/she will first learn the structure of the SQL query, and then use this knowledge to thwart the query (by injecting data that changes the query syntax) into performing differently than intended. Suppose the query in question is:
SELECT COUNT(*) FROM accounts WHERE username=‘$user‘ AND password=‘$pass‘
Where $user and $pass are user input (collected from the HTTP request which invoked the script that constructs the query - either from a GET request query parameters, or from a POST request body parameters). A regular usage of this query would be with values $user=john, $password=secret123. The query formed would be:
SELECT COUNT(*) FROM accounts WHERE username=‘john‘ AND password=‘secret123‘
The expected query result is 0 if no such user+password pair exists in the database, and >0 if such pair exists (i.e. there is a user named ‘john‘ in the database, whose password is ‘secret123‘). This would serve as a basic authentication mechanism for the application. But an attacker can alter this query in the following way:
By providing an input consisting of a single apostrophe character (‘), the attacker can cause the database to emit an error message, which usually contains valuable information regarding the SQL query. The attack would simply involve sending a request with the user value ‘ and a password with any value (e.g. foobar). The result would be the following (malformed) SQL query:
SELECT COUNT(*) FROM accounts WHERE username=‘‘‘ AND password=‘foobar‘
This may yield the following error message (depending on the specific database in use at the backend): Syntax error (missing operator) in query expression ‘username = ‘‘‘ AND password = ‘foobar‘‘. The attacker is informed that the query is built around the expression username=‘$user‘ AND password=‘$pass‘. This crucial information is needed to exploit the SQL query at hand. When the attacker understands the format of the query, his next step would simply be to use:
user = ‘ or 1=1 or ‘‘=‘
password = foobar
The resulting query is:SELECT COUNT(*) FROM accounts WHERE username=‘‘ or 1=1 or ‘‘=‘‘ AND password=‘foobar‘
This means that the query (in the SQL database) will return TRUE for every record of the table "accounts", since the expression 1=1 is always true. Therefore, the query will return the number of records in "accounts", and thus the user (attacker) will be considered valid. There are several variants of this probing method, such as sending ‘; or \‘ (it should be remembered that almost all vendors have their own unique SQL ‘dialect‘). Specifically sending ‘ having 1=1 is also known to produce error messages that reveal information about column names. In some cases, the user input is not incorporated in a string context (encompassed in apostrophes), but rather in numeric context, that is, embedded as-is. Thus the input string 1 having 1=1 can be used in such cases.
* Blind SQL injection techniques:
A common way to reduce the risk of being attacked by SQL injection is to supress detailed SQL error messages, which are usually used by attackers (as explained in the examples above) to easily locate scripts that are susceptible to SQL Injection. This (security through obscurity) solution can be bypassed by using a technique called "Blind SQL injection", in which the hacker locates scripts, which are susceptible to SQL injection, without having to depend on the returning SQL error messages.
The technique calls for sending requests whose vulnerable parameter (the parameter that gets embedded in the SQL query) is modified in such way that the response indicates whether the data is used in SQL query context or not. The modification involves the use of an AND boolean expression with the original string, which evaluates once as true and once as false. In one case, the net result should be identical to the original result (e.g. a successful login), and in the other case, the result should be different (e.g. failed login). An OR expression which evaluates as true may also be useful for some rare cases.
If the original data is numeric, then a simpler trick can be played. The original data (say, 123) can be replaced with 0+123 in one request, and with 456+123 in another. The result of the first request should be identical to the original result, whereas the result of the second request should be different (as the number is evaluated as 579). For some cases, we still need a version of the attack described above (using AND and OR), but without escaping from string context. The concept behind blind SQL injection is that it is possible, even without receiving direct data from
the database (in the form of an error message, or leaked information), to extract data from the database, one bit at a time, or to modify the query in a malicious way. The idea is that the application
behavior (result identical to the original result, or result different than the original result) can provide a single bit of information about the evaluated (modified) query, meaning, it‘s possible for the attacker to formulate an SQL Boolean expression whose evaluation (single bit) is compromised in the form of the application behavior (identical/un-identical to the original behavior).
