Today all Web applications are accessed using the Internet and therefore face the risk of being exposed to manipulation. Most of the Web applications rely on Relational Database Management System (RDBMS) servers, representing a possible vulnerability to SQL injection attacks arising from direct integration of user input into SQL statements without appropriate validation or filtering.
The basis of this vulnerability lies in the creation of SQL commands with character strings. Attackers are successful if they are able to change the semantics of an SQL statement for their benefit or are able to insert their own statements into the application. Entry points can be, for example, input boxes in Web forms or URLs. The results could be unauthorized information access, information disclosure, unauthorized data modification, or data loss.
SQL Manipulation
SQL manipulation can take place as follows:
Examples
Example Code 1:
Original SQL Statement
SELECT fieldlist FROM table1 WHERE field = 'userinput'.
Examples for SQL Injection Attack
SELECT fieldlist FROM table1 WHERE field = 'UNION ALL SELECT other_field FROM other_table WHERE '='.
Example Code 2:
Original SQL Statement
SELECT fieldlist FROM table WHERE field = 'userinput'.
Examples for SQL Injection Attack
SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x''. SELECT fieldlist FROM table WHERE field = 'x' AND email IS NUL; --'.
Code Injection
Code injection can take place as follows:
Examples
Example Code 1:
Original SQL Statement
SELECT * FROM table WHERE name = 'userinput'.
Examples for SQL Injection Attack
SELECT * FROM table WHERE name = ' a'; DROP TABLE users; SELECT * FROM table1 WHERE name = '%''.
Functional Call Injection
Functional call injection is the insertion of various database function calls into vulnerable SQL code.
Several known attack strings listed in the table below may be a part of the SQL injection code to manipulate the original query. Hackers try various input combinations to force SQL statements into an error message. The following list of malicious inputs may or may not give the same results depending on the server. Therefore try all the inputs.
Possible Attack Strings
' |
Bad value' |
' OR ' |
' OR |
; |
9,9,9 |
...; SELECT |
^\n |
exec() |
|
|
|
' or 0=0 -- |
" or 0=0 -- |
or 0=0 -- |
' or 0=0 # |
" or 0=0 # |
or 0=0 # |
' or 'x'='x |
" or "x"="x |
') or ('x'='x |
' or 1=1-- |
" or 1=1-- |
or 1=1-- |
" or "a"="a |
') or ('a'='a |
") or ("a"="a |
hi" or "a"="a |
hi" or 1=1 -- |
hi' or 1=1 -- |
You need to take into account the different output of possible vulnerable metacharacters in SQL statements. Characters could be displayed as ASCII, HEX, escaped ASCII, and escaped HEX. These four potential notations reveal the complexity of such SQL injection attacks.
Possible Characters to be used in SQL Code Injection
ASCII | HEX |
---|---|
SPACE |
%20 |
\SPACE |
\%20 |
\' |
\%27 |
' |
%27 |
\" |
\%22 |
" |
%22 |
-- |
%2D%2D |
\-\- |
\%2D\%2D |
\= |
\%3D |
= |
%3D |
\; |
\%3B |
; |
%3B |
\# |
\%23 |
# |
%23 |
Examples of Combinations of ASCII and HEX-Characters Used Within Malicious Code
ASCII / HEX-Characters | Explanation |
---|---|
\w* |
Zero or more alphanumeric or underscore characters. |
(\%27)|\' |
The ubiquitous single quote or its hex equivalent. |
(\%6F)|o|(\%4F))((\%72)|r|(\%52) |
The word 'or' with various combinations of its upper- and lower-case hex equivalents. |
((\%2F)|\/)* |
The forward slash for a closing tag or its hex equivalent. |
[a-z0-9\%]+ |
The alphanumeric string inside the tag, or hex representation of these. |
(\%3C)|<) |
The opening angled bracket or hex equivalent. |
((\%3E)|>) |
The closing angled bracket or hex equivalent. |
(\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47) |
The letters 'img' in varying combinations of ASCII, or upper or lower case hex equivalents. |
String wcl = request.getParameter("para"); if ( ! (wcl == null) ) { wcl = "where key1 = '" + wcl + "'"; } else { wcl = "where key1 = ''"; } try { Context ctx = new InitialContext(); DataSource ds = (DataSource) ctx.lookup("java:comp/env/TMP_MYTABLE"); Connection conn = ds.getConnection(); Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery( "select key1,nonkey from TMP_MYTABLE " + wcl); while (rs.next()) { … Write the results to HTML-output } }
String wcl = request.getParameter("para"); // method to validate input stream -> validateInput if ( validateIput(wcl) ) if ( (wcl == null) ) { wcl = ""; } try { Context ctx = new InitialContext(); DataSource ds = (DataSource)ctx.lookup("java:comp/env/TMP_MYTABLE"); Connection conn = ds.getConnection(); String stmt = "select key1,nonkey from TMP_MYTABLE where key1 = ?"; PreparedStatement ps = conn.prepareStatement(stmt); ps.setString(1,wcl); ResultSet rs = ps.executeQuery(); while (rs.next()) { … write output to HTML code } } } else { … write security alert … }
As mentioned above, the information in Relational Database Management Systems is stored and retrieved with SQL statements. Therefore the following general rules may be helpful to circumvent SQL injection attacks:
If the developer allows unfiltered user input values to be taken for a SELECT statement, any attack may be possible to read almost the whole database.