Introducing SQL Injection, SQL Attacks in Action And Results of SQL Injection
The acronym SQL(pronounced sequel) stands for Structured Query Language, a language for specifying database queries. SQL was developed in the early 1970s by personnel working for IBM. In the late 1970s the company that later became Oracle developed the language for one of their own products. Soon after, IBM and Oracle both had SQL products on the market. Today, SQL is used in many products, including Microsoft’s SQL server.
Introducing SQL Injection
SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code prior to its being executed by a database. If SQL injection is successful, attackers can cause their own code to run.
- SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
- SQL injection at the source of many of the high-level or well-known attacks on the internet.
- The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data.
- The usual cause of this type of flaws is improper or absent input validators, thus allowing code to pass unimpeded to the database without being verified.
From the attacker’s side, vulnerability to SQL injections is very easy to detect. Visiting a suspect site and getting it to generate error message can indicate a potential vulnerability to this type of attack. In addition, the availability of automated and effective tools has increased, setting the bar even lower for successful execution of the attack. Finally, this type of attack is very attractive for an attacker to perform because of the value of the information that can be obtained. Information, especially personal information, can be sold on the black market for considerable amounts of money depending on what it is.
Real World Scenario
SQL Attacks in Action
In 2011, Sony Corporation was the victim of a SQL injection that compromised a multitude of account (estimated to be over one million emails, username, and passwords). The attack was the results of a known vulnerability that could have been discovered through pen testing.
In 2013, the U.S. Department of Energy (DoE) and the U.S Army also found themselves victims of SQL injection. The FBI revealed that a minimum of 100,000 records, including social security numbers of current and former federal employees, were compromised. In addition, 2,800 of the records obtained included bank account numbers.
When investigated this attack, the FBI revealed that not only the DoE and the army were impacted NASA, the U.S missile Defense Agency, and the Environmental Projection Agency were also affected. Details of these attacks have not been fully released as of this writing.
SQL injection is achieved through the insertion of character into existing SQL commands with the intention of altering the intended behavior. The Following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.
In the following example, and attacker with the username link inserts their name after the = sign following WHERE owner, which used to include the string ‘name’; DELETE FROM items; — for itemName, into an existing SQL commands, and the query becomes the following two queries:
SELECT * FROM items
WHERE owner = ‘link’
AND itemname = ‘name’;
DELETE FROM items;–
Many of the common database products such as Microsoft’s SQL server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once, This technique, Known as batch execution, allows an attacker to execute multiple arbitrary commands against a database, in other database, this technique will generate an error and fail, so knowing the database you ar attacking is essential.
If an attacker enter the string ‘name’; DELETE FROM items; SELECT * FROM items WHERE ‘a’ = ‘a’, the following threee valid statements will be created:
SELECT * FROM items
WHERE owner = ‘link’
AND itemname = ‘name’;
DELETE FROM items;
SELECT * FROM items WHERE ‘a’ = ‘a’;
A good way to prevent SQL injection attack is to use input validation, which ensures that only approved character are accepted. Use whitelists, which dictate safe characters and blacklists, which unsafe character.
Results of SQL Injection
What can be accomplished as a result of a SQL injection attack? Well, there are a huge number of possibilities, which are limited only by the configuration of the system and he skill of the attacker.
If an attacker is successful, a host of problems could result. Consider the following simple of the potential outcomes:
- Identity spoofing through manipulating database to insert bogus or misleading information such as email addresses and contact information
- Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
- Alternation of data or outright replacement of data in existing database with information created by the attacker.
- Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system
- Denial of service, performed by flooding the server with request designed to overwhelm the system
- Data extraction and disclosure of all data on the system through the manipulation of the database
- Destruction of corruption of data through rewriting, altering, or other means
- Eliminating or altering transactions that have been or will be committed
Warning: – Don’t forget one of the most prized pieces of information that can be obtained through a SQL injection, personally identifiable information (Pll). Disclosure of Pll is a massive problem when it occurs, and therefore it should never be taken lightly. Be aware of what you are storing in the database and its sensitivity. Store only those things that need to be stored and nothing else. For example, if you don’t have a reason to store credit card data, don’t! If you don’t have a reason to ask for social security numbers, don’t! storing this information places huge amounts of responsibility and liability on your shoulders should you lose control of it to an unauthorized third party.
DOWNLOAD SQL INJECTION MASTER TRAINING COURSE
DOWNLOAD Udemy- THE COMPLETE SQL BOOT-CAMP
DOWNLOAD SQL BASICS FOR BEGINNERS
Please use 7Zip/WinRAR/Universal Extractor to EXTRACT FILES
If You Like This Torrent Support the Authors by Purchasing It!.. Thank You
It’s therefore only for educational purposes and all rights reserved to Udemy.com & the Authors of this Courses.