SQL Injection – Help, my site has been hacked
A Quick review on SQL injection
Of late there has been a noted increase in the number of SQL injection based attacks on the web. SQL injection is a simple but effective exploit that occurs independently of platform, technology or data layer. This article aims to educate both the end user and the developer on how such an attack occurs and the steps one can take to prevent it.
So, let's take a look at the problem at hand. SQL injection, as the name suggests, uses SQL. The most common condition for injection is a SQL statement that is constructed dynamically on a web page by concatenating user input into the query text, rather than passing that input through correctly bound parameters. For example, let's take a look at the following .asp script:
Dim strProductID
Dim SQLQuery
' The value comes straight from the query string, unvalidated
strProductID = Request.QueryString("ProductID")
' The value is concatenated into the SQL text, which is the injection point
SQLQuery = "SELECT * FROM Products WHERE ProductID = '" & strProductID & "'"
' ---- Onwards to executing the query and doing stuff ----
An arbitrary bit of code, requesting details on a product by ID in what can be assumed is some form of shopping cart system. Hence, if the URL to the above code was:
http://www.2dayDeveloper.com/products/details.asp?ProductID=11
the SQL query becomes:
SQLQuery = "SELECT * FROM Products WHERE ProductID = '11'"
As the developer expects, this code will search his Products table for all information where the ProductID is 11. Now, let's assume that we have either guessed (not too great a stretch of the imagination – "Products") or ascertained by some other nefarious method the name of the table we want to manipulate.
So, let's change our query string a bit:
http://www.2dayDeveloper.com/products/details.asp?ProductID=11';DROP TABLE Products --
This makes our new SQL Query look like:
SQLQuery = "SELECT * FROM Products WHERE ProductID = '11';DROP TABLE Products --'"
Unfortunately, it is that simple. The ";" character ends the current SQL statement and begins a new one – in this case a DROP command, destroying the table in question. The "--" comments out the rest of the statement, including the closing quote the developer's code appended.
This of course extends to other things like replacing, inserting or deleting records in a table. There have also been cases where injected SQL has been used to generate JavaScript or rewrite physical pages within the site, so corruption of the site itself is quite possible.
Solutions include:
Sanitizing the input from query strings and form inputs/hidden fields (which can otherwise result in form injection), where the developer strips out any suspicious or unexpected characters from the input as the SQL query is built. This however is a sub-optimal means of dealing with the problem, as a manual check against every SQL input will be required and any input that is missed remains exploitable.
The better methods are using bound parameters, or well-formed stored procedures or views, so that user input is passed to the database as a value rather than as part of the SQL text. That said, even stored procedures can be injected into if they are coded badly (for example by building dynamic SQL internally) or if the parameters are all set as very liberal types.
It is also recommended that the application be set up with a custom error page. It won't stop hack attempts, but being able to view the raw page errors is one method of gaining information on the database structure – forcing the page to break and give an error often reveals table and column names that can be used in injection attempts.
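To show the difference between the concatenated query above and the bound-parameter fix, here is an added Python example (not from the original article) using an in-memory SQLite database; the Products table and its single row are constructed for the demonstration, and executescript() stands in for the multi-statement batch an ADO connection would run, since sqlite3's plain execute() refuses a second statement.

```python
import sqlite3

# Constructed sample schema and data standing in for the article's Products table.
SCHEMA = """
CREATE TABLE Products (ProductID TEXT PRIMARY KEY, Name TEXT);
INSERT INTO Products VALUES ('11', 'Widget');
"""


def fresh_db():
    """Return a new in-memory database with the sample Products table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn):
    """True if the Products table is still present in the catalogue."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Products'"
    ).fetchone()
    return row is not None


def lookup_concatenated(conn, product_id):
    """Vulnerable form: the query-string value is spliced into the SQL text,
    exactly as in the .asp snippet. executescript() runs every statement in
    the string, mimicking a database batch. Returns whether Products survived."""
    sql = "SELECT * FROM Products WHERE ProductID = '" + product_id + "'"
    conn.executescript(sql)
    return table_exists(conn)


def lookup_parameterised(conn, product_id):
    """Hardened form: a bound parameter. The driver passes the value separately
    from the SQL text, so quotes, ';' and '--' inside it are data, not syntax.
    Returns the matching rows and whether Products survived."""
    rows = conn.execute(
        "SELECT * FROM Products WHERE ProductID = ?", (product_id,)
    ).fetchall()
    return rows, table_exists(conn)
```

With the article's ProductID value the concatenated version loses the table, while the parameterised version simply finds no row whose ProductID equals the whole string.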
- 2Day Development