Brain Dump

SQL Injection

Tags
exploit

A form of attack which [see page 11, exploits] a failure to properly escape user-supplied input before it is spliced into an SQL query. This allows an attacker to read or modify more data than the application intended.

SELECT * FROM foo WHERE username = 'QUERY';

Setting QUERY to bar' OR 1 = 1 OR ' results in:

SELECT * FROM foo WHERE username = 'bar' OR 1 = 1 OR '';

This query returns every row in the table foo, which lets an attacker quickly [see page 15, accumulate] information, possibly including private or sensitive data.

See the [see page 12, ANPR SQL Injection Attack], which attacks an automatic number-plate recognition system simply by attaching the query to the front of a car so that the camera photographs it.

Attacks

Predicate Erasure

We can also include a -- in the input to comment out any conditions that follow it in the query.

For example, a basic auth system like:

SELECT * FROM foo WHERE username = 'bar' AND password = 'baz';

can have the password predicate erased through the username field by submitting bar' -- as the username:

SELECT * FROM foo WHERE username = 'bar' -- AND password = 'baz';

Subquery Evaluation

Perform destructive operations by appending a second statement (a stacked query). For example, in the query:

SELECT * FROM foo WHERE username = 'bar';

We can replace bar with bar'; DROP TABLE Users; -- (the trailing comment swallows the closing quote, as in predicate erasure), giving:

SELECT * FROM foo WHERE username = 'bar'; DROP TABLE Users; -- ';

Countermeasures

SQL Injection is a consequence of intermixing data and code. The main countermeasure is to separate the two cleanly: use [see page 32, prepared-statements] (parameterised queries), where user input is bound as a value and is never parsed as SQL, or stored procedures, provided the procedures do not themselves assemble SQL text from their arguments.
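The following is an added example, not part of these notes, showing the three inputs above run against a string-built query and against a prepared statement. It uses Python's standard sqlite3 module on an in-memory database with a constructed users table; the function names, sample rows and the column layout are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the notes).
SAMPLE_USERS = [
    ("alice", "wonderland"),
    ("bob", "builder"),
    ("carol", "singer"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: data and code are mixed."""
    sql = (
        f"SELECT * FROM foo WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # sqlite3 runs one statement per execute() call, so a stacked
        # query is rejected here rather than executed. Other drivers
        # may happily run both statements; do not rely on this.
        return "rejected: " + str(exc)


def login_prepared(conn, username, password):
    """Prepared statement: the driver binds the values as data only."""
    sql = "SELECT * FROM foo WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# The three inputs from the notes: tautology, predicate erasure, stacked query.
TAUTOLOGY = "bar' OR 1 = 1 OR '"
ERASURE = "bob' -- "
STACKED = "bar'; DROP TABLE foo; -- "


def demo():
    """Run each input through both query builders and report what happened."""
    conn = make_db()
    return {
        # string-built query: tautology returns every row
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY, "wrong"),
        "safe_tautology": login_prepared(conn, TAUTOLOGY, "wrong"),
        # string-built query: the comment erases the password check
        "vuln_erasure": login_vulnerable(conn, ERASURE, "wrong"),
        "safe_erasure": login_prepared(conn, ERASURE, "wrong"),
        # string-built query: stacked DROP, rejected by this driver
        "vuln_stacked": login_vulnerable(conn, STACKED, "wrong"),
        "safe_stacked": login_prepared(conn, STACKED, "wrong"),
        # the table survives because sqlite3 refused the second statement
        "table_rows_after": conn.execute("SELECT COUNT(*) FROM foo").fetchone()[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the prepared statement every one of the inputs is compared literally against the username column and matches nothing, because the quote, the OR and the -- arrive as bytes in a bound value rather than as SQL syntax. The stacked-query case also shows why relying on the driver's single-statement rule is not a countermeasure: it happens to hold for sqlite3, but the tautology and erasure inputs still succeed against the string-built query on the very same driver.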