SQL Injection
A database stores data and organizes it in some logical manner. Oracle and Microsoft SQL Server are popular examples of database management systems that allow users to create multiple types of databases used to store, query, and organize data in creative ways. Structured Query Language, better known as SQL, is the underlying common programming language understood by most database management systems. It provides a common way for applications to access the data in the database using a common set of commands the database can understand. Attackers exploit these databases by making them output information that they should not be displaying.
SQL Injection in Web Application Penetration Testing
Sometimes this is as simple as the attacker asking the database management system for privileged information. Other times, it is taking advantage of poor configuration by database administrators. Attackers may also take advantage of a vulnerability in the database management system that allows them to view privileged data or issue privileged commands to the database. Attackers typically send malicious input through forms or other parts of a webpage that accept user input. For example, an attacker may enter random characters, as well as long statements, with the goal of identifying weaknesses in how the input variables and parameters are handled. If an input field is set to accept only usernames up to 15 characters long, an error message may appear that reveals details about how the database is configured. The Firefox plugin HackBar lets you test SQL queries and inject your own, modifying the SQL sent in a request. The HackBar plugin also lets a penetration tester examine HTTP POST data.
SQL Injection
Many web applications store data in a backend, SQL-based database. For example, we encountered a SQL database during our network penetration test, when we found an open MySQL database through phpMyAdmin in the XAMPP install on the Windows XP target on page 186. We then used a SQL query to write a simple PHP command shell to the web server. We typically won’t have direct access to run SQL queries against a site’s backend database from a web application. However, if a developer fails to sanitize user input when interacting with the database, you may find that you can perform a SQL injection attack to manipulate the queries sent to it. Successful SQL injection attacks can read data from the database, modify data, shut down or destroy the database, and, in some cases, even run commands on the underlying operating system (which can be especially powerful because database servers often run as privileged users). A natural place to look for SQL injection issues is the login page. Many web applications store user data in a database, so the application uses a SQL query to pull out the matching user, based on the username and password the user provided. When developers don’t sanitize user input, we can build SQL queries to attack the database. An example of an injectable SQL statement that could be leveraged by an attacker is shown here:
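An added example (not the book's or the original post's code) of the login-page problem described above: a user lookup built by string concatenation beside the parameterized version, run against a constructed in-memory SQLite user table that stands in for the web application's backend.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# application's backend (the table and its rows are assumptions for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by concatenating user input into the SQL text, so a
    quote in the input changes the statement's structure. Returns the matched
    username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same lookup with a parameterized query: the values travel separately
    from the SQL text and are only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    # Ordinary credentials behave the same either way.
    ok_vuln = login_vulnerable(conn, "alice", "s3cret")
    ok_safe = login_safe(conn, "alice", "s3cret")
    # A password containing a quote: in the concatenated query the WHERE
    # clause is rewritten so a row matches regardless of the real password.
    tautology = "' OR '1'='1"
    bad_vuln = login_vulnerable(conn, "alice", tautology)
    bad_safe = login_safe(conn, "alice", tautology)
    # A lone quote: the concatenated query is no longer valid SQL, and the
    # database raises the kind of error whose message can leak configuration details.
    try:
        login_vulnerable(conn, "alice", "'")
        err = None
    except sqlite3.OperationalError as e:
        err = str(e)
    quote_safe = login_safe(conn, "alice", "'")
    return ok_vuln, ok_safe, bad_vuln, bad_safe, err, quote_safe

if __name__ == "__main__":
    print(demo())
```

The parameterized version accepts exactly the same valid credentials but treats the quote-bearing inputs as plain strings, returning no match and no error.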