What is SQL injection?

SQL injection is a technique by which a malicious user alters your SQL statements to serve a different purpose than what was originally intended. This can include deleting, updating, or adding records to your database, which would then be reflected on your web page. Any vulnerable dynamic pages on your website that access database records to display content could be altered to:

• Show content that is not yours
• Delete, update, or add content
• Redirect users to another website using JavaScript

How SQL injection works

In many applications, developers use GET and POST variables to build up SQL commands that are executed on the server. (GET variables are passed via the URL and POST variables are sent via form submissions.)

Hackers will modify these variables, assigning them values that the website developer never intended. Variables in Get (variables that are past along the URL) or Post (typically variables in form submissions) have SQL commands which are added to them which in turn are run when you include these variables in your SQL code.

Using this technique, hackers can expose database table names by causing your database calls to error out. For example, when a particular SQL call requires a number and it is passed a string, the call will result in an error. In some cases, the hacker can use SQL injection techniques to discover all of your table names and initiate JavaScript redirects.

How to test your site to see if it is vulnerable to SQL Injection

SQLFury is a developer tool written for the Adobe AIR runtime. It performs SQL injection scans of a target website to identify any SQL injection vulnerabilities.

How database table names can be exposed

Consider a website that uses the URL to pass an ID, which will be referenced to select a particular brand of car from the database. Here is an example URL:

http://localhost/cars.cfm?id=75

In ColdFusion, you might use a query like the one below on the cars.cfm page to find all car models with that ID:

<cfquery name="models" datasource="cars">
   Select pkID, strModelName, strModelDescription from Models where pkID=#url.id#
</cfquery>

If a malicious user changed the URL parameter to a string (for example: http://localhost/cars.cfm?id=hello) this would cause a database error, and the subsequent error report would expose the table name and several field names (see Figure 1).

Figure 1. A database query error message.

Now the malicious user knows there is a table named "Models" and fields named "pkID", "strModelName", and "strModelDescription". With this information, the user could construct a more sophisticated URL, for example:

http://localhost/cars.cfm?id=75%20union%20select%20BASE_SCHEMA_VER%20as%20pkid,
name%20as%20strmodelname,%20name%20as%20strModelDescription
%20from%20sysobjects

This will cause cars.cfm to append the following to the SQL query:

union select BASE_SCHEMA_VER as pkid,name as strmodelname, name
as strModelDescription from sysobjects

The resulting query could expose all the tables within the database, depending on how the data is outputted to the end user.

These steps can be automated in a script, allowing hackers to search many sites for vulnerabilities with little effort. Now you may be thinking to yourself this requires a lot of work, but someone doing this could run a script which will spider your site and look for vulnerabilities.

Page 2 of 5

Previous Page

Next Page