SQL INJECTION

WEB Attack Method SQL

  A SQL (Structured Query Language) injection attack consists of the insertion or “injection” of SQL code via the input data sent from the client to the application. The injected text lands in a data-plane input (the query string the application builds) and so changes what the database executes. A successful SQL injection exploit can:

  • Read sensitive data from the database;
  • Modify database data (Insert/Update/Delete);
  • Execute administration operations on the database (such as shutting down the DBMS);
  • Recover the content of a given file present on the DBMS file system;
  • In some cases, issue commands to the operating system.


TYPES OF SQL INJECTION

  SQL injections typically fall into three categories: in-band SQLi (classic), inferential SQLi (blind) and out-of-band SQLi. SQLi types can be classified by the method they use to reach back-end data and by their damage potential.

In-band SQLi

  The attacker uses the same channel of communication to launch the attack and to gather its results. The simplicity and efficiency of in-band SQLi make it one of the most common types of SQLi attack. There are two sub-variations of this method:
  • Error-based SQLi - the attacker performs actions that cause the database to produce error messages. The data in these error messages can potentially be used to gather information about the structure of the database.
  • Union-based SQLi - this technique takes advantage of the UNION SQL operator, which fuses the results of multiple SELECT statements into a single result set that the application returns in one HTTP response. That response may contain data the attacker can leverage.

Inferential (Blind) SQLi

  The attacker sends data payloads to the server and observes its response and behaviour to learn more about the database structure. This method is called blind SQLi because the data is not transferred from the website database to the attacker in the response itself. Blind injections rely on the server's response and behavioural patterns, so they are typically slower to execute but may be just as harmful.
  • Boolean-based - the attacker sends a SQL query to the database, prompting the application to return a result. The result varies depending on whether the query evaluates true or false, so the content of the HTTP response either changes or stays the same. The attacker can then work out whether the query produced a true or false result.
  • Time-based - the attacker sends a SQL query that makes the database wait for a period (in seconds) before responding. From the time the database takes to respond, the attacker can tell whether the query was true or false.

Out-of-band SQLi

  Out-of-band SQLi is performed when the attacker cannot use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions to be performed. These techniques rely on the ability of the database server to make DNS or HTTP requests that carry data to the attacker.
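The three categories above correspond to request-level indicators a defender can look for in web-server access logs. The following Python script is an added example, not part of the original page: it classifies constructed access-log requests by the in-band (UNION), blind (boolean and time-based) and stacked-query indicators they carry. The log lines, the `/items?name=` endpoint and the indicator list are all assumptions of the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines for the demo (not from any real system). Each
# request looks up an item by name; the last one is legitimate input that
# merely happens to contain a quote character.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /items?name=pen HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /items?name=pen%27%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 880
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /items?name=pen%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /items?name=pen%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9104
203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "GET /items?name=pen%27%3B%20DELETE%20FROM%20items%3B-- HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "GET /items?name=O%27Brien HTTP/1.1" 200 512
"""

# Coarse indicators keyed by the SQLi category they correspond to. They are
# triage signals for a log review, not proof that an injection succeeded.
INDICATORS = {
    "union-based": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "time-based": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    # tautology such as OR '1'='1: the same token on both sides of the '='
    "boolean-based": re.compile(r"\b(or|and)\s+'?(\w+)'?\s*=\s*'?\2'?", re.I),
    "stacked-query": re.compile(r";\s*(delete|drop|insert|update|shutdown)\b", re.I),
}

# Extracts the request target from a common-log-format request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/')


def classify(uri):
    """Return the indicator categories present in a URI, after percent-decoding."""
    decoded = unquote_plus(uri)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(text):
    """Return (decoded_uri, categories) for every request line carrying an indicator."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        cats = classify(m.group(1))
        if cats:
            hits.append((unquote_plus(m.group(1)), cats))
    return hits


if __name__ == "__main__":
    for uri, cats in scan_log(SAMPLE_LOG):
        print(", ".join(cats), "->", uri)
```

Two caveats matter in practice: a lone quote (the `O'Brien` request) is ordinary data and is deliberately not flagged, and signature matching of this kind misses encoded or obfuscated variants, so time-based probes are better corroborated by response latency in the same log.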

Consequences of a Successful SQL Injection Attack

  • Exposes sensitive company data
  • Compromises users’ privacy
  • Gives an attacker administrative access to your system
  • Gives an attacker general access to your system
  • Compromises the integrity of your data

DEFENSE OPTIONS

  • Defense Option 1: Prepared Statements
  • Defense Option 2: Stored Procedures
  • Defense Option 3: Allow-list Input Validation
  • Defense Option 4: STRONGLY DISCOURAGED: Escaping All User-Supplied Input

EXAMPLE

  [Image: vulnerable code sample] In this code, if the attacker enters itemname as “name' DELETE FROM items;--”, the executed statement turns into the code shown below. [Image: resulting SQL statement]
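The vulnerable and resulting code that the two images showed is not recoverable from the page text, so the following Python/sqlite3 program is an added example, not the original's code. It builds a small constructed `items` table, runs the page's input (with a `;` separator so the two statements parse) through a hypothetical string-concatenated lookup, and contrasts that with Defense Option 1 (a prepared statement) and Defense Option 3 (an allow-list for a client-chosen sort column, where bind parameters cannot be used). The function and table names are assumptions of the example.

```python
import sqlite3

# Constructed in-memory inventory table standing in for the page's "items".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO items (name, price) VALUES (?, ?)",
                     [("pen", 1.5), ("notebook", 3.0), ("stapler", 7.25)])
    conn.commit()
    return conn


def count_items(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


# --- Vulnerable: the user's value is pasted into the SQL text ----------------

def lookup_concat(conn, itemname):
    """Hypothetical vulnerable lookup: concatenation builds the query text,
    so a quote in the input rewrites the WHERE clause."""
    sql = "SELECT name, price FROM items WHERE name = '" + itemname + "'"
    return conn.execute(sql).fetchall()


def lookup_concat_stacked(conn, itemname):
    """Same concatenation, run through executescript(), which executes every
    statement in the string. This mirrors driver/DBMS combinations that allow
    stacked queries. sqlite3's execute() refuses them, but that is a property
    of one driver, not a defense: lookup_concat() still leaks via a tautology."""
    sql = "SELECT name, price FROM items WHERE name = '" + itemname + "'"
    conn.executescript(sql)  # returns no rows; the side effect is the point


# --- Defense Option 1: prepared statement ------------------------------------

def lookup_prepared(conn, itemname):
    """The SQL text is fixed; the value is bound separately, so the database
    only ever treats it as a string literal, quotes and keywords included."""
    return conn.execute(
        "SELECT name, price FROM items WHERE name = ?", (itemname,)
    ).fetchall()


# --- Defense Option 3: allow-list input validation ---------------------------

ALLOWED_SORT_COLUMNS = ("id", "name", "price")


def list_sorted(conn, sort_by):
    """Identifiers such as column names cannot be bound as parameters, so the
    safe way to let the client choose one is an allow-list; anything else is
    rejected before it reaches the query text."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    return conn.execute("SELECT name, price FROM items ORDER BY " + sort_by).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "name'; DELETE FROM items;--"  # the page's example input
    print("normal lookup:", lookup_concat(db, "pen"))
    print("tautology through concat:", lookup_concat(db, "' OR '1'='1"))
    print("prepared, same payload:", lookup_prepared(db, payload),
          "rows left:", count_items(db))
    print("allow-listed sort:", list_sorted(db, "price"))
    lookup_concat_stacked(db, payload)
    print("concat + stacked query, rows left:", count_items(db))
```

Running it shows the prepared statement returning no rows for the payload while the table stays intact, the allow-list rejecting a non-listed sort column with `ValueError`, and the concatenated stacked query emptying the table, which is exactly the outcome the page's example describes.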

THE ACCELLION ATTACK

How Did The Accellion Breach Happen?

  Threat actors combined multiple zero-day exploits and a new web shell targeting the legacy file transfer application (FTA) from Accellion. The attackers used SQL injection and OS command injection together.
  The attack appears to have been financially motivated: the threat actors extort organizations by threatening to sell their data online if a ransom payment is not made.
  In connection with the Accellion breach, the following CVEs have been published:
  • CVE-2021-27101: SQL injection through a forged Host header in a request to document_root.html affects Accellion FTA 9_12_370 and earlier. FTA 9_12_380 and later are the fixed versions.
  • CVE-2021-27102: OS command execution through a local web service call affects Accellion FTA 9_12_411 and earlier. FTA 9_12_416 and later are the fixed versions.
  • CVE-2021-27103: Accellion FTA 9_12_411 and earlier are vulnerable to SSRF via a crafted POST request to wmProgressstat.html. FTA 9_12_416 and later are the fixed versions.
  • CVE-2021-27104: OS command execution via a crafted POST request to different admin endpoints affects Accellion FTA 9_12_370 and earlier. FTA 9_12_380 and later are the fixed versions.
    © 2024