Saturday, July 21, 2012

SQL Injections: Part 1

     SQL injections are among the most significant threats to information security present today.  OWASP, The Open Web Application Security Project, placed injection attacks at the top of their "Top 10 Risks" list for 2010, and SQL attacks have only become more prevalent since (https://www.owasp.org/index.php/Top_10_2010-Main).

     In a SQL injection attack, an attacker takes advantage of forms or elements in a web application that accept user input for interaction with a SQL database to insert, or "inject," commands that are meaningful to SQL into a SQL statement.  It is my intention to show the dangers of SQL injection attacks in order to make security professionals, and hopefully some database administrators, aware of the significance of SQL injections.
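As an added illustration that is not part of the original post: the same login lookup written two ways, once by pasting user input into the statement text and once by binding it as a parameter. Python's sqlite3 module stands in for MySQL here, and the users table and the inputs are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a MySQL users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, pw):
    # The input is spliced into the statement text, so any SQL syntax
    # inside the input becomes part of the statement the DBMS parses.
    sql = "SELECT id FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, pw):
    # The statement structure is fixed; the input is bound as a plain value
    # and is compared literally, quotes and all.
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def demo():
    conn = make_db()
    good = ("alice", "s3cret")
    # Constructed input containing SQL syntax (a closing quote and an OR).
    bad = ("alice", "' OR '1'='1")
    return {
        "vuln_good": login_vulnerable(conn, *good),      # [1]
        "vuln_bad": login_vulnerable(conn, *bad),        # [1, 2]: every user matches
        "param_good": login_parameterized(conn, *good),  # [1]
        "param_bad": login_parameterized(conn, *bad),    # []: input treated as data
    }


if __name__ == "__main__":
    for case, ids in demo().items():
        print(case, ids)
```

In the vulnerable version the WHERE clause becomes `name = 'alice' AND pw = '' OR '1'='1'`, which is true for every row; the parameterized version never changes its statement structure.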

     I do not want to jump into a discussion about SQL injections without first giving a brief overview of SQL:

What is SQL?  SQL is the "Structured Query Language."  SQL is a type of programming language that is used for interacting with databases through a DBMS.  A SQL statement is a line of code that is meaningful in SQL.  Examples from the MySQL tutorial at http://dev.mysql.com/doc/refman/5.6/en/tutorial.html follow:

[Image not available: a simple SQL statement to show the databases available]

[Image not available: a SQL statement to grant permissions on a database to a user from a specified location]

What is a DBMS?  A DBMS is a "Database Management System."  The majority of databases currently in use are relational databases, so it is also common to hear a DBMS referred to as an RDBMS, or Relational Database Management System.  Database Management Systems are organized by the functionality and accessibility that they provide.  For example, Microsoft Access is a personal DBMS because it may only have one or two users, its databases are small in comparison to those of enterprise DBMSs, and its databases are stored on a user's desktop or laptop.  MySQL, Oracle, and MSSQL are examples of enterprise DBMSs because they provide support for multiple (possibly dozens of) users, their databases may contain millions of records, and records are stored on a server, or multiple servers, whose only function is to store databases and provide for interaction with the data within them.

What is a record?  I have used the term "record" a few times now, so this is probably a good point to discuss some terms used in the world of databases.

Database: A collection of information.  In IT, information and data are defined separately: data is meaningless if it is not organized, presented in a timely manner, or relevant to the context at hand.  Information is data that is presented or available in a meaningful way.  Given the definitions that I have provided for data and information, I believe that it is fair to say that a database is more than just a collection of data--a database is a collection of information.

Record: A record is another term for a row in a database table.

Table: A collection of related information; tables are sometimes called relations.  Data stored in a table is arranged in records (rows) and columns.

(The above definitions are my own, but some very technical definitions can be found at "A Comprehensive Dictionary of Database Terms")

There are many commands, or keywords, used in SQL; I will not attempt to cover them except where applicable to the sample attacks shown.

Setting up a test environment:  My studies in college have focused primarily on networking and telecommunications, but have also included a heavy dose of data forensics, hacker techniques and countermeasures, intrusion detection systems, and information security management.  On my own time, I conduct a significant amount of security research--offensive and defensive, though primarily offensive.  In order to conduct my research of attacker tools, techniques, and methodologies, I have found it advantageous (i.e. necessary) to set up a test environment.  My personal test environment consists of Cisco routers and switches, Linux and Windows virtual machines, and some physical Linux servers.  I have been fortunate in that I have had several physical machines donated because they were "old and not worth repair."  I use VMware Workstation for virtualization, though you could use VirtualBox, VMware Player, or whatever you are most comfortable with.

   Backtrack is the most popular platform for penetration testing, but there are many other excellent options.  In June, I participated in the US Cyber Challenge in Virginia (the team that I was on won the CTF event, but there were many skilled competitors).  The first four of the five days involved with the USCC were devoted to classes taught by SANS instructors.  Justin Searle, a lead developer of Samurai WTF, taught web application attacks using Samurai WTF (http://samurai-wtf.org/).  One approach to building a test environment would be to install DVWA (http://sourceforge.net/projects/dvwa/) from OWASP, but DVWA, WebGoat, and several other target web applications are already built into Samurai, which is an attack environment and a target environment combined.  An advantage of Samurai over Backtrack is that it can be downloaded, booted up in a virtual environment, and it is ready to send and receive attacks.

I will be using Samurai WTF for the sample attacks that I will be covering.
