Wednesday, January 23, 2013

SQL Injection In Oracle

I posted earlier about database threats; today I will go deeper and start describing them.
SQL injection is a type of security exploit in which the attacker injects Structured Query Language (SQL) code through a web form input box to gain access to resources or make changes to data. Attackers can execute arbitrary SQL commands through the web application.

It enables an attacker to execute unauthorized SQL commands. For example, when a user logs on to a web page using a user name and password for validation, a SQL query is used. What do you need? Just a web browser.

To start using SQL injection you need to look for a search page, a login page or even a comment (feedback) form. You should also be familiar with HTML, for example with which way the page sends its parameters, POST or GET: if POST is used, you cannot see the parameters in the URL. Check the below:

Some programming languages do not take any protective measures against this; most of them are newer languages such as ASP, PHP and JSP.

Check this simple example of how attackers try to hack the website below (remember that this website does not exist):

http://www.hackme.com/index.asp?id=1

But the attackers change it to be:

http://www.hackme.com/index.asp?id=blah' or 1=1--

The above is a simple example describing how SQL injection works. Another way to know whether a website is vulnerable to SQL injection is to just insert a single quote (') and press Enter: you will get an error message from the ODBC driver.

There are lots of ways to use SQL injection; I will not mention them all, just a few methods to show the basics. The purpose of this article is to learn how to secure the database and the code against database threats.

The simplest way to generate a SQL injection attack is to run one of the below:
• " or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
For example:

http://www.hackme.com/index.asp?id=blah' or 1=1--

SQL injection can be performed on Oracle using the below:
  • Insert, Update and Select.
  • Union
  • Sub-select.
For complex SQL injection you can also reach the OS command line through stored procedures like master..xp_cmdshell (note that master..xp_cmdshell is a Microsoft SQL Server extended stored procedure, not an Oracle one).

For example:
Ping a server
• blah';exec master..xp_cmdshell ping 10.10.1.2"--

To avoid SQL injection:
  • Minimize the privileges of database connections
  • Disable verbose error messages
  • Protect the system account "System Administrator"
  • Reject known bad input
  • Never trust user input
  • Never use dynamic SQL
  • Do not store secrets in plain text
I have described only a small part of this topic on avoiding SQL injection; reading and understanding it will stop attackers from getting into your system and messing around.
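As an added illustration of the last points above (never trust user input, never use dynamic SQL), here is example code that is not from the original post: the login query built by string concatenation beside the same query using bind variables, both run against the post's own payloads. It assumes a constructed in-memory sqlite3 table with hypothetical username/password columns standing in for the Oracle user table.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table.
    sqlite3 is used so the example runs offline; an Oracle driver would use
    :name bind variables instead of sqlite's '?' placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Dynamic SQL built by concatenation: the input becomes part of the
    statement text, so quotes and '--' in it are parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # A lone quote breaks the statement: this is the database error the
        # post describes when probing a page with (').
        return "error"


def login_safe(conn, username, password):
    """Bind variables: the statement text is fixed and the driver passes the
    input as data, so no character in it can change the query's meaning."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def run_checks():
    """Run a valid login and the post's payloads (constructed inputs) through
    both versions; returns {case: (concatenated_result, bound_result)}."""
    conn = make_db()
    cases = {
        "valid": ("alice", "s3cret"),
        "probe": ("'", "x"),                    # the single-quote test
        "comment": ("' or 1=1--", "wrong"),     # '--' drops the password check
        "tautology": ("blah", "' or 'a'='a"),   # always-true password clause
    }
    return {name: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
            for name, (u, p) in cases.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in run_checks().items():
        print(f"{name:10} concatenated={vuln!s:6} bound={safe}")
```

With the concatenated query every payload logs in or crashes the statement, while the bound query only accepts the real credentials.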

Thank you
Osama Mustafa

7 comments:

  1. I am not a programmer but I have this SQL subject this session and have to prepare for it. What topics should be covered in it?
    And has anyone studied from this course www.wiziq.com/course/125-comprehensive-introduction-to-sql of SQL tutorials online? Or tell me any other guidance...
    Would really appreciate help

    Replies
    1. SQL injection is a big topic to cover here; I gave a hint to share the effect of these attacks. To cover SQL injection you need to describe what it is, with examples starting with simple ones and after this going on to complex ones. As an LPT I faced a lot of cases of this kind of attack, and you could read my article about database threats, which I posted here also. For any help you can find me here.

    2. Hi Osama,
      I attended a session in Dublin recently with Tom Kyte where he talked about SQL injection and the latest DB version. This is useful additional information, thanks.
      Aidan.

    3. No need... I will post other topics and articles about SQL injection soon.

  2. Oracle's Database Firewall (now bundled with Audit Vault) can detect and block SQL injections and other exploits before they reach the database. It's great if you have apps whose code you don't own, or don't have a good security test suite for deploying new systems.

  3. This article is a good booster to my hacking skills. I really liked your article.
    Born 2 hack
