Monday, April 2, 2018

SQL Injection (I): Authentication bypass


- Layout for this exercise:


- An SQL injection attack consists of insertion or "injection" of either a partial or complete SQL query via the data input or transmitted from the client (browser) to the web application.

- A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system or write files into the file system, and, in some cases, issue commands to the operating system. 

- SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

- A successful SQL Injection attack requires the attacker to craft a syntactically correct SQL Query. 

- If the application returns an error message generated by an incorrect query, then it may be easier for an attacker to reconstruct the logic of the original query and, therefore, understand how to perform the injection correctly. 

- However, if the application hides the error details, then the attacker must be able to reverse engineer the logic of the original query.


- This type of SQL Injection tries to gain access to a database by inserting SQL Queries within the input fields of a login application, so that the security mechanism is bypassed. 

- Let's take as victim example this demo banking account login page:

- Because it is a demo webpage we know in advance that this database holds a record like this:

- Let's start by examining an usual login SQL query:

SELECT account FROM USERS WHERE username = 'admin' AND password = 'admin'

- The boolean statement username = 'admin' AND password = 'admin' is only TRUE when both boolean operators are TRUE (1 AND 1 = 1).

- In this way, entering the correct credentials admin/admin for both the username and password fields the access is correct:

- However, if one the operators is FALSE (password = '12345') the whole statement falls to FALSE (1 AND 0 = 0):

SELECT account FROM USERS WHERE username = 'admin' AND password = '12345'

- So, entering incorrect credentials like admin/12345 the login process fails:

- By the way, entering a simple quotation mark character (') is a good way to discover if the application is prone to SQL Injection, like it is the case:

- Taking advantage of the SQL query boolean structure, we can forge the credentials so that the whole statement becomes TRUE. For instance:

SELECT account FROM USERS WHERE username = 'admin' AND password = 'x' or 'a'='a'

- Let's notice that 'x' or 'a'='a' is always TRUE (x OR 1 = 1), so the whole statement again would be TRUE (1 AND 1 = 1)

- Checking that a crafted password like x' or 'a'='a gives access to the database:

- Even more, using x' or 'a'='a both for username and password (x' or 'a'='a / x' or 'a'='a) also does the trick of giving access to the database:

- In this final case what we actually have is this:

SELECT account FROM USERS WHERE username =  'x' or 'a'='aAND password = 'x' or 'a'='a'

- The SQL query always falls to TRUE, because both AND operators are TRUE (1 AND 1 = 1). In other words: