10. Web Application Security - SQL Injection

Hacking and Exploits

INFT1201
Mohamed Elghazouly
Web Application Security – Injection Attacks
Agenda*
• Injection Attacks
• SQL Injection Attacks
• Types of SQL Injection
1. In-Band SQL Injection
2. Blind/Inferential SQL Injection
3. Out-of-Band SQL injection
• Countermeasures

* Most of the content in this lecture note is adopted from Certified Ethical Hacker (CEH) Version 11 [1]
Injection Attacks
Injection Attacks
• Key Idea: Input data from the application is executed as code by the interpreter.

• Examples
• SQL injection
• Command injection
• HTML script injection
• Object injection
• Remote file injection
• Format Specifier Injection
• Shell injection
The Fundamental Cause
• Mixing data and code together is the cause of several types of vulnerabilities and
attacks including SQL Injection attack, XSS attack, attacks on the system() function
and format string attacks.
Interacting with Database in Web Application
• A typical web application consists of three major components: Web Browser, Web
Application, and Database Server.
• Users do not directly interact with the database but through a web server.
• If this channel is not implemented properly, malicious users can attack the
database and cause damage.
Attack Classification: Injection

Image Source:
OWASP
Injection Attacks: SQL
Attack Classification: Injection

Image Source:
XKCD
Structured Query Language (SQL)
• Structured Query Language (SQL) is a textual language used by a database server.

• SQL commands used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE.

• Programmers use sequential SQL commands with client-supplied parameters, making it easier for attackers to inject commands.
SQL Syntax
• Comments: -- or #
  Example: SELECT * FROM `table` # selects all records from table

• Logic: `username`='admin'
  Example: SELECT * FROM `table` WHERE `username`='admin'

• Multiple statements are separated by a ;
  Statement1; Statement2
  Example: SELECT * FROM `table`; DROP TABLE `table`;
Injection Type: SQL
▪ SQL injection occurs when a user’s input is not sanitized
before being passed to a database. Three main forms
exist:
1. In-band: The attacker uses the same channel of
communication to launch their attacks and to gather
their results.
2. Inferential (Blind): The attacker sends data payloads
to the server and observes the response and behavior
of the server to learn more about its structure.
3. Out-of-band: The attacker can only carry out this
form of attack when certain features are enabled on
the database server used by the web application.
In-Band SQL Injection
In-Band SQL Injection
In-Band SQL Injection: An attacker uses the same communication channel to perform the attack and retrieve the results.
• Error-based SQL Injection: The attacker uses the data provided by error messages to gather information about the structure of the database.

• UNION SQL Injection: A type of injection that combines the results of two or more SELECT statements into a single result using the UNION operator to get more information from the database.
Vulnerable Code - Example # 1
$conn = mysql_connect("localhost", "username", "password");

// Vulnerable: user input is concatenated straight into the SQL text
$query = "SELECT id, name FROM users
          WHERE name = '{$_POST['username']}'
          AND password = '{$_POST['password']}'";

$result = mysql_query($query);

$numrows = mysql_num_rows($result);

if ($numrows != 0) { header("Location: admin.php"); } else { die('Invalid username or password.'); }
Vulnerable Code - Password Field Injection
$conn = mysql_connect("localhost", "username", "password");

// Vulnerable: user input is concatenated straight into the SQL text
$query = "SELECT id, name FROM users
          WHERE name = '{$_POST['username']}'
          AND password = '{$_POST['password']}'";

User Input:

$_POST['username'] = "admin"
$_POST['password'] = "pass' OR '1'='1"

Query Result:

"SELECT id, name FROM users WHERE name='admin' AND password='pass' OR '1'='1'"
Vulnerable Code: Username Field Injection
$conn = mysql_connect("localhost", "username", "password");

// Vulnerable: user input is concatenated straight into the SQL text
$query = "SELECT id, name FROM users
          WHERE name = '{$_POST['username']}'
          AND password = '{$_POST['password']}'";

User Input:
$_POST['username'] = "admin' OR '1'='1"
$_POST['password'] = "pass"

Why does this work more often?

Query Result:
"SELECT id, name FROM users WHERE name='admin' OR '1'='1' AND password='pass'"
Error-based SQL Injection - Example # 2

Image Source: CEH [1]

Error Based SQL Injection - Example # 3
https://www.example.com/items.php?id=2'

Stack Based

UNION Select SQL Injection - Example # 5
https://www.example.com/items.php?id=2'
https://example.beaglesecurity.com/report.php?id=23 order by 5--
https://example.beaglesecurity.com/report.php?id=23 union select 1,2,3,4,5--
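As an added example (not part of the lecture slides or the CEH material), the following Python routine scans web server access-log lines for the probe patterns these request URLs show from the defender's side: a stray single quote, ORDER BY column-count probing, UNION SELECT, an OR 1=1 tautology and a trailing comment marker. The log lines, IP addresses and paths are constructed; the regular expressions are heuristics and should be tuned to the application's real parameter vocabulary.

```python
"""Added example (not from the lecture slides): scan access-log lines for the
SQL injection probe patterns shown in the slides. The log lines are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format: only the request target is needed.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Indicator patterns, applied to the URL-decoded query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    # OR 1=1 / OR '1'='1': the same token on both sides of the '='.
    "tautology": re.compile(r"\bor\b\s+'?(\w+)'?\s*=\s*'?\1\b", re.I),
    "comment_terminator": re.compile(r"(--|#)\s*$"),
}

# Constructed sample log (not real traffic); the paths mirror the slides.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /items.php?id=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /items.php?id=2%27 HTTP/1.1" 500 331',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /report.php?id=23+order+by+5-- HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /report.php?id=23+union+select+1,2,3,4,5-- HTTP/1.1" 200 2298',
    '203.0.113.4 - - [10/Oct/2023:13:57:00 +0000] "GET /search.php?q=laptops+order+by+price HTTP/1.1" 200 8802',
    '203.0.113.4 - - [10/Oct/2023:13:57:30 +0000] "GET /login.php?user=admin%27+OR+%271%27%3D%271&pass=x HTTP/1.1" 302 0',
]


def decoded_query(request_target):
    """URL-decoded query string of a request target such as /items.php?id=2%27
    (both %XX escapes and '+' are decoded)."""
    return unquote_plus(urlsplit(request_target).query)


def indicators_for(query):
    """Names of the indicator patterns that match one decoded query string."""
    found = [name for name, rx in INDICATORS.items() if rx.search(query)]
    # A lone single quote is the classic first probe (items.php?id=2').
    if query.count("'") % 2 == 1:
        found.append("unbalanced_quote")
    return found


def scan_access_log(lines):
    """Return (line_no, path, indicators) for every line with at least one hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand
        target = m.group(1)
        found = indicators_for(decoded_query(target))
        if found:
            hits.append((no, urlsplit(target).path, found))
    return hits


if __name__ == "__main__":
    for no, path, found in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: {path} -> {', '.join(found)}")
```

The benign search for `laptops order by price` is deliberately a near miss: the ORDER BY pattern requires a numeric column position, which is what column-count probing uses. Quote counting is done after URL decoding because the probe usually arrives as `%27`; the server's 500 response on that constructed line is what error-based probing looks like in the logs.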
Blind/Inferential SQL Injection
Blind/Inferential SQL Injection
• Blind/Inferential SQL Injection: the attacker has no error messages from the system to work with.
• The attacker simply sends a malicious SQL query to the database.
• Time Based
• Boolean Based
• Heavy Query
Blind SQL Injection – Time-Based
• This technique forces the database to wait for a while before responding after the query is submitted. Examples:

Image Source: CEH [1]


Blind SQL Injection – Boolean-Based
• This technique sends queries to the database that make the application return different responses, depending on whether the query evaluates to true or false.
Blind SQL Injection - Heavy Query
• An attacker can use heavy queries to perform a time delay SQL injection attack without using time delay functions.

• A heavy query retrieves a massive amount of data, and it will take a long time to execute on the database engine.

• Example:
  SELECT count(*) FROM all_users A, all_users B, all_users C
Out-of-Band SQL injection
Out-of-Band SQL injection
• Out-of-Band SQL Injection: Attackers use different communication channels (such as database email functionality or file writing and loading functions) to perform the attack and obtain the results.
Countermeasures
How to Defend Against SQL Injection Attacks

Example of defending SQL Injection attacks [1]


Countermeasures: Prepared Statement (1/3)
• Fundamental cause of SQL injection: mixing data and code
• Fundamental solution: separate data and code.
• Main Idea: Sending code and data in separate channels to the database server.
• How: using prepared statement
Countermeasures: Prepared Statement (2/3)
• Prepared Statement: we send an SQL statement template to the database, with
certain values called parameters left unspecified.
• The database parses, compiles and performs query optimization on the SQL
statement template and stores the result without executing it.
• We later bind data to the prepared statement.
Countermeasures: Prepared Statement (3/3)
• Parameterized queries force the developer to first define all the SQL code, and
then pass in each parameter to the query later.

• This coding style allows the database to distinguish between code and data,
regardless of what user input is supplied.

• Prepared statements ensure that an attacker is not able to change the intent of a
query, even if SQL commands are inserted by an attacker.
Prepared Statements – Example
• When the execute function is called, the prepared statement is combined with the parameter values you specify.
• The parameter values are combined with the compiled statement, not a SQL string.

Without a prepared statement (vulnerable):
    $conn = getDB();
    $sql = "SELECT name, local, gender
            FROM USER_TABLE
            WHERE id = $id AND password = '$pwd'";
    $result = $conn->query($sql);

With a prepared statement:
    $conn = getDB();
    $stmt = $conn->prepare("SELECT name, local, gender
                            FROM USER_TABLE
                            WHERE id = ? AND password = ?");
    // Bind parameters to the query
    $stmt->bind_param("is", $id, $pwd);
    $stmt->execute();
    $stmt->bind_result($bind_name, $bind_local, $bind_gender);
    $stmt->fetch();
Why Are Prepared Statements Secure?
• Trusted code is sent via a code channel.
• Untrusted user-provided data is sent via data channel.
• Database clearly knows the boundary between code and data.
• Data received from the data channel is not parsed.
• Attacker can hide code in data, but the code will never be treated as code, so it
will never be executed.
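An added example, not part of the slides: the login check from the vulnerable PHP code (Example # 1 and the two field-injection slides) next to its parameterized form, rebuilt in Python with an in-memory SQLite database. Python's sqlite3 module uses the same `?` placeholder style as the mysqli prepare()/bind_param() code above. The table name and columns follow the slides; the rows are constructed sample data. Running it traces why the password-field payload returns every row (AND binds tighter than OR, so `name='admin' AND password='pass' OR '1'='1'` is true for all rows), why the username-field payload returns the admin row plus any row whose password happens to be `pass`, and why both payloads match nothing once they travel as bound parameters.

```python
"""Added example (not from the lecture slides): the vulnerable login check and
its prepared-statement replacement, traced against an in-memory SQLite table.
Table contents are constructed sample data."""
import sqlite3

# Template with the parameters left unspecified; the database receives this
# text unchanged no matter what the user types (the "code channel").
LOGIN_SQL = "SELECT id, name FROM users WHERE name = ? AND password = ?"


def make_db():
    """Constructed stand-in for the `users` table on the slides. The third
    row's *name* is literally an injection string, to show that a bound
    parameter is compared as data and never parsed as SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "pass"), ("admin' OR '1'='1", "x")],
    )
    return conn


def build_vulnerable_query(username, password):
    """Same string concatenation as the PHP example: input becomes SQL text."""
    return (
        "SELECT id, name FROM users "
        f"WHERE name = '{username}' AND password = '{password}'"
    )


def vulnerable_login(conn, username, password):
    """Mirrors the PHP `if ($numrows != 0)` check: returns the rows matched
    by the concatenated query."""
    return conn.execute(build_vulnerable_query(username, password)).fetchall()


def safe_login(conn, username, password):
    """Fixed SQL text; both inputs travel as bound values (the "data channel")
    and are compared as whole strings."""
    return conn.execute(LOGIN_SQL, (username, password)).fetchall()


def login_granted(rows):
    """The slides grant access whenever the query returned at least one row."""
    return len(rows) != 0


if __name__ == "__main__":
    conn = make_db()
    # Payloads exactly as on the slides: password field, then username field.
    for user, pwd in [("admin", "pass' OR '1'='1"), ("admin' OR '1'='1", "pass")]:
        print(build_vulnerable_query(user, pwd))
        print("  concatenated :", vulnerable_login(conn, user, pwd))
        print("  parameterized:", safe_login(conn, user, pwd))
```

The third constructed row makes the "data is never parsed" point concrete: `safe_login(conn, "admin' OR '1'='1", "x")` matches exactly that one row, because the quote characters and the `OR` are just bytes of a name being compared, while the same string concatenated into the query text changes the WHERE clause.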
* SQL Injection Myths and Fallacies by Bill Karwin; for the complete presentation refer to https://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies
Some good sites to learn more
▪ Prevention guide (with sample code in many languages): http://bobby-tables.com/
▪ Tutorials:
1. (webinar) http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and-fallacies
2. http://www.unixwiz.net/techtips/sql-injection.html
▪ Cool site that lets you try out attacks on a sample DB and explains why they work: http://sqlzoo.net/hack/
▪ Research paper on how to retrofit existing websites to combat SQL injection attacks: http://lersse-dl.ece.ubc.ca/record/205/files/paper.pdf
Summary
• Injection Attacks
• SQL Injection Attacks
• Types of SQL Injection
1. In-Band SQL Injection
2. Blind/Inferential SQL Injection
3. Out-of-Band SQL injection
• Countermeasures
Questions?
References
[1] EC-Council. (2020). Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volumes 1 through 4). [VitalSource Bookshelf]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781635675160/

[2] Hands-on Security. https://www.handsonsecurity.net/index.html

[3] Chuck Easttom. Network Defense and Countermeasures: Principles and Practices, 3rd Edition. Published April 16, 2018 by Pearson IT Certification. eBook: ISBN-10: 0-7897-5996-9, ISBN-13: 978-0-7897-5996-2

[4] Wenliang Du. Computer Security: A Hands-on Approach. Paperback, Oct. 12, 2017. ISBN-10: 154836794X, ISBN-13: 978-1548367947

[5] Walker, M. (2019). CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition. [VitalSource Bookshelf]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781260454567/

[6] Web Application Security and Scanning: Explanation and Deep Dive. https://www.rapid7.com/fundamentals/web-application-security/

[7] Google's Web Security Update. https://connectionsmarketing.com/prepare-site-google-web-security-update/

[8] SQL Injection (SQLI). https://medium.com/iocscan/sql-injection-sqli-90414fca6664

[9] Web Application Security Fundamentals. https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648636(v=pandp.10)?redirectedfrom=MSDN

[10] For description and examples of SQL injection types: https://www.w3resource.com/sql/sql-injection/sql-injection.php
