Wednesday, 23 April 2014

Types of SQL Injection Attacks

1. Tautologies
2. Union Query
3. Piggy-backed Queries
4. Inference
5. Illegal/Logically Incorrect Queries
6. Stored Procedures
7. Alternate Encodings
Type: Tautologies
This type of attack injects SQL tokens into the conditional (WHERE) clause of a query so that the condition always evaluates to true.
Example:-
SELECT * FROM employee WHERE userid = '112' and password = 'aaa' OR '1'='1'

Because the tautology ('1'='1') has been appended to the query, the WHERE clause is always true and the password check is bypassed.

Type: Union Queries
The result of a Union Query injection attack is a new dataset returned by the database, containing the union of the first (developer-intended) query and the second (attacker-intended) one.

Example:-
SELECT Name, Phone FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber, 1 FROM CreditCardTable

This joins the result of the original query with all the credit card numbers from CreditCardTable, which are then returned in the Name column.
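As an added example (not the post's own code), the tautology and union injections described above run against a constructed SQLite database in Python, with the vulnerable string-concatenating query beside a parameterised one; table and column names follow the page's examples, the rows are constructed:

```python
import sqlite3


def make_db():
    # Constructed in-memory tables using the names from the page's examples.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (userid TEXT, password TEXT, name TEXT);
        INSERT INTO employee VALUES ('112', 's3cret', 'Alice');
        CREATE TABLE CreditCardTable (creditCardNumber TEXT, owner TEXT);
        INSERT INTO CreditCardTable VALUES ('4111111111111111', 'Alice');
    """)
    return con


def login_vulnerable(con, userid, password):
    # The query is assembled by string concatenation, so a quote character in
    # the input ends the literal and the rest of the input is parsed as SQL.
    sql = ("SELECT name FROM employee WHERE userid = '" + userid
           + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, userid, password):
    # Parameterised query: the driver binds the values as data, so the same
    # inputs are compared literally and can never change the statement's shape.
    sql = "SELECT name FROM employee WHERE userid = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (userid, password))]


# Inputs shaped like the page's two examples (constructed).
TAUTOLOGY = "aaa' OR '1'='1"                                            # password field
UNION = "x' UNION ALL SELECT creditCardNumber FROM CreditCardTable --"  # userid field


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "112", TAUTOLOGY))   # ['Alice']: password check bypassed
    print(login_vulnerable(con, UNION, "anything"))  # ['4111111111111111']: second table leaked
    print(login_safe(con, "112", TAUTOLOGY))         # []
    print(login_safe(con, UNION, "anything"))        # []
```

The parameterised version returns no rows for either input because the whole string, quotes and all, is compared against the column value.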

Type: Piggy-backed Queries
In this attack type, an attacker tries to inject additional queries into the original query.
In this case, attackers are not trying to modify the original intended query; instead, they are trying to include new and distinct queries that "piggy-back" on the original query.

Example:-
SELECT accounts FROM users WHERE login='doe' AND pass='0'; DROP database webApp

Type: Inference
In this type of attack, intruders inject queries that change the behavior of the database or application and infer information from how it responds.

Blind injection:- Blind SQL Injection is used when a web application is vulnerable to SQL injection, but the results of the injection are not visible to the attacker.
Information is inferred from the behavior of the page by asking the server true/false questions. If the injected statement evaluates to true, the site continues to function normally. If the statement evaluates to false, although there is no descriptive error message, the page differs significantly from the normally functioning page.

Timing attacks:- This type of blind SQL injection relies on the database pausing for a specified amount of time before returning the results, indicating that the injected SQL query executed successfully.
A timing attack allows an attacker to gain information from a database by observing timing delays in the database's response. Attackers structure their injected query in the form of an if/then statement, whose branch predicate corresponds to an unknown about the contents of the database. Along one of the branches, the attacker uses a SQL construct that pauses execution for a known amount of time (e.g. the WAITFOR keyword). By measuring the response time of the database, the attacker can infer which branch was taken and therefore the answer to the injected question.

Type: Illegal/Logically Incorrect Queries
This type is used to trigger syntax errors (which reveal injectable parameters), type conversion errors (which reveal the data types of certain columns or let data be extracted from them) or logical errors (which often reveal the names of the tables and columns that caused the error), so that the attacker can gather information about the type and structure of the back-end database of a given Web application.
Example:-
SELECT accounts FROM users WHERE login='' AND pass='' AND pin=convert(int,(select top 1 name from sysobjects where xtype='u'))

Type: Stored Procedure
This type of attack exploits stored procedures that build SQL from their parameters.
Example:-
CREATE PROCEDURE DBO.isAuthenticated
@userName varchar2, @pass varchar2, @pin int AS
EXEC("SELECT accounts FROM users WHERE login='" + @userName + "' and pass='" + @pass + "' and pin=" + @pin); GO

SELECT accounts FROM users WHERE login='doe' AND pass = ' '; SHUTDOWN; -- AND pin=

Type: Alternate Encodings
This attack type is used in conjunction with other attacks. In other words, alternate encodings do not provide any unique way to attack an application; they are simply an enabling technique that allows attackers to evade detection and prevention techniques and exploit vulnerabilities that might not otherwise be exploitable.

"SELECT * FROM userTable WHERE login='" + login + "' AND pin=" + pin;

Input pin as "0; declare @a char(20) select @a=0x73687574646f776e exec(@a)" (the hex literal is the ASCII encoding of the word shutdown, so a filter looking for that keyword never sees it)

SELECT * FROM userTable WHERE login='user' AND pin=0; declare @a char(20) select @a=0x73687574646f776e exec(@a)
