Tuesday, 8 November 2022

SQLi Attack

What is a SQL injection attack?

SQL injection is a common attack vector that uses malicious SQL code to manipulate a back-end database so that it returns information that was never meant to be displayed.

This data may include sensitive business information, private customer details or user lists. A successful SQL injection can result in the deletion of entire databases, unauthorized access to sensitive data, and the unintended granting of administrative rights over the database.

How does a SQL injection attack work?

1. Using SQLi to authenticate as admin:

Consider an authentication system backed by a users table holding usernames and passwords. The user's POST request supplies username and password variables that are inserted directly into the SQL statement.

 

sql = "SELECT id FROM users WHERE username='" + username + "' AND password='" + password + "'"

The problem is that the SQL statement uses concatenation to join the data. Instead of a real password, an attacker can supply a string like this:

password' OR '2' = '2

The resulting SQL query will be run against the database:

SELECT id FROM users WHERE username = 'username' AND password = 'password' OR '2' = '2'

Because '2' = '2' always evaluates to true, the entire WHERE clause is true regardless of the username or password provided. The query then returns the first id from the users table, which is usually the administrator's. This means that an attacker can access the application without valid credentials and also gains administrator privileges.

2. Using SQLi to access sensitive data:

In this example, the following code gets the authenticated user's name and searches for items matching a given item name where that user is the owner.

...

string userName = ctx.getAuthenticatedUserName();

string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";

...

This code has the same weakness as the previous example - the use of concatenation. After combining the username and item name, the code creates the following query:

SELECT * FROM items WHERE owner = '<userName>' AND itemname = '<itemName>';

If the attacker provides the following string for the item name:

Widget' OR '2' = '2

The SQL statement becomes:

SELECT * FROM items WHERE owner = 'John' AND itemname = 'Widget' OR '2' = '2';

which is equivalent to: SELECT * FROM items;

This means that the query will return the entire table's data, giving an attacker unauthorized access to sensitive data.

Types of SQLi attack:

1. In-band SQLi:

In-band SQL injection is the most common and most easily exploited form of SQL injection. It occurs when an attacker can use the same communication channel both to launch the attack and to collect the results.

The two most common types of in-band SQL injection are error-based SQL injection and union-based SQL injection.

2. Inferential SQLi (Blind SQLi):

Inferential SQL injection may take an attacker longer to exploit, but it is just as harmful as any other form of SQL injection. No data is returned directly; the attacker reconstructs the database structure by sending payloads and observing the web application's response and the resulting behaviour of the database server.

There are two types of inferential SQL injection: boolean-based blind SQLi and time-based blind SQLi.

3. Out-of-band SQLi:

Out-of-band techniques are rare, mostly because they depend on features being enabled on the database server used by the web application. Out-of-band SQL injection is used when an attacker cannot use the same channel both to launch the attack and to gather the results.

Examples of real-life SQL injection attacks:

GhostShell attack - Hackers from the APT group GhostShell attacked 53 universities via SQL injection, stealing and publishing 36,000 personal records of students, faculty and staff.

Turkish government - Another APT group, the RedHack collective, used SQL injection to compromise a Turkish government website and erase debt owed to government agencies.

7-Eleven breach - A team of attackers used SQL injection to penetrate the enterprise systems of several companies, primarily the retail chain 7-Eleven, and stole 130 million credit card numbers.

Tesla vulnerability - In 2014, security researchers disclosed that they were able to compromise Tesla's website using SQL injection, gain administrative privileges, and steal user data.

Cisco vulnerability - In 2018, a SQL injection vulnerability was found in Cisco Prime License Manager. The vulnerability allowed attackers to gain shell access to systems on which the license manager was deployed. Cisco has patched this vulnerability.

How can we prevent SQL Injection Attacks?

Preventing SQL injection attacks is largely about making sure that none of the input fields the application accepts can alter the query it runs. Some important points in preventing SQL injection attacks are:

1. Continuous scanning and penetration testing: An automated web application scanner has long been the best choice for pointing out web application vulnerabilities. Now that SQL injection attacks are better at exploiting logic errors, website security professionals should also explore manual testing with the help of a security vendor.

2. Permission restrictions: This is more of a database management measure, but enforcing specific permissions on specific accounts helps prevent blind SQL injection attacks. Start each account with no permissions and grant "read only", "edit", "delete" and similar levels only as needed.

3. Use query parameters: Dynamic queries create many problems for security professionals, who have to deal with changing vulnerabilities in each application, which only gets worse with updates and changes. Use prepared, parameterized queries instead, so that user input is passed to the database as data and never as part of the SQL text.

4. Immediate protection: Most organizations fail because of issues like outdated code, a lack of resources to test and make changes, no application security knowledge and frequent application updates. For those, web application protection is the best solution.
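
As an added example (not code from the original post), the concatenated login query from the first section is shown beside the parameterized version recommended in point 3, both run against a constructed in-memory SQLite table; the same placeholder substitution fixes the items lookup in the second section.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo: two users, admin first (id 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "wonderland")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, as the post's first example does.
    Whatever the user types becomes part of the SQL text."""
    sql = ("SELECT id FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same lookup with ? placeholders: the driver sends the values as data,
    so quotes or OR clauses in the input can never change the query's logic."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Returns the outcome of a valid login and of the post's tautology payload
    against both implementations."""
    conn = make_db()
    payload = "password' OR '2' = '2"   # the post's payload, quote-balanced
    results = {
        "vuln_valid": login_vulnerable(conn, "alice", "wonderland"),    # 2
        "vuln_payload": login_vulnerable(conn, "nobody", payload),      # 1 (admin!)
        "param_valid": login_parameterized(conn, "alice", "wonderland"),  # 2
        "param_payload": login_parameterized(conn, "nobody", payload),  # None
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the concatenated query the payload logs the attacker in as id 1 (the admin row); with placeholders the same string is just a password that matches nobody.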

 

Case Study – Fortnite Vulnerability

In 2019, an SQL injection attack was performed on Epic Games' servers, affecting around 80 million Fortnite user accounts. According to the security research firm Check Point, numerous flaws were found in the online game. Cybercriminals could easily take over individual accounts to view account information, make purchases, and record in-game and home conversations in the background.

Check Point researchers found two old subdomains vulnerable to SQL injection and XSS attacks. This vulnerability redirected traffic from the main Epic Games login page to another older, vulnerable subdomain.

To exploit this vulnerability, attackers would first need to send phishing links to Fortnite account holders. Once a user clicked the link, Epic Games requested a single sign-on (SSO) token from one of the platforms linked to the account, such as Facebook, Google+, PlayStation, Xbox or Nintendo. After the SSO token was obtained, the page was redirected to a malicious URL that contained an XSS payload which re-requested the token. Finally, the authentication token was sent to the attacker. The authentication token was simply hijacked from the single sign-on flow without the Fortnite players ever entering their credentials.

The vulnerability came from Fortnite's generic SSO system, which worked across the multiple platforms associated with the game. Single sign-on allows users to sign in to different websites and services using the same credentials.