Chapter 14: SQL Injection Flashcards Preview


Flashcards in Chapter 14: SQL Injection Deck (24)
1
Q

SQL

A

language for specifying DB queries

2
Q

SQL Injection

A

designed to exploit flaws in a website or web application NOT a database

the attack works by inserting code into an existing line of code prior to its execution; if SQL injection is successful, attackers can cause their own code to run

the goal is to submit commands in order to retrieve or manipulate data

the usual cause is improper or absent input validation

3
Q

Batch Execution

A

more than one SQL statement, each separated by a semicolon, to be executed at once

This is typically allowed by Microsoft’s SQL Server & Oracle’s Siebel

4
Q

Results of SQL Injection

A

1) Identity spoofing
2) Alteration of prices in e-commerce apps
3) Alteration of data
4) Escalation of privileges
5) DoS
6) Data extraction and disclosure
7) Corruption of data
8) Eliminating transactions

5
Q

Steps of web application’s working

A

1) User makes a request through web browser from internet to web server
2) web server accepts the request and forwards it to the applicable web application server
3) web app server performs requested task
4) web app accesses entire db available and responds to web server
5) web server responds back to user once transaction is complete
6) requested info presented on user’s monitor

6
Q

Server-side technology examples

A

ASP, Oracle, SQL, PHP, JSP, etc.

7
Q

Define database

A

a hierarchical, structured format for storing info for later retrieval, modification, mgmt, etc

8
Q

types of databases

A

1) RELATIONAL DB //data can be organized and accessed in various ways as appropriate for the situation, for example for a customer table, you can group by zip code, sale price, etc
2) DISTRIBUTED DB //designed to be dispersed or replicated between different locations across a NW
3) OBJECT-ORIENTED PROGRAMMING DB //built around data-defined object classes and subclasses
4) HIERARCHICAL DB //A hierarchical database model is a data model in which the data is organized into a tree-like structure. The data is stored as records which are connected to one another through links. A record is a collection of fields, with each field containing only one value.

9
Q

Structures of a database that allow easy management, querying, and retrieval:

A

1) RECORDS OR ROWS //each record in a DB represents a collection of related data such as information about a person
2) COLUMN //represents one type of data, such as age

10
Q

Locating Databases on the NW

A

SQLPing 3.0 is designed to discover DBs

SQLRecon

After locating a database, SQLPing can be used to crack PWs

11
Q

Steps of an SQL Injection

A

1) Acquire a target //you can use various techniques, but we will use google hacking (use of advanced search query commands) Some queries include (check page 603-604)

2) Look for vulnerabilities //one easy way to determine if a site is vulnerable is to add an apostrophe to the end of the URL 
//if an error returns, it is vulnerable
3) Initiate an attack //learn the structure of the DB by adding "order by" to the end of the URL
//If this code returns any result other than an error, increment the # after the order by, by 1 or any # until an error occurs
//when an error is encountered, it indicates that the last entry that did not return an error is the number of columns in the DB

http://www.somewebsite.com/default.php?id=1 order by 1
4) Once columns have been determined, you can establish whether you can make queries against the system; do so by appending ‘union select’ on the end of the URL
http://www.somewebsite.com/default.php?id=-1 union select 8

//notice the hyphen after the = sign in id; the 8 is how many columns you determined existed

//Once results of this query are returned, you will see that column #s are returned. The #s that are returned indicate that queries are accepted against these columns, you can now inject further refined SQL statements

5) Let's identify the SQL version in use
@@version OR
version() //to determine the version of the DB

//you have to target a column

http://www.somewebsite.com/default.php?id=-1 union select 3 @@version

//from the returned value we can determine that the DB used is MySQL and the version is at least version 5

The rest of the directions on page 607

12
Q

Altering data w/ SQL injections

A

websites ask for information; you can manipulate this information

an example would be the "forgotten password" feature: it will ask you to input your email; when doing this, add a single quote after it

name@domain.com'

One of two things will happen: the application will sanitize the input by removing the quote, or the application does not have protection in place and accepts the input without sanitizing it; in the latter case, the SQL is being run by the application

An error message indicates a vulnerable DB

could possibly change the emails

UPDATE table
SET email = 'name@domain.com'
WHERE email = 'hadona@domain.com';

13
Q

Injecting Blind

A

perhaps the target does not return messages at all; this attack does not depend on error messages

since no error messages are returned, you can use the WAITFOR DELAY command to check the SQL execution status

:; IF EXISTS(SELECT * FROM users) WAITFOR DELAY 'time' (time is given as hours:minutes:seconds, e.g. 0:0:5 for 5 seconds)

//If the system cannot run this, the system is not vulnerable; a wait time of the specified length indicates vulnerability

14
Q

Evading detection mechanisms

A

EVADE AN IDS // an IDS will typically look for common code patterns used in SQL injection; therefore attackers use hex encoding, whitespace variations, comments in the code to break up statements, and string concatenation

15
Q

SQL Injection Countermeasures

A

1) USE VALIDATION //using whitelists and blacklists
2) AVOID DYNAMIC SQL //Dynamic statements are generated from the options and choices made on the client side; Such statements should be avoided in favor of using stored procedures or predefined statements
3) PERFORM MAINTENANCE ON SERVER REGULARLY AND UPDATE PATCHES
4) IDS
5) HARDEN A SYSTEM TO INCLUDE OS AND DB //DISABLE UNNEEDED FEATURES, i.e. disable cmd
6) EXERCISE LEAST PRIVILEGE //give only access to what is needed
7) TEST APPS BEFORE DEPLOYING INTO PROD
8) AVOID DEFAULT CONFIGS AND PWS
9) DISABLE ERROR MESSAGES OUTSIDE TEST AND DEV ENVIRONMENTS

16
Q

Web applications are used to

a) provide dynamic content
b) stream video
c) apply scripting
d) implement security controls

A

a) provide dynamic content of all types

17
Q

Which of the following challenges can be solved by firewalls?

a) protection against buffer overflows
b) protection against scanning
c) enforcement of privileges
d) ability to use nonstandard ports

A

b) protection against scanning and probing or discovery of a DB

18
Q

Databases can be a victim of code exploits depending on

a) configuration
b) vendor
c) patches
d) client version

A

a) configuration

19
Q

Which of the following is a scripting language?

a) ActiveX
b) Java
c) CGI (common gateway interface)
d) ASP.NET

A

c) CGI is a web scripting interface

20
Q

_____ is used to audit DBs

a) Ping
b) IPConfig
c) SQLping
d) traceroute

A

c) SQLping audits DBs and helps identify issues

21
Q

Which command can be used to access cmd in SQL server?

a) WHERE
b) SELECT
c) xp_cmdshell
d) cmdshell

A

c) xp_cmdshell

22
Q

Which statement is used to limit data in SQL server?

a) cmdshell
b) WHERE
c) SELECT
d) to

A

b) WHERE

23
Q

SQL injection attacks are aimed at which of the following?

a) web applications
b) web servers
c) databases
d) database engines

A

c) SQL injection operates at the database layer and attacks databases directly.

24
Q

What type of database uses multiple tables linked together in complex relationships?

a) hierarchical
b) relational
c) distributed
d) flat

A

c) relational