Apache Security - Ivan Ristic [154]

single quotes were not used because some environments (PHP, for example) can be configured to automatically escape single quotes that appear in the input URL. That is, they may change a single quote (') that appears in the input to \', in which the backslash indicates that the single quote following it should be interpreted as the single quote character, not as a quote delimiting a string. Even programmers who are not very security-conscious will often escape single quotes because not doing so can lead to errors when an attempt is made to enter a name such as O'Connor into the application.

Though the examples so far included only the SELECT construct, INSERT and DELETE statements are equally vulnerable. The only way to avoid SQL injection problems is to avoid using simple string concatenation as a way to construct queries. A better (and safe) approach is to use prepared statements. In this approach, a query template is given to the database, followed by the separate user data. The database then constructs the final query, ensuring no injection can take place.

Union

We have seen how SQL injection can be used to access data from a single table. If the database system supports the UNION construct (which MySQL does as of Version 4), the same concept can be used to fetch data from multiple tables. With UNION, you can append a new query to fetch data and add it to the result set. Suppose the parameter customerid from the previous example is set as follows:

http://www.example.com/view_customer.php?customerid=1%20UNION%20ALL%20SELECT%20balance%20FROM%20accounts%20WHERE%20customerid%3D2

the query becomes:

SELECT username FROM customers WHERE customerid = 1
UNION ALL SELECT balance FROM accounts WHERE customerid=2

The original query fetches a username from the customers table. With UNION appended, the modified query fetches the username but it also retrieves an account balance from the accounts table.
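The following is an added example, not the book's own code: it reproduces the UNION injection above against an in-memory SQLite database using the same string concatenation as the view_customer.php example, and beside it the prepared-statement version recommended earlier. Table and column names follow the book; the row contents are constructed sample data.

```python
"""UNION injection via string concatenation versus a bound parameter."""
import sqlite3

# Constructed sample data: two customers, each with one account.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (customerid INTEGER, username TEXT);
        CREATE TABLE accounts  (customerid INTEGER, balance  INTEGER);
        INSERT INTO customers VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO accounts  VALUES (1, 100), (2, 9999);
    """)
    return db

# Vulnerable: the request parameter is concatenated into the query text,
# so anything after the number is parsed as SQL.
def view_customer_vulnerable(db: sqlite3.Connection, customerid: str) -> list:
    query = "SELECT username FROM customers WHERE customerid = " + customerid
    return [row[0] for row in db.execute(query)]

# Safe: a prepared statement. The template is fixed; the value is bound
# separately and can only ever be compared against customerid, never parsed.
def view_customer_safe(db: sqlite3.Connection, customerid: str) -> list:
    query = "SELECT username FROM customers WHERE customerid = ?"
    return [row[0] for row in db.execute(query, (customerid,))]

# The decoded customerid value from the URL in the text.
INJECTED = "1 UNION ALL SELECT balance FROM accounts WHERE customerid=2"

if __name__ == "__main__":
    db = make_db()
    print(view_customer_vulnerable(db, INJECTED))  # ['alice', 9999]
    print(view_customer_safe(db, INJECTED))        # []
    print(view_customer_safe(db, "1"))             # ['alice']
```

With the bound parameter, the whole injected string is treated as a single value that matches no customerid, so the accounts table is never touched.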

Multiple statements in a query

Things become really ugly if the database system supports multiple statements in a single query. Though our attacks so far were a success, there were still two limitations:

We had to append our query fragment to an existing query, which limited what we could do with the query.

We were limited to the type of the query used by the programmer. A SELECT query could not turn into DELETE or DROP TABLE.

With multiple statements possible, we are free to submit a custom-crafted query to perform any action on the database (limited only by the permissions of the user connecting to the database).

When allowed, statements are separated by a semicolon. Going back to our first example, here is the URL to remove all customer information from the database:

http://www.example.com/view_customer.php?customerid=1;DROP%20TABLE%20customers

After SQL injection takes place, the second SQL query to be executed will be DROP TABLE customers.

Special database features

Exploiting SQL injection flaws can be hard work because there are many database engines, and each engine supports different features and a slightly different syntax for SQL queries. The attacker usually works to identify the type of database and then proceeds to research its functionality in an attempt to use some of it.

Databases have special features that make life difficult for those who need to protect them:

You can usually enumerate the tables in the database and the fields in a table. You can retrieve values of various database parameters, some of which may contain valuable information. The exact syntax depends on the database in place.

Microsoft SQL Server ships with over 1,000 built-in stored procedures. Some do fancy stuff such as executing operating system code, writing query output into a file, or performing a full database backup over the Internet (to the place of the attacker's choice, of course). Stored procedures are the first feature attackers will go for if they discover an SQL injection vulnerability in a Microsoft SQL Server.

Many databases can read and write files, usually to perform data
