CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [72]
8. B. Web applications are client-server programs that reside on a web server.
9. A. A countermeasure to a directory-traversal attack is to enforce permissions to folders.
10. B. Command injection involves a hacker entering programming commands into a web form in order to get the web server to execute the commands.
SQL Injection and Buffer Overflows
CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:
✓ SQL Injection
What Is SQL Injection?
Understand the Steps to Conduct SQL Injection
Understand SQL Server Vulnerabilities
Describe SQL Injection Countermeasures
✓ Buffer Overflows
Identify the Different Types of Buffer Overflows and Methods of Detection
Overview of Stack-Based Buffer Overflows
Overview of Buffer Overflow Mutation Techniques
SQL injection and buffer overflows are similar exploits in that they're both usually delivered via a user-input field. The input field is where a user may enter a username and password on a website, add data to a URL, or perform a search for a keyword in another application.
Both SQL injection and buffer overflow vulnerabilities are caused by the same issue: unvalidated parameters. If programmers don't take the time to validate the values a user can enter into an input field, the results can be serious and unpredictable. Sophisticated hackers can exploit this vulnerability to cause an execution fault and shutdown of the system or application, or to have a command shell executed for the hacker.
SQL Injection
As a CEH, it's important for you to be able to define SQL injection and understand the steps a hacker takes to conduct a SQL injection attack. In addition, you should know SQL server vulnerabilities, as well as countermeasures to SQL injection attacks.
We'll discuss these in the following sections.
What Is SQL Injection?
During a SQL injection attack, malicious code is inserted into a web form field or the website's code to make a system execute a command shell or other arbitrary commands. Just as a legitimate user enters queries and additions to the SQL database via a web form, the hacker can insert commands to the SQL server through the same web form field. For example, an arbitrary command from a hacker might open a command prompt or display a table from the database. A database table may contain personal information such as credit card numbers, social security numbers, or passwords. SQL servers are very common database servers, used by many organizations to store confidential data. This makes a SQL server a high-value target and therefore a system that is very attractive to hackers.
Understand the Steps to Conduct SQL Injection
Before launching a SQL injection attack, the hacker determines whether the configuration of the database and related tables and variables is vulnerable. The steps to determine the SQL server's vulnerability are as follows:
1. Using your web browser, search for a website that uses a login page or other database input or query fields (such as an "I forgot my password" form). Look for web pages that display the POST or GET HTML commands by checking the site's source code.
2. Test the SQL server using a single quote ('). Doing so indicates whether the user-input variable is sanitized or interpreted literally by the server. If the server responds with an error message that says use 'a'='a' (or something similar), then it's most likely susceptible to a SQL injection attack.
3. Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.
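The following is an added example, not code from the book or from any product it discusses. It shows why step 2's single-quote probe produces an error and why the ' or 1=1-- strings listed in the next section can bypass a login: the vulnerable function pastes form input into the SQL text, while the hardened function beside it uses a parameterized query (the countermeasure). The users table and its rows are constructed sample data, and SQLite stands in for the site's database server.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a site's login table (sample data, not real).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_vulnerable_query(username, password):
    # The flawed pattern: form input is pasted into the SQL text, so a quote
    # closes the string literal and "--" comments out the rest of the WHERE clause.
    return ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # Returns True if a row matches, False if none does, and None when the
    # statement itself fails to parse (the error that step 2 probes for).
    try:
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    except sqlite3.Error:
        return None
    return row[0] > 0


def login_safe(conn, username, password):
    # Countermeasure: a parameterized query. The values travel separately from
    # the SQL text, so "' or 1=1--" is compared as a literal username and fails.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("alice", "s3cret"), ("Blah' or 1=1--", "x"), ("'", "x")]:
        print(repr(name), "vulnerable:", login_vulnerable(db, name, pw),
              "safe:", login_safe(db, name, pw))
```

Entering the same string without the leading quote stays inside the string literal and does not bypass the check, which is why step 2 probes with a single quote first. The parse error the vulnerable version raises on a lone quote is also a useful detection signal for the defender: database errors surfacing from a login form are worth alerting on.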
Understand SQL Server Vulnerabilities
Here are some examples of variable field text you can use on a web form to test for SQL vulnerabilities:
■ Blah' or 1=1--
■ Login: or 1=1--
■ Password: or 1=1--
■ http://search/index.asp?id=blah' or 1=1--
These commands and similar variations may allow the bypassing of a login, depending on the structure of the database. When entered in a form field, the commands may return many rows in a table