SQL Injection Attacks

Dear readers,

In this month’s edition, we present various tutorials and guides about SQL injection attacks. It’s one of the most common web hacking techniques that can be highly effective. While reading articles you will take a closer look at different types of SQL, such as Blind SQL, SQL Server, NoSQL, and in each article you will learn how to perform an attack. For beginners, one of the first articles The ART of Injecting will give you a great explanation of the topic, along with a tutorial to show you how it works in practice. Don’t forget to check Reverse Shell and Privilege Escalation with SQL Injection, where the author demonstrates attacks on examples. Further articles have more advanced content, we especially recommend reading Exploiting Out-Of-Band (OOB) SQL injections in HTTP Headers and Time-based SQL Injection. Offensive security is a big part of this edition, however, we also have some articles that you will help you secure your system.

As we know SQL injection might destroy your database, how to protect yourself from it? In the article about detection and prevention, you will see examples of how you can stop this attack from happening or at least minimize the damage. Countermeasures of SQLi will give you an overview of the best methods to use to secure your database and explain how they work.

We also have two articles unrelated to SQL injection. Taking Over Employee Accounts and a simple IDOR is a write up about a Bug Bounty collected by the author. He discovered a flaw in the system and exploited it. Why IT Security Departments (alone) cannot guarantee Secure Applications is an interesting article that shows how cooperation between various departments can guarantee the safety of the company. How it increases the effectiveness when all teams work together and communication between them is clear.

We would like to send a big thank you to all contributors that joined this edition! Without you, this amazing issue wouldn’t be possible. Special thanks to all the reviewers and proofreaders involved in the process of creating this issue.

Enjoy the reading,

Hakin9 Editorial Team

---

TABLE OF CONTENTS

---

Reverse Shell and Privilege Escalation with SQL Injection

Joas Antonio

Attacks on web applications are quite common today, mainly due to the high migration of services to web applications, and when talking about the main vulnerabilities according to OWASP-TOP 10, many already think about the SQL injection attack, as it is a security breach that causes major impacts that many web applications around the world remain vulnerable to.

---

SQLi - The ART of Injecting

Staford Titus

No lab-setup is required to try out the following SQLi attacks since you are only going to make use of the Natas wargame available for free, though you would still need either Burp Suite or Zap for a few attacks that might prove futile on manual work. If you still, though, prefer to work in a lab environment, then you could download the Metasploitable virtual image that contains several labs you could try within Mutillidae and DVWA.

---

Time-based SQL Injection

Mukul Kantiwal

This paper is focused on understanding time-based SQL injection.  Time-based SQLi is considered one of the more difficult types of SQLi attacks in today’s world. The reason why it is considered an advanced form of SQL injection is because time-based SQLi is very difficult to find by any automated scanner present in today’s world and no one is interested to identify/exploit the vulnerability manually when they know that it is going to take a whole lot of time. I am not saying that the automated scanners cannot identify it but there are too many variables to consider working on time-based SQL injection using an automated scanner. For example, a delay in the response due to the network issues can sometimes cause a false positive for being a time-based SQLi.

---

Exploiting Out-Of-Band (OOB) SQL injections in HTTP Headers

Eduardo Parra San Jose

The idea of the article is not just making an informal introduction on how to perform out-of-band exploitation in MariaDB (MySQL), but also raising the awareness when it comes to test any kind of injection in HTTP Headers. The SQL injection we are going to exploit is in the User-Agent HTTP Header.

---

A Detection and Prevention Technique on SQL Injection Attacks

Mohammed Boulmalf, Anass Sebbar

The paper presents an approach that detects a query token with a reserved words-based lexicon to detect SQLIA. The approach consists of two highlights: the first one creates the lexicon and the second step tokenizes the input query statement and each string token was detected by a predefined word lexicon to prevent SQLIA. In this article, detection and prevention technologies of SQL injection attacks have experimented and the results are satisfactory.

---

Countermeasure of SQL Injection Attacks

Sunghyuck Hong

SQL Injection attacks are known as an easy technique, but countermeasures are easy. A lot of efforts are made to avoid SQL attacks on web pages that require a lot of logins, but some sites are still vulnerable to SQL attacks. Therefore, this study suggests effective defense measures through analysis of SQL hacking technology cases and contributes to preventing web hacking and providing a secure information communication environment.

---

SQL Server Database Encryption Choices

Sourav Mukherjee

To help protect the public rights and safety, the European Union had to come up with strict rules and regulations of GDPR (General Data Protection Regulation) this year. Now, this regulation is confined to the EU Economic Area and Territory. I’m sure other developed and developing countries will also bring their own territorial rules and guidelines sooner or later to strictly adhere to the data privacy rules in protecting confidential customer details. Anyway, this article is not related to the discussion about GDPR. The focus of this article is to talk about some of the excellent features developed by Microsoft to handle data encryption, that is, how to implement more security features to the SQL Server software bundle (except the last feature).

---

Blind SQL Injection Attack Algorithm

Satria Mandala, Aldebaran Bayu Nugroho

The process of generating a blind SQL injection attack is complicated. As a result, a pentester often requires a long time to penetrate the database server. This research provides solutions to the problems above by developing the automation of a blind SQL injection attack. The method used in this research is to generate keywords, such as the database name and table name so that the attacker can retrieve information about the username and password. This research also compares several search algorithms, such as linear search, binary search, and interpolation search for generating the keywords of the attack.

---

Taking Over Employee Accounts and a simple IDOR

Tushar Bhardwaj (Silent Bronco)

Hello everyone! In this article, I would like to present my bug bounty hunt and how I took over employee accounts and was able to place orders on behalf of the employee.

---

Why IT Security Departments (alone) cannot guarantee Secure Applications

Klaus Haller

Many business and IT professionals consider IT and information security as an incredibly important task – that someone else takes care of. Customers assume that the IT service provider is responsible. The business is sure that the IT department handles it. Software developers see the company’s IT security department in the lead. Such assumptions and mind-sets are dangerous. Every team has to know its responsibility, act accordingly, and collaborate with the rest of the organization.  Therefore, we provide a high-level overview of how various teams can work together to protect the organization’s IT infrastructure, data, and information.