Sunday, August 12, 2007

SQL injection is surprisingly easy

This Slashdot article talks about how the United Nations website was hacked via an SQL injection bug (as I write this, the defaced web pages have been removed but the SQL injection bug still exists). The article says that the existence of such an easily exploitable bug is "quite surprising to find in such a high profile site".

No, it's not surprising. SQL injection vulnerabilities are all over the Internet, including all over high profile sites. They are so prevalent that I will often do "real-time" hacking. During a presentation, I can find a completely new website and demonstrate that it's (almost certainly) vulnerable to SQL injection in under a minute.

The reason SQL injection works is that whereas most systems keep code and data separate, SQL mixes them in a single string. All a hacker needs to do is include some code of his own in the data he sends to a website, and that code runs against the database, letting him gain control of the website.

Such code often starts with the single quote (') character. SQL uses the quote as the boundary between code and data: whatever sits between a pair of quotes is a data value, and anything after the closing quote is code that it needs to run. Therefore, you can quickly tell if a website is vulnerable to SQL injection by simply typing a single quote in the URL or within a field on the webpage. Security professionals inadvertently find such sites all the time because the quote ['] key is right next to the [Enter] key on American QWERTY keyboards. (Curious security professionals make this typing error with unusual frequency :-).
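As an added illustration (not part of the original post), the following Python/sqlite3 snippet shows both halves of the argument above: a lookup built by string concatenation, where a stray quote in the "statID" value is parsed as SQL and produces a "quoted string not properly terminated"-style error, next to the same lookup with a bound parameter, where the quote is just another character in a data value. The table, column names and rows are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the "statID" lookup
    # described in the post; the rows are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stats (statID TEXT, title TEXT)")
    conn.executemany("INSERT INTO stats VALUES (?, ?)",
                     [("1", "Population"), ("2", "GDP")])
    return conn


def lookup_unsafe(conn, stat_id):
    # The user's value is pasted into the SQL text, so the database engine
    # sees it as code: a quote inside it ends the string literal early and
    # leaves an unterminated quoted string, which the parser rejects.
    sql = "SELECT title FROM stats WHERE statID = '" + stat_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, stat_id):
    # A bound parameter keeps the value out of the SQL text. The engine
    # compares it as a literal, so a quote cannot change the statement.
    sql = "SELECT title FROM stats WHERE statID = ?"
    return [row[0] for row in conn.execute(sql, (stat_id,))]


def probe(conn, stat_id):
    # The signal the post relies on: a parser error from the concatenated
    # query, versus a normal (possibly empty) result from the safe one.
    try:
        return ("ok", lookup_unsafe(conn, stat_id))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "1"))   # ['Population']
    print(probe(db, "1'")[0])       # error
    print(lookup_safe(db, "1'"))    # []
```

The parameterized version returns an empty list for the quoted value rather than an error, which is exactly why the probe in the post stops working once queries are parameterized.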

The above article points to the following webpage on the U.N.'s website:

In the picture, hackers have added a single-quote (') to the end of the last field "statID" in the URL. As you can see, the server responds with an SQL error message telling us it attempted to interpret that single-quote as code. Therefore, we can be fairly certain that this site is vulnerable to SQL injection. (Note that we cannot be absolutely certain without successfully hacking the site, but such error messages are 99.9% reliable in determining whether a website is vulnerable).

Let's do some real-time hacking. I went to Google and typed in "allinurl:statID" (using the same field as in the U.N. site). I went to the second result returned by Google, typed the single-quote (') character in the 'statid' field, and was rewarded with the following error message:
OraOLEDB error '80004005'
ORA-01756: quoted string not properly terminated
/app/contents.asp, line 1470

This is why people talk about "Google Hacking" - if you want to find a website to hack with SQL injection, you can use Google to find vulnerable websites for you. Curiously, the vulnerable United Nations website is the seventh result returned by my Google query. There appear to be many other vulnerable sites in the returned results, including one that might give me access to some SCADA systems.

One of the eternal mysteries of hacking is how it can be so easy. Hundreds of thousands of teenagers have the skills to hack these sites. You would therefore expect that such sites would have been hacked already, and once hacked, they would be fixed. Basic economics tells us that easily hacked websites should quickly be removed from the net, leaving only those that are hard to hack. Yet the evidence says otherwise. I really have no answer to this question.



mokum von Amsterdam said...

I wonder how many people will start whining about you showing something far too easy :P
SQL injection has been the preferred method of entry for about every second pen tester I come across. It is just one of those flaws that 'programmers' love to ignore.

random said...

Nice write-up Robert. I always thought that SQLi is some kind of voodoo magic :)

Anyway, I am wondering how the attackers actually inserted the message into the web site. What was the query they used? How did they find the right database table?

No, I will not re-deface the UN site :)

Unknown said...

For one, I think collectively there is a little more consciousness about the ramifications of hacking than there was, say, 10 or even 5 years ago. Random defacements and hacking just don't seem nearly as prevalent. Then again, most people don't care as much about that; it's not quite as funny and cool with peers who have "moved on." Zone-H may be better to see numbers on...

Or maybe public defacements are not as interesting as quiet data theft.

Maybe they are getting hacked, but they just fix the defacement without fixing the holes.

It is a good question, and it almost makes ya want more rogue kids poking at these easy holes so that those sites can become stronger...

c1p1 said...

I come from Indonesia; your presentation really surprised me :)

Seb said...

SQLi is indeed rampant. Some security firms put forward the figure of 70% of websites being SQLi-vulnerable. That is compounded by how unreactive website owners are - the number of flaws I've actually reported to webmasters that went completely under the carpet...
It's just one whole accident waiting to happen.

Meanwhile, I've been trying to educate a few people through a blog, not in the tone that "security vulns are there", but more in the exact details of them, how they work, and how to start securing stuff. Feel free to check it out.

Also, @LonerVamp: public defacement is obvious. Data leaks are not. Also, most SQL queries vulnerable to injections are SELECT queries, which are very easy to re-forge into something a bit more...dangerous.