SQL injection is a security exploit in which an attacker injects SQL parameters into a Web form, allowing he or she to send database queries and ultimately gain access. SQL injection is not a direct database problem but rather an application issue that indirectly affects your database systems. Then again, no matter how you look at it, it's still a database problem in the end.
Manual testing for SQL injection used to be the only way to determine if your database was vulnerable. Rooting through returned error messages, adding apostrophes and trying to guess database structure information was a long and arduous process. In fact, it was nearly impossible to do. It also didn't guarantee that you'd find all SQL injection vulnerabilities, much less be able to view or extract data.
Check out these resources for manual SQL injection testing:
- Step-by-step: Testing for SQL injection
- Advanced SQL injection testing for SQL Server applications
Several automated SQL injection tools are available to carry out attacks. Offering features from front-end Web application and database footprinting to vulnerability detection and the actual extraction of database tables, there are plenty of free and commercial hacking tools to choose from. Given the complexity of our information systems and the fact that we don't have unlimited time, using automated tools to find and exploit SQL injection is the only reasonable way to go about doing it.
If you have a Web application with a backend database that allows dynamic user input supported by ASP.NET, Java, or similar languages, odds are that it's susceptible to SQL injection. In typical ethical hacking fashion, what you can do is perform automated SQL injection attacks against your own systems to identify just what can be compromised from the outside world. No more "SELECT" this or "apostrophe" that – you can let your tools do the work for you.
Testing your own systems for SQL injection vulnerabilities in an automated fashion is a two-step process. Here's what you need to do:
Step 1: Scan for vulnerabilities
First, you must scan your site with a Web application vulnerability scanner to see if any input filtering or other SQL injection-specific holes exist. Since I'm always in a time crunch and need good reporting capabilities, I like using commercial tools such as Acunetix Web Vulnerability Scanner or WebInspect software from Hewlett-Packard (HP). Both are great at finding SQL injection holes. HP also offers a free tool called Scrawlr. There's also the Perl-based SQLiX tool – an open source SQL injection scanner supported by OWASP. An example of SQL injection vulnerabilities discovered by Acunetix Web Vulnerability Scanner is shown in Figure 1.
Figure 1. Acunetix Web Vulnerability Scanner (click to enlarge)
Step 2: Begin SQL injection
Once you determine whether or not your target system is vulnerable to SQL injection, your next step is to carry out the SQL injection process and determine just what can be gleaned from the database.
My favorite tool for automating the actual SQL injection process is HP's SQL Injector (which comes with WebInspect). You can also use Absinthe, shown in Figure 2.
Both tools allow you to perform basic and blind SQL injection. As a side note, both types of tests should be performed -- especially if basic SQL injection doesn't return any results. These tools can query and extract data very quickly in an automated fashion, easily dumping large tables in just a matter of minutes.
Other options include a free Web services testing framework from called Foundstone WSDigger from McAfee, Inc. that can generate basic SQL injection attacks against Web services. There's also Automagic SQL Injector, which you can use to perform automated SQL injection queries against SQL Server-based systems. Finally, if you want to get some hands-on practice outside of your live systems and learn more about SQL injection and other front-end Web application vulnerabilities that can lead to database compromise, I highly recommend you check out WebGoat and Foundstone's Hacme tools.
In the end, however, it doesn't matter which tools you use for automating your SQL injection tests as long as you're comfortable with how they work and are getting the expected results. Just do something -- the bad guys certainly are!
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored several books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.