Classification of SQL Injection vulnerabilities

22:42 30.12.2008

This is the English version of my article Classification of SQL Injection vulnerabilities.

SQL Injection vulnerabilities are serious and widespread in modern web applications, and they can lead to full compromise of web sites.

There are the following types of SQL Injection vulnerabilities:

  1. Reflected SQL Injection.
  2. Persistent SQL Injection.

Reflected SQL Injection - these are the regular SQL Injections, which commonly occur in web applications that work with a DB. To make an attack in the case of this type of SQL Injection, it's needed to send the vulnerable web application a request which contains the SQL commands for execution. Each new execution of the commands requires a new request.

Example of request (for retrieving information from DB):

http://site/script?id=-1+or+1=1

Example of request (for conducting DoS attack):

http://site/script?id=1+and+benchmark(10000000,benchmark(10000000,md5(now())))

Persistent SQL Injection, which I wrote about earlier - this is a new type of SQL Injection, which I found in December 2008. This type of SQL Injection is less widespread than reflected, but also occurs in web applications. To make an attack in the case of this type of SQL Injection, it's needed to send the vulnerable web application a request with SQL commands for execution, which are saved in the DB. After that they are taken from the DB and executed (i.e. not immediately during the request, but later, during the work process of the web application).

It's needed to send just one request; after that the SQL commands will be executed all the time (as long as they remain in the DB) during the work process of the system. Such SQL Injections are convenient for conducting attacks where constant execution of some code is needed, e.g. DoS attacks.
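As an added illustration (not code from the original article), the following Python snippet models both classes side by side, using sqlite3 in place of a MySQL backend. The reflected lookup concatenates the request parameter straight into SQL, so the injected condition runs in that same request. In the persistent flow the first request only stores the value (with a placeholder, so nothing executes yet), and a later background job concatenates the stored value into SQL, so the `or 1=1`-style condition fires on every run of the job until the row is removed. The table names, the pending-lookup queue, the sample users and the payload are constructed for the example; each vulnerable function is paired with its parameterized form.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original article).
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """In-memory DB with a users table and a queue of lookups to process later."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE pending_lookups (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", USERS)
    return conn


def reflected_lookup_vulnerable(conn, name):
    # Reflected: the request parameter is concatenated into the query, so any
    # SQL it carries runs immediately, during this request.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def reflected_lookup_safe(conn, name):
    # Hardened: the value is bound as data; it can never change the query shape.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def queue_lookup(conn, name):
    # First request of the persistent case: the value is only stored. The INSERT
    # itself is parameterized, so nothing executes now, but the text survives.
    conn.execute("INSERT INTO pending_lookups (name) VALUES (?)", (name,))


def process_queue_vulnerable(conn):
    # Background job: stored values are treated as trusted and concatenated
    # into SQL. Injected SQL in the queue therefore runs on every job run.
    results = []
    for (stored,) in conn.execute("SELECT name FROM pending_lookups").fetchall():
        sql = "SELECT name FROM users WHERE name = '" + stored + "'"
        results.append(sorted(row[0] for row in conn.execute(sql)))
    return results


def process_queue_safe(conn):
    # Hardened job: data read back from the DB is bound with placeholders too,
    # because "it came from our own database" does not make it trusted.
    results = []
    for (stored,) in conn.execute("SELECT name FROM pending_lookups").fetchall():
        rows = conn.execute("SELECT name FROM users WHERE name = ?", (stored,))
        results.append(sorted(row[0] for row in rows))
    return results


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed tautology, same idea as "or 1=1" above
    print("reflected, vulnerable:", reflected_lookup_vulnerable(db, payload))
    print("reflected, safe:      ", reflected_lookup_safe(db, payload))
    queue_lookup(db, "bob")
    queue_lookup(db, payload)
    print("persistent, vulnerable:", process_queue_vulnerable(db))
    print("persistent, safe:      ", process_queue_safe(db))
```

The point of the persistent half is where the fix has to go: the first request is already parameterized and still leads to injection, because the job that consumes the stored row is the one building SQL by concatenation. Reviewing only the request handlers would miss it.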

Example of request (for conducting DoS attack):

http://site/script?param=1+and+benchmark(10000000,benchmark(10000000,md5(now())))
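On the detection side, the request shapes shown above leave a recognisable trace in web server access logs. The following Python scanner is an added example, not part of the original article: it extracts the request URL from each log line, URL-decodes every query parameter (so `+` becomes a space and the SQL reads as it reaches the application), and flags two coarse indicators, a boolean tautology (`or 1=1`, `or 'a'='a'`) and a call to MySQL's `benchmark()`. The log lines, host, paths and addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (common log format); the query strings
# mirror the request shapes discussed in the article, plus a benign lookalike.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2008:22:42:01 +0200] "GET /script?id=17 HTTP/1.1" 200 512
10.0.0.9 - - [30/Dec/2008:22:42:05 +0200] "GET /script?id=-1+or+1=1 HTTP/1.1" 200 8192
10.0.0.9 - - [30/Dec/2008:22:42:09 +0200] "GET /script?id=1+and+benchmark(10000000,benchmark(10000000,md5(now()))) HTTP/1.1" 200 300
10.0.0.7 - - [30/Dec/2008:22:43:00 +0200] "GET /search?q=benchmark+results HTTP/1.1" 200 1400
"""

# Request target inside the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators applied to each decoded parameter value.
INDICATORS = {
    # "or X=X" / "and X=X" where both sides are the same bare token or quoted string
    "tautology": re.compile(r"\b(?:or|and)\s+(\w+|'[^']*')\s*=\s*\1", re.IGNORECASE),
    # benchmark() as a function call; the bare word "benchmark" is not enough
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.IGNORECASE),
}


def scan_log(text):
    """Return (path, parameter, [indicator names]) for each flagged parameter."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        # parse_qsl splits on & and the first =, and decodes %XX and + for us
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                findings.append((parts.path, param, hits))
    return findings


if __name__ == "__main__":
    for path, param, hits in scan_log(SAMPLE_LOG):
        print(f"{path} param={param!r}: {', '.join(hits)}")
```

Two caveats a practitioner would attach to this: POST bodies and headers are not in the access log, so the scanner only sees GET parameters, and the persistent case still needs the value to be traced from the request that stored it to the job that later executed it. The scan is a triage aid; the actual fix is parameterized queries on every path that touches the DB, including the ones that read data back from it.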

P.S.

In 2010 I published the article Encoded SQL Injection vulnerabilities, in which I described a new, third class of SQL Injection vulnerabilities, which I found in 2009.
