342 Chapter 14 ■ SQL Injection
Information Gathering
Understanding SQL is important to the process of gathering further and more detailed
information about a target. Being able to skillfully create and formulate SQL statements
lets you access and manipulate information far more effectively than you could without this skill.
In our earlier example, you used SQL code to determine the version and type of database
in your target. You also used code to generate error messages that allowed you to gather
more information about the environment. This information helps guide the later steps
and helps you determine how to better attack the database. You can find out what kind of
database is used, what version is being used, user privilege levels, and various other things.
Different databases require different SQL syntax.
Information from Error Messages
As you saw earlier, error messages can reveal information that may not be readily obvious.
It is through these error messages that additional attacks can be developed. In our example
you saw one way to extract information from error messages, but there are other methods
as well:
Grouping Error Messages
Use the HAVING clause to further refine a query by basing it on grouped fields. The
error message will reveal information about which fields in the database have not been
grouped:
' group by columnnames having 1=1 --
Type Mismatch
Try to insert strings into numeric fields; the error message will show you the data that
could not be converted:
' union select 1,1,'text',1,1,1 --
' union select 1,1,bigint,1,1,1 --
Blind Injection
Use time delays or error signatures to extract information:
if condition waitfor delay '0:0:5' --
1; union select if condition , 1 , 1 , 1 , 1 ;
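The leak these probes rely on, shown from the defender's side as an added example that is not code from this book: a string-built query hands the engine's own error text back to the caller, while a parameterized query treats the same input as plain data and reports only a generic failure. The table, rows and function names are constructed for the demonstration, and SQLite stands in for the target database.

```python
import logging
import sqlite3

log = logging.getLogger("db")


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> dict:
    """String-built query: on failure the raw engine error reaches the caller."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # This is the leak: the message describes the query's shape (here,
        # the column count of the SELECT the probe was appended to).
        return {"rows": [], "error": str(exc)}


def lookup_safe(conn: sqlite3.Connection, name: str) -> dict:
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    try:
        rows = conn.execute(
            "SELECT id, name, role FROM users WHERE name = ?", (name,)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        # Detail stays in the server log; the caller sees a fixed message.
        log.error("user lookup failed: %s", exc)
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    probe = "' union select 1 --"          # constructed probe, column-count mismatch
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("safe:      ", lookup_safe(db, probe))
```

With the probe above the vulnerable path returns SQLite's complaint about mismatched result columns, which is exactly the kind of detail the text describes harvesting; the safe path returns no rows and no error.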
Evading Detection Mechanisms
One mechanism that can protect databases is an intrusion detection system (IDS). An IDS
monitors network and host activity, and some can monitor database applications. IDSs are
effective at detecting activities that may indicate an attack.
To evade an IDS, you can use a multitude of techniques, each designed to fool an IDS
or to prevent detection by the device. In many cases IDSs use signature-based detection,
which means that many attacks will be crafted to avoid resembling known attacks. If an
attack matches a known pattern, it will trigger an alert to the administrator.
The most common way to avoid detection is through careful and deliberate
manipulation of input strings to thwart matching. Some common ways to do this include: