What is SQL Injection?
Exploiting the weakness of Server Side
Using SQL Injection techniques to gain access
to a system
SQL Injection Scripts
Attacking Microsoft SQL Servers
MSSQL Password Crackers
Prevention and Countermeasures
Introduction - SQL Injection
OLE DB Errors
The user-filled fields are enclosed in single quotation marks ('). So a simple test of the form would be to try using (') as
Let us see what happens if we just enter ' in a form that is vulnerable to SQL injection.
If you get this error, you can try SQL injection techniques.
Input Validation attack
An input validation attack as it occurs on a website
Login Guessing & Insertion
The attacker can try to log in without a password.
Typical usernames would be 1=1 or any text within
The most common problem seen on Microsoft MS-SQL boxes is the default blank sa password.
The attacker can try to guess the username of an account by querying for similar user names (e.g. 'ad%' is used to query for 'admin').
The attacker can insert data by appending commands or
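The single-quote probe from the OLE DB error slide and the quote-based login bypass described above, shown next to the hardened form and a wildcard-safe prefix search. This is an added example, not code from the original deck: SQLite stands in for Microsoft SQL Server, and the users table, the sample accounts and the function names are assumptions.

```python
import sqlite3

# Added example (not from the original deck). SQLite stands in for the
# Microsoft SQL Server the slides discuss; the "users" table with userName
# and password columns is constructed here, as the deck shows no schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userName TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "correct-horse"), ("adam", "battery-staple")])
    return db

def login_vulnerable(db, username, password):
    """The pattern the slides describe: user input is pasted between the
    single quotes of the SQL text, so a quote in the input rewrites the query.
    A raw database error is returned to the caller, just as the verbose
    OLE DB error page leaks it to the browser."""
    sql = ("SELECT userName FROM users WHERE userName='" + username +
           "' AND password='" + password + "'")
    try:
        return sorted(row[0] for row in db.execute(sql))
    except sqlite3.OperationalError as err:
        return "DB ERROR: " + str(err)

def login_parameterized(db, username, password):
    """Hardened form: placeholders hand the input to the driver as data.
    A quote, a semicolon or a comment marker in the input is only text
    to compare against, never part of the statement."""
    sql = "SELECT userName FROM users WHERE userName=? AND password=?"
    return sorted(row[0] for row in db.execute(sql, (username, password)))

def find_users_by_prefix(db, prefix):
    """Prefix search that neutralises the LIKE wildcards ('%' and '_') the
    slides mention, so a search for 'ad%' matches only names that literally
    begin with 'ad%' instead of enumerating every account starting with 'ad'."""
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = "SELECT userName FROM users WHERE userName LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in db.execute(sql, (escaped + "%",)))

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1 --", "x"))      # ['adam', 'admin']: every user returned
    print(login_parameterized(db, "' OR 1=1 --", "x"))   # []
    print(login_vulnerable(db, "'", "x"))                # raw database error text
    print(find_users_by_prefix(db, "ad"))                # ['adam', 'admin']
    print(find_users_by_prefix(db, "ad%"))               # []
```

The parameterized query is the primary control; the LIKE escaping only matters where a wildcard search over user-supplied text is actually intended, and it keeps the user's characters literal rather than trying to strip them.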
Shutting Down SQL Server
One of SQL Server's most powerful commands is SHUTDOWN WITH NOWAIT, which causes it to shut down, immediately stopping the Windows service.
Username: ' ; shutdown with nowait; --
This can happen if the script runs the following query:
select userName from users where userName='' ; shutdown with nowait; --' and
Extended Stored Procedures
There are several extended stored procedures that can
cause permanent damage to a system.
We can execute an extended stored procedure using our login form with an injected command as the username:
Username: ' ; exec master..xp_xxx; --
Username: ' ; exec master..xp_cmdshell 'iisreset'; --
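From the detection side, the following added example (not part of the original deck) scans web-server access log entries for the injected usernames quoted on the SHUTDOWN and extended-stored-procedure slides, after URL-decoding the query string the way the server would. The log lines are constructed, the log format is assumed to be Common Log Format, and the indicator names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed access log lines (not from the deck): one normal login and two
# requests carrying the injected usernames the slides quote, URL-encoded
# as a browser would send them.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2003:13:55:36 +0000] "GET /login.asp?username=alice&password=s3cret HTTP/1.1" 200 512
192.0.2.77 - - [10/Oct/2003:13:56:02 +0000] "GET /login.asp?username=%27+%3B+shutdown+with+nowait%3B+--&password=x HTTP/1.1" 500 221
192.0.2.77 - - [10/Oct/2003:13:57:41 +0000] "GET /login.asp?username=%27+%3B+exec+master..xp_cmdshell+%27iisreset%27%3B+--&password=x HTTP/1.1" 500 221
"""

# Indicators taken from the slides: statement stacking after a semicolon,
# SHUTDOWN WITH NOWAIT, master..xp_* extended procedures, and xp_cmdshell.
INJECTION_PATTERNS = {
    "stacked_statement": re.compile(r";\s*(?:shutdown|exec(?:ute)?)\b", re.I),
    "shutdown": re.compile(r"\bshutdown\s+with\s+nowait\b", re.I),
    "extended_proc": re.compile(r"\bmaster\s*\.\.\s*xp_\w+", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}

# Common Log Format: client, identity, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def scan_parameter(value):
    """Names of the indicators a single decoded parameter value matches."""
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(value)]

def scan_access_log(lines):
    """Decode each request's query string and report every parameter that
    matches an indicator as (client_ip, timestamp, parameter, indicators)."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            matched = scan_parameter(value)
            if matched:
                hits.append((m.group("ip"), m.group("ts"), name, matched))
    return hits

if __name__ == "__main__":
    for ip, ts, param, matched in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} parameter={param} indicators={','.join(matched)}")
```

The indicators are deliberately narrow and keyed to the strings on these slides. A legitimate value that happens to end in `--` also trips comment_terminator, so a request matching several indicators at once (as both injected requests do here) deserves more attention than a single hit; POST bodies are not in the access log, so this only covers parameters sent in the URL.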
SQL Server Talks!
This command uses the 'speech.voicetext' object, causing
the SQL Server to speak:
Hacking Tool: SQLDict
"SQLdict" is a dictionary
attack tool for SQL Server.
It lets you test if the
accounts are strong enough to
resist an attack or not.
Hacking Tool: SQLExec
This tool executes commands on compromised Microsoft SQL Servers using the xp_cmdshell stored procedure.
It uses the default sa account with a NULL password, but this can be modified.
USAGE: SQLExec www.target.com
Hacking Tool: sqlbf
Sqlbf is a SQL Server password auditing tool. This tool should be used to audit the strength of Microsoft SQL Server passwords offline. The tool can be used either in brute-force mode or in dictionary attack mode. The performance on a 1GHz Pentium (256MB) machine is around 750,000
To be able to perform an audit, one needs the password hashes that are stored in the sysxlogins table in the master database. The hashes are easy to retrieve, although you need a privileged account to do so, such as the sa account. The query to use would be:
select name, password from master..sysxlogins
To perform a dictionary attack on the retrieved hashes:
sqlbf -u hashes.txt -d dictionary.dic -r
Hacking Tool: SQLSmack
SQLSmack is a Linux-based remote command execution tool for MSSQL.
When provided with a valid username and password for a remote MS SQL Server, the tool allows commands to be executed by piping them through the stored
Hacking Tool: SQL2.exe
SQL2 is a UDP Buffer Overflow Remote Exploit hacking
Minimize Privileges of Database Connection
Disable verbose error messages
Protect the system account 'sa'
Audit Source Code
• Escape Single Quotes
• Allow only good input
• Reject known bad input
• Restrict length of input
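An added example (not from the original deck) of the four source-code checks listed above, together with the "disable verbose error messages" countermeasure applied at the point where a database error would otherwise reach the browser. The allowed character set, the 32-character limit, the deny-list tokens and the function names are assumptions made for illustration.

```python
import re
import logging

# Added example; the rules below are assumptions, not the deck's own code.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]+")        # "allow only good input"
MAX_USERNAME_LENGTH = 32                                  # "restrict length of input"
KNOWN_BAD_TOKENS = ("'", ";", "--", "xp_", "shutdown")    # "reject known bad input"

def escape_single_quotes(value):
    """T-SQL convention: a quote inside a string literal is written as two
    quotes. A fallback for legacy code that cannot use parameters."""
    return value.replace("'", "''")

def is_allowed_input(value):
    """Allow-list check: the whole value must consist of permitted characters."""
    return bool(USERNAME_ALLOWED.fullmatch(value))

def contains_known_bad(value):
    """Deny-list check, case-insensitive, for the tokens the slides quote.
    Secondary to the allow-list because deny-lists are always incomplete."""
    lowered = value.lower()
    return any(token in lowered for token in KNOWN_BAD_TOKENS)

def within_length(value, limit=MAX_USERNAME_LENGTH):
    """Length restriction: bounds both the database column and the attack surface."""
    return 1 <= len(value) <= limit

def validate_username(value):
    """Apply the checks cheapest-first; returns (ok, reason) so the caller can
    log why a value was refused without echoing the value back to the client."""
    if not within_length(value):
        return False, "length"
    if not is_allowed_input(value):
        return False, "disallowed characters"
    if contains_known_bad(value):
        return False, "known bad token"
    return True, "ok"

def user_facing_error(exc, log=logging.getLogger("login")):
    """Keep the real database error for the operator's log and hand the
    client a fixed message, so OLE DB / ODBC detail never reaches the browser."""
    log.error("database error during login: %s", exc)
    return "Login failed."

if __name__ == "__main__":
    for candidate in ("admin", "' ; shutdown with nowait; --", "a" * 40, "xp_cmdshell"):
        print(repr(candidate), "->", validate_username(candidate))
    print(escape_single_quotes("O'Brien"))       # O''Brien
    print(user_facing_error(Exception("Unclosed quotation mark before the character string")))
```

The deny-list rejects any username containing `xp_` or `shutdown`, so it produces false positives by design; that is the usual cost of "reject known bad input", which is why the allow-list runs first and why parameterized queries, not escaping, remain the control that actually separates data from SQL.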
SQL Injection is an attack methodology that targets the
data residing in a database through the firewall that
It attempts to modify the parameters of a Web-based
application in order to alter the SQL statements that are
parsed to retrieve data from the database.
Database footprinting is the process of mapping out the
tables on the database and is a crucial tool in the hands
of an attacker.
Exploits occur due to coding errors as well as inadequate validation checks.
Prevention involves enforcing better coding practices
and database administration procedures.