TEA Blog


What makes the threat of SQL injection attacks so dangerous is the ease in which they can be launched and how many are vulnerable to them.

Attackers often use large botnets to systematically seek out vulnerable to attack with little work being done on their part. Pair this with the fact that the number of sites vulnerable to this type of attack grows each year and it is clear to see why it remains at the top of the most critical vulnerabilities.


Even with the ease that an automated SQL injection attack can be carried if the attackers stood to gain nothing this threat would soon disappear. Unfortunately, those who successfully compromise vulnerable can find that this vulnerability can be quite profitable as they give the attacker access to the database so information can be sold or data can be deleted. More advanced techniques can also be used to give the attacker unrestricted access to the system through a backdoor. SQL injection can also be used in tandem with other exploits, such as cross-site scripting, to manipulate how data is displayed to a web sites visitors.

Not preventing SQL Injection attacks leaves your business at great risk of:

  • Changes to or deletion of highly sensitive business information.

  • Steal customer information such as social security numbers, addresses, and credit card numbers.

  • Financial losses

  • Brand damage

  • Theft of intellectual property

  • Legal liability and fines

How does an attacker compromise your SQL server?

Before a can be compromised, an attacker needs to find applications that are vulnerable to SQL injection using queries to learn the SQL application methods and its response mechanisms.

The attacker has two ways to identify SQL injection vulnerabilities:

1. Error messages: the attacker constructs the correct SQL syntax based on errors messages propagated from the SQL server via the front-end web application. Using the errors received, the hacker learns the internal SQL database structure and how to attack by injecting SQL queries via the Web application parameters.
2. Blindfolded Injection: this technique is utilized by hackers in situations where no error messages or response content is returned from the database. In these cases, the attacker lacks the ability to learn the backend SQL queries in order to balance the SQL injection query. In the lack of database content output within the Web application, the attacker is also challenged with finding a new way of retrieving the data.

Identifying the database

When the attacker knows how each database is reacting he or she can identify the database type and the server that is running it.

There are several techniques the attacker uses to identify database objects in statement.

Using a concatenation string:
1. select f1+f2
from t1
2. Using a semicolon or cash sign ($)

Compromising the SQL server

Once the attacker has all information he can build the exploit code.

Some techniques used to execute SQL Injection attacks are:

  • Terminating queries using quotes, double-quotes, SQL comments

  • Using stored procedures

  • Database manipulation commands such as TRUNCATE, DROP

  • Using CASE WHEN, EXEC to run nested queries

  • Utilizing SQL injection to create Buffer Overflow attacks within the database server

  • Delivering SQL queries via XML and Services

  • Blindfolded SQL Injection techniques:

- Blindfolded injection techniques using Boolean queries and WAITFOR DELAY
- Comparison queries using commands such as BETWEEN, LIKE, ISNULL

  • IDS signature evasive SQL Injection techniques:

- Using CONVERT & CAST commands to mask the attack payload Using Null bytes to break the signature pattern
- Using HEX encoding mixtures
- Using SQL CHAR() to represent ASCII values as numbers

For example, the attacker decides to go with a basic attack using:
1 = 1-

What happens when this is entered into an input box is that the server recognizes 1 = 1 as a true statement. Since - is used for commenting, everything after that is ignored making it possible for the attacker to gain access to the database. You can see precisely how this attack works on our SQL injection example page.

The Need to Avoid SQL Injection Attacks

SQL injection techniques have been around for over 10 years now, but recent years have seen a dramatic increase in both number of attacks and the extent of damage caused by them. In fact, a sweep of attacks in the second quarter of 2008 alone resulted in over 500,000 exploited web pages that were compromised to deliver password-stealing malware to users' computers. In more recent studies, security firms report attempted attacks reaching totals of 450,000 per day.

The tragedy is that these threats can be mitigated, or even prevented, with the proper tools and knowledge.

The attacker identifies vulnerabilities and obtains database access SQL (Structured Query Language) provides an interface to facilitate access to and interaction with a database. A database usually stores data in tables and procedures.

SQL Injection is a security exploit method in which the attacker aims at penetrating a back-end database to manipulate, steal or modify information in the database. The SQL Injection attack method exploits the Web application by injecting malicious queries, causing the manipulation of data. Almost all SQL databases and programming languages are potentially vulnerable and over 60% of websites turn out to be vulnerable to SQL Injection.

The threat posed by SQL injection attacks are not solitary. Combined with other vulnerabilities like cross-site scripting, path traversal, denial of service attacks, and buffer overflows the need for owners and administrators to be vigilant is not only important but overwhelming.


  • Stored procedure names

  • Comparison queries using commands such as BETWEEN, LIKE, ISNULL

  • Database manipulation commands such as TRUNCATE, DROP

  • Reserved words such as CASE WHEN, EXEC

  • Blindfolded injection techniques such as Boolean queries and WAITFOR DELAY

  • Database-unique attacks relating to Oracle, MySQL, MS-SQL

  • Signature evasion techniques such as using CONVERT & CAST

  • Buffer overflow attacks via SQL Injection

  • XML and Web-Services encapsulating SQL Injection techniques

  • Null byte signature evasion

  • HEX encoding mixtures for signature evasion

  • Using SQL CHAR() for signature evasion

  • Zero-day protection against MS-SQL stored procedure attacks such as MS08-040

ARTICLE SOURCE: This factual content has not been modified from the source. This content is syndicated news that can be used for your research, and we hope that it can help your productivity. This content is strictly for educational purposes and is not made for any kind of commercial purposes of this blog.