1. Introduction to Database Management Systems
In this section we’ll talk about the core concepts of databases. The basic concepts of a database and database management system will also discuss the different types of databases, database vulnerabilities and exploits we’ll discuss injecting database attacks. In other words, SQL injection, direct attacks, buffer overflows methods to secure the database.
2. Overview of Databases, Types of Databases, Relations of Databases
In this section we’re going to talk about database servers and the role that they play in storing our data and basically our information. Now, Database Server is an organized collection of data. Data are typically organized to model relevant aspects of reality in a way that supports processes requiring that information. For example, modeling the availability of rooms in a hotel in a way that supports finding a hotel with vacancies. A database schema is the layout of the physical structure of how the data is described and supported. It’s a formal language that’s supported by the database management system and refers to the organization of data as a blueprint of how a database is constructed.
In other words, a database is divided into database tables. In the case of relational databases, database management systems are specifically designed software applications that interact with the user or with the application that they’re used by, and the database itself to capture and analyze this data. A general purpose database management system is a software system designed to allow the definition, creation, querying, update and administration of databases. Well known database administration systems include MySQL, Mariadb, Postgres, SQL, SQL Lite, Microsoft SQL Server, Oracle SAP, Hana, Dbase, Fox Pro, IBM, DB Two, and the like.
A database is not generally portable across different database management systems, but different database management systems can interoperate by using standards such as SQL ODBC to allow a single application to work with more than one database. Database management systems were invented by a team lead at IBM called Dr. Edmund Cod. It was funded by IBM in the early 1970s and based on principles of relational algebra. Now of course, there are different types of databases. There are four main databases in a database management system and these are based upon their management of database structures. Here’s what’s called a hierarchical database management system.
A database management system is said to be hierarchical if the relationships among the data in the database are established in such a way that one data item is presented as subordinate to another item. Here, the subordinate means that the items have a parent child relationship among them. Then we have what’s called a network database management system. A database management system is said to be network database management. If the relations among data in a database are of a type mini to many, the relationships among many to many appears in the form of a network.
Thus, the structure of a network database is extremely complicated because these many to many relationships in which one record can be used as the key of the entire database. Then finally we have a relational database management system. A database management system is said to be relational or RDMs if the database relationships are treated in the form of a table. There are three keys on the relational database management system relation, domain and attributes. A network means it contains a fundamental construct sets or records contained to oneto many relationship records contain fields. Statistical table that is compromised of rows and columns is used to organize the database and its structure is actually two dimension array in the computer memory.
A number of relational database management systems are available. Some popular examples are Oracle Cybase ingress inframix Microsoft SQL Server and let’s don’t forget our flat type database, which could be likened to a spreadsheet. Let’s give you an overview of a database server. It’s going to consist of tables. Tables are a subset of a database. A database consists of one or more tables in relational databases and flat file databases. A table is an organized set of data elements, in other words, values using a model of vertical columns which are identified by their name and horizontal rows, the cell being the unit where the row and column intersect.
A table has a specified number of columns but can have any number of rows. Each row is identified by the values appearing in a particular column subset which has been identified as unique. Key index. A record set is a data structure that consists of a group of database records and can either come in the form of a base table or as a result of a query to that table. An attribute is a specification that defines a property of an object, an element or a file. It may also refer to the set, a specific value for a given instance of such. And finally, a domain describes the set of possible values for a given attribute and may be considered a constraint value on the attribute.
Data normalization is to reduce and even eliminate redundant data, an important consideration for application developers because it is incredibly difficult to store objects in a relational database that maintain the same information in several places. Finally, the language that we typically use to manipulate these is called SQL, or better known as a structured query language. It’s a special purpose programming language designed for maintaining data held in a relational database management system. A unique key, or primary key is a key that uniquely identifies the characteristic of each row. The primary key has to consist of characteristics that cannot be collectively duplicated by any other row. A foreign key is a field in a relational table that matches the primary key column of another table.
The foreign key could be used to cross reference tables. Foreign keys need not have unique values in the referencing relation. Foreign keys effectively use the attributes in the reference section to restrict the domain of one or more of the attributes in that referring section. In database theory, a view is a result of a set of stored query on the data which the database users can query just as they would in a persistent database collection. This pre established query command is kept in what’s called a database dictionary. So our relational databases where one primary key would look up a record where the foreign key is located. So this primary key would consist consist of these two records. This one would not have a corresponding record but this one would have one record.
3. View of DBMS, Injecting a DBMS, Why SQL Injection, SQL Connection Properties
Now, let’s quickly talk about the views of a database server or a database management system. A database management system provides three views of the database data. One called an external view, which defines how each group of end users sees the organization of the data in the database management system, a single database can have any number of views at the external level. The conceptual level identifies various external views into a compatible global view. It provides a synthesis of all external views, so it’s out of the scope of various database end users and it’s rather of interest to database application developers and database administrators. Now, the internal level or physical level is the internal organization of data inside a database management system.
It’s concerned with cost, performance, scalability and other operational matters. It deals with storage, the layout of data using storage structures such as indexes in order to enhance performance. Occasionally it stores data of individual views, in other words, a materialized view, one that’s computed from generic data. But really it’s the accumulation of the data in a various format so it can be easily viewed. It balances all the external views, performance requirements possibly conflicting, in an attempt to optimize overall performance across all activities. Lastly, we want to talk about the storage view, which is nothing more than how the data that’s in the database is stored on some type of media.
And we typically protect this with access control lists that are part of the storage media themselves. The whole reason that I explained all of this information is because of this concept. You had to have a better idea of an SQL Server or a database management system in order for you to understand what SQL Injection is. SQL Injection is a code injection technique used to attack data driven applications in which malicious SQL statements are inserted in an entry field for execution. In other words, the database management system has a hard time determining what is data and what is a command. This is the problem with a database management system. SQL injection must exploit a security vulnerability in the application software.
For example, when a user input is either incorrectly filtered for a string literal escape, characters embedded in the SQL statement or user input is not strongly typed and unexpected execution happens. SQL injection is known as an attack vector for websites, but can be used to attack any type of SQL database. Now, the primary way that we test this is by putting in a single quote. If you put in a single quote and you come up with some kind of an error, then you’re more than likely prone to a database injection. So in this example, we’re going to give you an example of code that could be running on the server.
So for example, I’m going to take the SQL statement, select name, phone address, bank details from a table called table logins where name is equal to some value and password is equal to some value. The white boxes refer to the user input fields of the database front end, although it’s actually a variable containing some value. So if I put in select name, phone address, bank details from table logins where name is equal to ampersand variable name and password is equal to ampersand variable name. The data that we put in there, if it’s not strongly filtered, I can put in an SQL command. For example, if I put in single quote or some true value because remember, the database management system is nothing but a boolean table. So it says is this true? It returns data, if it’s false, it doesn’t.
So single quote or something true semicolon which tells us to start a new command and bypasses the rest of the login authorization. So it never even sees this portion. So consequently this right here would be the primary way of injecting the database. So selecting the name, phone address, bank details from table logins where name is equal to nil or true, something or true is always going to be true semicolon starting a new command and comments out the rest of the line so it doesn’t get processed. So the server wants a balance between the value name and the user input. So we give it something true, one equals one. So that’s what it sees as a balance and logs a storm.
As the first account in the Table SQL injection has other possibilities that we’ll see in just a second. Now, every time we connect to a database we have to have some type of a login. This includes web front end, the page itself has to authenticate with a username and password. A lot of these properties determine the level of privileges that a user connects to the database with and therefore your privileges, your SQL statements are processed as. There was a huge flaw in Microsoft’s SQL Server where most database administrators connected with the SA account, which stands for Systems Administrator. The SA account, yes, it gave you full access to the database, but if it was injected, it gave the perpetrator full access to the database as well.
4. SQL Injection Types, Stored Procedures, Shutdown, Locating SQL, Sensitive Info
So here in this next couple of slides, we’re going to talk about the SQL injection types and the way I like to put it. There are three main types, but there are some subtypes as well, which we’ll talk about we can put in illegally or logically incorrect queries. We can do something called a union based query. We’re trying to put more than one table together and we can do something called lined SQL injection. Let me briefly explain each one. Illegal or logically based incorrect queries we typically know as error based SQL injection, where it returns an error and the error is what we actually use to determine things. As you’re going to see in just a few minutes, union based tries to put more than one database together to get it to reveal information.
And if we know that our errors are giving away information, we can turn the errors off or not let the users see these errors. Then we can use something called blind SQL injection. Some people may refer to this as inference. Blind SQL injection is typically used by basing timings on how something comes back. If it comes back. If something is true, we tell it not to come back for 10 seconds. If it’s false, come back immediately. And by inferring those two, we’re able to determine whether the statement is true or not. Now, if you think this is a little tedious, well, you’re right. We also have something called piggybacked queries. We put one query on top of another. Stored procedures which you’re going to see in a couple of slides can be very advantageous, or sometimes they can be very detrimental.
And then finally, alternate coatings. Let’s say, for example, we know that we are escaping some particular character. When I say escaping, I’m talking about filtering it out. We’re not allowing that character to be thrown down to the database. I could code it or say it in a different way. You might think of this as saying it in another language. So let’s say I typed in select star from login where user is equal to car open parent 39. Comma 97. Comma 39 closed parent. This is basically the same thing as doing an SQL injection, but in this case I may not have filtered those particular items out. So this is an alternate coding of the mechanism. Here’s where we have our extended stored procedures.
Now, stored procedures can be a very good thing if they’re used correctly and they allow the database server perform powerful functions like communicate with the operating system, do certain things for us. There are several extended store procedures that can cause permanent damage to our system as well. We can execute a stored procedure by using any input form with an injected command. Let’s say, for example, our web page is webpage ASP where city is equal to Edinburgh. All right, single quote semicolon which starts a new command execute master Dbo, XP command shell and we tell it to reset the SQL Server. This basically passes a Dos type command to the operating system.
And since the SQL Server runs under the administrator account, it has the power to do this. This all has to do with how we log in to the SQL Server, as we saw in a couple of slides before. So logging in as the proper user makes a huge difference. Another one that we could do at the stored procedure is SP make Web Task. What this is going to do is it’s going to simply do some web task. In this case, what I’m going to tell it is I want to execute a stored procedure, make web Task and write it to init pub route out htm and I want to select name password from Master dbo sysx logins, which is where we keep our user ID and password. Now when we do this, it will come back with nothing, but if we navigate out to out htm here, we have every user and every password in our table.
All we would have to do is take this into SQL, BF or Cane Enable or some other password cracking mechanism and crack the password hash. We can also shut down the SQL Server by using one of the very powerful commands called Shutdown with no weight. It causes it to immediately stop processing the Windows service, causing a denial of service attack. In here you can see semi quote start a new command shut down with no weight. Semicolon comment out the rest of the line. If it is set up correctly, this shouldn’t work. First off, we shouldn’t be able to run this command. Second off, the command should not have the power to be able to do this.
If we log in correctly as somebody other than, let’s say, SA account or Administrator account, we wouldn’t be able to do this. Also, if we filter out the command, we wouldn’t be able to do this as well. So it’s kind of a double edged sword. Now, in order to attack the database server, we have to find them. Most of our database servers operate on popular ports. Microsoft SQL Server operates on TCP port 1433 and UDP port 1434. You can hide the SQL Server. Not many people do this, but some do, which means it operates on TCP port 24 33 oracle 1521 MySQL 33 six Cybase 5000 SQL anywhere TCP 1498. So where do we typically keep sensitive information in our SQL Server? Well, we typically keep it in our tables that have our user IDs and passwords.
Now, there are actually three ways that you can connect, and I’m going to talk about Microsoft for just a moment. We can connect to the SQL Server itself using its master dbo Sysx logins. We can connect to a Sam database that’s in a workgroup, which would be using Microsoft’s Sam database account, or we can connect to one that’s in an active directory using microsoft’s Active Directory, and each one has its pros and cons. The pro for using the database table, if it’s used correctly, is we can limit what we want to do inside the database. We won’t have to rely as much on the operating system. If you get access to the Sam database, you’ve compromised that particular server.
But if you get access to the Active Directory, you could compromise the entire domain. And so there are different ways that we may want to do this. Now, Microsoft SQL Server keeps its information at the database level from master dbo Sysx logins. Oracle keeps it in Sys DB users, and MySQL keeps theirs in master dbo Syslogins. We can crack the password hashes once we obtain them with a number of different tools. Kenable is one. Oracle PWGS sqlbf. These are just some common password crackers that you can use. Finally, let’s talk real quickly about what we need to do to harden our database servers.
Now, as you can imagine, the database server itself is not the culprit of SQL injection. It’s the programmer or the systems administrator who has set it up. First thing we need to do only install what’s required change default usernames and passwords. Oracle if you install everything, it can have 600 default accounts and passwords, depending upon what’s installed. Microsoft, as we said, has the infamous SA account. This has diminished in recent years, but there are still a lot of SQL servers that are still using SSL and enforce password management, enable data dictionary protection, and then naturally, we need to filter out characters that could be nefarious.
