In the last couple of years, SQL injection attacks have become the favorite tactic of pentration testers, cyber criminals and script kiddies alike. But some researchers are taking the technique to a new level. At Black Hat Europe later this month, a British researcher will show off a tactic for using SQL injection to take control of the database behind the Web server.
As Kelly Jackson Higgins writes:
“SQL injection becomes a stepping stone to the real target: the operating system,” says Bernardo Damele Assumpcao Guimaraes, an IT security engineer based in London. “I will focus on exploiting SQL injection in a Web application to get control over the underlying OS,” in addition to the database software, says the researcher, who goes by the surname Damele .
SQL injection is a popular attack vector in Web applications, mainly because it’s one of the most common flaws found in these apps. Web application SQL injection attacks typically target client browsers, infecting them when the victim visits a compromised Website. Another SQL injection attack is on the database itself, via a Web application carrying that vulnerability.
But Damele’s new hack kicks SQL injection up a notch, using it as a first level of attack to gain control of the database server itself, as well as any systems connected to it. That includes other servers in the same LAN, plus the data in the database itself. His attack goes after MySQL, Microsoft’s SQL Server, and PostgreSQL running on Windows or Linux servers. “[This] possible scenario of attack for a SQL injection is the most overlooked and [under]researched,” he says.
The mass SQL injection attacks against thousands of legitimate Web sites last year showed just how prevalent this technique is and how many sites are susceptible to it. And researchers say that’s just the tip of the iceberg; there are hundreds of thousands more vulnerable sites on the Web that haven’t been attacked yet.