SQL injection attack show-and-tell

SQL injection has, for a long time now, found its way to the top places of the list of favorite attack vectors of cyber criminals. Its popularity is, without a doubt, due to the relative ease of use and high success rate.

For those who are not familiar with how an attack of this kind looks like in practice, here is an interesting story coming from Rafael Los, one of HP’s application security experts.

His tale begins at a typical educational lecture during which he was talking to a group of people about security vulnerabilities and possible financial consequences to the companies. He was trying to convince them that these thins are not just theory, but that they do exist in many online websites.

One of the listeners expressed doubt about his company’s developers doing a poor job at writing code. “Well, if these issues are so prevalent, let’s see if they exist on one of our sites,” another one said.

Los obliged. Being given a URL, it took him five seconds after loading the page to notice that something was wrong – the site presented an SQL error that was evidence that someone had already tampered with the site.

After being given the permission to continue, he added to the URL “the tell-tale test for SQL Injection, the single tick ‘ “, and the SQL statement failed and SQL explained how and why:

After that, he wanted to see if the SQL injection bug was exploitable, so after various tries, he struck gold with adding ” ‘ OR ‘1’ = ‘1 ” to the original URL, which didn’t result in an error, but gave him evidence that the database was “broken”.

Using an “SQL Injector” tool, he managed to download the entire database on his laptop. Having done this, he noticed that many of the fields in the database were changed, and the database and the website were distributing malware – a dropper script for the ZeuS bot:

Quite a wake-up call, don’t you think?