Chapter – 4 Classification Of SQL Injection Attacks

CHAPTER - 4
CLASSIFICATION OF SQL INJECTION ATTACKS

4.1 Introduction
Internet is increasing day by day at an exponential rate. Most of the businesses are done
through internet like online banking, communication, exams etc. To provide this
functioning security is also needed. Internet security plays an important role in these
functioning. Even though a fistful of knowledge about tools and techniques to protect
networks is available, marshaled information is still eluded. Many researchers have
discussed about Internet security attacks and SQL Injection. This situation hampers the
effectiveness of security [84]. This chapter thus is an attempt to categorize the SQL
injection and Internet security attacks in order to comprehend the attacks more gently.
The chapter presented in pattern to permits internet security attacks lie under different
classes of security attacks that help the developer to analysis or to avoid the causes of
occurrence attack in easiest and simplest way. Thus, the purpose of this chapter is to
represent an idea about Classification of Internet Security Attacks and SQL injection. I
have classified security attack into two main types: Passive attack and Active attack and
also categorize it further. The various techniques used in Interception which come under
passive attack viz. Release of Message Contents, Traffic analysis, Sniffing and Key
loggers. Active attack is categorized into three parts i.e. Interruption, Fabrication, and
Modification. The techniques that can be used under the heading interruption are DoS,
DDoS, DRDoS and SQL injection attack. Replay attack and masquerading are
techniques that lie under fabrication. The technique for Modification attack is man in the
middle attack. I also discuss the principles of security which help us to determine the
security threats and possible security to tackle them. The principles of security are
availability, accuracy, access control, confidentiality, integrity, identification &
authentication and non-repudiation. Each principle has its own importance. Thus
internet security threats will continue to be an issue as long as information is shared

58
 Chapter – 4 Classification Of SQL Injection Attacks

across the world using internet. The efforts to devise more security techniques will
continue in future to further improve the efficiency of e-commerce and communications.
4.2 Principle Of Security
The main principles of security are [84]:
4.2.1 Accuracy:
Information is accurate when it is free from flaws and it has the value that the user
expects.
4.2.2 Availability:
Computer resources accessible for and to authorized persons whenever required.
Resources are always available for authorized person to access the data.
4.2.3 Authentication & identification:
Authentication of information show’s that the given information is genuine or original
rather than fabrication. Information is authenticated when it is originally created, placed,
or transferred .The data’s receiver must be able to determine its origin.
4.2.4 Access Control:
In this principle, administrator provides control to other who should be able to access
“what”. For example user A can only read the database, but B can read as well as update
the database.
4.2.5 Confidentiality:
Any unauthorized person must not be able to access other’s data or other computing
assets.
4.2.6 Integrity:
It is related with the accuracy of data. Only authorized persons are enabled to create,
edit, and delete data as per agreed terms and conditions.
4.2.7 Non repudiation:
This principle does not allow the sender or a message to refute the claim of not sending
that message. It provides protection against denies by one of the entities involved in a
communication of having participation in part of communication.

59
 Chapter – 4 Classification Of SQL Injection Attacks

4.3 Classification of Internet Security Attacks

Figure 4.1 Classification of Internet Security Attacks

4.3.1 Passive Attack:

Passive attacks are those, where the attacker aims to obtain the information. They do not
wish to modify the content of original message. It is very difficult to detect as it does not
alter the data. Releases of message, traffic analysis, sniffing and key loggers are some
techniques of passive attacks [71][72].
Interception:
Interception is a type of attack that is done without the permission or knowledge of the
users. It breaks the rules of confidentiality in the principle of security. In simple words, I
can say interception causes loss of message confidentiality. It is a type of passive attack.
It is further categorize into two sub types i.e. Traffic analysis and Release of message
contents. It is of four types:-
I. Release of Message:
When you send a message to you friend, you want that only that person can read the
message. Using certain security mechanism, I can prevent release of message contents.
For example I can encode the message using algorithm.

60
 Chapter – 4 Classification Of SQL Injection Attacks

II. Traffic Analysis:

If many message are passes through a single channel then user get confused can give
some information to attacker as it think that message is come from the his party.
III. Sniffing:
Sniffing is a method to sniff the transferred data that was send by the sender. It just tries
to find out what type of message or data is transferred by sender without the permission
of sender.
IV. Keyloggers:
It is a program that runs in the background, recording all the keystrokes. Once
keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw
to the attacker. The attacker then peruses them carefully in the hopes of either finding
passwords, or possibly other useful information that could be used to compromise the
system or be used in a social engineering attack. For example, a keylogger will reveal
the contents of all e-mail composed by the user. Keylogger is commonly included in the
rootkits.[81]
4.3.2 Active Attack:
Active attacks are attacks which make some modification in the original message or
creation of some false message. These attacks are very complex and cannot prevent
easily. It can further categorize into 3 types: Interruption, Fabrication, and Modification.
Under these categorize Denial of service (DoS), DDoS, DRDoS, SQL Injection, Replay
attack, Masquerading, Man in Middle Attacks are some common attacks[71][72].
4.3.2.1. Interruption:
Interruption attacks are active attack. In this attack an authorized entity pretends to be
another entity. For example, there are three users A, B & C. User A might be pose as
user C and send a message to user B. User B believe that message came from user C.
Interruption puts the availability of resource in danger. It is classified into four types:
I. Denial of Service (DoS):
When a system receiving the requests becomes busy trying to establish a return
communication path with the initiator (which may or may not be using a valid IP
address) and remains in a wait condition due to which legitimate users are denied to
access.[73] [74][78].

61
 Chapter – 4 Classification Of SQL Injection Attacks

II. Distributed Denial of Services (DDoS):

On the internet, a distributed denial-of-service (DDoS) attack is one in which a
multitude of compromised systems attack a single target, thereby causing denial of
service for users of the targeted system. The flood of incoming messages to the target
system essentially forces it to shut down, thereby denying service to the system to
legitimate users [73][74][78].
III. Distributed DoS with Reflectors (DRDoS):
It consists a reflector that helps the attacker to execute a more effective and secure
attack. It results in increase of damage and decrease the risk of being traced back
[74][78].
IV. SQL Injection Attack:
SQL injection is a security vulnerability that occurs in the database layers of an
application. It is the act of passing SQL code into interactive web applications that
employ in database services [82].
4.3.2.2 Fabrication:
In this attack users use some accessing service, which they are not eligible for. It is
possible in the absence of proper authentication mechanisms [72][83][84]. Under these
two attack technique used.
I. Replay Attack:
A replay attack is a form of active attack in which a valid data transmission is
maliciously repeated or delayed. A attacker captures the authorized data and resends
them to his personal use. For example User A wants to transfer some amount to User
C’s Bank account. Both User A & C have account with Bank B. User A send a
electronic message to Bank B, requesting a fund transfer. User C could capture this
message, and send a second copy to Bank B but Bank B could not have idea that this is
an unauthorized message. Thus User C would get benefit of fund transfer twice. A
replay attack can be prevented using strong digital signatures that include time stamps
and inclusion of unique information from the previous transaction such as the value of a
constantly incremented sequence number.

62
 Chapter – 4 Classification Of SQL Injection Attacks

II. Masquerading:
Masquerading attack is a type of attack in which one system assumes the identity of
another. It’s a technique used by attacker to pretend himself as an authorized person in
order to gain access of confidential information in illegal manner [83].
4.3.2.3 Modification
Modification causes losses of integrity principle. For example a person did an online
transaction of Rs. 100. But the attacker hack this and modify it to Rs.1000. This is a
case of integrity. Under this attack technique is man of the middle attack [72][77][84].
Man of the middle attack:
It is abbreviated as MITM. It is an active internet attack that attempts to intercept, read
and alter the information hovering between the user of a public network and any
requested website. The attacker uses the illegally gained information for identity theft
and other types of fraud [77].
4.4 Classification of SQL Injection Attacks
SQL Injection is a method of exploiting the database of web application. It is done by
injecting the SQL statements as an input string to gain an unauthorized access to a
database. SQL injection is a serious vulnerability that leads to a high level of
compromise - usually the ability to run any database query. It is a web-based application
attack that connects to database back-ends and allows the bypass of firewall. The
advantage of insecure code and bad input validation is clinched by the attacker to
execute unauthorized SQL commands [85][86][87][88].
The objective of SQL Injection Attack (SQLIA) is to shaft the database system into
running harmful code that can reveal confidential information. Hence I can say that SQL
injection attack is an unauthorized access of database. In this chapter I tried an attempt
to classify the type of SQL Injection Attacks in order to enhance the security of database
[85].
I build an attack repository, to evaluate the classification scheme, by collecting SQL
injection attacks from white papers, technical reports, web advisories, hacker on-line
communities, web sites, and mailing lists. This repository can help the developer to
understand SQL injection attacks more thoroughly. It can also be used in the evaluation
of defensive coding practices and intrusion detection systems.

63
 Chapter – 4 Classification Of SQL Injection Attacks

Classification of SQL Injection Attacks

4.4.1 Order Wise:
4.4.1.1 First Order Injection Attack:
First-order Injection Attacks are when the attacker receives the desired result
immediately, either by direct response from the application they are interacting with or
some other response mechanism, such as email etc.
4.4.1.2 Second Order Injection Attack:
Second Order injection Attack is the realization of malicious code injected into an
application by an attacker, but not activated immediately by the application [89]. The
malicious inputs are seeded by the attacker into a system or database. This is used to
indirectly trigger an SQLIA which is used at later time. The attacker usually relies on
where the input will be subsequently used and thus crafts his attack. Second order
injection leaves a ticklish job of detection and prevention. This is because the point of
injection is different from the point where the attack actually manifests it.

Figure 4.2 Classification of SQL Injection Attacks

64
 Chapter – 4 Classification Of SQL Injection Attacks

4.4.1.3 Lateral Injection Attack:

This is a technique that is used to compromise Oracle databases remotely. The attack
exploits some common data types, including DATE and NUMBER, which do not take
any input from the user and so are not normally considered to be exploitable. The
database can be manipulated by an attacker just by using a bit of creative coding [90].
4.4.2 Classical SQL injection Attack:
The classical exploitation of SQL injection vulnerabilities provides an opportunity to
merge two SQL queries. This redeems the purpose to gain additional data from a certain
table. To access the information from the Database Management System would become
easier with the help of classical SQL injection [91].
4.4.3 Blind SQL Injection Attack:
When web application is vulnerable to an SQL injection but the results of the injection
are hidden to the attacker, blind SQLA is used. The displayed page may be different
from the original one. This depends on the results of a logical statement injected into the
legitimate SQL statement called for that page. The blind SQLIA allows the threat agent
to infer the construct of the database through evaluating expressions that are coupled
with statements that always evaluate to true and statements that always evaluate to false
[86][92]. The Blind SQL injection can further be classified as:
4.4.3.1 Standard Blind:
Sometimes it is impossible to exploit an SQL Injection vulnerability using classical
technique that involves application of <union> operator and separator<”;”>. In this
situation, Standard Blind SQLIA is implemented [91]. It allows one to write and read
files and get data from tables provided only the entries are read symbol-by-symbol. This
kind of attack can further be classified as:
4.4.3.1.1 Classical Based Blind SQL Injection:
This attack is based on analysis of true/ false logical expression. If the expression is true,
then the web application will return certain content, and if it is false, the application will
return content [91].
4.4.3.1.2 Error-Based Blind SQL Injection:
The error based blind SQL Injection is the quickest technique of SQL Injection
exploitation. The august of this method is that the valuable information of various

65
 Chapter – 4 Classification Of SQL Injection Attacks

DBMSs can be stored into the error messages in case of receiving illegal SQL
expression. This technique can be used if any error of SQL expression processing
occurred in the DBMS is returned back by the vulnerable application [91].
4.4.3.2 Double Blind SQL Injection:
Double blind SQL Injection is a technique in which all error messages and vulnerable
queries are excluded from the page returned by the web application and the request
results do not influence the returned page. Exploitation of this kind of vulnerability uses
only time delays under SQL query processing; i.e., it is false if an SQL query is
executed immediately, but if it is executed with an N-second delay, then it is true[91].
4.4.4 Against Database:
On the basis of attack against the database management system, SQL injection attack
can be classified as:
4.4.4.1 SQL Manipulation:
The most common type of SQL Injection attack is SQL manipulation. The attacker
attempts to modify the existing SQL statement [93]. This SQL manipulation attack can
be classified as:
4.4.4.1.1 Tautology:
The aim of a tautology-based attack is to inject code in one or more conditional
statements such that the evaluation is always true. In this type of SQLIA, an attacker
exploits an injectable field that is used in a query’s WHERE conditional i.e. the queries
always return results upon evaluation of a WHERE conditional parameter. All the rows
in the database table targeted by the query are returned while transforming the
conditional into a tautology. Example: In this example, an attacker submits “ ’ or 1=1 - -
” for the login input field (the input submitted for the other fields is irrelevant). The
resulting query is:
SELECT accounts FROM users WHERE
login=’’ or 1=1 -- AND pass=’’ AND pin=
The code injected in the conditional (OR 1=1) transforms the entire WHERE clause into
a tautology [87] [88] [94][95][96].

66
 Chapter – 4 Classification Of SQL Injection Attacks

4.4.4.1.2 Inference:
In this attack, the query is being modified into the form of an action which is executed
based on the answer to a true/-false question about data values in the database. In this
type of injection, attacker try to attack a site that is enough secured not to provide
acceptable feedback via database error messages when an injection has succeeded. The
attacker must use a different method to obtain the response from the database since
database error messages are unavailable to him. In this situation, the attacker injects
commands into the site and then observes how the function/response of the website
changes. By carefully observing the changing behavior of the site , attacker can
extrapolate not only vulnerable parameters, but also additional information about the
values in the database. Researchers have reported that with these techniques they have
been able to achieve a data extraction rate of 1B/s .
Example: Consider two possible injections into the login field. The first being
“legalUser’ and 1=0 - -” and the second, “legalUser’ and 1=1 - ”.These injections result
in the following two queries:
SELECT accounts FROM users WHERE login=’legalUser’
and 1=0 -- ’ AND pass=’’ AND pin=0
SELECT accounts FROM users WHERE login=’legalUser’
and 1=1 -- ’ AND pass=’’ AND pin=0
In the first scenario, the application is secure and the input for login is validated
correctly. In this case, both injections would return login error messages, and the
attacker would know that the login parameter is not vulnerable. In the second scenario,
application is insecure and the login parameter is vulnerable to injection. The attacker
submits the first injection and, gets a login error message, because it always evaluates to
false. However, the attacker does not know if this is because the application validated
the input correctly and blocked the attack attempt or because the attack itself caused the
login error. The attacker then submits the second query, which always evaluates to true.
If in this case there is no login error message, then the attacker knows that the attack
went through and that the login parameter is vulnerable to injection. [86][88][87].

67
 Chapter – 4 Classification Of SQL Injection Attacks

4.4.4.1.3 Basic Union Queries:

With this technique malicious user tricks the server to return data that were not intended
to be returned by the developers. In this attack, an attacker exploits a vulnerable
parameter to change the data set returned for a given query. Attackers do this by
injecting a statement of the form: UNION SELECT <rest of injected query>.Since the
attacker control the second/injected query completely, they can use it to retrieve
information from a specified table. The result of this attack causes the database to
returns dataset that is the union of the results of the original first query and the results of
the injected second query [86][87][88][94][96].
4.4.4.1.4 Piggy-Backed Queries:
In this SQLIA, attackers do not aim to modify the query instead; they try to include new
and distinct queries into the original query. This result database to receive multiple SQL
queries and can be proved extremely harmful. Example: If the attacker inputs “’; drop
table users - -” into the pass field, the application generates the query:
SELECT accounts FROM users WHERE login=’doe’ AND
pass=’’; drop table users -- ’ AND pin=123
After execution of first query, the database would recognize the query delimiter (“;”)
and proceed for the injected second query. The execution of second query would lead to
drop table ‘users’, which would likely damage valuable information
[86][87][88][94][96].
4.4.4.2 Code Injection:
Code injection attacks attempt to add additional SQL statements or commands to the
existing SQL statement. This type of attack is frequently used against Microsoft SQL
Server applications, but seldom works with an Oracle database [93]. This attack can be
classified as:
4.4.4.2.1 LIKE Queries:
The attacker attempts to manipulate the SQL statement using like queries.
Consequently, user input incorporated into a LIKE query parameter can subvert the
query, complicate the LIKE match, and in many cases, prevent the use of indices, which
slows a query substantially. With a few iterations, a compromised LIKE query could
launch a Denial of Service attack by overloading the database [85][98].

68
 Chapter – 4 Classification Of SQL Injection Attacks

Example: $sub = mysql_real_escape_string (“%something”); // still

%something
mysql_query (“SELECT * FROM messages WHERE subject LIKE ‘{$sub}%’”);
4.4.4.2.2 Column Number Mismatch:
To accumulate the knowledge of this type of injection, consider a random example. Let
the original query is:
SELECT product_name FROM all_products WHERE product_name like '&Chairs&'
Then the attack would be:
SELECT product_name FROM all_products WHERE product_name like '' UNION ALL
SELECT 9,9 FROM SysObjects WHERE ‘’ = ‘’
Above query would give errors that indicate that there is mismatch in the number of
columns and their data type in the union of SysObjects table and the columns that are
specified using 9. The error “Operand type mis-match” is mainly because the data type
mis-match in the Union clause caused by the injected string. Another error I might see is
“All queries in an SQL Statement containing a UNION operator must have an equal
number of expressions in their target list” is because the number of columns is not
matching. After multiple trial and errors a statement like this may succeed.
SELECT product_name FROM all_products WHERE product_name like '' UNION ALL
SELECT 9,9, 9,’ Text’, 9 FROM SysObjects WHERE ‘’ = ‘’
Result set of the above query will show all the rows in the SysObjects table and will
also show constant row values for each row in the SysObjects table defined in the query
[15].
4.4.4.2.3 Additional WHERE Clause:
The case arises where there may be additional WHERE condition in the SL statement
that gets added after the injected string.
SELECT firstName, LastName, Title from Employees
WHERE City = ’ “& strCity &” ‘ AND Country = ‘INDIA’ “
On the first attempt after injecting the string the resulting query would look like:
SELECT firstName, LastName, Title from Employees WHERE City = ‘NoSuchCity’
UNION ALL Select OtherField from OtherTable WHERE 1 = 1 AND Country = ‘USA’

69
 Chapter – 4 Classification Of SQL Injection Attacks

Above query will result in a Error Message like this: Invalid column Name ‘Country’
because ‘OtherTable’ does not have a column called ‘Country’. In case the backend is
MS SQL Server, the problem can be solved using “;--“ to get rid of the rest of the query
string [85].
4.4.4.2.4. Insert – Subselect Query:
The use of advanced insert query can help the attacker to access all the records of the
database.
Example: INSERT INTO tableName values (‘ “ ‘ + (SELECT TOP 1 Fieldname
FROM tableName ) + ’ ‘ , ‘xyz@xyz.com’ , ‘240402364’).
Where ever this information displayed to the user typically places like pages where the
users are allowed to edit user information. In the above attack the first value in the
FieldName will be displayed in place of the user name. If TOP 1 is not used , there will
be an error message “subselect returned too many rows”. Attacker can go through all the
records using NOT in clause [85].
4.4.4.3 Functional Call Injection:
Function call injection is the insertion of database functions into a vulnerable SQL
statement. These function calls can be used to make operating system calls or
manipulate data in the database [93]. This can be classified as:
4.4.4.3.1 Role Foundation:
Press Releases are provided through their portal in many companies. Typically the user
requests for a press release would look like:
http://www.somecompany.com/PressRelase.jsp?PressRealeaseID=5
The corresponding SQL statement used by the application would look like:
Select title, description, releaseDate, body from pressRelease WHERE pressRelaseID=5
All the information requested corresponding to the 5th press release is returned by the
database server. This information is formatted by the application in an HTML page and
provided to the user.
If injected string is 5 AND 1 = 1 and application still returns the same document then
application is susceptible to SQL injection attack [85].

70
 Chapter – 4 Classification Of SQL Injection Attacks

4.4.4.3.2 System Stored Procedures:

In this type of SQLIAs the attacker tries to execute stored procedures present in the
database. If the running backend server is known, the attacker perpetrates his attack to
exploit the stored procedure. If he is able to inject SQL string successfully then stored
procedures are no safer. The access to the system store procedures depends on the
access privileges of the application user on the database. Most of the time, output may
be absent on the screen as would in case of a normal SQL statement when a stored
procedure is executed successfully [85][86][87].
4.4.4.4 Buffer Overflow :
In several databases Buffer overflows have been identified. Some database functions are
susceptible to buffer overflows that can be exploited through a SQL injection attack in
an un-patched database. Most application and web servers are unable to handle the loss
of a database connection due to a buffer overflow. Usually, the web process hangs until
the connection to the client is terminated, thus making this a very effective denial of
service attack [93].

71