Does Your Web Site Do Math?

Posted: October 18, 2011 in Random pontifications
Tags: , , , ,

I know that I’ve been kind of lazy in posting lately. I’ve gotten sucked into the sappy, emotional whirlwind that is re-watching the remastered Neon Genesis Evangelion movies.

I know…I’m a complete dork (in case it wasn’t evident from reading anything else on this site). That being said, I’m slightly out of my funk and today I’m going to talk about SQL injection in web applications.

For this discussion we’re going to take a typical Ubuntu Server 10.04.3 with a LAMP stack and the WordPress content management system, and we’re going to illustrate how SQL injection works and why it’s important to defend against it.

What is SQL Injection

SQL injection is the art of injecting data into a DBMS back-end via a vulnerable application. Applications that do not properly validate user input to the database are vulnerable to SQL injection.

SQL injection can yield credentials, allow an attacker to alter content on a web site, and in more rare cases gain remote control of the system. SQL injection can be present in other applications besides web applications, for instance ProFTP is rather easy to configure with a SQL injection vulnerability.

SQL Injection in Practice

Below we will explore SQL injection on a vulnerable web application.

The vulnerable web app

So here we have a vulnerable web application, this is a pretty standard WordPress 3.1.2 install with a couple of addons. Addons are where most WordPress users get into trouble with their web application security.

typical wordpress install with a few plugins.

Here we are manually confirming our vulnerable application by making it throw an error by using the following query'

dbms giving an error due to failure to properly use encapsulating 's

Now we can complete the injection here using the following query.,current_user%28%29,version%28%29--

properly formed union select shows dbms user and dbms version

What did this yield?

As you can see from the last image we were able to determine the current user of the dbms and the dbms version. We could also attempt to use something like sqlmap to enumerate more data against this vulnerability

sqlmap blind sql injection

What does it look like from the victim’s point of view?

If you are the victim of this type of attack you will likely see something quite similar to this in your /var/log/apache2/access.log - - [18/Oct/2011:02:34:14 -0400] "GET /wp-content/plugins/gd-star-rating/export.php?ex=user%27%29%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%23%20AND%20%28%27wrWF%27%3D%27wrWF HTTP/1.1" 200 347 "-" "sqlmap/1.0-dev (r4009) ("

Defending against SQL Injection

The obvious method to defending against SQL injection is to write good code. Validate user input and make sure it is properly sanitized. Obviously, if you are not a software developer and simply a system administrator you have another alternative. If you are running Apache, you can use mod-security.

Mod-security is a web application firewall which will match potentially malicious queries against known dangerous activities and respond properly. This will effectively eliminate the threat of SQL injection in web applications, provided that your rules are sufficient to mitigate techniques used for bypassing web application firewalls.

To learn more about installing mod-security on apache under Ubuntu 10.04 click here.


SQL Injection is one of the most common attack vectors against internet facing web sites, it is a threat that should be taken seriously, and can be relatively easy countered by the use of a web application firewall. It occurs in even the most popular web applications (wordpress being the example).

I hope everyone has a great week!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s