SQL server attacks: mechanisms you must know

SQL server attacks are one of the most painful attacks organizations can suffer. An organization's database is one of its softest spots, with a wide surface area susceptible to attacks. This results in it being an attractive target of attackers. Neglecting your organization's SQL server security is equivalent to having a bomb ticking in your organization's IT infrastructure.

Adopting comprehensive security measures and following SQL security best practices are crucial for data security in organizations using Microsoft SQL Server databases.

In June 2023 there was an increase in unsecured MSSQL servers falling victim to the Mallox Ransomware attack. The ransomware group behind the attack, known as Mallox, targets unsecured MS-SQL servers to infiltrate victims' systems and distribute the ransomware.

There are different ways to protect your SQL server from firewalls to ensure secure configurations. This article will present two of the most popular attacks and database breaching methods: SQL injection and SQL Obfuscation.

How to Protect Your Microsoft Server

SQL injection:

SQL Injection is a code injection technique used to attack applications. It can be used in a range of ways to cause serious problems. Attackers can use tools, scripts, and even browsers to insert SQL statements into application fields. The statements are then executed by the database engine. Such attacks are usually used to:

Spoof identity
Tamper with existing data
Steal data
Destroy data
Change database permissions
Execute commands on the operating system.

The data behind an application is usually mission-critical, which is why SQL Injection attacks are considered very severe.

SQL Injection can be classified into three major categories - In-band SQLi, Inferential SQLi, and Out-of-band SQLi.

In-band SQLi (Classic SQLi)

In-band SQL Injection is the most common and easy-to-exploit of SQL Injection attacks. in this kind of attack, the attacker can use the same communication channel to both launch the attack and gather the results.

Inferential SQLi (Blind SQLi)

Inferential SQL Injection may take longer for an attacker to exploit; however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application. The attacker would see the results like in the in-band attack (which is why such attacks are commonly referred to as "blind SQL Injection attacks"). Instead, the attacker is able to change the database structure by sending payloads, observing the web application's response and the resulting behavior of the database server.

Out-of-band SQLi

Out-of-band SQL Injection attack depends on enabled features on the database server, thereby it is not very common. the attacker will choose this type of attack when he is unable to use the same channel to both launch the attack and gather the results. Out-of-band SQLi techniques would rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker.

SQL Obfuscation:

Obfuscation is one of the main tools for bypassing pattern-based security mechanisms such as web application firewalls (WAF). By tricking the firewall into thinking our attacks are legitimate traffic, we can successfully initiate, for example, an SQL injection attack without being detected by the WAF.

SQL obfuscation techniques are deployed to conceal malicious activities within SQL databases, making it challenging for security mechanisms to identify and thwart potential threats.

There are several methods that can be used to obfuscate our injections:

Fuzzers:

fuzzing is the process of finding hackable bugs by randomly feeding different permutations of data into a target program until one of those permutations reveals a vulnerability. It is important for firewall developers to be fully aware of all the database specifications and oddities. While some of them are documented, others can only be found through fuzzing. One example of peculiarities discovered through the use of fuzzers are the permitted whitespace characters for each type of database. Each different RDBMS allows a variety of different whitespace characters instead of the usual 0x20. By switching the standard whitespace with other allowed whitespace characters, the attacker can make his injection unrecognizable to certain firewalls allowing him to effectively bypass them.

Actively monitor failed logins and unusual database access patterns, as these might indicate attempts at SQL obfuscation through fuzzers. Implementing strong passwords and managing user accounts diligently further bolster the server database's defenses.

Hardening IIS server guide

Encodings:

Encodings are another tool to use when bypassing WAFs. The web application may see the data in one way, while the proxy, firewall or database might interpret the data differently. It is because of these discrepancies between layers that encodings may work to bypass the WAF.

URL encode- URL Encoding is used to transform "special" characters, so they can be sent over HTTP. Characters get transformed into their hexadecimal equivalent, prefixed by a percent sign.

Double URL encode- Applying URL encode two times on the characters.

Unicode encode- Unicode is an industry-standard for representing over 110,000 symbols and characters for a wide range of languages. This encoding generally works against IIS servers or applications built in ASP or .NET.

UTF-8 encode- UTF-8 is a form of encoding each one of the code points in the Unicode character set. The number of blocks required to represent a character varies from 1 to 4.

Nibble encode- a nibble corresponds to a single hexadecimal digit. Since every character from ASCII range 0-255 can be represented in 1 byte, we can URL encode the 4 most significant bits, the 4 least significant bits or both of them.

Invalid Percent encode- this method is specific to .NET/IIS applications. The percent sign is added in between nonvalid hex characters so that the IIS will strip them and make the data valid. Any firewall that is unaware of this IIS behavior, won't change the percent sign. This will allow mangling the SQL syntax, making it undetectable to the firewall.

Invalid Hex encode- this method isn't exactly an encoding method. It is a way of affecting how applications convert hexadecimal to decimal. This method creates invalid hex that has the same decimal value as valid hex.

It's crucial for those in sysadmin roles to understand encoding methodologies and be proficient in writing SQL queries that are secure and resilient to obfuscation attacks, thereby safeguarding the SQL database.

SQL Security Best Practices for SysAdmins

Your SQL doesn’t have to be the breaking point of your network. Basic SQL security best practices starts with hardening it by configuring it in the most secure fashion. Not so complex when you have a small infrastructure, but extremely difficult in organizations with tangled IT infrastructure.

Here are four of the most fundamental and critical SQL security best practices:

Least Privilege Principle: Grant users and applications the minimum necessary permissions to perform their tasks. Avoid giving excessive privileges to prevent unauthorized access or unintended data modifications.

Parameterized Queries: Use parameterized queries or prepared statements to prevent SQL injection attacks. This practice ensures that user input is treated as data and not executable code, making it more difficult for attackers to manipulate SQL statements.

Regular Updates and Patching: Keep your database management system (DBMS) and related software up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by attackers, so patch management is crucial.

Data Encryption: Implement encryption to protect data both at rest and in transit. Use technologies like SSL/TLS for securing data in transit and mechanisms like Transparent Data Encryption (TDE) for protecting data at rest.

Changing the server’s configurations might result in production outages. In order to avoid it, dependencies in the system must be understood. But even after testing the outcomes of every change, mistakes might happen that will lead to damaging application function. CalCom Hardening Suite (CHS) solves this problem for you. With CHS you can implement your desired policy directly on your production. CHS will learn your system’s dependencies and will do the impact analysis for you. After implementing the policy, CHS will ensure you avoid configuration drifts by informing you about any unauthorized change in the server.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.