Chapter 8. Performing Database Attacks


As a general rule, the most successful man in life is the man who has the best information.

Benjamin Disraeli

Practically every successful company in existence uses a database. Having the ability to store information about your business in some kind of logical order means that answering a question like "How many laptops do we have in stock?" does not involve going out to the store room and physically counting them or rummaging through a pile of delivery notes and purchase orders to get the answer.

Databases are everywhere. Every time you use a search engine, call Directory Assistance for a phone number, or buy clothes in a department store, you are indirectly accessing and perhaps updating data held in a database.

A database in its simplest terms is a container to hold data. It is physically structured into one or more files, but to the user, the data is presented as tables containing rows and columns. (See Figure 8-1.)

Figure 8-1. Logical View of a Database Table


To retrieve data, a user or process uses a programming language called Structured Query Language (SQL), which can address the data by its rows and columns. For example:

SELECT Manufacturer, Model, Memory FROM Laptops WHERE Price < 1000

From the table in Figure 8-1, you can see that this query returns the Manufacturer, Model, and Memory columns from the Laptops table for every row whose Price column holds a value of less than 1000.

You might expect the results to look something like this:

Manufacturer   Model           Memory
Acer           TravelMate      256
Dell           Inspiron        512
Sony           Vaio            512

Often, a database is not queried directly by a user typing SQL statements, but by running an application that sends SQL queries to the database in response to a user action. If you were to visit a website that sold laptops online, you might use a search facility to view details of the laptops you are interested in. In the Maximum Price field, you enter 1000 and click Go, which tells the web application to submit a SQL statement to the database.
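The laptop search just described, as an added example that is not from the book: a constructed in-memory Laptops table standing in for Figure 8-1 (the figure is not reproduced here, and the prices are invented), the page's query run against it, and the two ways a web application might build that query from the Maximum Price field. The naive version pastes the field text into the statement, so whatever was typed reaches the database's SQL parser; the hardened version validates the field and binds it as a parameter.

```python
import sqlite3

# Constructed sample data standing in for the Laptops table of Figure 8-1.
# Columns: Manufacturer, Model, Memory (MB), Price. Prices are invented.
LAPTOPS = [
    ("Acer", "TravelMate", 256, 899),
    ("Dell", "Inspiron", 512, 949),
    ("Sony", "Vaio", 512, 999),
    ("IBM", "ThinkPad", 1024, 1599),
    ("Apple", "PowerBook", 1024, 1999),
]


def open_db():
    """Create an in-memory database holding the sample Laptops table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Laptops (Manufacturer TEXT, Model TEXT, "
        "Memory INTEGER, Price INTEGER)"
    )
    conn.executemany("INSERT INTO Laptops VALUES (?, ?, ?, ?)", LAPTOPS)
    return conn


def search_unsafe(conn, max_price):
    """Naive web application: the Maximum Price field is concatenated into the
    SQL text, so the database parses the user's input as part of the query.
    A non-numeric entry such as "abc" is seen as a column name and raises
    sqlite3.OperationalError, which shows the input reached the SQL parser."""
    sql = "SELECT Manufacturer, Model, Memory FROM Laptops WHERE Price < " + max_price
    return conn.execute(sql).fetchall()


def search_safe(conn, max_price):
    """Hardened form: check the field is a whole, non-negative number before the
    database sees it, then pass it as a bound parameter (the ? placeholder) so
    the value can never be interpreted as SQL."""
    price = int(max_price)  # raises ValueError for anything but a whole number
    if price < 0:
        raise ValueError("Maximum Price must not be negative")
    sql = "SELECT Manufacturer, Model, Memory FROM Laptops WHERE Price < ?"
    return conn.execute(sql, (price,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    for row in search_safe(db, "1000"):
        print(row)
```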

Note

The current ANSI standard is SQL:2003. However, the National Institute of Standards and Technology abandoned conformance testing in 1996. Since that time, the standard has become less effective.


Although variations exist in the SQL syntax that different database engines support, these variations comply loosely with an underlying standard: ANSI SQL-92. Table 8-1 lists some common and useful SQL commands.

Table 8-1. Common SQL Commands

Command            Description
ALTER DATABASE     Alters the properties of the database
ALTER TABLE        Alters a database table by adding, removing, or changing columns
CREATE TABLE       Creates a new database table
CREATE PROCEDURE   Creates a new stored procedure
CREATE SCHEMA      Creates a schema within a database
DELETE             Deletes one or more rows of data from a table
DROP DATABASE      Permanently removes an entire database and all its contents from the server
DROP PROCEDURE     Deletes a stored procedure
DROP TABLE         Deletes a database table
INSERT             Adds one or more rows to a database table
SELECT             Selects columns from one or more tables for viewing
UPDATE             Changes existing data in a database table


A database is fundamentally designed to make it easy for a user to retrieve the data he needs. To be of use, a database must present some kind of "window to the world." Unfortunately, this can also leave the database exposed to a hacker with time on his hands and a little SQL knowledge.

Databases are susceptible to attack for several reasons:

  • Data theft: Probably the most obvious reason someone would attack a database would be to get his hands on the data it contains. Credit card details are undoubtedly stored in a database table, and that data is of interest. However, database hacking also plays a part in industrial espionage. Other data, such as customer lists that can be highly valuable to a competing business, is similarly at risk.

  • Data manipulation: Besides stealing data to use or sell, changing the data that an organization holds is useful. Being able to boost your bank balance, clear off credit card debt, or maybe give yourself a pay raise are just some of the things that would be financially beneficial to you. The commercial gains of damaging competitor data could be huge.

  • Denial of service (DoS): A database is often the foundation on which a business is built. You can achieve DoS in several ways, including deleting or amending data, removing user accounts, or shutting down a database server completely.

  • System-level exploitation: Databases can be a backdoor to other systems on a network. Database systems such as SQL Server offer several routes for the would-be hacker not only to attack and compromise the database, but also to gain administrative access to the server and ultimately to the whole network.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209
