SQL Injection IDS using snort

sammy_k
8 min read, Jul 31, 2023

SQL Injection, also known as SQLi, is a type of application attack that falls under injection attacks in the OWASP Top 10 vulnerabilities list. It basically involves a user passing in arguments/input that alter the final query that will be executed on the database.

Other types of injection attacks are:

  • Code injection
  • Command injection
  • ORM injection

IDS (Intrusion Detection System) is a system used to monitor anomalies in a network and give a notification when it detects them. This helps security personnel identify any suspicious activity and act accordingly. For greater efficiency, an IPS (Intrusion Prevention System) is integrated into the network. The advantage of an IPS is that it not only gives alerts when it detects abnormal activity but can also be configured, based on a policy, to perform some action on behalf of the security personnel.

In this part we will set up a simple IDS that will be used to monitor and alert on any type of SQL injection attack, whether performed manually or by using tools to automate the process.

To accomplish this, we will make use of Snort, which is an open-source Network Intrusion Detection System (NIDS). More on Snort:

To begin with we require 3 machines…

  1. The attacking machine (Kali Linux).
  2. The machine which will host Snort (Ubuntu).
  3. The machine with the web application we will be attacking (Metasploitable web server).

For this activity, I have installed the three machines in a virtual environment (VMware). Feel free to use any hypervisor of your choice, e.g. VirtualBox.

Procedure:

Step 1: Installation of snort

We will begin by checking whether Snort is installed and, if it is not, installing the latest version. Check the version by typing the version command shown below on the machine where Snort is installed (the Ubuntu machine). The following command can be used to install Snort.

sudo apt install snort

NB: During the installation of Snort it will prompt you to set the network address range whose traffic you want it to capture. Ensure you enter the correct address, otherwise it will not function properly. However, this can be changed later, as we will see.

snort --version

The output on your machine may not be exactly the same as the image shown in figure 1.1.

Figure 1.1: Snort Version

Step 2: Setting up Snort

Upon installing Snort, it comes with a preconfigured configuration file, /etc/snort/snort.conf, which references the rule sets it loads. The file can be accessed either through the terminal or via a GUI.

To access it using a GUI, install nautilus, which you will run as root.

sudo apt install nautilus → installs nautilus

sudo nautilus → runs nautilus as root.

Running the above commands will open a window as shown in figure 2.1 below.

Figure 2.1

Click on Other Locations, then click on Computer, after which it will display a list of directories. Locate the etc directory and open it, then locate another directory called snort. Open that directory; it should contain contents similar to those shown in figure 2.2 below.

Figure 2.2

NOTE: Before proceeding to make any changes, make a copy of the snort.conf file. You will then have an extra file by the name snort(copy).conf, as seen above. The purpose of the extra copy is to act as a backup that you can restore if you break the original.

Step 2 a): Setting the network address

After successfully completing the above, open the snort.conf file and locate the line with the statement "Step #1: Set the network variables", then navigate to the line reading ipvar HOME_NET any. Edit the line by replacing the word any with the network address range from which you want Snort to capture traffic. The final result should appear as shown in figure 2.3 below:

Figure 2.3

After successfully doing this, save the changes made and exit.

Step 2 b): Validating the configuration

Open a new terminal and type the following command as the root user:

snort -T -c /etc/snort/snort.conf

This command validates the configuration. The output should appear similar to the image shown in figure 2.5.

Figure 2.4

After running the above command:

Figure 2.5

This shows that Snort has validated the configuration changes we have made.

Step 2 c): Starting Snort

We will now set up Snort to listen for traffic; it will give alerts according to the preconfigured rules.

On a new terminal, type the following command to start Snort:

sudo snort -A console -q -c /etc/snort/snort.conf -i ens33

  • -A specifies where the alerts should be sent. In this case, the output will be displayed on the console/terminal.
  • -q runs Snort in quiet mode, suppressing the banner and status output.
  • -c specifies the path to the configuration file.
  • -i specifies the network interface on which Snort listens.

Step 3:Testing

Navigate to the attacking machine (Kali Linux) and perform a basic nmap scan against the machine running Snort. The output should look close to the one shown in figure 3.1 below.

Figure 3.1

From the above, we see that Snort is functioning as expected. With this we can now add our custom rules to detect any attempted SQL injection attack.

Step 4: Configuring custom rules in Snort

To configure custom rules, use the same method used to access the snort.conf file, but this time open the directory named rules, which is in the same location as the snort.conf file, as shown in figure 2.2. Locate the file named local.rules and open it. This is where we are going to add our own custom rules.

Below are the rules you will add in the file. (Feel free to add other rules of your choice).

Further information about how to write snort rules:

# Rule to detect possible SQL injection using inline comments.
alert tcp any any -> any any (msg:"Possible SQL Injection - Inline Comments Detected"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/"; http_uri; pcre:"/\?.*(--|#|\/\*)/"; sid:1000001;)

# Rule to detect boolean-based SQL injection
alert tcp any any -> any any (msg:"Possible Boolean-based Blind SQL Injection Attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/"; http_uri; pcre:"/\?.*(\bselect\b|\bunion\b|\band\b|\bor\b)(?:[^=]*=){2}[^&]*'/i"; sid:1000002;)

# Rule to detect manual injection
alert tcp any any -> any 80 (msg:"Possible SQL Injection - UNION keyword detected"; flow:to_server,established; content:"UNION"; nocase; http_uri; sid:1000003;)

# Rule to detect manual injection using a specific keyword
# (parameter and malicious_keyword are placeholders; replace them with the values you want to match)
alert tcp any any -> any 80 (msg:"Possible Manual Injection detected"; flow:to_server,established; content:"GET"; http_method; content:"?parameter=malicious_keyword"; http_uri; sid:1000004;)

from the above,

  • sid is the unique identifier for each rule. Snort reserves sids up to 1000000 for its own bundled rules, so we begin our custom rules with sid:1000001;
  • Assigning two rules the same sid will result in an error.
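To see which of the four rules above fire on a given request, here is an added Python model of their matching logic (it is not part of the original post and is not Snort code): it re-expresses the content/pcre checks as regexes over the URI and runs them against constructed request lines shaped like the step 5 form submission. It assumes that Snort's http_uri buffer is the normalized, percent-decoded URI, and the Mutillidae parameter names are an assumption.

```python
import re
from urllib.parse import unquote_plus

# The four local.rules signatures from this post, re-expressed as Python regexes over the
# request URI. Snort's http_uri buffer is the normalized (percent-decoded) URI, so the matcher
# decodes the raw URI before matching; pass normalize=False to see what raw matching would miss.
# Entries: (sid, rule also requires the GET method, compiled pattern)
RULES = [
    (1000001, True, re.compile(r"\?.*(--|#|/\*)")),                      # inline comment markers
    (1000002, True, re.compile(r"\?.*(\bselect\b|\bunion\b|\band\b|\bor\b)"
                               r"(?:[^=]*=){2}[^&]*'", re.IGNORECASE)),   # boolean-based blind
    (1000003, False, re.compile(r"UNION", re.IGNORECASE)),                # UNION anywhere in URI
    (1000004, True, re.compile(r"\?parameter=malicious_keyword")),       # placeholder literal
]

def match_rules(request_line, normalize=True):
    """Return the sids that fire on a request line such as 'GET /x?y=1 HTTP/1.1'."""
    method, uri = request_line.split(" ", 2)[:2]
    if normalize:
        uri = unquote_plus(uri)  # approximates http_inspect URI normalization
    return [sid for sid, needs_get, pat in RULES
            if (method.upper() == "GET" or not needs_get) and pat.search(uri)]

# Constructed request lines (not captured traffic), shaped like the Mutillidae user-info form
# submission from step 5, with that step's two payloads percent-encoded as a browser sends
# them. The parameter names are an assumption.
FORM = ("/mutillidae/index.php?page=user-info.php&username={p}&password={p}"
        "&user-info-php-submit-button=View+Account+Details")
PAYLOAD_OR = "%27+OR+%271%27%3D%271+--+"                                  # ' OR '1'='1 --
PAYLOAD_UNION = ("%27+UNION+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL"
                 "%2CNULL+--+")                                           # ' UNION SELECT NULL,... --
SAMPLES = {
    "benign login": "GET " + FORM.format(p="alice") + " HTTP/1.1",
    "or payload": "GET " + FORM.format(p=PAYLOAD_OR) + " HTTP/1.1",
    "union payload": "GET " + FORM.format(p=PAYLOAD_UNION) + " HTTP/1.1",
    "benign hyphens": "GET /search?q=pre--release HTTP/1.1",             # rule 1 false positive
    "benign docs": "GET /docs/union-types.html HTTP/1.1",                 # rule 3 false positive
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:15} normalized={match_rules(line)} raw={match_rules(line, normalize=False)}")
```

The two benign samples show that rules 1 and 3 fire on ordinary hyphenated or "union"-containing URIs, so expect to tune them for your own application's traffic; the raw-versus-normalized comparison shows why rule 2's literal quote only matches after URI decoding.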

After adding the above, save the file, then repeat step 2b to validate the configuration and step 2c to start Snort capturing traffic with the custom rules in place.

Step 5: Performing the SQL Injection Attack

In this section, ensure your Metasploitable web server is running. Get its IP address, enter it in a browser on the Kali machine, then access the Mutillidae web application.

Figure 5.1
Figure 5.2

After this, access the SQLi - Extract Data lab by navigating to OWASP Top 10, then A1 Injection, SQLi - Extract Data, User Info. A page similar to figure 5.3 will be loaded.

Figure 5.3

We will begin by testing whether Snort will detect a manual injection attack. To do this, ensure that Snort is running, then navigate to the above page, type a SQL payload in the name and password fields and check the alert that Snort gives.

In this case a simple payload like ' OR '1'='1 -- is entered in both input fields.

Figure 5.4

On clicking View Account Details, Snort generates alerts based on the custom rules we set, as shown in figure 5.5.

Figure 5.5

Try another payload, this time using the UNION keyword:

Payload: ' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL -- (apply to both input fields.)

With this payload Snort generated more alerts, as shown in figure 5.6 below.

Check that you can see the alerts from the custom rules you added.

Figure 5.6

Hurray! We have successfully created a simple IDS to detect SQL injection.

Feel free to add your own rules, and try using tools such as sqlmap to perform SQL injection and see whether any alerts are generated.

Written by sammy_k

CTF Player, Jr. Pentester, Security Analyst
