SQL injection with a HEX code is a code injection technique which exploits a security vulnerability that occurs in the database layer of the Application. The vulnerability will occur when the user input is either incorrectly validated for the given input string and embedded in SQL statements or the user input is not strongly typed and unexpectedly executed. HEX code SQL injection attacks are also known as SQL insertion attacks.
An attacker can inject a malicious code into your Application in many ways and using Hex code is one of them. For testing purposes, let’s take a SQL query and convert it into Hex code, using the below link:
When we type the URL given below in the Browser, then the screen depicted below will populate, where you can write your own SQL query and if you click on the “Convert” button, then it will give you the Hex code for the given SQL query.
Varchar to Hex
- select cast(cast('select * from Table_DETAILS where PO_NUMBER = 1'' update Table_DETAILS set DESCRIPTION= ''santosh111'' where PO_NUMBER = 1--/' as varchar(max)) as varbinary(max))
Output
In the same way, you can do the reverse engineering as well, which means you can use the URL given below to convert Hex code to Varchar using,
Hex to Varchar
- selectcast(cast(0x73656c656374202a2066726f6d20504f5f5452414e53414354494f4e5f44455441494c5320776865726520504f5f4e554d424552203d2031272075706461746520504f5f5452414e53414354494f4e5f44455441494c5320736574204445534352495054494f4e3d202773616e746f73683131312720776865726520504f5f4e554d424552203d2031202d2d as varbinary(max)) as varchar(max))
Output
- select * from TABLE_DETAILS where PO_NUMBER = 1' update TAABLE_DETAILS set DESCRIPTION= 'santosh111' where PO_NUMBER = 1
A hacker can execute such an injected malicious code in many ways, the sample code is shown below:
- Declare @S VARCHAR(MAX)
- SET @S =(selectcast(cast(0x73656c656374202a2066726f6d20504f5f5452414e53414354494f4e5f44455441494c5320776865726520504f5f4e554d424552203d2031272075706461746520504f5f5452414e53414354494f4e5f44455441494c5320736574204445534352495054494f4e3d202773616e746f73683131312720776865726520504f5f4e554d424552203d2031202d2d as varbinary(max)) as varchar(max)))
- EXEC(@S)
Prevention mechanism
To protect from this kind of injection into your Application, you can use the URL given below to build a regular expression to validat a few special characters and few reserved keywords, as depicted below:
Input character | Meaning in Transact-SQL |
; | Query delimiter. |
' | Character data string delimiter. |
-- | Comment delimiter. |
/* ... */ | Comment delimiters. Text between /* and */ is not evaluated by the server. |
> | |
< | |
% | |
Or | |
xp_ | Used at the start of the name of a catalog-extended stored procedures, such as xp_cmdshell. |
sp_ | |
exec_ | |
To validate the above special characters and the reserved keywords, use the URL given below to form custom regular expressions to validate the above input fields and test with all the inputs to make sure the created regular expression behaves as expected.
http://regexr.com/
Lets say you have created a few regular expressions, as per your need, to validate few special blocked characters and tested with the URL given above to validate and make sure that the created regular expressions behaves as expected. Now, you want to validate a page input control for the blocked characters with the multiple regular expressions. To provide a fix for this kind of requirement, it depends on what kind of the project you are selecting. Let's say you are going to create a new MVC Application, or you have an existing Application which is designed using MVC Application.
To provide a fix for this kind of requirement, we know that MVC supports the data annotation feature and mostly we are using strongly typed views in MVC Application. Hence, it is very easy to provide a fix for this kind of requirement with the steps given below:
Step 1: Create a custom attribute to validate the multiple regular expressions, as shown below:
Step 2: Create a model class and apply the created custom attribute for an Email field, as shown below:
If you want to provide a validation for this kind requirement inan AngularJS Application, then you can do it with the steps given below:
Step 1
Step 2: Now, call the created AngularJS method in your HTML page to validate the control with the code snippet, shown below:
One more good way to protect such injections is given below:
Using QUOTENAME() to Protect Against SQL Injection
QUOTENAME is a function which has been available since SQL Server 2005. This function returns a unicode value with the delimiters added to make the input value; a valid SQL Server delimited identifier.
EX:
The output for this query is as below,
String Default_QuoteName QuoteName_WithQuote Long_String
SQL Server [SQL Server] ‘SQL Server’ NULL
Use of QUOTENAME function to Protect Against SQL Injection
Let me show you a sample SQL Injection. Here is the sample query to demonstrate SQL Injection, shown below:
After you execute the Script code, given above, table t1 will be dropped from the database.
Now, to protect from this kind of injection, use QUOTENAME function.
By using QUOTENAME function, the result will be a single string rather than breaking with ;. Since the complete query will be treated as a single string, the drop table statement will not execute as a separate query.
Note
QUOTENAME functions returns NULL, if the input string has more than 128 characters. For that, you can use the REPLACE function, instead of QUOTENAME function, in order to replace the characters like ; and ' space.