Chapter 3. SQL Server – Stored Procedure Attacks
Information in this Chapter
The acronym SQL actually stands for Structured Query Language, which is the standard programming language utilized to access and manipulate databases. For example, from a security perspective, you probably have heard of “SQL Injection”[A] as a form of attack against SQL databases. Because of the name SQL Server, you may think that this is a Microsoft-specific vulnerability; however, the SQL in SQL Injection is actually referring to the language rather than Microsoft's product. This makes it a valid attack against all databases that allow SQL queries rather than a vulnerability specific to the Microsoft product.
A SQL Injection is discussed in detail in Mike Shema's Seven Deadliest Web Application Attacks (Syngress, ISBN: 978-1-59749-543-1) and Clarke's, SQL Injection Attacks and Defense (Syngress, ISBN: 978-1-59749-424-3) as well as in conjunction with stored procedures later in this chapter.
Microsoft's SQL Server application has been around for a long time and has become more secure with each new release. Although SQL Server has had many versions, there are really only five versions that you may run into today; these are versions 6.5, 7.0, 2000, 2005, and 2008. As you would expect, each version has its own quirks, which include both features to use and vulnerabilities that can be exploited. In all cases, the Microsoft developers have included the ability to leverage reusable code to perform functions through the use of procedures stored within the database application itself. In the SQL Server world, these pieces of reusable code are known as stored procedures.
Stored procedures are a series of SQL statements that perform predefined tasks. This programming style is based on creating programming code to perform some specific task or function and storing it for use by your programs. This saves the developer's time and effort when writing new programs because instead of having to repetitively write all of the code to perform some task, they are able to call existing functions to get the desired results.
alt1 Note
Like so many other Microsoft products, SQL Server did not begin its life with Microsoft. Sybase was the original author of SQL Server and Microsoft was brought in with Ashton-Tate as partners to assist in porting it to OS/2. Ashton-Tate eventually stepped aside and Microsoft ended up porting the product to Windows NT on its own. In 1993, the partnership agreement between Microsoft and Sybase ended. Sybase continued development for UNIX, eventually renaming it to Adaptive Server Enterprise (ASE) with Microsoft keeping the original name for its Windows-only product.
Think about it in terms of your real life. Washing clothes used to be a time-consuming and boring task. To wash your incredibly prolific T-shirt collection featuring the characters of Star Trek: The Next Generation (or “TNG” as the cool insiders call it), you would have had to fill up a tub with water and soap; drop in your “Picard > Kirk,” “What happens on the Holodeck, stays on the Holodeck,” and “Just say NO to assimilation” T-shirts and wash them in the soapy water (usually by rubbing each one against a wash board to get out all of the dirt, grime, and salsa stains); then refill the tub with clean water and rinse each individual T-shirt to get out the soap. Today, you just drop these clothes into a machine that performs all of the washing functions by just turning it on. Not only does this save you the effort of having to wash the clothes yourself, it also provides you with a repeatable process that you can now use for your set of Battlestar Galactica gym shorts.
By implementing stored procedures, the developer is not only able to perform a specific task or function with a single call, but also able to increase the performance of their applications. This is the case because instead of sending a long query string to the database over a network, the developer sends a short statement, which executes the stored commands locally on the server. Finally, since stored procedure calls are embedded into many precompiled programs, the developer can change the results of many programs by just changing the programming of the stored procedure itself.
In addition to providing the ability for developers to create and store their own procedures for reuse, SQL Server comes prepackaged with stored procedures from Microsoft that allows a user to administer the database itself. These well-known procedures should specifically concern you as a security practitioner rather than custom-stored procedures created by your own database administrators (DBAs) or developers. Although custom procedures can be just as powerful as those provided by Microsoft (or well-known applications that run on top of SQL Server), attackers generally don't want to waste time figuring out what these functions are until all other avenues of attack have failed. Discovering you are running SQL Server, however, or an application that relies on SQL Server and stored procedures for its own use, the attacker may identify an attack vector he can use to either steal data directly from the database or escalate his privileges.