Weitere ähnliche Inhalte
Ähnlich wie How to Hack Your App Using SQL Injection (20)
Kürzlich hochgeladen (20)
How to Hack Your App Using SQL Injection
- 1. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
How to Hack Your App
Using SQL
Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily
www.youtube.com/c/TheMagicofSQL
blogs.oracle.com/sql
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 2. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
It's2018!
...do we really need to talk about this?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 3. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 4. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 5. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
http://www.bbc.co.uk/news/technology-34963686
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 6. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-
400-000-fine-for-failing-to-prevent-october-2015-attack/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 7. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
SQL Vulnerabilities
Wordpress Jan 2017
https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Jul 2017
https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/
Oct 2017
https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 8. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
codecurmudgeon.com/wp/sql-injection-hall-of-shame/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 9. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
https://haveibeenpwned.com/
- 10. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DEMO
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 11. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 12. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 13. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 14. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Principle of
Least
Privilege
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 15. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Least Privilege
- 16. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Least Privilege
- 17. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
Least Privilege
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 18. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Data
Red*****n
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 19. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Data
Red*****n
Can still
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 21. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = '" + name + "'
and password = '" + pass + "'";
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 22. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = 'chris';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 23. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = '' or 1 = 1 --'
and password = 'chris';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 24. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = '' or 1 = 1 --'
and password = 'chris';
Always
true!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 25. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = '' union all
select owner || '.' || table_name
from all_tables where 1='1';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 26. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = '' union all
select owner || '.' || table_name
from all_tables where 1='1';
Everything you
can select
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 27. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 28. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
Value
placeholder
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 29. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
Value
placeholder
Inputs never part of SQL =>
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 31. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
begin
select *
into user_rec
from sqlinjection.users u
where u.username = l_name
and u.password = l_pass;
end;
These are
bind variables
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 32. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
execute
Pixabay
Least Privilege
plsql f (x)
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 33. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I write dynamic
SQL
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 34. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users where 1 = 1 ";
if param_1 is not null then
sql = sql + " and c1 = ? ";
end if;
if param_2 is not null then
sql = sql + " and c2 = ? ";
end if;
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
can still bind
- 35. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
…but I accept
identifiers
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 36. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Sanitize input!
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 37. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Sanitize input!
Pixabay
DBMS_assert
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 38. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Change User Passwords
execute immediate 'alter user ' ||
dbms_assert.schema_name ( user ) ||
' identified by "' ||
replace(
dbms_assert.enquote_literal ( pass ), ''''
) || '"';
Can't have single
quotes (') in password!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 39. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I develop an
internal app
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 40. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Gratisography
employees
can has
your dataz?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 41. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
How secure is
your network?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 42. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 42
Web Browser Web Server Database
SSL
TDE
Encryption
here is
overkill,
right?
Transparent
Data
Encryption?
SSL?
- 44. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 44
Web Browser Web Server Database
SSL
TDE
Native
Encryption
See doc for more details
- 45. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I don't have time
to review all
code
- 46. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Test
Deploy
Build
Run sqlmap
Test in CI/CD Process
- 47. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Virtual Private Database
Restrict access at source
Employee Name Manager Name Salary SSN
Kevin Mourgos Steven King 5800 650-123-5234
Shanta Vollman Steven King 6500 650-123-4234
Payam Kaufling Steven King 7900 650-123-3234
Adam Fripp Steven King 8200 650-123-2234
Matthew Weiss Steven King 8000 650-123-1234
Girard Geoni Matthew Weiss 2800 650-507-9879
Martha Sullivan Matthew Weiss 2500 650-507-9878
Jean Fleaur Matthew Weiss 3100 650-507-9877
Winston Taylor Matthew Weiss 3200 650-507-9876
Steven Markle Matthew Weiss 2200 650-124-1434
- 48. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Virtual Private Database
Restrict access at source
Employee Name Manager Name Salary SSN
Kevin Mourgos Steven King
Shanta Vollman Steven King
Payam Kaufling Steven King
Adam Fripp Steven King
Matthew Weiss Steven King 8000 650-123-1234
Girard Geoni Matthew Weiss 2800
Martha Sullivan Matthew Weiss 2500
Jean Fleaur Matthew Weiss 3100
Winston Taylor Matthew Weiss 3200
Steven Markle Matthew Weiss 2200
- 49. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
How at risk am I?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 50. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DBSAT
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 51. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DBSAT
My Oracle Support 2138254.1
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 52. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
PL/SQL
Least Privilege
Data R*******n
Bind Variables
Sanitize inputs
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Security Layers
- 53. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
It's2018!
no excuses...
... your data!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
- 54. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Gratisography
sqlmap.org
#MakeDataGreatAgain
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon