The document discusses SQL injection exploitation. It begins with an introduction of the presenter and an overview of topics to be covered, including what SQL injection is, what an attacker can do with it, tools to exploit it, safe places to practice, and how to prevent it. It then defines SQL injection as a web application vulnerability where an attacker can run database commands through a vulnerable web application. The document demonstrates SQL injection with an example and discusses how an attacker could read and write database records, bypass authentication, and compromise the server. It recommends tools for discovery and exploitation, suggests the Samurai Web Testing Framework as a safe target practice environment, and shows an exploitation demo. It concludes with recommendations for developers, administrators, and test
2. SQL Injection in the News
SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 2
3. Who am I?
◦ Infosec Engineer / Pentester
◦ NoVA Hacker
◦ PwnWiki.io Curator
◦ Recon-ng module Writer
◦ SANS Instructor (SEC542)
◦ Hiker / Backpacker
Novahackers.com
4. Great Expectations
◦ What is SQL Injection (SQLi)?
◦ What can an attacker exploiting SQLi do?
◦ Tools to exploit SQLi
◦ Appropriate places to practice SQLi exploitation
◦ Demo of SQLi exploitation
◦ How do you prevent SQLi?
5. What is SQL Injection (SQLi)?
◦ Web application vulnerability
◦ Attacker runs commands on the database server through the vulnerable web app
[Diagram: "SQLi here" (the web app) "gets an attacker in here" (the database server)]
6. This is SQL Injection
Normal URL
◦ http://example.com/user.php?name=admin&password=a
◦ Web application sends the following SQL to the database:
◦ SELECT * FROM accounts WHERE user='admin' AND password='a'
◦ Returns 1 record
SQL Injection Example URL
◦ http://example.com/user.php?name=admin' or 1=1 -- &password=a
◦ SELECT * FROM accounts WHERE user='admin' or 1=1 -- ' AND password='a'
◦ Returns all records: "or 1=1" is always true, and "--" comments out the rest of the WHERE clause (including the password check)
7. Would SQLi Exploitation in License Plates Actually Work?
8. What can an attacker do?
Not all SQL injection is the same – some allow greater access
Things an attacker can do by exploiting SQLi
◦ Inside the database server
◦ Read records in databases / Steal records (Confidentiality/Authorization)
◦ Write to records in databases (Integrity)
◦ Delete records in databases (Availability)
◦ Circumvent authentication (if SQLi is found in the authentication mechanism)
◦ On the database server’s underlying system
◦ Read/Write files to/from the server file system
◦ Execute commands on the server operating system
◦ Compromise the server
◦ Pivot into internal network and attack other systems
12. Preventing SQLi through Education
System Administrator
◦ Ensure database is running as a user/service account with least privilege
◦ Ensure operating system and applications are patched and hardened
Database Administrator
◦ Ensure each application has its own account in the database
◦ Ensure each account has the explicit permissions required for the app
◦ Ensure the server is hardened and risky options are disabled
Application Developer
◦ Sanitize, filter and validate all data before sending to database
◦ Use SQLi-prevention mechanisms (parameterized queries, stored procedures) correctly
Testing
◦ Perform security assessments, penetration testing, against your systems
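As an added example (not code from the talk), the slide-6 login query written both ways in Python with the standard-library sqlite3 module: the string-concatenated form returns every account for the `admin' or 1=1 -- ` input shown earlier, while the parameterized form passes the same input as a literal username and matches nothing. The accounts table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a few sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "pass")],
    )
    return conn


def login_vulnerable(conn, name, password):
    # The user-controlled values become part of the SQL text itself, so a
    # quote in `name` ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT * FROM accounts WHERE user='{name}' AND password='{password}'"
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    # Placeholders: the query text is fixed and the driver binds the values
    # separately, so they are only ever compared as data.
    sql = "SELECT * FROM accounts WHERE user=? AND password=?"
    return conn.execute(sql, (name, password)).fetchall()


def compare(name, password):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    return (len(login_vulnerable(conn, name, password)),
            len(login_parameterized(conn, name, password)))


if __name__ == "__main__":
    # Legitimate login: both forms return exactly one record.
    print("normal:   ", compare("admin", "s3cret"))
    # The slide's payload: 3 rows from the concatenated query, 0 from the
    # parameterized one.
    print("injected: ", compare("admin' or 1=1 -- ", "a"))
```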
SANS Administrator:
◦ SEC464 – Security Baseline
SANS Developer:
◦ DEV522 – Defending Web Apps
◦ DEV536 – Secure Coding
SANS Defender:
◦ SEC434 – Log Management
◦ SEC440 – Crit. Sec. Controls
◦ SEC502 – Perimeter Protection
SANS Attacker:
◦ SEC504 – Hacker Techniques
◦ SEC542 – Web App Pentest
◦ SEC560 – Net Pentest
13. Questions?
Resources
◦ Information about web app vulnerabilities, how to test and remediate - OWASP – http://owasp.org
◦ SQL Injection Cheat Sheet - http://websec.ca/kb/sql_injection
Key Testing Tools
◦ Sqlmap - sqlmap.org
◦ Docs are on the http://github.com/sqlmapproject/sqlmap/wiki page
◦ SamuraiWTF
◦ http://www.samurai-wtf.org and http://sourceforge.net/projects/samurai/files/
My Blog: http://webbreacher.blogspot.com
Editor's notes
As a senior infosec engineer, I mentor junior staff.
They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?”
I tell them…