7/28/2019 SQL Inections Issa
1/31
6/21/2013 SQL Injections Intro. Greg Bugaj, SCJP
ISSA DC 405
Agenda
Disclaimer
What are SQL Injections
Intro to SQL
Attack Vectors
Bypassing Filters / Demos
Countermeasures
Questions
Disclaimer
All code shown today is for educational and research purposes only
In many countries it is illegal to use this type of attack
Owners of the websites demonstrated have been notified of the problem
Basic SQL
Select
Insert
Update
Delete
Union
SQL statement breakdown
SQL - Select
1. Select Information from a table
SELECT * FROM table where field=1
SQL - Insert
1. Add new records to the database
INSERT INTO tablename (id, name) VALUES (10, 'Greg')
SQL - Update
1. Update existing records
UPDATE table SET fieldA=123 WHERE somefield=2323
UPDATE table SET fieldB='Greg'   (no WHERE clause: every row is updated)
SQL - Delete
1. Delete records
DELETE FROM tableA where somefield=1221
DELETE FROM tableA
Terminators
; Semicolon ends the current SQL query and starts a new one (stacked query)
SELECT * FROM users ; DROP TABLE users
-- Double dash ignores the remaining query string
SELECT * FROM users --limit 10
Can be used in conjunction
SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''
Where Clause Pruning
Powerful SQL technique
SQL trick for allowing a query to return either a full set or a specified subset
1=1 == TRUE
SELECT * FROM users WHERE (id = :id) OR (-1 = :id)
Passing -1 as :id makes the second branch true for every row and returns the full table; any other value returns just that row
SQL Injection Cause
Executed via front end of the Web Application
GET URL parameter
http://host.com/item.php?cat=1&id=11
Form POST fields
Techniques
Normal SQL Injections
Errors & Exceptions
Unexpected output
O'Reilly != O\'Reilly
Blind SQL Injections
No errors
A lot of guesswork
Introduction of a delay as part of a malicious SQL statement
SQL Injection Types
Passive
Exposing database information
Information retrieval
Active
Altering database information
Insertion
Deletion
Testing for Vulnerability
Manual
Time consuming
Automated SQL injection scanners only scan for known vulnerabilities
Tell-tale error string to look for: Incorrect syntax near
Toolbox
SQLIer
SQLbftools
SQLibf
SQLBrute
BobCat
SQLMap
Absinthe
SQL Injection Pen-testing Tool
SQID
SQLNinja
FJ-Injector Framework
Automagic SQL Injector
NGSS SQL Injector
Identifying Vulnerable Site
Given unexpected input the site behaves oddly
Single quote '
Double quote "
1 + single quote
a + single quote
; + single quote
Input > Satan's little minion
Nothing found for Satan\s little minion
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'
Bypassing Filters
Escaping entities
%26%23039 == &#039 == ' (single quote)
%26 == &
%23 == #
039 == entity number of the single quote
Select * FROM users WHERE username=secret%26%23039 OR%26%23039X%26%23039=%26%23039X
Evaluated as > Select * FROM users WHERE username=secret OR X = X
This evaluates to always true
Char function
Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115)
== Select * from users
Concat & Hex functions
CONCAT('0x', HEX('/var/log/messages'))
== 0x2F7661722F6C6F672F6D65737361676573
Bypassing Filters
Injecting: AND 1=(SELECT LOAD_FILE('var/log/messages') )
MySQL Error: ... near '\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1
The application escapes the single quotes (\'), so the quoted file name breaks the statement and the error is returned
Bypassing Filters
1=(SELECT LOAD_FILE('var/log/messages') )
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1)
Char / Hex: replace the quoted string with a literal that needs no quotes
1=(SELECT LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573) )
Bypassing Blacklists
What are Blacklists
Blacklist (DELETE, EXEC)
DEL/**/ETE
/**/ D/**EVIL**/ELE/**/TE
Escape Characters
%26%23039 OR %26%23039X%26%23039=%26%23039X
decodes to: ' OR 'X'='X
i.e. OR X = X, which is always true
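The entity and comment tricks on the preceding slides only get past a filter that inspects the raw request. The following is an added example, not part of the deck: a small normalizer (hypothetical names, constructed sample inputs) that percent-decodes, resolves HTML entities and strips inline comments before matching, which is the kind of canonicalization a WAF rule or a log-review script needs before any blacklist check is meaningful.

```python
import html
import re
import urllib.parse

# Constructed sample inputs, modelled on the bypass slides (not captured traffic)
SAMPLES = {
    "entity":  "secret%26%23039 OR%26%23039X%26%23039=%26%23039X",
    "comment": "DEL/**/ETE FROM users",
    "nested":  "/**/D/**EVIL**/ELE/**/TE FROM users",
}

# A naive blacklist of the kind the deck shows being bypassed
BLACKLIST = ("DELETE", "EXEC", "'", "--", ";")


def naive_filter(raw: str) -> bool:
    """Blacklist applied to the raw request string. True means 'blocked'."""
    upper = raw.upper()
    return any(token in upper for token in BLACKLIST)


def canonicalize(raw: str) -> str:
    """Bring the input into the form the database parser will actually see."""
    s = raw
    for _ in range(3):                      # repeat to catch double percent-encoding
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    # html.unescape resolves numeric references even without the trailing ';'
    # so "&#039" becomes the single quote the filter was meant to catch
    s = html.unescape(s)
    # drop inline comments: "DEL/**/ETE" and "/**/D/**EVIL**/ELE/**/TE" both become DELETE
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)
    return s


def canonical_filter(raw: str) -> bool:
    """Same blacklist, but applied after canonicalization."""
    return naive_filter(canonicalize(raw))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, naive_filter(sample), canonical_filter(sample), canonicalize(sample))
```

Canonicalization only makes a blacklist less blind; it is still the wrong primary defence, and the Countermeasures slides (parameterized queries, least privilege) remain the fix.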
Demos
Prerecorded demos
Countermeasures
System Administrators
White List / Blacklist Input Validation
Least Privileges
Application firewalls
Developer
Stored Procedures
Parameterized queries
Exception handling
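The developer countermeasure that matters most is the parameterized query. As an added example (not from the deck; in-memory SQLite with constructed rows and hypothetical function names), here is the concatenated login query the slides attack beside its parameterized form, driven with the always-true tail from the slides and with a legitimate name containing an apostrophe.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not from the deck)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "greg", "s3cret"), (2, "alice", "hunter2"),
                     (3, "o'reilly", "books")])     # apostrophe in data is legitimate
    return con


def login_concat(con, name, password):
    """Vulnerable: the statement is assembled by string concatenation,
    so quote characters in the input become part of the SQL grammar."""
    sql = ("SELECT id FROM users WHERE name='" + name
           + "' AND password='" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_param(con, name, password):
    """Hardened: placeholders; the driver hands the values to the engine
    separately, so a quote in the input is data, never syntax."""
    sql = "SELECT id FROM users WHERE name=? AND password=?"
    return [row[0] for row in con.execute(sql, (name, password))]


def demo():
    con = make_db()
    payload = "' OR 'X'='X"                     # the always-true tail from the slides
    out = {
        "concat_attack": login_concat(con, "greg", payload),       # every row comes back
        "param_attack": login_param(con, "greg", payload),         # no row matches
        "param_honest": login_param(con, "greg", "s3cret"),        # [1]
        "param_apostrophe": login_param(con, "o'reilly", "books"),  # [3]
    }
    try:   # the concatenated version cannot even serve the legitimate O'Reilly-style name
        login_concat(con, "o'reilly", "books")
        out["concat_apostrophe_error"] = False
    except sqlite3.OperationalError:
        out["concat_apostrophe_error"] = True
    return out


if __name__ == "__main__":
    print(demo())
```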
Least Privileges
Enforce least privileges: the application account should not hold CREATE / DELETE rights it does not need
Does not guarantee security
Access to only a portion of the data: create views
Application Firewalls
Software
Easy to install and maintain
Hardware
Expensive
Plug and Play
Examples:
dotDefender
webApp.SECURE
SonicWALL
WatchGuard