
Page 1: Cruel (SQL) Intentions

Cruel (SQL) Intentions - An analysis of malicious intentions behind real world SQL injection attacks

Ezra Caltum – Sr. Security Researcher Akamai

Mysql> SELECT title FROM talk;

Mysql> SELECT author FROM talk;

Page 2: Cruel (SQL) Intentions

• The Platform
  • 167,000+ Servers
  • 2,300+ Locations
  • 750+ Cities
  • 92 Countries
  • 1,227+ Networks

• The Data
  • 2 trillion hits per day
  • 780 million unique IPv4 addresses seen quarterly
  • 13+ trillion log lines per day
  • 260+ terabytes of compressed daily logs

15 - 30% of all web traffic

Page 3: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT days) FROM research_data;

+------+
| days |
+------+
|    7 |
+------+

Page 4: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT apps) FROM research_data;

+------+
| apps |
+------+
| 2000 |
+------+

Page 5: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) FROM research_data;

+------------+
| injections |
+------------+
|  8,425,489 |
+------------+

Page 6: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage FROM research_data WHERE category = 'SQL INJECTION PROBING AND INJECTION TESTING';

+------------+------------+
| injections | percentage |
+------------+------------+
|  5,021,240 |     59.59% |
+------------+------------+

Page 7: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'ENVIROMENT PROBING AND TESTING';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|  1,308,681 |      15.5% |     38.42% |
+------------+------------+------------+

Page 8: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'DATABASE CONTENT RETRIEVAL';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|    129,814 |    1.5403% |  3.811054% |
+------------+------------+------------+

Page 9: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'CREDENTIAL THEFT';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|  1,950,749 |  23.14745% | 57.269712% |
+------------+------------+------------+

Page 10: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'LOGIN BYPASS';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|      5,467 | 00.064871% | 00.160499% |
+------------+------------+------------+

Page 11: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'DATA FILE EXTRACTION';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|         24 |   0.00028% |    0.0007% |
+------------+------------+------------+

Page 12: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'DENIAL OF SERVICE';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|        326 |   0.00387% |  0.009571% |
+------------+------------+------------+

Page 13: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'DATA CORRUPTION';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|      2,238 |  0.026556% |  0.065702% |
+------------+------------+------------+

Page 14: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'DEFACEMENT AND CONTENT INJECTION';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|      8,156 |  0.096778% |  0.239442% |
+------------+------------+------------+

Page 15: Cruel (SQL) Intentions

Mysql> SELECT COUNT(DISTINCT injections) as injections, COUNT(DISTINCT injections)/8425489 as percentage, COUNT(DISTINCT injections)/3406249 as norm_perc FROM research_data WHERE category = 'RCE';

+------------+------------+------------+
| injections | percentage | norm_perc  |
+------------+------------+------------+
|        794 |   0.00942% |  0.023310% |
+------------+------------+------------+
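A defender-side way to reproduce the intent breakdown the slides show, as an added Python example that is not from the talk: it tags each logged injection payload with one of the talk's categories and computes both ratios. The keyword rules, the sample events and the norm_perc denominator (all injections minus plain probing) are assumptions; the talk does not publish its classification logic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
PROBING = "SQL INJECTION PROBING AND INJECTION TESTING"
# Intent categories named in the talk. The keyword markers are an assumption
# (the talk does not publish its classification rules); first match wins,
# and anything that matches nothing is counted as plain probing.
RULES = [
    ("RCE", r"xp_cmdshell|sys_exec\("),
    ("DATA FILE EXTRACTION", r"load_file\(|into\s+(out|dump)file"),
    ("DENIAL OF SERVICE", r"benchmark\(|\bshutdown\b"),
    ("DEFACEMENT AND CONTENT INJECTION", r"<script|<iframe"),
    ("DATA CORRUPTION", r"\b(drop|truncate)\s+table|delete\s+from|\bupdate\s+\w+\s+set\b"),
    ("CREDENTIAL THEFT", r"\b(password|passwd|pwd|credentials?)\b"),
    ("DATABASE CONTENT RETRIEVAL", r"union\s+(all\s+)?select|information_schema"),
    ("ENVIROMENT PROBING AND TESTING",
     r"@@version|version\(\)|user\(\)|database\(\)|sleep\(|waitfor\s+delay"),
]
# Boolean tautology (e.g. OR '1'='1); on a login endpoint it is a bypass attempt.
TAUTOLOGY = re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?")
# Constructed (request path, raw parameter value) pairs, not real traffic.
SAMPLE_EVENTS = [
    ("/item.php", "1'"),
    ("/item.php", "1 AND 1=1"),
    ("/item.php", "1 AND sleep(5)"),
    ("/item.php", "1%27+AND+%40%40version+LIKE+%275%25%27"),  # still URL-encoded
    ("/item.php", "1' UNION SELECT table_name,NULL FROM information_schema.tables--"),
    ("/item.php", "1' UNION SELECT username,password FROM users--"),
    ("/login.php", "admin' OR '1'='1"),
    ("/item.php", "1'; DROP TABLE orders--"),
]

def classify(path, payload):
    """Map one payload (decoded first, since WAF logs keep it encoded) to a talk category."""
    text = unquote_plus(payload).lower()
    if "login" in path.lower() and TAUTOLOGY.search(text):
        return "LOGIN BYPASS"
    for category, pattern in RULES:
        if re.search(pattern, text):
            return category
    return PROBING

def tally(events):
    """Per category: count, share of all injections ('percentage'), share of non-probing ('norm_perc')."""
    counts = Counter(classify(path, value) for path, value in events)
    total = sum(counts.values())
    non_probing = total - counts[PROBING]  # assumed meaning of the slides' 3406249 denominator
    return {cat: (n, round(100 * n / total, 2),
                  None if cat == PROBING else round(100 * n / non_probing, 2))
            for cat, n in counts.most_common()}
```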

Page 16: Cruel (SQL) Intentions

Mysql> SELECT summary FROM talk;

+----------------------------------------+
| summary                                |
+----------------------------------------+
| Malicious actors use a variety of      |
| techniques.                            |
| Not only data exfiltration, but:       |
| Elevate privileges, execute commands,  |
| infect or corrupt data, deny service   |
+----------------------------------------+

Page 17: Cruel (SQL) Intentions

DROP /**/ TABLE talk;

Twitter: @aCaltum

http://ezra.c.com.mx

http://www.stateoftheinternet.com

Page 18: Cruel (SQL) Intentions

SELECT questions FROM attendees WHERE (used_time + question_time) <= 15;