1 / 10

SQL Injection

SQL Injection. Error-based SQL Injection. Error-based SQL Injection. Typical modern Web application. Client. Web Server. Web Server may host eBusiness applications Database Server hosts databases including customers accounts, payments info, etc. Database Server.

cseal
Télécharger la présentation

SQL Injection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SQL Injection Error-based SQL Injection

  2. Error-based SQL Injection • Typical modern Web application Client Web Server • Web Server may host eBusiness applications • Database Server hosts databases including customers accounts, payments info, etc. Database Server

  3. Error-based SQL Injection • Typical user login (authentication) 1 4 Client Web Server • Client submits login request (username and password) • Web application “sanitizes” the login request and creates an SQL query that is passed to the Database Server • The Database Server replies • The Web app authenticates the user or sends an error-message 2 3 Database Server

  4. SQL Injection • An SQL query asking if there is a matching pair of username and password looks like: SELECT id FROM users WHERE username = 'aillia' AND password = 'xyx@#$' • This SQL query should return a result like this Row id 1 154 • SQL has a syntax. Using special characters including single quotes to pass values like 'aillia' is part of the syntax • SQL Injection is a result of braking SQL syntax (e.g. misusing the special characters) and bad programming.

  5. SQL Injection • Braking SQL syntax generates runtime errors • Runtime errors play a key role in SQL Injection • Example of SQL query with broken syntax SELECT id FROM users WHERE username = 'aillia ' 'AND password = 'xyx@#$' • Example of runtime error: msg ORA-00103, Level 15, Row 1, Line 1 Incorrect syntax near = 'xyx@#$' msg ORA-00105, Level 15, Row 1, Line 1 Unclosed quotations after string '' .

  6. SQL Injection • In order for SQL Injections to succeed, …… • Attackers must brake SQL syntax by “smuggling” special characters in SQL queries they type in online forms. • The poisonous SQL must modify the Web application behavior to make it do what the attacker wants. • Example: aillia ' Errormessage shown in attackers browser with part of the SQL query revealed Oracle Enterprise 9g error '80040e14' Unclosed quotation mark after the character string like 'aillia' AND cust_password = ' ' . /portal/default.asp, line 20

  7. SQL Injection • Once the attacker gets a runtime error message revealing part of the SQL query, it’s an indication that there is “hole” in the Web application • The attacker can, then, try to bypass the authentication by entering something like this at login: • As a result, the user may be authenticated as the first user from the top of the list (first row) Row id 1 154 aillia ' OR 1=1 -- --

  8. SQL Injection: What happens behind the scene • Attacker’s login (aillia ' OR 1=1 -- ) becomes: SELECT id FROM users WHERE username = 'aillia ' OR 1=1 -- AND password = ‘xxxxx' Which is a “true” statement because: • 1 = 1 is True and • -- is a symbol used for comments in SQL syntax.

  9. SQL Injection: determining the DBMS version • To get the DBMS version, the attacker may enter the following at login: • The result may be an error message like the following that can reveal the DBMS version: aillia ' OR 1=(SELECT @@version) -- -- Error when converting the nvarchar value Oracle Enterprise 10g Release 2: 10.2.0.1-2010 on Windows 2003 Server R2 to data type int. /portal/default.asp, line 20

  10. SQL Injection: Extracting data from a database • To extract multiple rows from the database, the attacker may enter the following at login: • The result may be an error message revealing more data. • But to automate extraction of more data, tools like Burp Suiteor SQL Map aillia ' OR 1=(SELECT top 1 name FROM master…sysdatabases WHERE name NOT IN (SELECT top 0 name FROM master..sysdatabases)) -- --

More Related