
SQL Injection Jason Dunn


Presentation Transcript


  1. SQL Injection (Jason Dunn)

  2. SQL Overview
  • Structured Query Language
  • For use with databases
  • Purpose is to retrieve information
  • Main statements
    • Select
    • Insert
    • Update
    • Drop

  3. SQL Statement Format
  • Select * From [Table] where [conditions]
    • E.g. Select grade From Students where pid='1234'
    • Selects the grade field value from the Students table for every entry where the corresponding pid = 1234
  • Update [Table] set [column name 2 = value 2] where [column name 1 = value 1]
    • Updates the specified table: for all records where value 1 is found in column 1, it replaces column 2's value with value 2
  • Drop Table [Table]
    • Deletes the given table

  4. Database Basics
  • Definitions
    • Table – collection of records
    • Column – specifies a value which will be present in all records
    • Value – the contents of a specific column in a specific record
    • Record – one row in the table
  • Used for storing/organizing data
  • Used by most businesses to some degree
  • Typical applications
    • Customer data, banking data, health data, orders, inventory

  5. Example Table (figure: a sample table with the labels Column, Record, Field and Value pointing at its parts)

  6. SQL Injection Overview
  • Causes
  • Basics
  • Dangers
  • Detection
  • Hardening applications
  • Implementation differences
  • Demo

  7. Causes
  • Failure to sanitize input
    • Don't trust user input
    • Users can put special characters or statements into fields
  • SQL supports multiple statements per query
    • Though some connection drivers don't

  8. Basics
  • Add logic to the passed parameter
  • If you have the statement:
    • Select * from Students where password='$pass'
  • And your user submits $pass = 1' or 1=1
  • Your statement becomes:
    • Select * from Students where password='1' or 1=1
  • Your statement now always resolves to true and every record is displayed
  • Disclosure of extra data

  9. Dangers
  • Authentication bypass
    • Someone could see data they aren't authorized to see
  • Disclosure
    • Again, you could see all the information in a database
  • Modification
    • Students could modify their grade in the computer system
  • Deletion
    • Someone could delete a company's customer records
  • Execution
    • A hacker could force your computer to run any program they want it to

  10. Authentication Bypass
  • Can bypass authentication by changing the statement to always return true
  • Use the same or similar options as for disclosure
    • 1' or 1=1 etc.

  11. Modification
  • Uses the ability to chain multiple statements in a single request
  • If you have the statement:
    • Select * from Students where password='$pass'
  • And your user submits $pass=1'; Update Students where name=you set grade=100
  • If the input is not sanitized you have remotely changed your grade (or any other value on the server: account balances, passwords, etc.)

  12. Deletion
  • If you have the statement:
    • Select * from Students where password='$pass'
  • And your user submits $pass=1'; Delete Table Students
  • If the input is not sanitized you have remotely deleted all records in the Students table

  13. Execution (specific to certain implementations)
  • If you have the statement:
    • Select * from Students where password='$pass'
  • And your user submits $pass=1' ;exec master.dbo.xp_cmdshell [some command]
  • If the input is not sanitized and the exec command is enabled, you can run commands at whatever level the server's permissions allow
  • The server often runs at admin privilege level
  • Use exec to download a backdoor
  • Use exec to execute the backdoor

  14. Detection
  • Automated tools
  • Manual testing
    • Code review
    • Hand-testing statements
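For the code-review item above, here is an added example (not part of the presentation) of the kind of check a reviewer runs before hand-testing anything: it scans source lines for execute() calls whose SQL text is assembled from program data by concatenation, f-strings or %-formatting, which is the construction behind the slide-8 statement. The sample source lines and the function name are constructed for this example; lines that pass their values as a separate parameter tuple are deliberately left unflagged.

```python
# Added example (not from the presentation): a small code-review aid that flags
# execute() calls whose SQL text is built from variables. The sample source
# lines below are constructed, as are the function and pattern names.
import re

# Constructed sample: three risky calls followed by two parameterized ones.
SAMPLE_SOURCE = """
cur.execute("SELECT grade FROM Students WHERE pid='" + pid + "'")
cur.execute(f"SELECT * FROM Students WHERE password='{pw}'")
cur.execute("UPDATE Students SET grade=%s WHERE pid=%s" % (grade, pid))
cur.execute("SELECT grade FROM Students WHERE pid=?", (pid,))
cur.execute("DELETE FROM Sessions WHERE expires < ?", (now,))
"""

# Each pattern matches one way of splicing program data into the SQL string.
# Placeholders (? or %s with the values passed as a separate tuple) do not match.
PATTERNS = [
    (re.compile(r"""execute\(\s*f["']"""), "f-string used as SQL text"),
    (re.compile(r"""execute\(.*["']\s*\+"""), "string concatenation in SQL text"),
    (re.compile(r"""execute\(.*["']\s*%\s*\("""), "%-formatting applied to SQL text"),
]


def review_sql_calls(source):
    """Return (line number, reason, stripped line) for each suspicious execute() call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if "execute(" not in line:
            continue
        for pattern, reason in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, reason, line.strip()))
                break  # one finding per line is enough for a reviewer
    return findings


if __name__ == "__main__":
    for lineno, reason, text in review_sql_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}\n    {text}")
```

A regex pass like this is a triage aid, not proof of safety: it only sees one line at a time, so a query string assembled earlier and passed in a variable will slip past it, which is why the slide pairs code review with hand-testing.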

  15. Automated Tools
  • HP WebInspect
  • Rational AppScan
  • SQL Power Injector
  • Absinthe
  • Sqlninja

  16. Hardening Applications
  • Update software
    • If you are using PHP5 it automatically tries to escape single quotes
  • Escape the strings manually
    • mysql_real_escape_string() or other similar methods
  • Manually check for compound statements
  • Do not generate statements from the user input; use prepared statements
  • Check input against the result of prepared statements
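To show the difference between the slide-8 statement and the prepared statement recommended on this slide, here is an added example that is not part of the presentation. It builds a constructed in-memory SQLite Students table and runs the same login lookup two ways: once with the input pasted into the SQL text, once with the input bound as a parameter. It also demonstrates the slide-7 remark that some drivers refuse multiple statements per query: Python's sqlite3 raises an error for a stacked statement before executing anything. The function names, column names and sample rows are assumptions; the test input is the slide's `1' or 1=1` with its closing quote balanced so the resulting statement is the one the slide shows.

```python
# Added example (not from the presentation): the slide-8 login query built by
# string concatenation, beside the slide-16 prepared-statement version, run
# against a constructed in-memory SQLite Students table. Function names,
# column names and sample rows are assumptions made for this example.
import sqlite3


def make_db():
    """Create a constructed Students table with two sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Students (pid TEXT, name TEXT, grade INTEGER, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Students VALUES (?, ?, ?, ?)",
        [("1234", "alice", 88, "s3cret"), ("5678", "bob", 72, "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, pass_input):
    """Slide 8: the input is pasted into the SQL text, so quotes and keywords
    in it become part of the statement and can change its logic."""
    sql = "SELECT * FROM Students WHERE password='" + pass_input + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, pass_input):
    """Slide 16: a prepared statement. The SQL text is fixed; the input is
    bound as a value, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT * FROM Students WHERE password=?"
    return conn.execute(sql, (pass_input,)).fetchall()


def stacked_statement_rejected(conn, pass_input):
    """Slide 7: SQL allows several statements per query, but some drivers
    refuse them. sqlite3's execute() rejects a second statement in the same
    call before running anything (ProgrammingError on current Pythons,
    sqlite3.Warning on old ones)."""
    sql = "SELECT * FROM Students WHERE password='" + pass_input + "'"
    try:
        conn.execute(sql)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def grade_of(conn, name):
    """Parameterized helper used to confirm that no modification took place."""
    row = conn.execute("SELECT grade FROM Students WHERE name=?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"  # the slide's 1' or 1=1, closing quote balanced
    print("vulnerable   :", len(lookup_vulnerable(db, payload)), "rows")    # 2 rows
    print("parameterized:", len(lookup_parameterized(db, payload)), "rows")  # 0 rows
    stacked = "1'; UPDATE Students SET grade=100 WHERE name='bob"
    print("stacked rejected:", stacked_statement_rejected(db, stacked),
          "bob's grade:", grade_of(db, "bob"))                             # True 72
```

The parameterized lookup returns no rows for the injected input because the whole string is compared against the password column as data. Note that the driver's one-statement rule only blocks the stacked form; it does nothing against the `or '1'='1` form, which is a single statement, so the prepared statement, not the driver, is the actual fix. The mysql_real_escape_string() named on the slide belongs to the old PHP mysql extension, which was removed in PHP 7; parameter binding as shown here is the equivalent with any current driver.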

  17. Implementation Differences

  18. Real Life Example (her daughter's name is "help I am trapped in a driver's license factory")

  19. Demo

  20. Sources
  • www.w3schools.com
  • www.freewebmasterhelp.com/tutorials/phpmysql
  • Carey, Mark. Nessus Network Auditing. Burlington, MA, 2008.
  • McClure, Stuart. Hacking Exposed 6. McGraw Hill, Chicago, IL, 2009.
  • Skoudis, Ed. Counter Hack Reloaded. Prentice Hall, Indianapolis, IN, 2002.

  21. Questions?
