SQL Injection Attack

Size: px

Start display at page:

Download "SQL Injection Attack"

Milton Powers
8 years ago
Views:

1 SQL Injection Attack Modus operandi... Sridhar.V.Iyer Department of Computer & Informations Sciences Syracuse University, Syracuse, NY SQL Injection Attack p. 1

edu Department of Computer & Informations

2 SQL What is SQL? SQL Injection Attack p. 2

3 SQL What is SQL? Where is it used? SQL Injection Attack p. 2

4 SQL What is SQL? Where is it used? Why do we use it? SQL Injection Attack p. 2

5 Web Technologies Platform: Linux, OpenBSD, FreeBSD, Solaris and... Windows. SQL Injection Attack p. 3

6 Web Technologies Platform: Linux, OpenBSD, FreeBSD, Solaris and... Windows. Web Servers: Apache, LightTPD, Yaws, Tux, IIS SQL Injection Attack p. 3

7 Web Technologies Platform: Linux, OpenBSD, FreeBSD, Solaris and... Windows. Web Servers: Apache, LightTPD, Yaws, Tux, IIS Databases: MySQL, PostgreSQL, Firebird, MSSQL server SQL Injection Attack p. 3

8 Web Technologies Platform: Linux, OpenBSD, FreeBSD, Solaris and... Windows. Web Servers: Apache, LightTPD, Yaws, Tux, IIS Databases: MySQL, PostgreSQL, Firebird, MSSQL server Scripting Languages: Php, CGI/Perl, SmallTalk, ASP.NET SQL Injection Attack p. 3

9 Web Technologies Platform: Linux, OpenBSD, FreeBSD, Solaris and... Windows. Web Servers: Apache, LightTPD, Yaws, Tux, IIS Databases: MySQL, PostgreSQL, Firebird, MSSQL server Scripting Languages: Php, CGI/Perl, SmallTalk, ASP.NET Other Alternatives: J2EE/JSP etc. SQL Injection Attack p. 3

PostgreSQL, Firebird, MSSQL server Scripting Languages: Php, CGI/Perl,

10 Modus Operandi... Steve Friedl s way Know your enemy SQL Injection Attack p. 4

11 Modus Operandi... Steve Friedl s way Know your enemy Find his/her weakness SQL Injection Attack p. 4

12 Modus Operandi... Steve Friedl s way Know your enemy Find his/her weakness Attack his/her weakness SQL Injection Attack p. 4

13 Modus Operandi... Steve Friedl s way Know your enemy Find his/her weakness Attack his/her weakness SQL Injection Attack p. 4

14 Anatomy of the Attack The constructed SQL should be like SELECT list FROM table WHERE field= $ ; SQL Injection Attack p. 5

15 Anatomy of the Attack The constructed SQL should be like SELECT list FROM table WHERE field= $ ; What if I give my own and complete the query for form? SELECT list FROM table WHERE field= neo@zion.com ; SQL Injection Attack p. 5

my own email and complete the query for form?

16 Anatomy of the Attack The constructed SQL should be like SELECT list FROM table WHERE field= $ ; What if I give my own and complete the query for form? SELECT list FROM table WHERE field= neo@zion.com ; What is the output? SQL Injection Attack p. 5

17 Lets dig deeper... Lets create a valid query SELECT list FROM table WHERE field= something or x = x ; SQL Injection Attack p. 6

18 Lets dig deeper... Lets create a valid query SELECT list FROM table WHERE field= something or x = x ; Result? Your login information has been mailed to agent.smith@matrix.com Dont recognize that address Server error!! SQL Injection Attack p. 6

19 Lets behave ourselves Schema field mapping: Figure out the tentative field list SELECT list FROM table WHERE field= x AND IS NULL; ; SQL Injection Attack p. 7

20 Lets behave ourselves Schema field mapping: Figure out the tentative field list SELECT list FROM table WHERE field= x AND IS NULL; ; Find out as many fields as possible in a similar fashion. SQL Injection Attack p. 7

field= x AND email IS NULL; ; Find out as many fields

21 Lets behave ourselves Schema field mapping: Figure out the tentative field list SELECT list FROM table WHERE field= x AND IS NULL; ; Find out as many fields as possible in a similar fashion. Find out the table name. How? SQL Injection Attack p. 7

22 Lets behave ourselves We can try the query SELECT COUNT(*) FROM tablename; SELECT... = x AND 1=(SELECT COUNT(*) FROM tablename); ; SQL Injection Attack p. 8

23 Lets behave ourselves We can try the query SELECT COUNT(*) FROM tablename; SELECT... = x AND 1=(SELECT COUNT(*) FROM tablename); ; Again educated guess is required. The sites wont have cryptic table names. SQL Injection Attack p. 8

24 Lets behave ourselves We can try the query SELECT COUNT(*) FROM tablename; SELECT... = x AND 1=(SELECT COUNT(*) FROM tablename); ; Again educated guess is required. The sites wont have cryptic table names. Are we interested in this table? SELECT list FROM table WHERE field= x AND members. IS NULL; ; SQL Injection Attack p. 8

25 If the database wasn t readonly?? Bazoooooka SELECT... = x ; DROP TABLE members; ; SQL Injection Attack p. 9

26 If the database wasn t readonly?? Bazoooooka SELECT... = x ; DROP TABLE members; ; Add a new member SELECT... = x ; INSERT INTO members{... } VALUES {... }; ; SQL Injection Attack p. 9

27 If the database wasn t readonly?? Bazoooooka SELECT... = x ; DROP TABLE members; ; Add a new member SELECT... = x ; INSERT INTO members{... } VALUES {... }; ; Mail me the password SELECT... = x ; UPDATE members SET =neo@zion.com WHERE =agent.smith@matrix.com ; SQL Injection Attack p. 9

28 Other Methods Use xp_cmdshell: Something like Macro for MS Word Map Database structure: Do more of the stuff we already discussed for just one form SQL Injection Attack p. 10

29 Time for some action SQL Injection Attack p. 11

30 How not to do the wrong thing Sanitize the Input SQL Injection Attack p. 12

31 How not to do the wrong thing Sanitize the Input Quotesafe the Input SQL Injection Attack p. 12

32 How not to do the wrong thing Sanitize the Input Quotesafe the Input Use bounded parameters SQL Injection Attack p. 12

33 How not to do the wrong thing Sanitize the Input Quotesafe the Input Use bounded parameters Limit Database Permission and segregate users SQL Injection Attack p. 12

34 How not to do the wrong thing Sanitize the Input Quotesafe the Input Use bounded parameters Limit Database Permission and segregate users Use Stored procedures for database access SQL Injection Attack p. 12

35 How not to do the wrong thing Sanitize the Input Quotesafe the Input Use bounded parameters Limit Database Permission and segregate users Use Stored procedures for database access Isolate the Webserver SQL Injection Attack p. 12

36 How not to do the wrong thing Sanitize the Input Quotesafe the Input Use bounded parameters Limit Database Permission and segregate users Use Stored procedures for database access Isolate the Webserver Configure Error Reporting SQL Injection Attack p. 12

37 DISCLAIMER Any actual or imagined resemblance to our far more civilized world today is unintentional and purely coincidental The purpose of this presentation is purely educational SQL Injection Attack p. 13

38 Reference Php Manual. MySQL Manual. Google... ofcourse. This site has been created using prosper package on L A T E X SQL Injection Attack p. 14

39 Questions? Thanks SQL Injection Attack p. 15

Web Applications Security: SQL Injection Attack

Web Applications Security: SQL Injection Attack S. C. Kothari CPRE 556: Lecture 8, February 2, 2006 Electrical and Computer Engineering Dept. Iowa State University SQL Injection: What is it A technique