SQL Injection for newbie



Similar documents
Exposed Database( SQL Server) Error messages Delicious food for Hackers

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

HTML Form Widgets. Review: HTML Forms. Review: CGI Programs

Check list for web developers

Webapps Vulnerability Report

CMP3002 Advanced Web Technology

Criteria for web application security check. Version

Exploits: XSS, SQLI, Buffer Overflow

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security

Understanding Sql Injection

Thick Client Application Security

Testing Web Applications for SQL Injection Sam Shober

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

Database 10g Edition: All possible 10g features, either bundled or available at additional cost.

SQL Injection Vulnerabilities in Desktop Applications

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Using Foundstone CookieDigger to Analyze Web Session Management

SQL Injection. SQL Injection. CSCI 4971 Secure Software Principles. Rensselaer Polytechnic Institute. Spring

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Application Design and Development

Web Application Security Considerations

Application Security Testing. Generic Test Strategy

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Real SQL Programming 1

Web Application Security

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Security features of ZK Framework

AREA RICERCA Ufficio Dottorati di Ricerca Nazionali ed Internazionali

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

Fortigate SSL VPN 4 With PINsafe Installation Notes

SQL Injection January 23, 2013

SECURING APACHE : THE BASICS - III

Retrieving Data Using the SQL SELECT Statement. Copyright 2006, Oracle. All rights reserved.

Talking to Databases: SQL for Designers

Web Application Vulnerabilities and Avoiding Application Exposure

7. In the boxed unlabeled field, enter the last 4 digits of your Social Security number.

Web Application Guidelines

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Web Applications Security: SQL Injection Attack

MySQL Manager. User Guide. July 2012

A Tokenization and Encryption based Multi-Layer Architecture to Detect and Prevent SQL Injection Attack

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

An Anatomy of a web hack: SQL injection explained

1. Building Testing Environment

SQL Injection Attack Lab Using Collabtive

Fortigate SSL VPN 3.x With PINsafe Installation Notes

Penetration Test Report

Pervasive Data Integrator. Oracle CRM On Demand Connector Guide

Advanced Tornado TWENTYONE Advanced Tornado Accessing MySQL from Python LAB

Configuration Guide - OneDesk to SalesForce Connector

econtrol 3.5 for Active Directory & Exchange Self-Service Guide

Project 2: Web Security Pitfalls

Broker Portal Tutorial Broker Portal Basics

AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR

Introduction. Buffer Overflow. SQL Injection. Cross-Site Scripting. Software Security I. Overview. Source: SearchsoftwareQuality.techtarget.

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Last update: February 23, 2004

White Paper BMC Remedy Action Request System Security

Application Intrusion Detection

White Paper. Blindfolded SQL Injection

HTTPParameter Pollution. ChrysostomosDaniel

A Tale of the Weaknesses of Current Client-side XSS Filtering

Configuring Cisco CallManager IP Phones to Work With IP Phone Agent

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

HTML Forms and CONTROLS

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

Analysis of SQL injection prevention using a proxy server

1. What is SQL Injection?

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

SQL Injection Attack Lab

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

Common Security Vulnerabilities in Online Payment Systems

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Token Sequencing Approach to Prevent SQL Injection Attacks

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Security Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions

CSCI110 Exercise 4: Database - MySQL

SOAP Web Services Attacks

Cloud Portal Guest Invitations 4.0

Perl In Secure Web Development

DIPLOMA IN WEBDEVELOPMENT

CSSEA Helpdesk User Guide

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Transcription:

SQL Injection for newbie SQL injection is a security vulnerability that occurs in a database layer of an application. It is technique to inject SQL query/command as an input via web pages. Sometimes we accept input from the web user and pass that input as parameter to construct a database query dynamically in the backend to perform search operation in database. Here the question of SQL injection comes. A intelligently crafted input may produce a result that the application is not supposed to do. First we need to identify the possible area in an application where SQL can be injected. The area may be login page, search field, feedback, URL of the page ( in case of GET request ) etc. Let us discuss it with examples. Log in page : In this page there are two fields, username and password. User will give her login credentials and gain access to her account. Imagine situation where anybody can have access to other s account with out proper user credentials. Yes, this is possible if the programmer do not take care about it. The most crucial part of the code for login page is string sql = select * from User_login where username= +username+ and password= +password+ User_login is the name of the table in the database where username and password are stored. I am giving here the different situation with SQL injection attacks using username and password field. Situation 1 : The log in page uses POST method to submit the data to server and there is no client or server side validation. Inputs : Username : hi or 1=1;-- Password : < As you wish > Behind the sense : select * from User_login where username = hi or 1=1;-- and password = < As you wish > The query portion in blue will be operational and rest part of the query is commented using - - ( marked in red ).This convention is used through out the article. Result : Successful log in into someone s account. Reason : Since 1=1 is always true and OR is used, the query always return some record. Hence successful log in. Situation 2: The log in page uses POST method to submit the data to server and there is client side validation ( using java script ) but no server side validation is done. Now the job is little bit

difficult but possible. You have to see the source code of the log in page and manipulate the source code. Most important part of source code : The coding part inside form tag. < form id= from_login method= post action = /abc/ login.asp > <table> <tr > <td> Username : </td> <td> <input type="text" id="login-username" name="user_id" maxlength="255"/> </td> <td> Password : </td> <td> <input type="password" id="login-password" name="passwd" maxlength="32" /></td> <td><input type="submit" id="login-submit" class="button" name="submit" value="login" onclick= Login_validate() language= javascript /> </td> </table> </form> We are interested in action attribute of from tag and onclick attribute of the submit button. It may be the other attributes used to call java script functions. Our main intension is to bypass the client side validation ( java script ) and submit the form. Manipulation of source code : Save the source code in your local computer with a name say login.html. Now edit action attribute and delete onclick like below. Save the form. < form id= from_login method= post action = http://example/abc/ login.asp > <table> <tr > <td> Username : </td> <td> <input type="text" id="login-username" name="user_id" maxlength="255" value= hi or 1=1;-- /> </td> <td> Password : </td> <td> <input type="password" id="login-password" name="passwd" maxlength="32" value= <As you wish> /></td> <td><input type="submit" id="login-submit" class="button" name="submit" value="login" /></td> </table> </form> Open the page from local drive and click submit.

Behind the sense : select * from User_login where username = hi or 1=1;-- and password= < As you wish > Result : Successful log in. Reason : Again SQL injection but bypassing the client side validation. Search field : The query related to the search field is most likely to be like following. String sql = select * from Product where product_name like + product_name + % Input_1 : ; SHUTDOWN;-- Input_2 : ; +SHUTDOWN;-- Behind the sense : select * from Product where product_name like ;SHUTDOWN;-- % Result : The remote database will shutdown. Reason : SHUTDOWN is a database command and we are trying to insert that to shutdown the database from remote computer. Sometimes Input_1 do not work, then you should try Input_2. Search engine generally tokenize input into separate pieces to process them as individual criteria. + character typically force a search engine to treat input as one keyword, so the Input_2 works. Some databases provide the privilege to fire two back to back query. Here we exploit that privilege and insert the SHUTDOWN command. This attack is called Denial of Service ( DoS ). User FeedBack Field : If you know the table structure and the datatype of individual field of table then it is possible to insert a row in that table. By producing database error message it is possible to know the table details. Let s not get into that. Here we assume that you already know the data schema. Input : Hi I am here ); insert into Table_Name ( field_1,field_2,field_3,field_4) values ( values in field_1, values in field_2, values in field_3, values in field_4 );-- Result : One row is added to the table. Reason : Again we are firing two back to back query. NOTE : To know the data schema, a series of Sql injection is required. If you are interested to know the attacks,you can read my another article Exposed SQL Server Error Messages -- Food for Hackers in Stickymind.com with URL http://www.stickyminds.com/s.asp?f=s11795_art_2

Email Password field ( forgot password ) : This field is used to email the password of the user. Generally this facility is given with the forgot password link. Let s see how can we use this field for SQL injection attack. String sql = select user_name,password from Login_details where email_id = +email_id+ Input_1: hi or 1=1;-- Behind the sense : select user_name, password from Login_details where email_id = hi or 1=1;-- < something > Result : Log in details is send to the random.user@example.com and someone in this world will rise her voice. Reason : Since the clause 1=1 is always true, the query will return a random record from the database. Input_2 : hi ; Drop table Table_Name ;-- Behind the sense : select user_name, password from Login_details where email_id = hi ; Drop table Table_Name ;-- <something> Result : The table Table_Name is deleted from the database Reason : Table is dropped due to second query. SQL injection using URL : If you can t find any such fields ( above mentioned ) then concentrate on the URL. Some application uses GET method to submit the data and the data is directly append at the end of the URL along with the name of the parameter. Here is an example of URL when searching for product of category toy. http://example/products/search.asp?product_name = toy The associated query is : String sql = select * from Product where product_name like + product_name + % Manipulated URL : http://example/products/search.asp?product_name = toy or 1=1 Behind the sense : select * from products where product_name like toy or 1=1 -- % Result : All the product will be listed. Reason : Since clause 1=1 is always true and OR is used, the query returns all the records.

There is no hard and fast rule that a particular type of SQL injection attacks only work with a particular field in a web application. If you find a single sql injection vulnerable field then you may be able to execute different sql injection attack using that field. One thing we must keep in our mind that sql injection is all about the manipulation of database query from the font end and execute it. Now let s see how can we prevent SQL Injection. Recommended Preventive Action : 1. Assume all end-user input is hostile. 2. Turn off the detailed error messaging. Less information might make the job of The hacker a bit harder. 3. Maintain a customized error page though it is not a permanent solution. 4. Don t forget to remove the debugging information ( comments ) before release. 5. Replace the input single quote 6. Allow only good inputs and minimize the input data length. 7. Don t depends on the client side validation. Client side validation can be bypassed. 8. Limit the right of database user that the web application uses. 9. Write store procedure instead of inline SQL statement and store it in database server. But writing store procedure for every sql statement may not be feasible. If you are using JSP, use PreparedStatement. Both store procedure and PreparedStatement are precompiled and hence impossible to penetrate. 10. Keep an open eye to the new types of SQL Injection attacks. Prepared By Sandipan Pramanik Mindfire Solutions ( www.mindfiresolutions.com )

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information