SQL Injection. The ability to inject SQL commands into the database engine through an existing application



Similar documents
What? Me, Worry? I've Already Been Hacked. Haven't You?

SQL Injection January 23, 2013

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

CTF Web Security Training. Engin Kirda

SECURING APACHE : THE BASICS - III

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

Oracle Database 10g: Introduction to SQL

SQL Injection. Sajjad Pourali CERT of Ferdowsi University of Mashhad

A Brief Introduction to MySQL

ASP.NET Programming with C# and SQL Server

UQC103S1 UFCE Systems Development. uqc103s/ufce PHP-mySQL 1

Short notes on webpage programming languages

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Oracle 10g PL/SQL Training

Oracle Database 10g Express

Oracle Database 12c: Introduction to SQL Ed 1.1

A basic create statement for a simple student table would look like the following.

Webapps Vulnerability Report

A SQL Injection : Internal Investigation of Injection, Detection and Prevention of SQL Injection Attacks

Retrieving Data Using the SQL SELECT Statement. Copyright 2006, Oracle. All rights reserved.

How to Improve Database Connectivity With the Data Tools Platform. John Graham (Sybase Data Tooling) Brian Payton (IBM Information Management)

Oracle SQL. Course Summary. Duration. Objectives

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Oracle Database: SQL and PL/SQL Fundamentals

SQL - QUICK GUIDE. Allows users to access data in relational database management systems.

Database Schema Deployment. Lukas Smith - lukas@liip.ch CodeWorks PHP on the ROAD

Check list for web developers

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

SQL. Short introduction

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

Web Applications Security: SQL Injection Attack

Understanding Sql Injection

Project 2: Web Security Pitfalls

Web Development using PHP (WD_PHP) Duration 1.5 months

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Oracle Database: SQL and PL/SQL Fundamentals NEW

1. INTRODUCTION TO RDBMS

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

SQL Server Database Coding Standards and Guidelines

Live Hacking. Threats & Countermeasures in Action (SEC411) Ofer Maor CTO Hacktics Ltd.

php tek 2006 in Orlando Florida Lukas Kahwe Smith

Oracle Database: SQL and PL/SQL Fundamentals

Oracle Database 11g SQL

Security and Control Issues within Relational Databases

SQL Injection for newbie

Database 10g Edition: All possible 10g features, either bundled or available at additional cost.

Database Administration with MySQL

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Auditing Data Access Without Bringing Your Database To Its Knees

Oracle Database: Introduction to SQL

SQL Injection Attack Lab

D61830GC30. MySQL for Developers. Summary. Introduction. Prerequisites. At Course completion After completing this course, students will be able to:

Enhanced Model of SQL Injection Detecting and Prevention

White Paper. Blindfolded SQL Injection

Oracle Database: Introduction to SQL

Choosing a Data Model for Your Database

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Duration Vendor Audience 5 Days Oracle End Users, Developers, Technical Consultants and Support Staff

Database Query 1: SQL Basics

SQL SERVER Anti-Forensics. Cesar Cerrudo

SQL Injection Attack Lab Using Collabtive

Using SQL Server Management Studio

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

A table is a collection of related data entries and it consists of columns and rows.

Maintaining Stored Procedures in Database Application

Testing Web Applications for SQL Injection Sam Shober

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

1. What is SQL Injection?

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

CSCI110 Exercise 4: Database - MySQL

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

AUTHENTICATION... 2 Step 1:Set up your LDAP server... 2 Step 2: Set up your username... 4 WRITEBACK REPORT... 8 Step 1: Table structures...

PHP Tutorial From beginner to master

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

Lab 2: PostgreSQL Tutorial II: Command Line

SQL Server An Overview

Analysis of SQL injection prevention using a proxy server

Concepts Design Basics Command-line MySQL Security Loophole

CMP3002 Advanced Web Technology

WebCruiser Web Vulnerability Scanner User Guide

Oracle Database: Introduction to SQL

Oracle Database: SQL and PL/SQL Fundamentals NEW

ICAB4136B Use structured query language to create database structures and manipulate data

Finding XSS in Real World

5. CHANGING STRUCTURE AND DATA

"SQL Database Professional " module PRINTED MANUAL

Setting Up ALERE with Client/Server Data

AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR

Connecting to a Database Using PHP. Prof. Jim Whitehead CMPS 183, Spring 2006 May 15, 2006

Detecting (and even preventing) SQL Injection Using the Percona Toolkit and Noinject!

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

CHAPTER 1 Overview of SAS/ACCESS Interface to Relational Databases

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

Talking to Databases: SQL for Designers

Transcription:

SQL Injection The ability to inject SQL commands into the database engine through an existing application 1 What is SQL? SQL stands for Structured Query Language Allows us to access a database ANSI and ISO standard computer language The most current standard is SQL99 SQL can: execute queries against a database retrieve data from a database insert new records in a database delete records from a database update records in a database 2 1

SQL is a Standard - but... There are many different versions of the SQL language They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others). Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard! 3 SQL Database Tables A relational database contains one or more tables identified each by a name Tables contain records (rows) with data For example, the following table is called "users" and contains data distributed in rows and columns: userid Name LastName Login Password 1 John Smith jsmith hello 2 Adam Taylor adamt qwerty 3 Daniel Thompson dthompson dthompson 4 2

SQL Queries With SQL, we can query a database and have a result set returned Using the previous table, a query like this: SELECT LastName FROM users WHERE UserID = 1; Gives a result set like this: LastName -------------- Smith 5 Data Manipulation Language (DML) SQL includes a syntax to update, insert, and delete records: SELECT - extracts data UPDATE - updates data INSERT INTO - inserts new data DELETE - deletes data 6 3

Data Definition Language (DDL) The Data Definition Language (DDL) part of SQL permits: Database tables to be created or deleted Define indexes (keys) Specify links between tables Impose constraints between database tables Some of the most commonly used DDL statements in SQL are: CREATE TABLE - creates a new database table ALTER TABLE - alters (changes) a database table DROP TABLE - deletes a database table 7 How common is SQL injection? It is probably the most common Website vulnerability today It is a flaw in "web application" development, it is not a Database or web server problem Most programmers are still not aware of this problem Many tutorials and demo templates are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough 8 4

Vulnerable Applications Almost all SQL databases and programming languages are potentially vulnerable MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc Accessed through applications developed using: Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and API s Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) 9 How does SQL Injection work? Common vulnerable login query SELECT * FROM users WHERE login = 'victor' AND password = '123' (If it returns something then login!) ASP/MS SQL Server login syntax var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'"; 10 5

Injecting through Strings formusr = ' or 1=1 formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 AND password = 'anything' 11 The power of ' It closes the string parameter Everything after is considered part of the SQL command Misleading Internet suggestions include: Escape it : replace ' with '' String fields are very common but there are other types of fields: Numeric Dates 12 6

If it were numeric? SELECT * FROM clients WHERE account = 12345678 AND pin = 1111 PHP/MySQL login syntax $sql = "SELECT * FROM clients WHERE ". "account = $formacct AND ". "pin = $formpin"; 13 Injecting Numeric Fields $formacct = 1 or 1=1 # $formpin = 1111 Final query would look like this: SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111 14 7

Evasion Techniques Input validation circumvention and IDS Evasion techniques are very similar and rely on "signatures" Signatures can be evaded easily Input validation, IDS detection AND strong database and OS hardening must be used together 15 IDS Signature Evasion Evading ' OR 1=1 signature ' OR 'unusual' = 'unusual' ' OR 'something' = 'some'+'thing' ' OR 'text' = N'text' ' OR 'something' like 'some%' ' OR 2 > 1 ' OR 'text' > 't' ' OR 'whatever' IN ('whatever') ' OR 2 BETWEEN 1 AND 3 16 8

SQL Injection Characters ' or " character String Indicators -- or # single-line comment /* */ multiple-line comment + addition, concatenate (or space in url) (double pipe) concatenate % wildcard attribute indicator?param1=foo&param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10' time delay 17 Input validation Some people use PHP addslashes() function to escape characters single quote ('), double quote ("), backslash (\), NUL (the NULL byte) This can be easily evaded by using replacements for any of the previous characters in a numeric field IDS and input validation can also be circumvented by encoding URL encoding Unicode/UTF-8 Hex enconding char() function 18 9

MySQL Input Validation Circumvention using Char() Inject without quotes (string = "%"): ' or username like char(37); Inject without quotes (string = "root"): ' union select * from users where login = char(114,111,111,116); 19 Defending against SQL injections Sanitize all input. Assume all input is harmful. Validate user input that contains dangerous keywords or SQL characters, such as xp_cmdshell, - -, and ;. Consider using regular expressions to remove unwanted characters. This approach is safer than writing your own search and replace routines. Run with least privilege. Do not execute an SQL SELECT statement as sa. Create low-privilege accounts to access data. Use SQL permissions to lock down databases, stored procedures, and tables. Remove unused stored procedures. 20 10

Defending against SQL injections Do not allow clients to view ODBC/OLE DB error messages. Handle these errors with your own code. By default, ASP pages returns error messages to clients. Enable logging of all user access, and set alerts to log all failed attempts to access objects. Do not use string concatenations to build SQL queries. Instead, use parameterized queries or parameterized stored procedures, because they explicitly define input and output values and do not process multiple statements as a batch. 21 Back to a previous example var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'"; is replaced by SqlConnection objconnection=new SqlConnection(_ConnectionString); objconnection.open(); SqlCommand objcommand = new SqlCommand( "SELECT * FROM User WHERE login = @Name AND password = @Password", objconnection); objcommand.parameters.add("@name", NameTextBox.Text); objcommand.parameters.add("@password", PasswordTextBox.Text); SqlDataReader objreader = objcommand.executereader(); if (objreader.read()) {... Why is it safer? Because the SQL server knows that the value of the parameter is not actual code to execute, but data 22 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information