SQL Injection. SQL Injection. CSCI 4971 Secure Software Principles. Rensselaer Polytechnic Institute. Spring 2010 ...



Similar documents
Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

PHP/MySQL SQL Injections: Understanding MySQL Union Poisoining. Jason A. Medeiros :: CEO :: Presented for DC619 All Content Grayscale Research 2008

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

SQL INJECTION TUTORIAL

SQL Injection. Sajjad Pourali CERT of Ferdowsi University of Mashhad

Exposed Database( SQL Server) Error messages Delicious food for Hackers

Understanding Sql Injection

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

A Brief Introduction to MySQL

SQL Injection for newbie

database abstraction layer database abstraction layers in PHP Lukas Smith BackendMedia

Automating SQL Injection Exploits

DIPLOMA IN WEBDEVELOPMENT

A table is a collection of related data entries and it consists of columns and rows.

Concepts Design Basics Command-line MySQL Security Loophole

Web Application Security

Getting started with PostgreSQL

Real SQL Programming 1

Zend Framework Database Access

CSCI110 Exercise 4: Database - MySQL

Louis Luke

WebCruiser Web Vulnerability Scanner User Guide

Using a Data Warehouse to Audit a Transactional System

Database: SQL, MySQL

1. Building Testing Environment

Using Multiple Operations. Implementing Table Operations Using Structured Query Language (SQL)

Maintaining Stored Procedures in Database Application

A SQL Injection : Internal Investigation of Injection, Detection and Prevention of SQL Injection Attacks

Chapter 9 Joining Data from Multiple Tables. Oracle 10g: SQL

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

Detecting (and even preventing) SQL Injection Using the Percona Toolkit and Noinject!

Connecting to a Database Using PHP. Prof. Jim Whitehead CMPS 183, Spring 2006 May 15, 2006

SQL INJECTION IN MYSQL

SQL Injection Vulnerabilities in Desktop Applications

SQL - QUICK GUIDE. Allows users to access data in relational database management systems.

Database Administration with MySQL

DETECTION AND PREVENTION OF TAUTOLOGY AND UNION QUERY BASED SQL INJECTION ATTACKS

Database Security. The Need for Database Security

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

INSTALLING, CONFIGURING, AND DEVELOPING WITH XAMPP

Advanced Web Security, Lab

External Network & Web Application Assessment. For The XXX Group LLC October 2012

SQL. Short introduction

Oracle Data Redaction is Broken

Financial Data Access with SQL, Excel & VBA

Online shopping store

Sharding with postgres_fdw

Application Security Testing. Generic Test Strategy

CS 145: NoSQL Activity Stanford University, Fall 2015 A Quick Introdution to Redis

Webapps Vulnerability Report

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

Relational Databases and SQLite

Instant SQL Programming

Managing User Accounts

PHP Language Binding Guide For The Connection Cloud Web Services

SAP Business Objects Business Intelligence platform Document Version: 4.1 Support Package Data Federation Administration Tool Guide

SQL Injection Optimization and Obfuscation Techniques

Database Security. Principle of Least Privilege. DBMS Security. IT420: Database Management and Organization. Database Security.

Oracle EBS Interface Connector User Guide V1.4

Lecture 25: Database Notes

In This Lecture. Security and Integrity. Database Security. DBMS Security Support. Privileges in SQL. Permissions and Privilege.

SQL Injection in web applications

DBMS Project. COP Spring Final Submission Report

White Paper. Blindfolded SQL Injection

Web Application Security Part 1

A basic create statement for a simple student table would look like the following.

SQL INJECTION ATTACKS

Chapter 22 Database: SQL, MySQL,

Databases and SQL. The Bioinformatics Lab SS Wiki topic 10. Tikira Temu. 04. June 2013

Database Extension 1.5 ez Publish Extension Manual

SQL 2: GETTING INFORMATION INTO A DATABASE. MIS2502 Data Analytics

Application note: Connecting the to a Database

Knocker main application User manual

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Oracle Database 11g SQL

IP Application Security Manager and. VMware vcloud Air

IT360: Applied Database Systems. Database Security. Kroenke: Ch 9, pg PHP and MySQL: Ch 9, pg

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Using the SQL Procedure

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

How? $ & developers defeat the most famous web vulnerability scanners or how to recognize old friends

OWASP OWASP. The OWASP Foundation Selected vulnerabilities in web management consoles of network devices

In this session, we use the table ZZTELE with approx. 115,000 records for the examples. The primary key is defined on the columns NAME,VORNAME,STR

B.1 Database Design and Definition

SQL Injection Attack Lab Using Collabtive

How do I share a file with a friend or trusted associate?

Role Based Access Control. Using PHP Sessions

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Lab # 5. Retreiving Data from Multiple Tables. Eng. Alaa O Shama

Outline. SAS-seminar Proc SQL, the pass-through facility. What is SQL? What is a database? What is Proc SQL? What is SQL and what is a database

Managing User Accounts

Relational Databases. Christopher Simpkins

SQL Injection. Blossom Hands-on exercises for computer forensics and security

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

EECS 647: Introduction to Database Systems

Transcription:

SQL Injection CSCI 4971 Secure Software Principles Rensselaer Polytechnic Institute Spring 2010

A Beginner s Example A hypothetical web application $result = mysql_query(<<<eot SELECT * FROM users WHERE username = {$_POST[ user } AND password = {$_POST[ pass ]} ; EOT ); if (mysql_num_rows($result) > 0) { $row = mysql_fetch_assoc($result); $_SESSION[ logged_in_as ] = $row[ username ]; }

A Beginner s Example ID Username Password 0 alice d8j2zzjn 1 bob M*ttw2xK 2 eve PsJ2m@ff 3 mallory tw!zubp8

A Beginner s Example User enters username bob and password M*ttw2xK : Query SELECT * FROM users WHERE username = bob AND password = M*ttw2xK ;

A Beginner s Example ID Username Password 0 alice d8j2zzjn 1 bob M*ttw2xK 2 eve PsJ2m@ff 3 mallory tw!zubp8 The query returns 1 row, so the user becomes logged in as bob.

A Beginner s Example Attacker enters username foo OR x = x and password bar : Query SELECT * FROM users WHERE username = foo OR x = x AND password = bar ;

A Beginner s Example ID Username Password 0 alice d8j2zzjn 1 bob M*ttw2xK 2 eve PsJ2m@ff 3 mallory tw!zubp8 Every row matches the query, since x = x is a tautology. So, the attacker becomes logged in as alice.

A Beginner s Example A common mitigation attempt is to run a function like PHP s mysql real escape string on the variables before interpolating them in the query. However, this is not sufficient, since you can have injection where an integer is expected. Consider when foo is 0 OR 1 = 1 : A query without strings SELECT * FROM products WHERE price < $ foo;

Exploiting an Injection in MySQL Let s say you have a form which you believe to have SQL injection, but you don t know the underlying query. How do you exploit it? To start, try something simple like foo OR x = x. In many cases, this should preserve the validity of the query. If it doesn t, we can infer something from the underlying query. For instance, it might not be a string injection, or where you are injecting might be within a function, i.e., LENGTH("$foo").

Exploiting an Injection in MySQL Let s say you have a form which you believe to have SQL injection, but you don t know the underlying query. How do you exploit it? To start, try something simple like foo OR x = x. In many cases, this should preserve the validity of the query. If it doesn t, we can infer something from the underlying query. For instance, it might not be a string injection (i.e., price > $foo ), or where you are injecting might be within a function (i.e., LENGTH("$foo") ).

Exploiting an Injection in MySQL Once you ve worked out where in the query you have injection, you need to start examining the database. First, let s figure out how many columns are being selected. Here s a try: foo ORDER BY 1-- This orders the query result by the first column in the query. If this query does not error, there must be at least 1 column being selected. We find out how many columns there are by incrementing the ordinal until the query fails. Let s say the largest ordinal that succeeds is foo ORDER BY 4--.

Exploiting an Injection in MySQL Now that we have the number of columns, we want to figure out what they are. We can do this with a UNION clause: foo UNION SELECT a, b, c, d, e, f, g FROM mysql.user-- This fetches a row populated with the values a through g. First, we use distinct values for the fields so that we can see where they show up in the output. Second, if an error occurs, we know we probably were selecting the wrong data type into a field (for instance, selecting a string into an integer field).

Exploring the Database Most relational database management systems use a meta-database to describe all of the databases maintained by the system. For instance, this database contains a table of tables, and a table of user privileges. By convention, this database is named INFORMATION SCHEMA. In SQLite, there is a single metatable named SQLITE MASTER.

Exploring the Database Retrieve a list of databases SELECT schema_name FROM information_schema.schemata; Retrieve a list of tables in database foo SELECT table_name FROM information_schema.tables WHERE table_schema = "foo"; Retrieve a list of columns in table foo.bar SELECT column_name, column_type FROM information_schema.columns WHERE table_schema = "foo" AND table_name = "bar" ORDER BY ordinal_position ASC;

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information