Scribd
Upload
67 views31 pages

SQL Inections Issa

This document provides an introduction to SQL injections, including what they are, common attack vectors, techniques for bypassing filters, and demonstrations. It discusses the basics of SQL (select, insert, update, delete, union) and how injections work by exploiting vulnerabilities in application database layers. The document outlines countermeasures like input validation, parameterized queries, access control, and application firewalls to help prevent SQL injection attacks.

Uploaded by

Waheed Gul
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
67 views31 pages

SQL Inections Issa

This document provides an introduction to SQL injections, including what they are, common attack vectors, techniques for bypassing filters, and demonstrations. It discusses the basics of SQL (select, insert, update, delete, union) and how injections work by exploiting vulnerabilities in application database layers. The document outlines countermeasures like input validation, parameterized queries, access control, and application firewalls to help prevent SQL injection attacks.

Uploaded by

Waheed Gul
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 31

SQL – Injections Intro.

12/08/21

Greg Bugaj, SCJP

ISSA
DC 405
Agenda

• Disclaimer
• What are SLQ Injection
• Into to SQL
• Attack Vectors
• Bypassing filters
• Demos
• Countermeasures
• Questions

2
Disclaimer

• All code shown today is for educational and research


purposes only
• In many countries it is illegal to use this type of attack
• Demonstrated Website owners have been notified of
the problem

3
SQL Injections

• SQL injection
– code injection technique that exploits a security
vulnerability in application
– occurs at the database layer of an application.

• SQL - Structured Query Language


– Used to communicate with the database
– ANSI-compliant SQL

4
SQL Injections

• Authentication Bypass
• Information Disclosure
• Compromised Data Integrity
• Compromised Availability of Data
• Remote Command Execution

5
Basic SQL

Select
Insert
Update
Delete
Union

• SQL statement breakdown

6
SQL - Select

1. Select Information from a table

SELECT * FROM table where field=1

7
SQL - Insert

1. Add new records to database

INSERT INTO tablename (id, name) values(10, “Greg”)

8
SQL - Update

1. Updating existing records

UPDATE table set fieldA=123 WHERE somefield=2323

UPDATE table set fieldB=‘Greg’

9
SQL - Delete

1. Delete records

DELETE FROM tableA where somefield=1221

DELETE FROM tableA

10
SQL - Union

1. Combine two or more SELECT statements.

SELECT column_name(s) FROM table_name1


UNION
SELECT column_name(s) FROM table_name2

11
Terminators

• ; Semi colon ends current SQL query and starts a new one
– SELECT * FROM users ; DROP TABLE users
• Stacked Query
• -- Double dash ignores remaining query string
– Select * FROM users -- limit 10
• Can be used in conjunction
– SELECT * FROM users WHERE id=''; DROP TABLE users; -- '
AND password=''

12
Where Clause Pruning

• Powerful SQL technique


– SQL trick for allowing a query to return either a full
set or a specified subset
– 1=1 == TRUE

• SELECT * FROM users


WHERE (id = :id) OR (-1 = :id))

13
SQL Injection Cause

• Executed via front end of the Web Application


– GET URL parameter
• http://host.com/item.php?cat=1&id=11
– Form POST fields
• <form action=“some.php” method=“post”>
<input name='name'/>
<input type='password' name='passwd'/>
</form>

14
Techniques

• Normal SQL Injections


– Errors & Exception
– Unexpected output
• O'Reilly != O\'Reilly

• Blind SQL Injections


– No errors
– A lot of guesswork
– Introduction of a delay as part of a malicious SQL statement

15
SQL Injection Types

• Passive
– Exposing database information
• Information retrieval

• Active
– Altering database information
• Insertion
• Deletion

16
Testing for Vulnerability

• Manual
– Time consuming

• Automated
– SQL injection scanners only scan for known
vulnerabilities

• Google
– Incorrect syntax near

17
Toolbox

• SQLIer
• SQLbftools
• SQLibf
• SQLBrute
• BobCat
• SQLMap
• Absinthe
• SQL Injection Pen-testing Tool
• SQID
• SQLNinja
• FJ-Injector Framwork
• Automagic SQL Injector
• NGSS SQL Injector

18
Identifying Vulnerable Site

Given unexpected input site behaves oddly


– ‘ Single Quote
– “ Double Quote
– ‘1 Single Quote one
– ‘a Single Quote a
– ‘; Single Quote semicolon

• Input > Satan’s little minion


– Nothing found for Satan\’s little minion
– You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right
syntax to use near '\'
19
Identifying Vulnerable Site

• ' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

20
Bypassing Filters

• Escaping entities
– %26%23039 == &#039 == ‘ (single quote)
• %26 == &
• %23 == #
• 039 Entity number
– Select * FROM users WHERE username=‘secret%26%23039 OR %26%23039X
%26%23039=%26%23039X
– Evaluated as > Select * FROM users WHERE username=‘secret ‘ OR ‘X’ = ‘X’
• This evaluates to always true
• Char function
– Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115)
– Select * from users

• Concat & Hex functions


– CONCAT('0x', HEX('/var/log/messages'))
– 0x2F7661722F6C6F672F6D65737361676573

21
Bypassing Filters

• Injecting AND 1=(SELECT


LOAD_FILE('var/log/messages') )

– MySQL Error '\'var/log/messages\') ) limit 5 = 1


order by average desc limit 10' at line 1)

22
Bypassing Filters

• 1=(SELECT LOAD_FILE('var/log/messages') )
– MySQL Error: 1064 (You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average
desc limit 10' at line 1)

• Char

• Hex
– 1=(SELECT
LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573)

23
Bypassing Blacklists

• What are Blacklists


• Blacklist (DELETE, EXEC)
– DEL/**/ETE
– /**/ D/**EVIL**/ELE/**/TE

24
Escape Characters

• %26%23039 OR %26%23039X%26%23039=
%26%23039X
– ‘ OR ‘X’ = ‘X’

25
Demos

• Prerecorded demos

26
Countermeasures

• System Administrators
– White List / Blacklist Input Validation
– Least Privileges
– Application firewalls

• Developer
– Stored Procedures
– Parameterized queries
– Exception handling

27
Whitelist Input validation

• UrlScan v3.0
– restricts the types of HTTP requests that IIS will process
[SQL Injection Headers]
AppliesTo=.asp,.aspx

[SQL Injection Headers Strings]


--
@ ; also catches @@
alter
delete
drop
exec
insert

• SNORT
– Create rule to check for SQL attack
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"SQL Injection "; flow:to_server,established;
uricontent:".php | .aspx | .asp";
pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i";
classtype:Web-application-attack; sid :9099; rev:5;)

28
Least Privileges

• Enforce least privileges


– CREATE / DELETE
– Does not guarantee security

• Access to portion of data


– Create views

29
Application Firewalls

• Software
– Easy to install and maintain

• Hardware
– Expensive
– Plug and Play

• Examples:
– dotDefender
– webApp.SECURE
– SonicWALL
– WatchGuard

30
References

• http://www.owasp.org/index.php/OWASP_Testing_Guide_App
endix_C:_Fuzz_Vectors#Passive_SQL_Injection_.28SQP.29
• http://upload.wikimedia.org/wikipedia/en/a/aa/SQL_ANATOM
Y_wiki.svg
• http://www.cisco.com/web/about/security/intelligence/sql_injec
tion.html

31

You might also like