0% found this document useful (0 votes)
79 views25 pages

09-15-16 GreyHat SQL Injection

This document provides an overview of SQL injection attacks, including different types (simple, error-based, blind), how they work by injecting SQL commands through unsanitized user input, and ways to mitigate against them such as input sanitization. It discusses the basics of SQL and databases, gives examples of vulnerable code and how attackers can exploit it, and provides resources for learning and practicing SQL injection techniques in a safe environment.

Uploaded by

sabry1605
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
79 views25 pages

09-15-16 GreyHat SQL Injection

This document provides an overview of SQL injection attacks, including different types (simple, error-based, blind), how they work by injecting SQL commands through unsanitized user input, and ways to mitigate against them such as input sanitization. It discusses the basics of SQL and databases, gives examples of vulnerable code and how attackers can exploit it, and provides resources for learning and practicing SQL injection techniques in a safe environment.

Uploaded by

sabry1605
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 25

SQL INJECTION

09-15-16
SIDDARTH SENTHILKUMAR
CLUB NEWS

 CSAW CTF: THIS WEEKEND!!


 6PM Friday – if you want to be awesome, you’ll stop by
 10AM Saturday
 Tacos, Food, Fun, Hacking, Coolness, etc.
 If you join our team, YOU could get excused from your classwork to compete in the finals!!

 Next week Cisco


 Car hacking
 Email list issues, our bad
 Join #thedeepestweb on freenode IRC to chill with past GreyHat alumni and talk to really
cool people
OTHER COOL NEWS

 Google says bye to HTTP


 No Patch from Oracle yet!
3 TYPES OF SQL INJECTION

Simple
Error based
Blind
NETWORK SECURITY BASICS

OWASP – Open Web Application Security Project


Everyone uses the internet
But how does it “work”?
WEB SERVER ARCHITECTURE
LANGUAGES

 Web Browser
 HTML/CSS
 JavaScript
 JSON

 Web Server
 Python
 PHP
 ASP
 Perl
 Ruby

 Database
 SQL
 NoSQL
SQL IS A QUERY LANGUAGE

 You don’t “program” in SQL – not intended to be able to write for loops, complex if/else
structures, etc.
 Databases are organized as tables. Column
name

Row of
data - a
tuple

Table
Name

ADDRESS
SQL 101

 Structured Query Language


 Standard programming language for interacting with databases
 Example Commands:
 SELECT – retrieve data
 DROP – delete table
 INSERT – add row to table
 UPDATE – modify row in a table
 DELETE – remove row from table
 -- Comments are written with a dash dash space in front
SAMPLE SQL STATEMENTS

>SELECT FIRST_NAME FROM


ADDRESS WHERE
LAST_NAME=‘Mouse’;

<Mickey>

>SELECT * FROM ADDRESS


WHERE AGE>60;

<Mickey, Mouse, 123 Fantasy


Way, Anaheim, 73>
<Donald, Duck, 555 Quack
Street, Mallard, 65>
<Wiley, Coyote, 999 Acme Way, >SELECT * FROM ADDRESS WHERE TRUE;
Canyon, 61>
HOW USERS INTERACT WITH THE DATABASE
SQL INJECTION

 Inject SQL commands with unsanitized user data


 Steal, modify, destroy data
 What does unsanitized mean?
 Sanitization – cleaning
 Clean input by removing all special characters; disallow certain characters, etc.
 Very dangerous to directly process user input without sanitizing it first.
LET’S TAKE ANOTHER LOOK AT THAT SCRIPT

Important part:
cursor.execute(“select * from user where username=‘” + name + “’ and password = ‘”
+ password + “’;”)

The input NAME and PASSWORD are not sanitized at all! They interact DIRECTLY with
HOW CAN WE ATTACK THIS INPUT
 cursor.execute(“select * from user where username=‘” + name + “’ and password = ‘” +
password + “’;”)
 Can we input text into the username field to execute arbitrary SQL code?
 Let’s say we want this statement to be run:
 select * from user where username=‘’ OR TRUE; --

 What do we input into the username?


select * from user where username=‘’ OR TRUE; -- ‘ AND
 ‘ OR TRUE; --
password = ‘????’;
 The result?
 cursor.execute(“select * from user where username=‘’ OR TRUE; -- ’ and password=‘???’;
 This gives us all the tuples in that table!
QUICK EASY EXAMPLE

https://2013.picoctf.com/problems/injection/i
ndex.php
ERROR BASED SQL INJECTION
 Maybe a normal query to the database for a website looks like this:
 What happens if we do this?
 X = 1 is not valid SQL syntax iff there is no column in the database called X
 So the server may throw an error message like this:

 This is terrible! The server is leaking internal database information to the user via an error, making this the perfect
target for error based SQL injection.
 Write more complicated SQL statements that leak details such as table names, column names, and even data types
OK, THE WEB APP DEVELOPER GOT A BIT SMARTER

 He fixes the problem by creating a default error page –


perhaps just a blank page. Whenever the site experiences
an internal error due to a request, it serves up the default
error page.
 Is it secure now?
BLIND SQL INJECTION

 Form queries resulting in Boolean values, and interpreting the output HTML pages
 Happens when web app configured to show generic error messages but still not mitigated
SQLi vulnerable code.
 When database doesn’t output the data from the database, attacker steals data by asking
database true/false questions about it.
 Blackhat guy - “Blind attacks are essentially playing 20 questions with web server”
 Sped up with automation tools.
 Burpsuite
 SQLmap

 8 letter username takes ~56 requests


CHEAT SHEETS
BLIND SQL INJECTION DEMO

http://web2014.picoctf.com/injection4/
OTHER ATTACKS

 Time based SQL Injection attacks


 Instead of figuring HTML output, inject:
waitfor delay '00:00:10'--
 Encoding based
 More
SQL INJECTION IS A VERY COMMON ATTACK

 Oracle
 MySpace
 LinkedIn
 JP Morgan
 Ashley Madison
 Sony
 Any time you read in the news “x million usernames and passwords stolen from ____”, it
was probably SQLi
DISCLAIMER

 Companies don’t tend to like when you purposefully attack their websites. (selfish, right?)
 Using automated tools is “noisy” – easily detectable.
 Don’t test these things on websites unless you explicitly have permission from the site
owner to do so.
 If you want to practice:
 CTF problems
 http://www.codebashing.com/sql_demo
 Google “SQL Injection practice” – demo vulnerable web servers available for download
 OverTheWire
MITIGATION

 Always sanitize your inputs!


 Never trust the user!
 Don’t leak implementation to user!
QUESTIONS?

xkcd
Did I really give a presentation on SQLi if I didn’t show you this
comic?

You might also like