09-15-16 GreyHat SQL Injection
09-15-16
SIDDARTH SENTHILKUMAR
CLUB NEWS
Simple
Error based
Blind
NETWORK SECURITY BASICS
Web Browser
HTML/CSS
JavaScript
JSON
Web Server
Python
PHP
ASP
Perl
Ruby
Database
SQL
NoSQL
SQL IS A QUERY LANGUAGE
You don’t “program” in SQL – not intended to be able to write for loops, complex if/else
structures, etc.
Databases are organized as tables.
[Figure: a table named ADDRESS, with labels pointing out the column name, a row of data (a tuple), and the table name.]
SQL 101
<Mickey>
Important part:
cursor.execute("select * from user where username='" + name + "' and password = '" + password + "';")
The input NAME and PASSWORD are not sanitized at all! They interact DIRECTLY with
HOW CAN WE ATTACK THIS INPUT
cursor.execute("select * from user where username='" + name + "' and password = '" + password + "';")
Can we input text into the username field to execute arbitrary SQL code?
Let’s say we want this statement to be run:
select * from user where username='' OR TRUE; --
https://2013.picoctf.com/problems/injection/index.php
ERROR BASED SQL INJECTION
Maybe a normal query to the database for a website looks like this:
What happens if we do this?
X = 1 is not valid SQL syntax iff there is no column in the database called X
So the server may throw an error message like this:
This is terrible! The server is leaking internal database information to the user via an error, making this the perfect
target for error based SQL injection.
Write more complicated SQL statements that leak details such as table names, column names, and even data types
OK, THE WEB APP DEVELOPER GOT A BIT SMARTER
Form queries resulting in Boolean values, and interpreting the output HTML pages
Happens when the web app is configured to show generic error messages but the SQLi-vulnerable code itself is still not fixed.
When the database's output is never shown to the user, the attacker steals the data by asking the database true/false questions about it.
Blackhat guy - “Blind attacks are essentially playing 20 questions with web server”
Sped up with automation tools.
Burpsuite
SQLmap
http://web2014.picoctf.com/injection4/
OTHER ATTACKS
Oracle
MySpace
LinkedIn
JP Morgan
Ashley Madison
Sony
Any time you read in the news “x million usernames and passwords stolen from ____”, it
was probably SQLi
DISCLAIMER
Companies don’t tend to like when you purposefully attack their websites. (selfish, right?)
Using automated tools is “noisy” – easily detectable.
Don’t test these things on websites unless you explicitly have permission from the site
owner to do so.
If you want to practice:
CTF problems
http://www.codebashing.com/sql_demo
Google “SQL Injection practice” – demo vulnerable web servers available for download
OverTheWire
MITIGATION
xkcd
Did I really give a presentation on SQLi if I didn't show you this comic?
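As an added example (not from the slides), the concatenated query from the SQL 101 slide beside a parameterized version, run against a constructed in-memory SQLite table using the `' OR TRUE --` input from the attack slide; the trailing `;` is dropped because Python's sqlite3 refuses a second statement, and the table rows are made up.

```python
import sqlite3

# Constructed sample data: an in-memory copy of the "user" table from
# the slides. Real apps store password hashes; plaintext keeps the demo short.
SAMPLE_USERS = [("mickey", "hunter2"), ("minnie", "cheese42")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.executemany("insert into user values (?, ?)", SAMPLE_USERS)
    return conn

def login_concat(conn, name, password):
    """The vulnerable pattern from the slides: user input is pasted straight
    into the SQL text, so a quote in the input ends the string literal and
    everything after it is parsed as SQL."""
    sql = ("select * from user where username='" + name +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, name, password):
    """Parameterized query: the values travel separately from the statement,
    so the input is only ever compared as data, never parsed as SQL."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (name, password)).fetchall()

# The attack-slide input, minus the ';'. The '--' comment already swallows
# the password check, so "OR TRUE" matches every row in the concatenated form.
PAYLOAD = "' OR TRUE --"

def demo():
    conn = make_db()
    return {
        "legit_concat": login_concat(conn, "mickey", "hunter2"),
        "legit_param": login_param(conn, "mickey", "hunter2"),
        "attack_concat": login_concat(conn, PAYLOAD, "anything"),  # all rows
        "attack_param": login_param(conn, PAYLOAD, "anything"),    # no rows
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, "->", rows)
```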