SQL INJECTION

09-15-16
SIDDARTH SENTHILKUMAR
CLUB NEWS

 CSAW CTF: THIS WEEKEND!!

 6PM Friday – if you want to be awesome, you’ll stop by
 10AM Saturday
 Tacos, Food, Fun, Hacking, Coolness, etc.
 If you join our team, YOU could get excused from your classwork to compete in the finals!!

 Next week Cisco

 Car hacking
 Email list issues, our bad
 Join #thedeepestweb on freenode IRC to chill with past GreyHat alumni and talk to really
cool people
OTHER COOL NEWS

 Google says bye to HTTP

 No Patch from Oracle yet!
3 TYPES OF SQL INJECTION

Simple
Error based
Blind
NETWORK SECURITY BASICS

OWASP – Open Web Application Security Project

Everyone uses the internet
But how does it “work”?
WEB SERVER ARCHITECTURE
LANGUAGES

 Web Browser
 HTML/CSS
 JavaScript
 JSON

 Web Server
 Python
 PHP
 ASP
 Perl
 Ruby

 Database
 SQL
 NoSQL
SQL IS A QUERY LANGUAGE

 You don’t “program” in SQL – not intended to be able to write for loops, complex if/else
structures, etc.
 Databases are organized as tables. Column
name

Row of
data - a
tuple

Table
Name

ADDRESS
SQL 101

 Structured Query Language

 Standard programming language for interacting with databases
 Example Commands:
 SELECT – retrieve data
 DROP – delete table
 INSERT – add row to table
 UPDATE – modify row in a table
 DELETE – remove row from table
 -- Comments are written with a dash dash space in front
SAMPLE SQL STATEMENTS

>SELECT FIRST_NAME FROM

ADDRESS WHERE
LAST_NAME=‘Mouse’;

<Mickey>

>SELECT * FROM ADDRESS

WHERE AGE>60;

<Mickey, Mouse, 123 Fantasy

Way, Anaheim, 73>
<Donald, Duck, 555 Quack
Street, Mallard, 65>
<Wiley, Coyote, 999 Acme Way, >SELECT * FROM ADDRESS WHERE TRUE;
Canyon, 61>
HOW USERS INTERACT WITH THE DATABASE
SQL INJECTION

 Inject SQL commands with unsanitized user data

 Steal, modify, destroy data
 What does unsanitized mean?
 Sanitization – cleaning
 Clean input by removing all special characters; disallow certain characters, etc.
 Very dangerous to directly process user input without sanitizing it first.
 LET’S TAKE ANOTHER LOOK AT THAT SCRIPT

Important part:
cursor.execute(“select * from user where username=‘” + name + “’ and password = ‘”
+ password + “’;”)

The input NAME and PASSWORD are not sanitized at all! They interact DIRECTLY with
HOW CAN WE ATTACK THIS INPUT
 cursor.execute(“select * from user where username=‘” + name + “’ and password = ‘” +
password + “’;”)
 Can we input text into the username field to execute arbitrary SQL code?
 Let’s say we want this statement to be run:
 select * from user where username=‘’ OR TRUE; --

 What do we input into the username?

select * from user where username=‘’ OR TRUE; -- ‘ AND
 ‘ OR TRUE; --
password = ‘????’;
 The result?
 cursor.execute(“select * from user where username=‘’ OR TRUE; -- ’ and password=‘???’;
 This gives us all the tuples in that table!
QUICK EASY EXAMPLE

https://2013.picoctf.com/problems/injection/i
ndex.php
 ERROR BASED SQL INJECTION
 Maybe a normal query to the database for a website looks like this:
 What happens if we do this?
 X = 1 is not valid SQL syntax iff there is no column in the database called X
 So the server may throw an error message like this:

 This is terrible! The server is leaking internal database information to the user via an error, making this the perfect
target for error based SQL injection.
 Write more complicated SQL statements that leak details such as table names, column names, and even data types
OK, THE WEB APP DEVELOPER GOT A BIT SMARTER

 He fixes the problem by creating a default error page –

perhaps just a blank page. Whenever the site experiences
an internal error due to a request, it serves up the default
error page.
 Is it secure now?
BLIND SQL INJECTION

 Form queries resulting in Boolean values, and interpreting the output HTML pages
 Happens when web app configured to show generic error messages but still not mitigated
SQLi vulnerable code.
 When database doesn’t output the data from the database, attacker steals data by asking
database true/false questions about it.
 Blackhat guy - “Blind attacks are essentially playing 20 questions with web server”
 Sped up with automation tools.
 Burpsuite
 SQLmap

 8 letter username takes ~56 requests

CHEAT SHEETS
BLIND SQL INJECTION DEMO

http://web2014.picoctf.com/injection4/
OTHER ATTACKS

 Time based SQL Injection attacks

 Instead of figuring HTML output, inject:
waitfor delay '00:00:10'--
 Encoding based
 More
SQL INJECTION IS A VERY COMMON ATTACK

 Oracle
 MySpace
 LinkedIn
 JP Morgan
 Ashley Madison
 Sony
 Any time you read in the news “x million usernames and passwords stolen from ____”, it
was probably SQLi
DISCLAIMER

 Companies don’t tend to like when you purposefully attack their websites. (selfish, right?)
 Using automated tools is “noisy” – easily detectable.
 Don’t test these things on websites unless you explicitly have permission from the site
owner to do so.
 If you want to practice:
 CTF problems
 http://www.codebashing.com/sql_demo
 Google “SQL Injection practice” – demo vulnerable web servers available for download
 OverTheWire
MITIGATION

 Always sanitize your inputs!

 Never trust the user!
 Don’t leak implementation to user!
QUESTIONS?

xkcd
Did I really give a presentation on SQLi if I didn’t show you this
comic?