SQL Injection

A basic presentation about SQL injection and how it works

Bhaskar Machcha

October 12, 2012

Transcript

  1. What is SQL?
     - SQL stands for Structured Query Language.
     - It allows us to access the database.
     - SQL can:
       - Execute queries against a database.
       - Retrieve data from a database.
       - Insert new records into a database.
       - Delete records from a database.
  2. What is SQL Injection?
     - The ability to inject SQL commands into the database engine through an existing application.
  3. How common is it?
     - It is probably the most common website vulnerability today!
     - It is a flaw in web application development; it is not a DB or web server problem.
     - In our pen tests, over 60% of our clients turn out to be vulnerable to SQL injection.
  4. Vulnerable Applications
     - Almost all databases are vulnerable:
       - MS SQL Server
       - Oracle
       - MySQL
       - Postgres
       - DB2
       - MS Access
       - Sybase, etc.
  5. How does it work?
     - Common vulnerable login query:
         SELECT * FROM users WHERE login = 'victor' AND password = '123'
       (If it returns something, then log in!)
     - ASP/MS SQL Server login syntax:
         var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";
  6. Injecting through Strings
     - formusr = ' or 1=1 --
     - formpwd = anything
     - Final query would look like this:
         SELECT * FROM users WHERE login = '' or 1=1 -- AND password = 'anything'
  7. The Power of '
     - It closes the string parameter.
     - Everything after it is considered part of the SQL command.
     - Misleading Internet suggestions include:
       - Escape it! Replace ' with ''
     - String fields are very common, but there are other types of fields:
       - Numeric
       - Dates
  8. If it were numeric?
     - Numeric login query:
         SELECT * FROM clients WHERE account = 12345678 AND pin = 1111
     - PHP/MySQL login syntax:
         $sql = "SELECT * FROM clients WHERE " . "account = $formacct AND " . "pin = $formpin";
  9. Injecting a Numeric Field
     - $formacct = 1 or 1=1 #
     - $formpin = 1111
     - Final query would look like this:
         SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111
  10. SQL Injection Characters
      - ' or "                     string indicators
      - -- or #                    single-line comment
      - /* ... */                  multi-line comment
      - +                          addition, concatenate (or space in a URL)
      - || (double pipe)           concatenate
      - %                          wildcard attribute indicator
      - ?Param1=foo&Param2=bar     URL parameters
      - PRINT                      useful as a non-transactional command
      - @variable                  local variable
      - @@variable                 global variable
      - waitfor delay '0:0:10'     time delay
  11. Inserting Data into the DB
      - By using the following code you can insert data into the website's database:
          B'; insert into <tablename> values (<col1, col2, ...>); --
      - Example:
          B'; insert into signup values (55, 'Abc', 'xxx', 'yyy'); --
  12. Updating the Data
      - By using the following code we can update the passwords of all the users.
      - Syntax:
          X'; update <tablename> set pass='<yourvalues>'; --
      - Example:
          X'; update signup set pass='nnn'; --
  13. Dropping the Tables
      - You can also drop the tables of the victim's web application.
      - Syntax:
          X'; drop table <tablename>; --
      - Example:
          X'; drop table signup; --
  14. Impact of SQL Injections
      - Leakage of sensitive information.
      - Reputation decline.
      - Modification of sensitive information.
  15. SQL Injection Attacks are a Serious Threat
      - OWASP Vulnerabilities (2004)
      - OWASP Vulnerabilities (2006)
      - CardSystems security breach (2006): 263,000 customer credit card numbers stolen, 40 million more exposed
  16. Preventing SQL Injection
      - Use a parameterized SELECT:
          sql = "select * from Users where user = @user and pwd = @pwd";
          SqlCommand cmd = new SqlCommand(sql, con);
          // AddWithValue replaces the obsolete Add(string, object) overload
          cmd.Parameters.AddWithValue("@user", User.Text);
          cmd.Parameters.AddWithValue("@pwd", Password.Text);
      - Use stored procedures.
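Slides 5, 6, 8, 9 and 16 make one point between them: a query built by string concatenation lets the input rewrite the statement, while a bound parameter is only ever compared as a value. The script below is an added example, not code from the deck; it runs the deck's string and numeric login queries in both forms against an in-memory SQLite database with constructed sample rows (SQLite's line comment is --, so it is used in place of MySQL's # from slide 9).

```python
import sqlite3

# Constructed sample data standing in for the deck's "users" and "clients" tables.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('victor', '123')")
    con.execute("CREATE TABLE clients (account INTEGER, pin INTEGER)")
    con.execute("INSERT INTO clients VALUES (12345678, 1111)")
    return con

def login_concat(con, formusr, formpwd):
    # Vulnerable: the deck's ASP construction, string-built from form input.
    # Input such as  ' or 1=1 --  closes the quote and comments out the rest.
    sql = ("SELECT * FROM users WHERE login = '" + formusr
           + "' AND password = '" + formpwd + "'")
    return con.execute(sql).fetchall()

def login_param(con, formusr, formpwd):
    # Hardened: placeholders bind the input as a value; a quote inside it is
    # just a character in the compared string, never SQL syntax.
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return con.execute(sql, (formusr, formpwd)).fetchall()

def account_concat(con, formacct, formpin):
    # Vulnerable: the deck's PHP numeric query. There is no quote to close,
    # so  1 or 1=1 --  is accepted verbatim as part of the WHERE clause.
    sql = f"SELECT * FROM clients WHERE account = {formacct} AND pin = {formpin}"
    return con.execute(sql).fetchall()

def account_param(con, formacct, formpin):
    # Hardened: enforce the numeric type before binding, so anything that is
    # not an integer is rejected without ever reaching the database.
    try:
        acct, pin = int(formacct), int(formpin)
    except ValueError:
        return []
    sql = "SELECT * FROM clients WHERE account = ? AND pin = ?"
    return con.execute(sql, (acct, pin)).fetchall()

if __name__ == "__main__":
    con = make_db()
    for fn in (login_concat, login_param):
        print(fn.__name__, fn(con, "' or 1=1 --", "anything"))
    for fn in (account_concat, account_param):
        print(fn.__name__, fn(con, "1 or 1=1 --", "1111"))
```

Run as-is, the concatenated versions return the stored row for the injected input while the parameterized versions return nothing; only the legitimate credentials match in the hardened functions.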
  17. Continued
      - Restrict function access from PUBLIC to PRIVATE.
      - Don't display error messages that tell everything about the database.
      - Store passwords as hashes.
      - Database-specific user privileges.
  18. Conclusion
      - SQL injection continues to evolve with new technologies.
      - Dangerous effects:
        - Access to critical information
        - Updating data not meant to be updated
        - Exploiting the DBMS to directly affect the server and its resources
      - Prevention of SQL injection:
        - Input validation and query building
        - Permissions and access rights
        - Variable placeholders (prepare) and stored procedures