How to Hack Your App Using SQL Injection

Chris
December 01, 2018

An overview of what SQL injection is, how to prevent it using bind variables, and further security measures to protect your data

Transcript

  1. Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

     How to Hack Your App Using SQL Injection
     Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily
     blogs.oracle.com/sql  www.youtube.com/c/TheMagicOfSQL  @ChrisRSaxon

  2. It's 2018! ...do we really need to talk about this?

  3. https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/

  4. https://www.bbc.com/news/technology-46401890

  5. http://www.newindianexpress.com/cities/hyderabad/2018/may/09/french-researchers-highlight-security-flaws-in-indian-railways-portals-1812279.html

  6. http://www.newindianexpress.com/states/telangana/2018/feb/27/hacker-exposes-major-security-flaw-in-telangana-governments-nrega-website-1779451.html

  7. SQL Vulnerabilities: WordPress
     Jan 2017  https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
     Jul 2017  https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/
     Oct 2017  https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/

  8. codecurmudgeon.com/wp/sql-injection-hall-of-shame/

  9. https://haveibeenpwned.com/

  10. Safe Harbor Statement
      The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

  11. DEMO

  12. (image only; credit: Pixabay)

  13. (image only; credit: Pixabay)

  14. (image only; credit: Pixabay)

  15. Principle of Least Privilege

  16. Least Privilege (image: Pixabay)

  17. Least Privilege (image: Pixabay)

  18. Least Privilege (image: Pixabay)

  19. Data Red*****n

  20. Data Red*****n
      Can still

  21. String sql = "select * from users where username = '" + name + "' and password = '" + pass + "'";

  22. select full_name from users where username = 'chris' and password = 'chris';

  23. select full_name from users where username = '' or 1 = '1' -- and password = 'chris';

  24. select full_name from users where username = '' or 1 = '1' -- and password = 'chris';
      Always true!

  25. select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'--;

  26. select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'--;
      Everything you can select

  27. String sql = "select * from users where username = ? and password = ?";

  28. String sql = "select * from users where username = ? and password = ?";
      Value placeholder

  29. String sql = "select * from users where username = ? and password = ?";
      Value placeholder => inputs never part of SQL

  30. begin
        select * into user_rec from sqlinjection.users u where u.username = l_name and u.password = l_pass;
      end;
      These are bind variables
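The two login patterns from slides 21 and 27, run side by side so the difference is visible: this is an added example, not code from Chris Saxon's deck, re-created with Python's sqlite3 module instead of Java/JDBC against Oracle. The users table, its rows and the extra "secrets" table are constructed for the demo. The injected inputs are the deck's own, adapted to SQLite: SQLite does not treat 1 = '1' as true and has sqlite_master rather than all_tables, so the always-true clause is written as 1 = 1.

```python
# Added example (not from the deck): slide 21's string concatenation next to
# slide 27's placeholder query, using Python's sqlite3 module.
import sqlite3

# Constructed sample rows standing in for the deck's users table (the deck's
# schema stores plaintext passwords; hashing them is a separate topic).
SAMPLE_USERS = [
    ("chris", "chris", "Chris Saxon"),
    ("alice", "s3cret", "Alice Example"),
]

# The deck's injected inputs, adapted to SQLite's catalog and comparison rules.
ALWAYS_TRUE_NAME = "' or 1 = 1 --"
UNION_PASSWORD = "' union all select name from sqlite_master where 1 = 1 --"


def make_db():
    """In-memory database with a users table like the one on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text, full_name text)")
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_USERS)
    # A second table, so the union injection has something else to list.
    conn.execute("create table secrets (name text)")
    conn.commit()
    return conn


def login_concatenated(conn, name, pwd):
    """Slide 21 pattern: user input becomes part of the SQL text."""
    sql = ("select full_name from users where username = '" + name
           + "' and password = '" + pwd + "'")
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, pwd):
    """Slide 27 pattern: '?' placeholders; the driver sends the values
    separately, so the inputs are never parsed as SQL."""
    sql = "select full_name from users where username = ? and password = ?"
    return [row[0] for row in conn.execute(sql, (name, pwd))]


def run_demo():
    """Both logins against a valid credential and the two injected inputs."""
    conn = make_db()
    return {
        "valid/concat": login_concatenated(conn, "chris", "chris"),
        "valid/bound": login_bound(conn, "chris", "chris"),
        "always-true/concat": login_concatenated(conn, ALWAYS_TRUE_NAME, "x"),
        "always-true/bound": login_bound(conn, ALWAYS_TRUE_NAME, "x"),
        "union/concat": login_concatenated(conn, "chris", UNION_PASSWORD),
        "union/bound": login_bound(conn, "chris", UNION_PASSWORD),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:20} -> {rows}")
```

The concatenated version logs in every user for the always-true name and lists the catalog for the union password; the bound version returns no rows for either, because the whole injected string is compared as a username or password value.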
  31. Least Privilege: execute plsql f(x) (image: Pixabay)

  32. I write dynamic SQL

  33. Sanitize input! (image: Pixabay)

  34. Sanitize input! DBMS_assert (image: Pixabay)

  35. Change User Passwords
      execute immediate 'alter user ' || dbms_assert.schema_name ( p_user ) || ' identified by "' || replace( dbms_assert.enquote_literal ( p_pass ), '''' ) || '"';
      Can't have single quotes (') in password!
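Slide 35 makes the point that an identifier (the user name in alter user) cannot be a bind variable, so it has to be checked before it is spliced into dynamic SQL, while every value is still bound. The following is an added example, not the deck's code, re-creating that pattern with Python's sqlite3 module: assert_simple_name, assert_table_exists and enquote_name are analogues of what the deck uses dbms_assert for (simple_sql_name, schema_name, enquote_name), not the Oracle package itself, and the orders table is constructed for the demo.

```python
# Added example (not from the deck): dynamic SQL with a validated identifier
# and a bound value, mirroring slide 35's use of dbms_assert.
import re
import sqlite3

# Conservative identifier shape: a letter followed by up to 29 letters, digits
# or underscores. Quotes, spaces, semicolons and comment markers never match.
SIMPLE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,29}")


def assert_simple_name(name):
    """Analogue of dbms_assert.simple_sql_name: the name must be a plain identifier."""
    if not SIMPLE_NAME.fullmatch(name):
        raise ValueError(f"invalid SQL name: {name!r}")
    return name


def assert_table_exists(conn, name):
    """Analogue of dbms_assert.schema_name's existence check: the table must be
    in the catalog. The lookup itself uses a bind variable."""
    row = conn.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    if row is None:
        raise ValueError(f"unknown table: {name!r}")
    return name


def enquote_name(name):
    """Analogue of dbms_assert.enquote_name: wrap in double quotes, doubling any
    embedded double quote so the identifier cannot end the quoted name early."""
    return '"' + name.replace('"', '""') + '"'


def count_rows_from(conn, table, min_id):
    """Dynamic SQL the deck's way: the identifier is validated and quoted, the
    value travels as a bind variable."""
    table = assert_table_exists(conn, assert_simple_name(table))
    sql = "select count(*) from " + enquote_name(table) + " where id >= ?"
    return conn.execute(sql, (min_id,)).fetchone()[0]


def make_demo_db():
    """In-memory database with a constructed orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table orders (id integer, item text)")
    conn.executemany("insert into orders values (?, ?)",
                     [(1, "cable"), (2, "switch"), (3, "rack")])
    return conn


def try_table(conn, table, min_id):
    """Return the count, or the rejection message, for a requested table name."""
    try:
        return count_rows_from(conn, table, min_id)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_demo_db()
    for requested in ["orders", 'orders"; drop table orders; --', "sqlite_master"]:
        print(f"{requested!r:40} -> {try_table(db, requested, 2)}")
```

A malformed name is rejected by the syntax check, a well-formed name that is not in the catalog is rejected by the existence check, and a non-numeric min_id simply matches nothing because it is compared as a value rather than executed as SQL.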
  36. I develop an internal app

  37. employees can has your dataz? (image: Gratisography)

  38. How secure is your network? (image: Pixabay)

  39. Test in CI/CD Process: Build -> Test (Run sqlmap) -> Deploy

  40. Oracle Audit Vault & Database Firewall
      ' or 1 = '1
      (image: https://pixabay.com/en/cat-animal-pet-kitty-cats-kitten-1143396/)

  41. Real Application Security & Virtual Private Database

      Employee Name    Manager Name   Salary  SSN
      Kevin Mourgos    Steven King    5800    650-123-5234
      Shanta Vollman   Steven King    6500    650-123-4234
      Payam Kaufling   Steven King    7900    650-123-3234
      Adam Fripp       Steven King    8200    650-123-2234
      Matthew Weiss    Steven King    8000    650-123-1234
      Girard Geoni     Matthew Weiss  2800    650-507-9879
      Martha Sullivan  Matthew Weiss  2500    650-507-9878
      Jean Fleaur      Matthew Weiss  3100    650-507-9877
      Winston Taylor   Matthew Weiss  3200    650-507-9876
      Steven Markle    Matthew Weiss  2200    650-124-1434

  42. Real Application Security & Virtual Private Database (same table as slide 41)

  43. Real Application Security & Virtual Private Database
      (the same table as seen through VPD: only Matthew Weiss's own row is complete, the salaries of his reports are visible, and everything else is blank)

      Employee Name    Manager Name   Salary  SSN
      Kevin Mourgos    Steven King
      Shanta Vollman   Steven King
      Payam Kaufling   Steven King
      Adam Fripp       Steven King
      Matthew Weiss    Steven King    8000    650-123-1234
      Girard Geoni     Matthew Weiss  2800
      Martha Sullivan  Matthew Weiss  2500
      Jean Fleaur      Matthew Weiss  3100
      Winston Taylor   Matthew Weiss  3200
      Steven Markle    Matthew Weiss  2200

  44. How at risk am I?

  45. DBSAT

  46. DBSAT: My Oracle Support 2138254.1

  47. Security Layers: Data R*******n, Least Privilege, VPD, Bind Variables, Sanitize inputs (image: Pixabay)

  48. It's 2018! no excuses... ... your data!

  49. sqlmap.org #MakeDataGreatAgain (image: Gratisography)