SANS @Night Talk: SQL Injection Exploited
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

SANS @Night Talk: SQL Injection Exploited

on

  • 374 views

This presentation was given at the SANS Rpcky Mountain Conference in Denver, CO June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.

This presentation was given at the SANS Rpcky Mountain Conference in Denver, CO June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.

Statistics

Views

Total Views
374
Views on SlideShare
365
Embed Views
9

Actions

Likes
0
Downloads
4
Comments
0

1 Embed 9

https://twitter.com 9

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • As a senior infosec engineer, I mentor junior staff. <br /> <br /> They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?” <br /> <br /> I tell them…

SANS @Night Talk: SQL Injection Exploited Presentation Transcript

  • 1. SQL Injection Exploited MICAH HOFFMAN 1
  • 2. SQL Injection in the News SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 2
  • 3. Who am I? ◦ Infosec Engineer / Pentester ◦ NoVA Hacker ◦ PwnWiki.io Curator ◦ Recon-ng module Writer ◦ SANS Instructor (SEC542) ◦ Hiker / Backpacker 3 Novahackers.com SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER
  • 4. Great Expectations oWhat is SQL Injection (SQLi)? oWhat can an attacker exploiting SQLi do? oTools to exploit SQLi oAppropriate places to practice SQLi exploitation oDemo of SQLi exploitation oHow do you prevent SQLi? SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 4
  • 5. What is SQL Injection (SQLi)? oWeb application vulnerability oAttacker runs commands on the database server through the vulnerable web app SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 5 SQLi here Gets an attacker in here
  • 6. This is SQL Injection Normal URL ◦ http://example.com/user.php?name=admin&password=a ◦ Web application sends the following SQL to the database: ◦ SELECT * FROM accounts WHERE user='admin' AND password='a' ◦ Returns 1 record SQL Injection Example URL ◦ http://example.com/user.php?name=admin' or 1=1 -- &password=a ◦ SELECT * FROM accounts WHERE user='admin' or 1=1 -- ' AND password='a' ◦ Returns all records because 1 always equals 1 SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 6
  • 7. Would SQLi Exploitation in License Plates Actually Work? SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 7
  • 8. What can an attacker do? Not all SQL injection is the same – some allow greater access Things an attacker can do by exploiting SQLi ◦ Inside the database server ◦ Read records in databases / Steal records (Confidentiality/Authorization) ◦ Write to records in databases (Integrity) ◦ Delete records in databases (Availability) ◦ Circumvent authentication (if SQLi is found in the authentication mechanism) ◦ On the database server’s underlying system ◦ Read/Write files to/from the server file system ◦ Execute commands on the server operating system ◦ Compromise the server ◦ Pivot into internal network and attack other systems SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 8
  • 9. SQLi Discovery and Exploitation Tools COTS ◦ App Scanners - Acunetix / Netsparker / NTO Spider ◦ Vuln Scanners - Nessus / Nexpose / Qualys / Metasploit / Core Impact Free ◦ Sqlmap ◦ Sqlninja ◦ BBQSQL SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 9
  • 10. “Safe” Testing Targets Samurai Web Testing Framework (SamuraiWTF) - FREE ◦ http://www.samurai-wtf.org/ ◦ VMWare image and ISO ◦ Attack tools and many web application victim targets ◦ Has SamuraiWTF “Course” PDF ◦ Used by SANS Web App Hacking (SEC542) course Individual Vulnerable Apps ◦ WebGoat ◦ Mutillidae ◦ Gruyere ◦ McAfee HacMe SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 10
  • 11. Demo using SamuraiWTF SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 11
  • 12. Preventing SQLi through Education System Administrator ◦ Ensure database is running as a user/service account with least privilege ◦ Ensure operating system and applications are patched and hardened Database Administrator ◦ Ensure each application has its own account in the database ◦ Ensure each account has the explicit permissions required for the app ◦ Ensure the server is hardened and risky options are disabled Application Developer ◦ Sanitize, filter and validate all data before sending to database ◦ Use SQLi-prevention mechanisms (parameterized queries, stored procedures) correctly Testing ◦ Perform security assessments, penetration testing, against your systems SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 12 SANS Administrator: ◦ SEC464 – Security Baseline SANS Developer: ◦ DEV522 – Defending Web Apps ◦ DEV536 – Secure Coding SANS Defender: ◦ SEC434 – Log Management ◦ SEC440 – Crit. Sec. Controls ◦ SEC502 – Perimeter Protection SANS Attacker: ◦ SEC504 – Hacker Techniques ◦ SEC542 – Web App Pentest ◦ SEC560 – Net Pentest
  • 13. Questions? Resources ◦ Information about web app vulnerabilities, how to test and remediate - OWASP – http://owasp.org ◦ SQL Injection Cheat Sheet - http://websec.ca/kb/sql_injection Key Testing Tools ◦ Sqlmap - sqlmap.org ◦ Docs are on the http://github.com/sqlmapproject/sqlmap/wiki page ◦ SamuraiWTF ◦ http:// www.samurai-wtf.org and http://sourceforge.net/projects/samurai/files/ My Blog: http://webbreacher.blogspot.com SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 13