Sql injection

5,954 views

Published on

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,954
On SlideShare
0
From Embeds
0
Number of Embeds
34
Actions
Shares
0
Downloads
251
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Sql injection

  1. 1. * HEMENDRA KUMAR (0806413042)
  2. 2. The ability to inject SQL commands into the database enginethrough an existing application * 2
  3. 3. * Many web applications take user input from a form* Often this user input is used literally in the construction of a SQL query submitted to a database. For example: * SELECT productdata FROM table WHERE productname = „user input product name‟;* A SQL injection attack involves placing SQL statements in the user input *
  4. 4. * It is probably the most common Website vulnerability today!* It is a flaw in "web application" development, it is not a DB or web server problem * Most programmers are still not aware of this problem * A lot of the tutorials & demo “templates” are vulnerable * Even worse, a lot of solutions posted on the Internet are not good enough* In pen tests over 60% of web applications are vulnerable to SQL Injection * 4
  5. 5. * Almost all SQL databases and programming languages are potentially vulnerable * MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc* Accessed through applications developed using: * Perl and CGI scripts that access databases * ASP, JSP, PHP * XML, XSL and XSQL * Javascript * VB, MFC, and other ODBC-based tools and APIs * DB specific Web-based applications and API‟s * Reports and DB Applications * 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) * many more * 5
  6. 6. Common vulnerable login query SELECT * FROM users WHERE login = victor AND password = 123(If it returns something then login!)ASP/MS SQL Server login syntax var sql = "SELECT * FROM users WHERE login = " + formusr + " AND password = " + formpwd + ""; * 6
  7. 7. formusr = or 1=1 – –formpwd = anythingFinal query would look like this: SELECT * FROM users WHERE username = or 1=1 – – AND password = anything * 7
  8. 8. * It closes the string parameter* Everything after is considered part of the SQL command* Misleading Internet suggestions include: * Escape it! : replace with * String fields are very common but there are other types of fields: * Numeric * Dates * 8
  9. 9. SELECT * FROM clientsWHERE account = 12345678AND pin = 1111PHP/MySQL login syntax$sql = "SELECT * FROM clients WHERE " ."account = $formacct AND " ."pin = $formpin"; * 9
  10. 10. $formacct = 1 or 1=1 #$formpin = 1111Final query would look like this: SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111 * 10
  11. 11. * or " character String Indicators* -- or # single-line comment* /*…*/ multiple-line comment*+ addition, concatenate (or space in url)* || (double pipe) concatenate*% wildcard attribute indicator* ?Param1=foo&Param2=bar URL Parameters* PRINT useful as non transactional command* @variable local variable* @@variable global variable* waitfor delay 0:0:10 time delay * 11
  12. 12. * Using SQL injections, attackers can: * Add new data to the database * Perform an INSERT in the injected SQL * Modify data currently in the database * Perform an UPDATE in the injected SQL * Often can gain access to other user‟s system capabilities by obtaining their password *
  13. 13. * Use provided functions for escaping strings * Many attacks can be avoided by simply using the SQL string escaping mechanism * „  ‟ and “  ” * mysql_real_escape_string() is the preferred function for this* No quotes * Consider: * SELECT fields FROM table WHERE id = 23 OR 1=1 * No quotes here! *
  14. 14. * Check syntax of input for validity * Many classes of input have fixed languages * Email addresses, dates, part numbers, etc. * Verify that the input is a valid string in the language * Sometime languages allow problematic characters (e.g., „*‟ in email addresses); may decide to not allow these * If you can exclude quotes and semicolons that‟s good * Not always possible: consider the name Bill O‟Reilly * Want to allow the use of single quotes in names* Have length limits on input * Many SQL injection attacks depend on entering long strings *
  15. 15. * Scan query string for undesirable word combinations that indicate SQL statements * INSERT, DROP, etc. * If you see these, can check against SQL syntax to see if they represent a statement or valid user input* Limit database permissions and segregate users * If you‟re only reading the database, connect to database as a user that only has read permissions * Never connect as a database administrator in your web application *
  16. 16. *Configure database error reporting * Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) * Configure so that this information is never exposed to a user*If possible, use bound variables * Some libraries allow you to bind inputs to variables inside a SQL statement *
  17. 17. *

×