These are my PowerPoint slides for the OWASP Cairo Chapter event held at the Information Technology Institute on 16/3/2019.
They focus on SQL injection attacks, command and code injection, and their mitigation. In the last minutes of the presentation I also gave a demo of the blind SQL injection attack using one of the PentesterLab vulnerable machines.
3. What’s OWASP?
• The Open Web Application Security Project aims to increase awareness of application security.
• Everyone is free to participate in OWASP
• We are OWASP Egypt – Cairo Chapter
4. OWASP Projects
• OWASP Top 10 security vulnerabilities project
• OWASP ZAP Project
• OWASP Juice Shop
• More on the following link:
https://www.owasp.org/index.php/Category:OWASP_Project
11. What is the type of this query?
$dbhostname='127.0.0.1';
$dbuser='admin';
$dbpassword='password';
$dbname='database';
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;";
12. What about this?
$id = $_GET['id'];
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='$id';";
$results = mysqli_query($connection, $query);
display_results($results);
13. A1 – SQL Injection
• The first thing hackers check for
• Once found, it is ready to be exploited : )
14. Injection
• What is SQL & its types
• Concept
• Injection Issue
• Attack
• CRUD
17. SQL Injection Scenario
Yahoo! Sports blind injection
• Stefano visited the Yahoo! website with the following URL:
http://sports.yahoo.com/nfl/draft?year=2010&type=20&round=2
• He tried putting a comment marker after the year 2010 and observed what happened
• So it will be like this:
http://sports.yahoo.com/nfl/draft?year=2010--&type=20&round=2
18. SQL Injection Scenario
Yahoo! Sports blind injection
• Original Query:
SELECT * FROM PLAYERS WHERE YEAR = 2010 AND TYPE = 20 AND ROUND = 2;
• By inserting the dashes, Stefano essentially made it act like:
SELECT * FROM PLAYERS WHERE YEAR = 2010;
21. SQL Injection Scenario
SQLi to RCE
• Ibrahim Raafat (Egyptian researcher) was able to exploit a SQLi vulnerability to gain full control of the server.
• He was making a purchase when he noticed the following URL and tried injecting a SQLi payload into each parameter until one succeeded.
• Union-based SQL injection in the order_id POST parameter:
order_id=-116564954 union select 1337,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- --&first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal_code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress&csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1
27. Exploiting SQLi
SELECT Name, Description FROM Products WHERE ID='$id' and PASSWORD='$password';
Attacker input: ' or 'a'='a #
SELECT Name, Description FROM Products WHERE ID='' OR 'a'='a#' and PASSWORD='$password';
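Added example (not from the slides): the string-built query from slide 12 next to a parameterized version, fed a quote-based input modelled on the one in slide 27. It assumes PHP with the pdo_sqlite extension and uses PDO with in-memory SQLite in place of the slides' mysqli/MySQL so that it runs offline; the table rows and function names are constructed for illustration.

```php
<?php
// Added example, not code from the presentation.
// Assumption: PHP 7.4+ with pdo_sqlite; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Products (ID TEXT, Name TEXT, Description TEXT)");
// Constructed sample rows.
$db->exec("INSERT INTO Products VALUES ('3', 'Lamp', 'Desk lamp'),
                                       ('4', 'Chair', 'Office chair'),
                                       ('5', 'Desk', 'Standing desk')");

// Slide 12 pattern: user input is pasted into the SQL text, so a quote
// in the input changes the structure of the statement.
function lookup_concat(PDO $db, string $id): array
{
    $query = "SELECT Name, Description FROM Products WHERE ID='$id';";
    return $db->query($query)->fetchAll(PDO::FETCH_NUM);
}

// Mitigation: the SQL text is fixed and the value is bound separately,
// so quotes in the input are treated as data, never as SQL syntax.
// (With mysqli the same idea uses mysqli_prepare() and
// mysqli_stmt_bind_param().)
function lookup_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT Name, Description FROM Products WHERE ID = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$inputs = [
    'normal id'       => "3",
    'quote tautology' => "' or 'a'='a", // constructed, modelled on slide 27
];
foreach ($inputs as $label => $id) {
    printf("%-16s concat=%d row(s)  prepared=%d row(s)\n",
        $label,
        count(lookup_concat($db, $id)),
        count(lookup_prepared($db, $id)));
}
```

With the quote-based input, the concatenated query matches every row in Products, while the prepared statement looks for a product whose ID is literally that string and finds none.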
28. SQL Injection Types
• In-band:
  • Error Based Injection
• Blind Injection:
  • Time Based
  • Boolean Based (True/false)
• Out-Of-Band
46. Demo – SQLi in request headers
• Perform a full scan on the victim
• Find the injection point
• Exfiltration
• Get the treasure : )
47. SQLmap
• A tool used to automate slow SQLi exfiltration and to identify potential SQL injection points.
• Ships with a large number of scripts ready to be executed
• Can be integrated with other tools such as Burp Suite and Metasploit
48. SQLmap Basics
• -u : pass a URL to SQLmap
• --dbs: list all the databases in the system
• --banner: grab the database banner
• --threads 7: increase the number of threads in blind injections
• --tables: grab the database tables
• -T table: choose a table
• --dump: dump all the data in a database table
• --level: sets a level from 1 to 5 for the number of injection points (headers and parameters)
• --risk: sets a level from 1 to 3 for the type of tests performed
• --batch: run with sqlmap's default answers instead of prompting
Presentation Tier:
The view shown to the user
Translates user requests into HTTP requests and sends them to the logic tier
Renders HTML code into a graphical view
Logic Tier:
Web server which stores the code of the app
Middleware which performs the processing tasks
Loads, compiles, and executes scripts
Translates the HTTP request into a database query and sends it to the storage tier
Storage Tier:
Executes the database query
Then the logic tier pulls the result back, formats it, and sends it back to the presentation tier
The injection issue is the lack of sanitization of user input (too much confidence in it)
The attack leverages an attacker's ability to inject malicious SQL/database queries into the logic tier so that they are executed at the database and the result is returned to the attacker.
CRUD: Create, Read, Update, Delete