
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)

Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.

Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml


  1. CNIT 129S: Securing Web Applications, Ch 9: Attacking Data Stores
  2. Data Stores
     • Most common types are SQL, XML, and LDAP
     • High-value target for attackers
     • SQL injection is the #1 vulnerability in Web apps
     • Responsible for more than 90% of all stolen data
  3. Injecting into Interpreted Contexts
  4. Interpreted Languages
     • Code is not compiled
     • It's executed line-by-line
     • Many core languages used in Web apps run interpreted
     • SQL, LDAP, Perl, PHP
  5. Code Injection
  6. Compiled Languages
     • Code injection vulnerabilities are rarer
     • Injection has to be written in machine language
     • Higher skill level required
  7. Bypassing a Login
     • Authentication code
     • Enter username of
     • admin'
     • and any password
     • Logs in as admin
  8. If Admin Username is Unknown
     • Enter this username
     • Query becomes
     • Log in as first user in the database, typically the administrator
  9. The UNION Operator
     • Combines two SELECT statements to produce a single result set
  10. Single SELECT Query
  11. Using UNION
  12. # for Comments
     • Note: some apps use different comment characters
     • Try all of these at the end of your injection
     • --
     • #
     • /*
  13. Requirements for UNION
     • The two result sets must have the same structure
     • Number of fields and data types
     • Attacker must know the name of the table of interest and its column names
  14. Wrong # of Columns
  15. Different Data Types
     • This works because the numerical data is converted to strings
     • It would fail if the first row were numbers, and the others strings
  16. Hack Steps
  17. Find the Number of Columns
     • NULL matches any data type
     • Query will fail until the # of columns is correct
  18. Using NULL
  19. Find a String Column
     • If the query succeeds, the 'a' column is a string
  20. Find Database Version
  21. Finding Version
  22. Vulnerable SF College
     • I notified them in 2013; years later, they fixed it
     • Link Ch 8b
  23. Example: MS-SQL
  24. Search Address Book for "Matthew"
  25. Single Column
  26. 5 Columns
  27. Find String Column
  28. Get Table and Column Names
  29. Get Credentials
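The login bypass on slides 7 and 12 (a quote that closes the string literal, followed by a comment marker) works only when the application splices user input into the query text. The following is an added example, not code from the course or the book: it builds a throwaway in-memory SQLite table with constructed users, runs the same `admin'--` input against a concatenated query and against a parameterized query, and shows that only the concatenated form authenticates. The table, the usernames and the passwords are all invented for the demo; real applications would store password hashes, not plaintext.

```python
import sqlite3

# Constructed sample data for the demo (not from the slides); plaintext
# passwords are used only so the bypass is visible in a few lines.
USERS = [("admin", "s3cret-admin"), ("alice", "wonderland")]


def make_db():
    """Create an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the SQL text is assembled from user input, so a
    quote in the username ends the literal and -- comments out the rest.
    Returns the matched username, or None if no row matched."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened form: bound parameters keep the input as data, so the
    quote and comment marker are just characters in a string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both logins with the slide's payload and a legitimate login."""
    conn = make_db()
    payload = "admin'--"   # quote closes the literal, -- comments out the password check
    return {
        "concat_bypass": login_concat(conn, payload, "wrong"),       # 'admin'
        "param_bypass": login_param(conn, payload, "wrong"),         # None
        "param_valid": login_param(conn, "admin", "s3cret-admin"),   # 'admin'
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

SQLite treats `--` as a line comment just as the slide describes for other databases, so the concatenated query collapses to `WHERE username = 'admin'` and returns the admin row. With bound parameters the database never parses the input as SQL, which is the fix to look for in code review regardless of which comment characters the backend accepts.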
