2.
SQL Query Poisoning
• Parameters from the URL or input fields get used in SQL queries.
• An instance of Input Validation attacks.
• Data can be altered to extend the SQL query.
– e.g. http://server/query.asp?item=3+OR+1=1
• Execution of stored procedures.
• May even lead to back-end database server compromise.
3.
Identify candidate parameters
• Determine what parameters seem to be passed to the database.
• Usually some selection criteria.
• Results have a uniform template, but varying data content.
4.
Force SQL errors
• Insert meta-characters around or within the parameters.
• Range testing - BOF or EOF.
• Changing the data type.
• Premature query termination:
– quotation marks - ‘ or “
– trailing hyphens --
• Look for error messages generated from the database.
5.
SQL Query Poisoning
• Insecure code (ASP):
' The request parameter is concatenated straight into the SQL string,
' so it reaches the database unvalidated (this is the flaw the deck describes).
product_id = request.querystring("ID")
conn.Open
query = "select * from items where product_id = " & product_id
set result = conn.execute(query)
6.
SQL Query Poisoning
• How the query gets assembled
http://192.168.7.120/details.asp?id=3
select * from items where product_id = 3
DB
7.
Identifying SQL errors
• Try and force error messages from database servers.
• Gives us an idea how the SQL query is being created and used.
• Tamper with the input parameter.
– Change data type
– Premature termination by ‘ “ etc…
• If the SQL query fails, we have a candidate for SQL injection.
8.
Identifying SQL errors
• Identify which resources contain SQL interfaces.
• Identify the offending parameters which cause the SQL queries to break.
• Root cause of all SQL query poisoning is lack of input sanitization.
• Strip off meta-characters.
9.
Identifying SQL errors
• Forcing SQL errors.
• Ideal for identifying database interfaces!
http://192.168.7.120/details.asp?id=‘3
select * from items where product_id = ‘3
DB
10.
Identifying SQL errors
• Premature SQL query termination:
We now have an SQL injection point.
11.
Identifying SQL errors
Example: PHP + MySQL error message
14.
Retrieve all rows
• Retrieve excessive data
http://192.168.7.120/details.asp?id=3+OR+1=1
select * from items where product_id = 3 OR 1=1
DB
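As an added example that is not part of the deck, the following Python reproduces the concatenated query from the ASP snippet of slide 5 against an in-memory SQLite table standing in for the deck's items table, runs the ‘3 probe of slide 9 and the 3 OR 1=1 request of this slide against it, and then shows the hardened form: the parameter is type-checked and bound as a placeholder, so the same inputs are refused before they reach the database. The table contents, the function names and the use of SQLite instead of the deck's SQL Server are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's 'items' table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (product_id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 29.99)],
    )
    return conn


def lookup_unsafe(conn, raw_id):
    """Mirrors the deck's ASP snippet: the request parameter is glued into the SQL
    text, so whatever the client sends becomes part of the statement."""
    query = "select * from items where product_id = " + raw_id
    return conn.execute(query).fetchall()


def unsafe_query_errors(conn, raw_id):
    """True when the concatenated query is rejected by the engine: this is the
    database error the 'Identifying SQL errors' slides use as the tell-tale sign."""
    try:
        lookup_unsafe(conn, raw_id)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_safe(conn, raw_id):
    """Hardened lookup: validate the type first, then bind the value as a parameter.
    The value never becomes part of the SQL text, so 'OR 1=1' or a stray quote
    cannot change the statement's structure."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("product_id must be an integer")
    return conn.execute(
        "select * from items where product_id = ?", (product_id,)
    ).fetchall()


def safe_rejects(conn, raw_id):
    """True when the hardened lookup refuses the input before it reaches the database."""
    try:
        lookup_safe(conn, raw_id)
        return False
    except ValueError:
        return True


def demo():
    """Run the deck's probes against both versions and summarise the outcome."""
    conn = make_db()
    return {
        "unsafe_normal_rows": len(lookup_unsafe(conn, "3")),            # 1
        "unsafe_tautology_rows": len(lookup_unsafe(conn, "3 OR 1=1")),  # 3: every row leaks
        "unsafe_quote_errors": unsafe_query_errors(conn, "'3"),         # True: DB error
        "safe_normal_rows": len(lookup_safe(conn, "3")),                # 1
        "safe_rejects_tautology": safe_rejects(conn, "3 OR 1=1"),       # True
        "safe_rejects_quote": safe_rejects(conn, "'3"),                 # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The type check alone would already stop these three inputs, but the bound parameter is what protects string-typed columns, where an integer cast is not available; the two belong together.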
15.
Executing Stored Procedures
• SQL Injection attacks can be extended beyond excessive data retrieval.
• Stored procedures, if known and accessible, can also be invoked.
– For example Microsoft SQL Server’s extended stored procedures.
• Use the SQL “EXEC” statement.
16.
Executing Stored Procedures
• How the query gets assembled:
http://192.168.7.120/details.asp?id=3%01EXEC+master..xp_cmdshell+’dir’
select * from items where product_id = 3
EXEC master..xp_cmdshell ‘dir’
DB
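The error-forcing probes of slides 4, 7 and 8 and the stored-procedure request on this slide all leave traces in the web server's access log, and that log is where a defender first sees them. As an added example that is not from the deck, the following Python scans Common Log Format lines for the indicators the deck itself names: quotation marks and trailing hyphens, OR 1=1, EXEC and xp_cmdshell, plus control characters such as the %01 byte, and notes when the server answered with a 5xx, the symptom of a query that actually broke. The log lines are constructed to resemble the deck's requests against details.asp and are not a real capture; the indicator list and function names are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines modelled on the deck's requests (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2004:10:01:02 +0000] "GET /details.asp?id=3 HTTP/1.1" 200 1523
10.0.0.5 - - [12/Mar/2004:10:01:09 +0000] "GET /details.asp?id=%273 HTTP/1.1" 500 412
10.0.0.5 - - [12/Mar/2004:10:01:15 +0000] "GET /details.asp?id=3+OR+1=1 HTTP/1.1" 200 9871
10.0.0.5 - - [12/Mar/2004:10:01:30 +0000] "GET /details.asp?id=3%01EXEC+master..xp_cmdshell+%27dir%27 HTTP/1.1" 200 2200
10.0.0.9 - - [12/Mar/2004:10:02:00 +0000] "GET /details.asp?id=7 HTTP/1.1" 200 1490
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the deck's own list of probes, matched on the decoded value.
INDICATORS = [
    ("quote", re.compile(r"""['"]""")),
    ("comment", re.compile(r"--")),
    ("tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("exec", re.compile(r"\bexec\b", re.I)),
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("control_char", re.compile(r"[\x00-\x1f]")),
]


def parse_line(line):
    """Split one access-log line into ip, path, decoded query parameters and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes and turns '+' into a space, which reproduces what the
    # application itself saw in request.querystring.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": params,
        "status": int(m.group("status")),
    }


def flag_params(params):
    """Return (name, decoded value, matched indicator labels) for each suspicious parameter."""
    findings = []
    for name, value in params:
        hits = [label for label, rx in INDICATORS if rx.search(value)]
        if hits:
            findings.append((name, value, hits))
    return findings


def scan_log(text):
    """Scan a whole log. Each alert records the request and whether the server
    answered with a 5xx, the database-error symptom the deck looks for."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = flag_params(rec["params"])
        if findings:
            alerts.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "server_error": rec["status"] >= 500,
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Matching on the decoded value matters: the %01 and %27 in the raw request line would hide the EXEC and the quote from a scanner that reads the URL as logged. A scanner like this is a triage aid for the operations team, not a substitute for the parameterized queries and input validation the deck identifies as the root fix, and a 5xx paired with a flagged parameter is the pairing worth escalating first.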
17.
Executing Stored Procedures
• Viewing the results of execution: