Sql Injection Attacks Siddhesh


Published on

Preventing SQL Injection attacks

Published in: Technology
  • Be the first to comment

Sql Injection Attacks Siddhesh

  1. 1. SQL Injection Attacks Siddhesh Bhobe
  2. 2. SQL Injection Attack… <ul><li>… &quot;injects&quot; or manipulates SQL code using “string-building” techniques. </li></ul><ul><li>By adding unexpected SQL to a query, it is possible to manipulate a database in many unanticipated ways. </li></ul><ul><li>Attacks are successful due to poor input validation at code layer </li></ul>
  3. 3. Example 1: HTML Form <ul><li>Consider the following HTML form for Login: </li></ul><ul><li><form name=&quot;frmLogin&quot; action=&quot;login.asp&quot; method=&quot;post&quot;> Username: <input type=&quot;text&quot; name=&quot;userName&quot;> Password: <input type=&quot;text&quot; name=&quot;password&quot;> <input type=&quot;submit&quot;> </li></ul><ul><li></form> </li></ul>
  4. 4. Example 1: ASP Script <ul><li><% </li></ul><ul><li>… </li></ul><ul><li>userName = Request.Form(&quot;userName“ </li></ul><ul><li>password = Request.Form(&quot;password&quot;) </li></ul><ul><li>query = &quot;select count(*) from users where userName='&quot; & userName & &quot;' and userPass='&quot; & password & &quot;'“ </li></ul><ul><li>… </li></ul><ul><li>%> </li></ul>
  5. 5. Sample Input <ul><li>Login =john, Password = doe </li></ul><ul><li>select count(*) from users where userName='john' and userPass='doe' </li></ul>
  6. 6. Now check this! <ul><li>Login = john, Password = ' or 1=1 -- </li></ul><ul><li>select count(*) from users where userName='john' and userPass='' or 1=1 --' </li></ul><ul><li>Password check is nullified </li></ul><ul><li>-- used to prevent ASP from reporting mismatched quotes </li></ul>
  7. 7. And what about this? <ul><li>Username: ' or 1=1 -- and Password: [Empty] </li></ul><ul><li>select count(*) from users where userName='' or 1=1 --' and userPass='' </li></ul>
  8. 8. Example 2 <ul><li>Username: ' having 1=1 -- , Password: [Empty] </li></ul><ul><li>select userName from users where userName='' having 1=1 </li></ul>
  9. 9. You get a column name… <ul><li>You will get the following error message: </li></ul><ul><li>Microsoft OLE DB Provider for SQL Server (0x80040E14) Column ' users.userName ' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. </li></ul><ul><li>/login.asp, line 16 </li></ul>
  10. 10. The Attack… <ul><li>Username: ' or users.userName like 'a%' -- </li></ul><ul><li>select userName from users where userName='' or users.userName like 'a%' --' and userPass='' </li></ul><ul><li>Logged In As admin!!! </li></ul>
  11. 11. Use of Semi-colon <ul><li>Semi-colon allows multiple queries to be specified on one line. </li></ul><ul><li>Submitted as one batch and executed sequentially </li></ul><ul><li>select 1; select 1+2; select 1+3; </li></ul>
  12. 12. Can you guess what happens? <ul><li>Username: ' or 1=1; drop table users; -- </li></ul>
  13. 13. Table dropped! <ul><li>Username: ' or 1=1; drop table users; -- and Password: [Anything] </li></ul><ul><li>Firstly, it would select the userName field for all rows in the users table. </li></ul><ul><li>Secondly, it would delete the users table </li></ul>
  14. 14. SHUTDOWN WITH NOWAIT!! <ul><li>… causes SQL Server to shutdown, immediately stopping the Windows service </li></ul><ul><li>Username: '; shutdown with nowait; -- </li></ul><ul><li>select userName from users where userName=''; shutdown with nowait; --' and userPass='' </li></ul>
  15. 15. Products.asp <ul><li>http://localhost/products.asp?productId=1 </li></ul><ul><li>returns </li></ul><ul><li>Got product Pink Hoola Hoop </li></ul><ul><li>But what about this? </li></ul><ul><li>http://localhost/products.asp?productId=0;insert%20into%20products (prodName)%20values(left(@@version,50)) </li></ul>
  16. 16. Wham! <ul><li>Here's the query without the URL-encoded spaces: </li></ul><ul><li>http://localhost/products.asp?productId=0;insert into products(prodName) values(left(@@version,50)) </li></ul><ul><li>Runs an INSERT query on the products table, adding the first 50 characters of SQL server's @@version variable as a new record in the products table. </li></ul>
  17. 17. Effects <ul><li>Privilege Level: sa </li></ul><ul><li>Total control of SQL Server </li></ul><ul><li>OS Shell at privilege of MSSQLServer service using xp_cmdshell </li></ul><ul><li>Ability to read, write, mutilate all data </li></ul>
  18. 18. Effects <ul><li>Privilege Level: db_owner </li></ul><ul><li>Read/write all data in affected database </li></ul><ul><li>Drop tables </li></ul><ul><li>Create new objects </li></ul><ul><li>Take control of the database </li></ul>
  19. 19. Effects <ul><li>Privilege Level: normal user (no fixed server or database roles) </li></ul><ul><li>Access objects to which permission is given </li></ul><ul><li>At best, only some few stored procedures </li></ul><ul><li>At worst, read/write access to all tables </li></ul><ul><li>Recommended! </li></ul>
  20. 20. Testing for Vulnerability <ul><li>Disable error handling so that errors are displayed </li></ul><ul><li>Input single quotes to see if the application fails </li></ul><ul><li>Failure indicates poor validation and corruption of SQL </li></ul>
  21. 21. Preventing SQL Injection Attacks <ul><li>Limit User Access </li></ul><ul><li>Escape Quotes </li></ul><ul><li>Remove culprit characters </li></ul><ul><li>Limit length of user input </li></ul>
  22. 22. Limit User Access <ul><li>Do not use “sa” account </li></ul><ul><li>Removed extended SPs if you are not using them. The following are couple of the most damaging ones: </li></ul><ul><ul><li>xp_cmdshell </li></ul></ul><ul><ul><li>xp_grantlogin </li></ul></ul><ul><li>Use SPs to abstract data access </li></ul>
  23. 23. Escape Quotes <ul><li>Convert single quotes to double quotes </li></ul><ul><li><% function stripQuotes(strWords) stripQuotes = replace(strWords, &quot;'&quot;, &quot;''&quot;) end function </li></ul><ul><li>%> </li></ul><ul><li>Converts </li></ul><ul><li>select count(*) from users where userName='john' and userPass='' or 1=1 --' </li></ul><ul><li>...to this: </li></ul><ul><li>select count(*) from users where userName='john'' and userPass=''' or 1=1 --' </li></ul>
  24. 24. Drop culprit characters <ul><li>Drop character sequences like ; , -- , insert and xp_ </li></ul><ul><li>select prodName from products where id=1; xp_cmdshell 'format c: /q /yes '; drop database myDB; -- </li></ul><ul><li>becomes </li></ul><ul><li>select prodName from products where id=1 cmdshell ''format c: /q /yes '' database myDB </li></ul>
  25. 25. Restrict length of user input <ul><li>Limit length in the form field </li></ul><ul><li>Use validating functions for numeric input </li></ul><ul><li>Use POST, not GET </li></ul>
  26. 26. Thanks! <ul><li>Original Article: </li></ul><ul><li>http://www. webmasterbase .com/article. php ?aid=794& pid =0 </li></ul><ul><li>Also on Reismagos… </li></ul>