[Kerference] Nefarious SQL - 김동호(KERT)

NEFARIOUS
SQL
일시: 2016-7-23
장소:공대9호관 김동호

1
Explaining what SQL injection really is in depth.
Moreover, why we need to know about SQL Injection
2
What is SQL Injection?
Variety of SQL
Injection Method
Table of
Contents
Explaining different types of SQL Injection method and
how it works.

3
4
5
We are going to go through SQL Injection war game to
explain how SQL injection really works in live
SQL Injection
Tutorial
Ways to prevent
SQL Injection
We will go through how we can prevent SQL Injection
happening to our website
We will just quickly review what we have learned today
Review

What is SQL?
SQL Database & SQL Injection

What is
SQL?
• Structured Query Language (Standard Language)
• Proprietary extension standard language
• Function
• Select
• Insert
• update,
• Find
• Etc.…
• Variety of Dialects
• T-SQL
• PL/SQL
• JET SQL
• Many more

Reason Why
SQL
1 Allows users to access data
in relational database
management systems
2 Allows to embed within other
language using SQL
modules, libraries & pre-
compiers
3 Allows users to set
permissions on tables,
procedures, And views
4 Tons of more reason to use
SQL!!

Process of
SQL
• RDMBS
• SQL Engine
• Components
• Query Dispatcher
• Optimization Engines
• Classic Query Engine
• SQL Query Engine
• Etc.
• Classic Query Engine
• SQL Query Engine

History of
SQL
1970 1974 1978 1986
Dr. Edgar F. “Ted” Codd of
IBM is known as the father of
relational databases. He
described a relational model
for databases
Structured Query Language
appeared
IBM worked to develop
Codd’s ideas and released a
product named System/R
IBM developed the first
prototype of relational
database and standardized
by ANSI. The first relational
database was released by
Relational Software and its
later becoming Oracle

Understanding SQL
query statements

Different types of
Query statements
1
2
3SELECT Statement
INSERT Statement
UPDATE Statement

SELECT
Statements
• Retrieving/selecting certain information from the database
• Commonly used with where statement as well

Update
Statements
• To modify one or more existing rows of data within a table
• Changing Value which it already exist(s)
• Similar to INSERT Statements but it usually contains WHERE statement

INSERT
Statements
• To create new row of data within a table
• Such as new account, audit log, etc….

Additional
Information
• Semicolon
• SQL comment syntax

http://mysite.com/color?colorid=4

What is
SQL Injection?
• Injecting arbitrary pieces of malicious code
• Executed as a piece of code by the back end SQL server
• Giving undesired results
• Executing code through vulnerable input parameters
• Compromising the whole system

History of
SQL Injection
1999 2003 2013 cont
Common Vulnerabilities and
Exposures dictionary has
existed to keep track of and
alert consumers and
developers alike of known
software vulnerabilities
Structured Query Language
appeared on top 10 list of
Common Vulnerabilities and
Exposures dictionary
SQL Injection was top 1
vulnerability chosen by
OWASP
SQL Injection continues to be
on top of the list for
vulnerability on many
organizations

2014 WHS Web
Vulnerability Report

Richard Alan Clarke
If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve
to be hacked
“ “

HOW SQL
INJECTION WORKS
Attacker Sends data containing SQL Fragments
CUSTOM CODE
Database
1
3 Attackers views unauthorized data
Example: $sql= “SELECT*FORM table WHERE id=‘”.$_REQUEST[‘id’].”’”;
Applications sends modified
queries to get the database and
query return values
2

Types of SQL Injection
Union Based
InclusiveError Based
Boolean
Executing
Time
Schema Discovery
Tautology
Single quote

Single Character Injection Test

CarsByCylinders?Cylinders=V12
SELECTED Id, Name FROM Supercar WHERE
Cylinders = ‘V12’

Cylinders = ‘V12’‘
‘
‘

Cylinders = ‘V12’‘
‘ or 1=1--
‘

Cylinders = ‘V12’‘ or 1=1--
‘ or 1=1--
‘

Tautology
A tautology is a formula that is true in every possible
interpretation

Circumventing Access Controls
UserName = johnsmith
Password = p@ssword

UserName = johnsmith
Password = p@ssword
SELECT COUNT (*) FROM Users WHERE
UserName=‘johnsmith’ AND Password=‘p@ssword’

UserName = johnsmith’ or 1=1--
Password = p@ssword
UserName=‘johnsmith’ or 1=1--’ AND Password=‘p@ssword’

UserName = johnsmith’ and 1=1--
Password = p@ssword
UserName=‘johnsmith’ and 1=1--’ AND
Password=‘p@ssword’

UserName = johnsmith’--
Password = p@ssword
UserName=‘johnsmith’--’ AND Password=‘p@ssword’

Modifying Data and DB Objects
UserName= johnsmith’;update users set password=‘foo’--

UserName= johnsmith’;update item set price=price-1--

UserName= johnsmith’;insert into….

UserName= johnsmith’;drop table users--

UserName= johnsmith’;drop table users--
UserName= johnsmith’;create login…

Querying System Objects for schema
discovery

Extracting Schema Details with Union
Injection

Basic Attack Success Criteria
The app needs to return internal exceptions which bubble up
from the underlying database

The app needs to return internal exceptions which bubble up
from the underlying database
The query structure needs to allow the union operator to be
injected and the vector needs to return results to the app

The command executed on the database can be manipulated
by the attacker

Ways to prevent
SQL Injection
1 2
Implement Proper
Error Handling
Validating
Untrusted Data

Implementing Proper
Error Handling

More Prevention
Method
1
2
3
4
Query
Parameterization
Stored Procedures
Object Relational
Mappers
Using an IDS or
WAF

[Kerference] Nefarious SQL - 김동호(KERT)

More Related Content

What's hot

Viewers also liked

Similar to [Kerference] Nefarious SQL - 김동호(KERT)

More from NAVER D2

Recently uploaded

[Kerference] Nefarious SQL - 김동호(KERT)