SQL Injection
Mathew Harrison
What is SQL Injection
• Web-based vulnerability -> lets an attacker interfere with the queries
an application makes to its back-end database.
• Allows an attacker to view, edit or delete hidden data.
• Data could include products, user credentials,
passwords or any tables linked to the app.
• Exploits are commonly escalated to compromise
servers on the back end. Common in DoS attacks!
• Fundamentally compromises CIA (confidentiality, integrity, availability).
Impact
• Confidentiality -> Simple access:
• Unauthorized access to sensitive data including: user info, credit cards, medical
info, passwords etc.
• Integrity -> Editing data:
• Data can be modified or altered.
• DB corruption.
• False stock levels.
• Availability:
• Deleting data affects consumers and suppliers.
• DoS attacks.
• Most user input fields that are connected to a DB can be exploited.
Scouting for confidential data
• Manipulate the SQL query to reveal additional search results.
• Amazon - If we search for tools the query might resemble:
• https://amazon.com/products?category=Tools
• SELECT * FROM products WHERE category = 'Tools' AND released = 1
• released = 1: logically hides products where released = 0
• Can circumvent using '-- (the comment sequence tells SQL to ignore the rest of the query):
• https://amazon.com/products?category=Tools'--
• This simple URL manipulation returns all products, released or not
Scouting for confidential data
- continued
• Taken one step further:
• To display all products in all categories we can add
the following:
• https://amazon.com/products?category=Tools'+OR+1=1--
• SELECT * FROM products WHERE category = 'Tools' OR 1=1--' AND
released = 1
• Returns all products where category = Tools OR 1 = 1
• 1 = 1 always evaluates to true, so every row matches!
Subverting Logic
• Username: doeJ / Password: lucky
• Results in the following query:
• SELECT * FROM users WHERE username = 'doeJ' AND password = 'lucky'
• If a row is returned -> login success!
• We can use a comment to bypass the password check entirely:
• SELECT * FROM users WHERE username = 'admin'--' AND password = ''
(the same works for doeJ or any other known username)
• Commonly performed after the attacker retrieves data from the users table…
Retrieving data tables
• We can use UNION to pull data from other tables, for
example:
• If an app executes:
• SELECT username, desc FROM products WHERE category = 'Tools'
• A hacker could input:
• ' UNION SELECT username, password FROM users--
• Returns all usernames, passwords, names, products
and descriptions in one result set.
• We can analyze the DB architecture if we know the
DB type.
• Oracle:
• SELECT * FROM v$version (returns DB version)
• SELECT * FROM information_schema.tables (commonly
returns all tables)
• DES hashes can be cracked using checkpwd in
Oracle 8, 9 and 10
• MySQL:
• SELECT @@version
• SELECT user FROM mysql.user; -- requires privileges
• MySQL hashes can be cracked using John the
Ripper in Oracle 8, 9 and 10
• SELECT schema_name FROM
information_schema.schemata;
Finding vulnerabilities
• Automatically:
• Burp Suite vulnerability scanner identifies most.
• SQLMap
• Vega
• Manually, common practice includes:
• Submit a single quote (') and check for anomalies (errors, changed responses).
• Submit Boolean expressions (1=1, 1=2 etc.) and compare the responses.
• Submit SQL syntax and compare to the standard value/response.
• Execute payloads that trigger out-of-band network interactions or check
response times.
Prevention
• Use parameterized statements, not string concatenation!
• Vulnerable string-built query:
• String exampleQuery = "SELECT * FROM products WHERE category = '" + userInput + "'";
• Instead pass the input through a function that binds it as a parameter, so it is treated as a value, never as SQL.
• Whitelist user input validation (only accepted values).
• Use stored procedures for common operations.
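The string-built query from the Amazon example and its parameterized replacement side by side, as an added example that is not part of the original slides; the products table, the hidden "released = 0" row and the SQLite database are all constructed here, and the two payloads are the ones shown on the scouting and logic-subversion slides.

```python
import sqlite3

# Constructed sample catalogue standing in for the slides' "products" table;
# the released = 0 row is the "hidden" product the query is meant to exclude.
PRODUCTS = [
    ("Hammer", "Tools", 1),
    ("Drill", "Tools", 1),
    ("Prototype saw", "Tools", 0),
    ("Mug", "Gifts", 1),
]

def make_db():
    """Create an in-memory SQLite DB populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn

def search_vulnerable(conn, category):
    # The slide's string-built query: user input becomes part of the SQL text,
    # so a quote and a comment sequence (') rewrite the WHERE clause.
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, category):
    # Same query with a bound parameter: the input is compared as a literal
    # value, so "Tools' OR 1=1--" simply matches no category.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]

# Hypothetical allow-list for the slide's "whitelist user input" bullet.
ALLOWED_CATEGORIES = {"Tools", "Gifts"}

def search_whitelisted(conn, category):
    # Allow-list validation on top of parameterization: reject anything
    # outside the fixed set before it reaches the database at all.
    if category not in ALLOWED_CATEGORIES:
        raise ValueError("unknown category: %r" % category)
    return search_parameterized(conn, category)

if __name__ == "__main__":
    db = make_db()
    for payload in ("Tools", "Tools'--", "Tools' OR 1=1--"):
        print(repr(payload), "vulnerable:", search_vulnerable(db, payload),
              "parameterized:", search_parameterized(db, payload))
```

Running it shows the vulnerable function returning the hidden product for `Tools'--` and every row for `Tools' OR 1=1--`, while the parameterized version returns only released Tools for `Tools` and nothing for either payload.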
Bibliography
• http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
• http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
• https://portswigger.net/web-security/sql-injection
• https://www.w3schools.com/sql/sql_injection.asp