Pubcon Las Vegas 2012 SQL Injection

How to crack into a website using SQL injection, so you know how to stop it from happening to you. For more on the topic, review the 2011 presentation by Ralf Schwoebel and Todd Keup, which covers recognition, understanding and prevention as well as monitoring and server setup best practices.

1. What Every Webmaster Should Know About Code Installation, Cracking and Hacking
   Todd Keup :: magnifisites.com, @toddkeup
2. Cracker versus hacker
3. Overview
   • Motivation
   • Tools of the trade
   • Common attacks
   • Defending yourself
4. Motivation
   • Drop links or cookies
   • Steal logins, blackmail people
   • Building botnets
   • Redirect advertising
   • Crush competition
   • Steal credit cards
   • Abuse your server (email, attacks, etc.)
5. Tools of the trade
   • Basic hacking has become easier
   • Port scanners and malicious software suites are available to the public
   • SARA, Brutus, etc.: the list is endless
6. Common attacks
   • SQL injection
   • Additional software problems
   • How to protect yourself
   • Your checklist
7. SQL Injection
   • How it looks
   • What happens when it succeeds
   • Recovery
     – Cleanup
     – Plugging the hole (prevention)
   • Monitoring and discovery
8. SQL Injection
9. SQL Injection: the login form and the query behind it

       <form method="post" action="process">
         Username: <input name="username" type="text" value="">
         Password: <input name="password" type="password" value="">
         <input name="submitform" type="submit" value="Submit">
       </form>

   Incorrectly filtered escape characters: the submitted values are pasted straight into the SQL text

       query = "SELECT * FROM users WHERE name = '" + username + "' AND pass = '" + password + "';"

10. SQL Injection: incorrectly filtered escape characters

       query = "SELECT * FROM users WHERE name = '" + username + "' AND pass = '" + password + "';"

   With the username ' OR 1=1 -- and any password at all, it renders:

       SELECT * FROM users WHERE name = '' OR 1=1 -- ' AND pass = 'doesNotMatter';

   The quote in the username closes the string literal, OR 1=1 makes the WHERE clause true for every row, and -- turns the rest of the line, password check included, into a comment. The attacker is logged in as the first user the query returns.

11. SQL Injection: incorrectly filtered escape characters (PHP with PostgreSQL)

       <?php
       $offset = $_GET['start'];
       $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
       $result = pg_query($connection, $query);
       ?>

   The cracker URL-encodes the following into the "start" value of the URL:

       0;
       insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
         select 'cracker', usesysid, 'yes', 'yes', 'jack'
         from pg_shadow where usename='postgres'; --

   pg_query() runs every statement in the string, so the second one creates a database superuser named cracker with the password jack. It only succeeds because the application connects with enough privilege to write to the catalog (see slide 17). In current PostgreSQL releases pg_shadow is a read-only view over pg_authid, so this exact insert no longer works, but the shape of the attack, stacked statements reaching the catalog, is unchanged.

12. SQL Injection: incorrectly filtered escape characters

       query = "UPDATE users SET pwd='$pwd' WHERE uid='$uid';";

   The user enters me' OR name LIKE '%admin%'; -- as the uid, and it renders:

       UPDATE users SET pwd='abc' WHERE uid='me' OR name LIKE '%admin%'; -- ';

   Every account whose name contains admin now has the password abc.

   Incorrect type handling

       query = "SELECT * FROM students WHERE id = " + expectedInteger + ";"

   The user enters 1;DROP TABLE students and it renders:

       SELECT * FROM students WHERE id = 1;DROP TABLE students;

   No quotes are needed here: the value was assumed to be a number and never checked.

13. SQL Injection
   [Image: http://xkcd.com/327/ ("Exploits of a Mom", the Bobby Tables strip)]
14. SQL Injection: cleanup, aisle nine
   • Check your access logs
   • Check file modification times
   • Revert to backup?
   • Change passwords
   • Patch the hole
15. SQL Injection: plugging the hole

   Casting a type value

       $ticket = (integer) $_POST['ticketnumber'];

   Properly filtering data

       $query = sprintf("SELECT * FROM Users WHERE user='%s' AND pass='%s'",
           mysql_real_escape_string($user),
           mysql_real_escape_string($pass));
       mysql_query($query);

   The escaped values must sit inside the quotes for the escaping to have any effect, which is why the pattern needs user='%s' and pass='%s' rather than bare %s. Note that the mysql_* extension used here was removed in PHP 7; in current PHP the equivalent is a prepared statement with bound parameters (mysqli or PDO), which removes the need to quote or escape by hand and covers the integer case as well.
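The slides above show the bug in PHP and only describe what the payloads do. The following is an added example, not code from the presentation, that runs the slide 10 and slide 12 payloads in Python against an in-memory SQLite database, once through a concatenated query and once through its parameterized counterpart. The table names follow the slides; the rows, the use of executescript() to stand in for pg_query()'s stacked-statement behaviour, and int() in place of PHP's (integer) cast are assumptions of this example.

```python
import sqlite3

# Payloads quoted from the slides (slide 10 and slide 12).
LOGIN_BYPASS = "' OR 1=1 --"
STACKED_DROP = "1;DROP TABLE students"


def make_db():
    """Constructed in-memory stand-in for the slides' users and students tables
    (table layout and rows are assumptions, not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO users (name, pass) VALUES ('admin', 's3cret'), ('alice', 'hunter2');
        CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO students (id, name) VALUES (1, 'Bobby'), (2, 'Robert');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Slides 9/10: the submitted strings are pasted into the SQL text, so a quote
    in the username closes the literal and the rest is parsed as SQL."""
    query = ("SELECT name FROM users WHERE name = '" + username
             + "' AND pass = '" + password + "';")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Hardened form: bound parameters never enter the SQL grammar, so the same
    payload is compared literally against the name column and matches nothing."""
    query = "SELECT name FROM users WHERE name = ? AND pass = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def table_exists(conn, table):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row[0] == 1


def unchecked_student_lookup(conn, raw_id):
    """Slide 12: an 'expected integer' concatenated with no type check.
    executescript() is used on purpose to mimic drivers such as pg_query() that
    run every statement in the string; sqlite3's execute() would refuse the
    second one. Returns whether the students table survived the request."""
    conn.executescript("SELECT name FROM students WHERE id = " + raw_id + ";")
    return table_exists(conn, "students")


def student_lookup_safe(conn, raw_id):
    """Slide 15: validate the type first, then bind. int() rejects '1;DROP ...'
    outright; PHP's (integer) cast would instead keep the leading 1 and discard
    the rest, which also defuses the payload but hides that an attack was tried."""
    try:
        student_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM students WHERE id = ?",
                       (student_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, LOGIN_BYPASS, "doesNotMatter"))
    print("safe login:      ", login_safe(db, LOGIN_BYPASS, "doesNotMatter"))
    print("safe lookup:     ", student_lookup_safe(db, STACKED_DROP))
    print("table survives unchecked lookup:",
          unchecked_student_lookup(db, STACKED_DROP))
```

Run it and the vulnerable login returns every user while the parameterized one returns none; the unchecked lookup reports the students table gone, while the checked one refuses the payload and leaves the table in place. The point to take from the second pair is that rejecting bad input (int() raising) is preferable to silently coercing it (PHP's cast), because the rejection can be logged and fed into the monitoring on slide 16.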
16. SQL Injection: monitor and discover
   Audit your site regularly
   • Log form submissions
   • Monitor changes to user files
   • Use your system tools
   • Use the same tools crackers employ
   • Identify access patterns of automated tools
   • Blacklist hosts that initiate attacks
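The slide asks for logged form submissions and access-pattern analysis but does not show what that looks like. As an added example, not from the presentation, here is a small Python scanner over a constructed combined-format access log. It URL-decodes each request, looks for the payload shapes shown on slides 10 to 12, counts 5xx responses to those probes (a raw database error reaching the client, which slide 17 warns against), recognises scanner user agents (Brutus and SARA are named on slide 5; sqlmap, Nikto and Havij are added here as assumptions) and produces the per-host blacklist the slide calls for. The log lines, IP addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined-format access log line: host, timestamp, request, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Injection shapes taken from the slides, matched against the URL-decoded request.
INDICATORS = {
    "quote-or": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),                 # ' OR 1=1
    "comment":  re.compile(r"--(\s|&|$)"),                                    # trailing -- comment
    "stacked":  re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I), # 1;DROP TABLE
    "union":    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "catalog":  re.compile(r"\b(pg_shadow|information_schema|mysql\.user)\b", re.I),
}

# User agents of automated tools. Brutus and SARA come from slide 5; sqlmap,
# Nikto and Havij are assumptions added for this example.
TOOL_RE = re.compile(r"\b(sqlmap|nikto|brutus|sara|havij)\b", re.I)

# Constructed sample log (not from the presentation): one benign visitor, one
# scanner replaying the slides' payloads, one single hand-typed probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Oct/2012:09:12:01 -0700] "GET /products?start=20 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Oct/2012:09:12:05 -0700] "GET /process?username=%27+OR+1%3D1+--&password=x HTTP/1.1" 200 2048 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [15/Oct/2012:09:12:06 -0700] "GET /products?start=0%3Binsert+into+pg_shadow(usename)+select+%27cracker%27%3B+-- HTTP/1.1" 500 0 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [15/Oct/2012:09:12:07 -0700] "GET /students?id=1%3BDROP+TABLE+students HTTP/1.1" 200 96 "-" "sqlmap/1.0"',
    '192.0.2.9 - - [15/Oct/2012:09:15:40 -0700] "GET /products?start=1+UNION+SELECT+1,2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


def parse_line(line):
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def sqli_indicators(path):
    """Names of the injection patterns present in one URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_access_log(lines, threshold=2):
    """Aggregate evidence per client host. A host is marked for blacklisting once it
    sends `threshold` requests carrying injection patterns, or on its first request
    if its user agent announces a known attack tool."""
    hosts = defaultdict(lambda: {"hits": 0, "errors": 0, "indicators": set(), "tools": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = sqli_indicators(rec["path"])
        tool = TOOL_RE.search(rec["agent"])
        if not found and not tool:
            continue
        entry = hosts[rec["host"]]
        if found:
            entry["hits"] += 1
            entry["indicators"].update(found)
            if rec["status"].startswith("5"):
                entry["errors"] += 1   # the probe reached the database and an error leaked
        if tool:
            entry["tools"].add(tool.group(1).lower())
    return {
        host: {
            "hits": e["hits"],
            "errors": e["errors"],
            "indicators": sorted(e["indicators"]),
            "tools": sorted(e["tools"]),
            "blacklist": e["hits"] >= threshold or bool(e["tools"]),
        }
        for host, e in hosts.items()
    }


def blacklist_hosts(lines, threshold=2):
    """Hosts to add to the firewall deny list, per slide 16's last bullet."""
    report = scan_access_log(lines, threshold)
    return sorted(h for h, e in report.items() if e["blacklist"])


if __name__ == "__main__":
    for host, entry in scan_access_log(SAMPLE_LOG).items():
        print(host, entry)
    print("blacklist:", blacklist_hosts(SAMPLE_LOG))
```

Decoding before matching matters: the scanner's requests arrive as %27+OR+1%3D1 and would slip past a pattern applied to the raw line. The single UNION probe from 192.0.2.9 is reported but not blacklisted at the default threshold, which is the trade-off to tune against your own traffic; a 500 on a request that already carries a payload is the strongest signal here, because it means the query reached the database.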
17. SQL Injection: monitor and discover
   • Never connect to the database as a superuser or as the database owner
   • Check the expected data type
   • Escape user-supplied values
   • Do not print out any database-specific information, especially about the schema
   • Do not dump raw errors to the display
18. Botnets
19. Thank You
   Todd Keup, todd@magnifisites.com, @toddkeup