1 / 35

SQL Injection Attacks John Sweetnam

SQL Injection Attacks John Sweetnam. Introduction. What is an SQL injection attack What is SQL How an SQL injection works What can you do to databases with it Defenses Current real world examples. SQL Injection.

mona-deleon
Download Presentation

SQL Injection Attacks John Sweetnam

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SQL Injection AttacksJohn Sweetnam

  2. Introduction • What is an SQL injection attack • What is SQL • How an SQL injection works • What can you do to databases with it • Defenses • Current real world examples

  3. SQL Injection • The ability to inject SQL commands into the database engine through an existing application • Code injection technique • Exploits vulnerability in the database layer of web applications

  4. SQL • Structured Query Language • Database computer language • Designed to manage data in relational database management systems(RBMS) • Scope • Data insertion, query, update and deletion • Schema creation and modification • Data access control

  5. SQL examples • Similar to simple sentences • Many versions of SQL • All support several key words • SELECT, FROM, WHERE, AND, CREATE, DELETE, ALTER TABLE, ADD, DROP, AND, OR, ... • Follows simple grammatical rules that allow users to specify what information they are looking for

  6. SQL Examples • SELECT lastName FROM nameTable WHERE firstName = 'Bob' • SELECT name, region, population FROM countriesTable • SELECT * FROM infoTable • SELECT name FROM countriesTable WHERE population > 20000000

  7. SQL Examples • CREATE TABLE tableName (num INTEGER PRIMARY KEY, name VARCHAR(30)) • DROP TABLE tableName • ALTER TABLE tableName ADD columnName INTEGER • ALTER TABLE tableName DROP COLUMN columnName

  8. 2 types of SQL vulnerability • 1. Improper filtering of user input for string literal escape characters • 2. User input isn't strongly typed

  9. Vulnerable Login Query • An SQL injection has the potential to bypass login procedures • Common vulnerable query: • SELECT * FROM users WHERE login = 'userInput1' AND pwd = 'userInput2' • If something is returned from the users table, then the user is allowed login • Line of code is Statement = “SELECT * FROM 'users' WHERE login = ' ” + userInput1 + “ ' AND pwd = ' “ + userInput2 + “ ' ”

  10. Bypass authentication • User input for login and pwd • ' OR '1' = ' 1 • Alters the condition of the SELECT statement to read: • SELECT * FROM users WHERE login = 'userInput1' OR '1' = '1' AND pwd = 'userInput2' OR '1' = '1'

  11. Alternate Authentication Bypass • Other potential user inputs are: • ' OR '1' = '1' -- ' • ' OR '1' = '1' ({ ' • ' OR '1' = '1' /* ' • This changes the SQL query into: SELECT * FROM users WHERE login = '' OR '1' = '1' • These would only be put into the login field • The --, ({, and /* comment out the rest of the query, allowing you to remove some of the conditions

  12. Table modification at login • It is also possible to not bypass authentication but still alter and obtain information from the tables • Exploit input: • Whatever' ; DROP TABLE 'users'; SELECT * FROM 'userInfo' WHERE '1' = '1 • Leaving the apostrophe off the beginning and the end allow it to fit multiple commands seamlessly into what should be a single query

  13. Incorrect Type Handling • User supplied fields are not checked properly for the type constraints. • Code: • Statement = “SELECT * FROM 'userinfo' WHERE 'idNumber' = “ + variable_x + “;” • variable_x is clearly intended to be a number • However... • 1;DROP TABLE 'userinfo'

  14. Blind SQL Injection • When there is a web application vulnerable to SQL injection but the attacker is unable to see the results of the injection • The page may not display data but the page itself will display differently based on the results of injected logical statements • Can be very time intensive • New statements must be constantly recrafted

  15. Blind SQL Injection 3 Types of blind SQL injections 1) Conditional Responses 2) Conditional Errors 3) Time Delays

  16. Conditional Responses • Changes what the page displays the user upon evaluation of a logical statement • Inserting ' AND '1' = '1 • Should lead to a normal page being displayed • Inserting ' AND '1' = '2 • Can only return false • If the page displays differently than before, then the web application is most likely vulnerable to SQL injection

  17. Conditional Errors • Force an SQL error by making the database evaluate a faulty query if the WHERE condition is true • For example... • SELECT 1/0 FROM 'users' WHERE 'username' = 'Bob' • Division of zero causes error, giving the attacker info about the contents of the username column in the users table

  18. Time Delays • Force database to execut long running queries or time delay statements • Amount of time required for the page to load allows the user to determine if the statement was true or not

  19. Steps to Running a SQL Injection on MySQL 1. Check for vulnerability • Use a conditional response • Or, simply insert a character that doesn't belong, such as ', and see if an error is thrown for incorrect SQL syntax 2. Discover the number of columns • Use the ORDER BY command to iterate through all column numbers until an error is returned 3.Test the UNION function • Allows you to combine SELECT queries and pull more information

  20. Steps to Running a SQL Injection on MySQL 4. Obtain the mySQL version number Achievable using @@version or version() Based on the version number, there are two options for proceeding 5.a) if mySQL version < 5 • Table and column names must be guessed • Brute force the most common names, varies depending on what you are looking for, but looking for users or passwords could grant you access to others 5. b) if mySQL version > 5 • There is an information_schema that can be used to obtain table and column names

  21. Steps to Running a blind SQL Injection on MySQL 1. Run a conditional response with a false condition and see if the page changes • If yes, the site is vulnerable 2.Obtain the version number • Best way is to insert substring(@@version,1,1) = 4 or 5 • Compares first character of version number until page loads normally 3. Test out subselect and locate the users table • Subselecting is used to further isolate data when selecting it from the database • This can be used to determine what tables names are based on proper page loading

  22. Steps to Running a blind SQL Injection on MySQL 4. Pull information from the database • Using substring() and subselecting, you can pull the first character of the username out of the user table • By converting this character to ascii, you can compare it against ascii values • Compare the ascii value as larger than a low ascii character number, and increment your way up until the page no longer returns normally • This lets you know what ascii value the character is • You can then iterate through until you have the username/password

  23. Defenses • Essentially, all that is needed is some form of filtering or checking to sanitize inputs • Several types of possible filtering • Parameterized Statements • Enforcement at the database level • Enforcement at the coding level • Escaping • Strong typing

  24. Parameterized Statements • Works with parameters instead of embedding user input into the statement • Example: Statement stat = prepareStatement(“SELECT * FROM users where username=? AND password=?”); stat.setString(1,username); stat.setString(2,password); stat.executeQuery();

  25. Enforcement at the database level • Some database engines come with the ability to enforce parameterization of query • Can cause issues

  26. Enforcement at the coding level • Use object-relation mapping libraries • Object oriented libraries can have parameterization of SQL statements built into the code.

  27. Escaping • Straightforward but fallible method of preventing injections • Simple escape out any characters that have special meaning in the version of SQL being run • Requires blacklist of every special character for SQL • Easy to forget

  28. Strong Typing • Placing very severe restrictions on intermixing of types • Variety of definitions for it • At compile or run time, all functions that disregard types are cast as erroneous • Any type-matching failures are immediately flagged with errors during runtime

  29. Defense summary • In the end, it all comes down to sanitizing inputs • There are a variety of ways to do it, but it is all just filtering of one kind or another • Very easy to forget • As seen by how prevalent SQL injection attacks have been and still are

  30. Real World Examples • November, 2005: high school student in Taiwan broke into information security magazine's database and stole customer data • June, 2007: Microsoft's U.K. webpage is defaced • January, 2008: tens of thousands of computers are infected by automated SQL injection through Microsoft SQL Server

  31. Real World Examples • April, 2008: Over 10,000 social security numbers are stolen from the Sexual and Violent Offender Registry of Oklahoma • April – August, 2008: around 500,000 websites were hit by a SQL injection attack that referenced a malware Java file and corrupted all text columns without having to guess names • September, 2010: someone attempts to hand write SQL injection onto a write in ballot in the Swedish general election

  32. Real World Examples • November, 2010: British Royal navy's website is exploited • February, 2011: HBGary, a technology security firm, was broken into by Anonymous • March 27, 2011: MySQL.com is broken into via a blind SQL injection

  33. Real World Example

  34. Questions?

  35. Sources • http://xkcd.com/327/ • http://en.wikipedia.org/wiki/SQL_injection • http://thehackerlounge.blogspot.com/2009/05/full-sql-injection-tutorial-mysql.html • http://www.hackingtricks.in/2011/03/mysqlcom-hacked-using-blind-sql.html

More Related