SQL Injection Waleed Bin Shahid
• Differentiate between certificate expiry and revocation. Which do you think is more dangerous?
• CMS website opens normally with a padlock symbol in Ali's browser but with a red cross over https in Omar's browser. What might be the reason?
• Can you ensure perfect security against the POODLE vulnerability by disabling the browser from connecting using SSL 3.0?
• Give any two drawbacks of TOR.
SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
Trick to find a vulnerable page: add a single quotation mark ' at the end of the URL.
1. If the page returns a SQL error → vulnerable
2. If it loads or redirects to a different page → SQL safe
Demo
SQL Injection
Consider a web application that enables users to search for a book based on the title, author, publisher and so on. The entire book catalog is held within a database, and the application uses SQL queries to retrieve details of different books based on the search terms supplied by users.
Search form fields: Author, Title, Publisher, Year
Case 1: The user searches for all books published by Iqbal.
Query: SELECT author, title, year FROM books WHERE publisher = 'Iqbal'
In response, the database checks every row within the books table and returns all records where the publisher column has the value Iqbal.
SQL Injection
Case 2: The user searches for all books published by Al' Qutb; the application performs the following query:
SELECT author, title, year FROM books WHERE publisher = 'Al' Qutb'
• In this case, the query interpreter obtains the value Al and generates a SQL syntax error for Qutb':
Incorrect syntax near 'Qutb''.
Server: Msg 105, Level 15, State 1, Line 1
Unclosed quotation mark before the character string '
• When an application behaves this way, it is wide open to SQL injection. An attacker can supply input containing a quotation mark to terminate the string that he controls, and can then write arbitrary SQL statements to modify the query that the developer intended the application to execute.
SQL Injection
Case 3: If the user enters the search term Iqbal' OR 1=1--, the query will be:
SELECT author, title, year FROM books WHERE publisher = 'Iqbal' OR 1=1--'
• This will return every single book in the retailer's catalog.
• In this case, a second condition has been added to the WHERE clause of the developer's query. The database will extract each record where the publisher column has the value Iqbal or where 1 is equal to 1. Because 1 is always equal to 1, the database will return every record within the books table.
• The double hyphen -- tells the query interpreter that the remainder of the line is a comment and should be ignored.
SQL Injection
Case 4: If the user enters the search term Iqbal' OR 'a' = 'a, the query will be:
SELECT author, title, year FROM books WHERE publisher = 'Iqbal' OR 'a'='a'
• This example balances the trailing quotation mark without using the comment symbol, by concluding the injected input with an item of string data that requires a trailing quote to encapsulate it.
SQL Injection (Login Pages)
Case 1: The user inputs his username ABC and password XYZ on the login page; the SQL query for this will be:
SELECT * FROM users WHERE username = 'ABC' AND password = 'XYZ'
• This query causes the database to check every row within the users table and extract each record where the username column has the value ABC and the password column has the value XYZ.
• If a user's details are returned to the application, then the login attempt is successful, and the application creates an authenticated session for that user.
SQL Injection (Login Pages)
Case 2: Suppose the attacker knows the username of a real user; then he can type username'-- to bypass the password check altogether. The SQL query for this will be:
SELECT * FROM users WHERE username = 'username'--' AND password = 'XYZ'
• Because of the comment symbol, the above query is equivalent to:
SELECT * FROM users WHERE username = 'username'
Demo
Vulnerable Websites inurl:admin/login.php • http://www.i2t2.com/admin/login.php • http://www.ketheyo.gr/online-test/admin/login.php • http://lapiazzauk.com/admin/login.php • http://www.ldrcapitalmgmt.com/admin/login.php inurl:adminlogin.php • http://shoppurplehaze.com/giftloyalty/admin/adminlogin.php • http://www.apponnto.com/admin/adminlogin.php • http://library.pcbc.org.nz/adminlogin.php • http://www.opjsrgh.in/Online/adminlogin.php • http://jamiazargari.com/AdminLogin.php • http://stthereseps.org/adminlogin.php
Preventing SQL Injection
• Validate and sanitize user inputs passed to the DB
  – Validation checks whether the input meets a set of criteria: length, format, range, allowable characters, etc. (such as a string containing no standalone single quotation marks). At this point, you can reject or sanitize.
  – Sanitization modifies the input to ensure that it is valid (such as doubling single quotes, or, if you want a zip code, removing any character that is not [0-9]).
• sanitize_email – firstname.lastname@example.org // Output "email@example.com"
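The following Python script is an added example and is not part of the lecture slides. It runs the book-search query from Cases 2 to 4 and the login query from the login-page Case 2 against an in-memory SQLite database, first assembled by string concatenation exactly as the slides show, and then with bound parameters. Bound (parameterized) queries go beyond the validation and sanitization the slide lists, but they are the standard fix, so the example shows both; the slide's own sanitization rules (doubling single quotes, digits-only zip codes) are included as a second line of defence. The table names, rows, user names and passwords are all constructed for the demo.

```python
"""Added example, not from the lecture slides: the slides' book-search and
login queries run against an in-memory SQLite database, first assembled by
string concatenation (as the slides show) and then with bound parameters.
All table contents below are constructed for this demo."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small books catalog and a users table.
    Passwords are stored in clear only to mirror the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE books (author TEXT, title TEXT, year INTEGER, publisher TEXT);
        INSERT INTO books VALUES ('A. Khan', 'Networks', 2010, 'Iqbal');
        INSERT INTO books VALUES ('B. Ali',  'Security', 2012, 'Iqbal');
        INSERT INTO books VALUES ('C. Omar', 'Poetry',   2005, 'Al'' Qutb');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret');
        INSERT INTO users VALUES ('bob',   'hunter2');
    """)
    return conn


# --- Vulnerable: user input spliced into the SQL text (Cases 2-4, login Case 2)

def search_books_vulnerable(conn, publisher):
    sql = f"SELECT author, title, year FROM books WHERE publisher = '{publisher}'"
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    sql = (f"SELECT * FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def quote_probe_errors(conn, publisher):
    """The slide's single-quote test: True if the input breaks the SQL syntax."""
    try:
        search_books_vulnerable(conn, publisher)
    except sqlite3.OperationalError:
        return True
    return False


# --- Safe: the value travels separately from the SQL; quotes and -- are data

def search_books_safe(conn, publisher):
    sql = "SELECT author, title, year FROM books WHERE publisher = ?"
    return conn.execute(sql, (publisher,)).fetchall()


def login_safe(conn, username, password):
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# --- The slide's sanitization rules, as a second line of defence

def escape_single_quotes(value: str) -> str:
    """Doubling single quotes keeps a quote from terminating the string literal."""
    return value.replace("'", "''")


def sanitize_zipcode(value: str) -> str:
    """Allow-list: a zip code keeps only [0-9]."""
    return re.sub(r"[^0-9]", "", value)


if __name__ == "__main__":
    db = make_db()
    print("Case 3 concatenated :", search_books_vulnerable(db, "Iqbal' OR 1=1--"))
    print("Case 3 parameterized:", search_books_safe(db, "Iqbal' OR 1=1--"))
    print("Login bypass, concatenated :", login_vulnerable(db, "alice'--", "wrong"))
    print("Login bypass, parameterized:", login_safe(db, "alice'--", "wrong"))
```

With the concatenated query, Case 3 returns all three books and the login bypass succeeds; with bound parameters the same inputs return no books and the login fails, because the database never sees the quote or the comment marker as SQL syntax. The escape helper also defuses Case 3, but it only works if it is applied to every string that reaches a query, which is why parameterization is the safer default.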
SQLmap
• sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
• Steps
  – Find any SQL-vulnerable page with a dork like php?id= and the quotation mark trick
  – Go to the terminal and type:
    • sqlmap -u website --dbs
    • sqlmap -u website -D database --tables
    • sqlmap -u website -D database -T table --columns
    • sqlmap -u website -D database -T table -C column,column --dump
Demo
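Seen from the server side, the probing behaviour this lecture describes leaves traces in the web server's access log: the stray single quote appended to a URL (and the error it triggers), the OR 1=1 and -- payloads from Cases 3 and 4, and, for automated scans, sqlmap's default User-Agent, which names the tool unless the operator changes it. The script below is an added example, not part of the slides or of sqlmap, that parses a handful of constructed Apache combined-format log lines and reports which requests match those patterns. The IP addresses, timestamps, paths and the sqlmap version string in the sample lines are all made up for the demo.

```python
"""Added example, not from the lecture slides: a small access-log scanner for
the probing behaviour the lecture describes (a stray single quote appended to
a URL, OR 1=1 / comment-terminator payloads, and requests carrying sqlmap's
default User-Agent). The log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (addresses and paths are made up).
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /books.php?publisher=Iqbal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /books.php?publisher=Iqbal' HTTP/1.1" 500 311 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:15 +0000] "GET /books.php?publisher=Iqbal%27%20OR%201%3D1-- HTTP/1.1" 200 98210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:02:30 +0000] "GET /admin/login.php?id=1 HTTP/1.1" 200 2048 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.5 - - [12/Mar/2024:10:03:00 +0000] "GET /books.php?publisher=O%27Reilly HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
'''.strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# OR 1=1, OR 'a'='a' and similar always-true comparisons (Cases 3 and 4).
TAUTOLOGY_RE = re.compile(r"\bor\b\s+'?(\w+)'?\s*=\s*'?\1'?", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode once so %27 and %20 look like the quote and space the server saw.
    entry["query"] = unquote_plus(entry["url"].partition("?")[2])
    return entry


def analyse(entry):
    """Return the list of reasons an entry looks like SQL injection probing."""
    reasons = []
    q = entry["query"]
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user-agent")
    if TAUTOLOGY_RE.search(q):
        reasons.append("tautology (OR x=x)")
    if "--" in q:
        reasons.append("comment terminator")
    if "'" in q and entry["status"] >= 500:
        # The slide's quote trick seen from the server side: quote in, error out.
        reasons.append("quote probe followed by server error")
    elif "'" in q and not reasons:
        # A lone quote with a normal response is often legitimate (O'Reilly).
        reasons.append("single quote in query (low confidence)")
    return reasons


def scan_log(lines):
    """(ip, url, reasons) for every line that raised at least one reason."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = analyse(entry)
        if reasons:
            hits.append((entry["ip"], entry["url"], reasons))
    return hits


def repeat_offenders(hits, min_hits=2):
    """IPs with several flagged requests: repeated probing is the stronger signal."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for ip, url, reasons in flagged:
        print(ip, url, "->", ", ".join(reasons))
    print("repeat offenders:", repeat_offenders(flagged))
```

Two caveats are built into the rules: a single quote in a query string is only strong evidence when it is followed by a server error (the O'Reilly request shows why), and the User-Agent check catches only scans that keep the default agent string. The repeat-offender view is the more useful output: the same address sending a quote probe and then a tautology payload within seconds is the pattern the slides walk through.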