EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.
-
Upload
agatha-pitts -
Category
Documents
-
view
221 -
download
0
Transcript of EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.
EC500 Lecture Made By:Jiaxi Jin, Rashmi Shah, Ludovico Fontana
Boston University
SQL BackgroundSQL Background SQL SyntaxSQL Syntax What is SQL Injection? (What?)What is SQL Injection? (What?) What kind of information can we get from it? What kind of information can we get from it?
(why?)(why?) Real world examplesReal world examples How does it work (How?)How does it work (How?)
SQL Injection TypesSQL Injection Types Scripts - ToolsScripts - Tools
Detection TechniquesDetection Techniques Prevention TechniquesPrevention Techniques
SQL stands for Structured Query Language a programming language designed for managing
data in relational database management systems (RDBMS).
Allows us to define and manipulate data in a database.
Used for relational databases. ANSI and ISO standard computer language
Although the standards have been enhanced several times, SQL portability between major RDBMs differ on implementation.
There are many different versions of the SQL language
They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others).
Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard!
• A database contains one or more tables
• Each table is identified by a name. E.g. customers, orders
• Table contains records (rows) with data
• Example of a table contains “customers” and passwords:
user first_name
last_name
password
johns john smith e99a18ac428cb38d5
administrator
admin admin f260853678922e034
Ken_87 ken anderson fg9a76518ac428cb3
• SELECT
• UPDATE
• DELETE
• INSERT INTO
• UNION
SELECT first_name, last_name FROM users
Users:
Result:
username
first_name
last_name
password
johns john smith e99a18ac428cb38d5
administrator
admin admin f260853678922e034
Ken_87 ken anderson fg9a76518ac428cb3
first_name
last_name
john smith
admin admin
ken anderson
SELECT * FROM users WHERE username = ‘johns’
Users:
Result:
username
first_name
last_name
password
johns john smith e99a18ac428cb38d5
administrator
admin admin f260853678922e034
Ken_87 ken anderson fg9a76518ac428cb3
username
first_name
last_name
password
johns john smith e99a18ac428cb38d5
Insert INTO orders VALUES (3, 67, ‘Kindle Touch’, 99)
orders:
Result:
Order_id Product_id
Product_name price
1 34 Back to basics: Java
50
2 15 Biography: Steve Jobs
15
Order_id Product_id
Product_name price
1 34 Back to basics: Java
50
2 15 Biography: Steve Jobs
15
3 67 Kindle Touch 99
Update users SET first_name = Kenneth, last_name = Lee
WHERE user_id = 3
Users:
Result:
User_id username first_name
last_name
password
1 johns john smith e99a18ac428cb38d5
2 administrator
admin admin f260853678922e034
3 Ken_87 ken Anderson fg9a76518ac428cb3User_id username first_na
melast_name
password
1 johns john smith e99a18ac428cb38d5
2 administrator
admin admin f260853678922e034
3 Ken_87 Kenneth Lee fg9a76518ac428cb3
DELETE FROM users WHERE user_id = 1
Users:
Result:
User_id username first_name
last_name
password
1 johns john smith e99a18ac428cb38d5
2 administrator
admin admin f260853678922e034
3 Ken_87 ken Anderson fg9a76518ac428cb3User_id username first_na
melast_name
password
2 administrator
admin admin f260853678922e034
3 Ken_87 Kenneth Lee fg9a76518ac428cb3
SELECT first_name, last_name FROM users WHERE user_id = 1
UNION
SELECT product_name, price FROM orders WHERE user_id = 1
Users:
Orders:
Result:
User_id username first_name
last_name
1 johns john smith
2 administrator admin admin
3 Ken_87 ken Anderson
First_name
last_name
john smith
Back to basics: Java
50
Order_id user_id Product_name price1 1 Back to basics:
Java50
2 2 Biography: Steve Jobs
15
Maintains header from first query but appends results from the second query.
COMMENTS: # or --Example: SELECT * FROM ‘table’ #selects everything
LOGIC: ‘a’=‘a’Example: SELECT * FROM ‘table’ WHERE ‘a’=‘a’
MULTI STATEMENTS: S1; S2Example: SELECT * FROM ‘table’; DROP TABLE ‘table’;
Code Injection TechniqueCode Injection Technique placing SQL codes in the user input
Exploits Security VulnerabilityExploits Security Vulnerability Website/server 's software is not safe
Targets User Input HandlersTargets User Input Handlers Incorrect type handling: supplied field is not strongly
typed / not checked for type constraints
We can execute queries against a database to:We can execute queries against a database to: retrieve data from a database update records in a database delete records from a database insert new records in a database
Attacker can then do through SQL Injection:Attacker can then do through SQL Injection: Reveal others' usernames and/or passwords Collect personal/corporate information (credit card,
etc.) Change/Delete information (sabotage) Gain access to the host Plant data/code Create backdoors
Product Search: blah‘ OR ‘x’ = ‘x
This input is put directly into the SQL
statement within the Web application: $query = “SELECT prodinfo FROM prodtable WHERE prodname
= ‘” . $_POST[‘prod_search’] . “’”;
Creates the following SQL: SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ =
‘x’
Attacker has now successfully caused the entire database to be
returned.
What if the attacker had instead entered: blah‘; DROP TABLE prodinfo; #
Results in the following SQL: SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP
TABLE prodinfo; --’ Note how comment (--) consumes the final quote
Causes the entire database to be deleted Depends on knowledge of table name This is sometimes exposed to the user in debug code called
during a database error Use non-obvious table names, and never expose them to user
Usually data destruction is not your worst fear, as there is low economic motivation
On August 17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack.
In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.
More examples available at:http://en.wikipedia.org/wiki/SQL_injection#Known_real-world_examples
• First Order AttackFirst Order Attacko The attacker can simply enter a malicious
string and cause the modified code to be executed immediately.o Blind Attack When the attacker can't receive feedback of
his actions.o Error Based Attack When the attacker gets information through
the database error messages.
Ref: Oracle Learning Library - Defending Against SQL Injection Attacks
• Second Order AttackSecond Order Attack
o The attacker injects into persistent storage (such as a table row) which is deemed as a trusted source. An attack is subsequently executed by another activity.
o The attacker creates functions for later use.o The attacker creates functions that will execute when
a timer goes off.
Ref: Oracle Learning Library - Defending Against SQL Injection Attacks
• SQLMapSQLMapo Open source penetration testing tool, detecting and
exploiting SQL injection flaws. • SQLBruteSQLBrute
o Brute forcing data out of databases using blind SQL injection vulnerabilities. Time based and error based exploit, written in Python.
• SQLNinjaSQLNinjao Specifically targeted to Microsoft SQL Server.
• BSQL HackerBSQL Hackero Automatic deep blind time-based SQL injector.
• Mini Mysqlat0rMini Mysqlat0ro Written in Java.
SQL String EscapingSQL String Escaping
Many attacks can be thwarted by simply using
the SQL string escaping mechanism
‘ becomes \’ and “ becomes \”
mysql_real_escape_string() is a function that
does that for you.
Input ValidationInput Validation Many classes of input have fixed formats.
Email addresses, dates, part numbers, etc. Verify that the input is a valid string in the language
Sometime languages allow problematic characters (e.g., ‘*’ in email addresses); may decide to not allow these
Exclude quotes and semicolons. Not always possible: consider the name Shaq O’Neal Want to allow the use of single quotes in names
Use of Prepared statements Use of Prepared statements (Parametrized Queries)(Parametrized Queries) A function to tell the DBMS which part is fixed and
which part is an user input. That way commands from the input are ignore.
READ ONLY READ ONLY database access.
Configure different users in the DBMS.
Always enforce the strongest constraint at:
SERVER SIDE.SERVER SIDE.
Never trust any input from clients
Always Remember:
IT IS NOT SAFE OUT THERE!!!IT IS NOT SAFE OUT THERE!!!
THANK YOU
Oracle Learning Library: http://st-curriculum.oracle.com/tutorial/SQLInjection/html/lesson1/les01_tm_attacks.htm
SecuriTeam - SQL Injection Walkthrough : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Friedl, S. (2009, 10 26). SQL Injection Attacks by Example.
OWASP - SQL Injection: (https://www.owasp.org/index.php/SQL_Injection)
SQL Manipulation Modify the original SQL query by including
additional queries Inclusion of conditional statement in where
clause “Select * from Table where Username=’ ‘ and
password=’ ‘” “Select * from Table where Username=’ ‘or ‘c’=’c’
-- and password=’ ‘”
Use UNION, INTERSECT Select * from projects where projecttype=’ ‘ Select * from project where projecttype=’ ‘ UNION
Select * from school
Code Injection Insert new SQL commands into the original
SQL query Select * from users where username=’ ‘can be
modified to Select * from users where username =’ ‘; drop
table faculty
Incorrect Queries By inserting logical errors into the query,
attackers get hold of the error information The error information often reveal names of
the tables and columns that caused the error
”Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value ’CreditCards’ to a column of data type int.”
Function Call Injection An attacker can inject different database and
operating system functions in a SQL statement “Select * from Table where Username=’ ‘ and
password=’ ‘” can be modified to “Select * from Table where Username=’
‘shutdown with nowait; -- and password=’ ‘”
SHUTDOWN WITH NO WAIT causes SQL server to shut down, stopping Windows Service