SQL Injection Attacks

John Sweetnam

Introduction

What is an SQL injection attack
What is SQL
How an SQL injection works
What can you do to databases with it
Defenses
Current real world examples

SQL Injection

The ability to inject SQL commands into the database engine through an existing application

Code injection technique

Exploits a vulnerability in the database layer of web applications

SQL

Structured Query Language

Database computer language

Designed to manage data in relational database management systems (RDBMS)

Scope: data insertion, query, update and deletion; schema creation and modification; data access control

SQL examples

Similar to simple sentences

Many versions of SQL

All support several key words: SELECT, FROM, WHERE, AND, OR, CREATE, DELETE, ALTER TABLE, ADD, DROP, ...

Follows simple grammatical rules that allow users to specify what information they are looking for

SQL Examples

SELECT lastName FROM nameTable WHERE firstName = 'Bob'

SELECT name, region, population FROM countriesTable

SELECT * FROM infoTable

SELECT name FROM countriesTable WHERE population > 20000000

SQL Examples

CREATE TABLE tableName (num INTEGER PRIMARY KEY, name VARCHAR(30))

DROP TABLE tableName

ALTER TABLE tableName ADD columnName INTEGER

ALTER TABLE tableName DROP COLUMN columnName

2 types of SQL vulnerability

1. Improper filtering of user input for string literal escape characters

2. User input isn't strongly typed

Vulnerable Login Query

An SQL injection has the potential to bypass login procedures

Common vulnerable query:

SELECT * FROM users WHERE login = 'userInput1' AND pwd = 'userInput2'

If something is returned from the users table, then the user is allowed to log in

Line of code that builds it (user input concatenated straight into the SQL text):

Statement = "SELECT * FROM users WHERE login = '" + userInput1 + "' AND pwd = '" + userInput2 + "'"

Bypass authentication

User input for both login and pwd: ' OR '1' = '1

Alters the condition of the SELECT statement to read:

SELECT * FROM users WHERE login = 'userInput1' OR '1' = '1' AND pwd = 'userInput2' OR '1' = '1'

Alternate Authentication Bypass

Other potential user inputs are:

' OR '1' = '1' -- '
' OR '1' = '1' ({ '
' OR '1' = '1' /* '

This changes the SQL query into: SELECT * FROM users WHERE login = '' OR '1' = '1'

These would only be put into the login field

The --, ({, and /* comment out the rest of the query, allowing you to remove some of the conditions

Table modification at login

It is also possible to not bypass authentication but still alter and obtain information from the tables

Exploit input: Whatever' ; DROP TABLE 'users'; SELECT * FROM 'userInfo' WHERE '1' = '1

Leaving the apostrophe off the beginning and the end allows multiple commands to fit seamlessly into what should be a single query

Incorrect Type Handling

User supplied fields are not checked properly for the type constraints.

Code:

Statement = "SELECT * FROM userinfo WHERE idNumber = " + variable_x + ";"

variable_x is clearly intended to be a number

However... 1; DROP TABLE userinfo

Blind SQL Injection

When there is a web application vulnerable to SQL injection but the attacker is unable to see the results of the injection

The page may not display data but the page itself will display differently based on the results of injected logical statements

Can be very time intensive

New statements must be constantly recrafted

Blind SQL Injection

3 types of blind SQL injection:

1) Conditional Responses
2) Conditional Errors
3) Time Delays

Conditional Responses

Changes what the page displays to the user upon evaluation of a logical statement

Inserting ' AND '1' = '1 should lead to a normal page being displayed

Inserting ' AND '1' = '2 can only evaluate to false

If the page displays differently than before, then the web application is most likely vulnerable to SQL injection

Conditional Errors

Force an SQL error by making the database evaluate a faulty query if the WHERE condition is true

For example: SELECT 1/0 FROM users WHERE username = 'Bob'

Division by zero causes an error, giving the attacker information about the contents of the username column in the users table

Time Delays

Force the database to execute long-running queries or time delay statements

The amount of time required for the page to load allows the user to determine whether the statement was true or not

Steps to Running a SQL Injection on MySQL

1. Check for vulnerability

Use a conditional response. Or, simply insert a character that doesn't belong, such as ', and see if an error is thrown for incorrect SQL syntax

2. Discover the number of columns

Use the ORDER BY clause to iterate through all column numbers until an error is returned

3. Test the UNION operator

Allows you to combine SELECT queries and pull more information

4. Obtain the MySQL version number

Achievable using @@version or version(). Based on the version number, there are two options for proceeding

5. a) If the MySQL version < 5: table and column names must be guessed. Brute force the most common names; this varies depending on what you are looking for, but looking for users or passwords could grant you access to others

5. b) If the MySQL version > 5: there is an information_schema that can be used to obtain table and column names

Steps to Running a blind SQL Injection on MySQL

1. Run a conditional response with a false condition and see if the page changes

If yes, the site is vulnerable

2. Obtain the version number

Best way is to insert substring(@@version,1,1) = 4 or 5. This compares the first character of the version number until the page loads normally

3. Test out subselect and locate the users table

Subselecting is used to further isolate data when selecting it from the database

This can be used to determine what the table names are, based on whether the page loads properly

4. Pull information from the database

Using substring() and subselecting, you can pull the first character of the username out of the user table

By converting this character to ASCII, you can compare it against ASCII values

Compare the ASCII value as larger than a low ASCII character number, and increment your way up until the page no longer returns normally

This lets you know what ASCII value the character is

You can then iterate through until you have the username/password

Defenses

Essentially, all that is needed is some form of filtering or checking to sanitize inputs

Several types of possible filtering:

Parameterized Statements
Enforcement at the database level
Enforcement at the coding level
Escaping
Strong typing

Parameterized Statements

Works with parameters instead of embedding user input into the statement

Example (JDBC; the statement is prepared on an open Connection conn, and ? marks each parameter slot):

PreparedStatement stat = conn.prepareStatement("SELECT * FROM users WHERE username = ? AND password = ?");
stat.setString(1, username);
stat.setString(2, password);
ResultSet rs = stat.executeQuery();
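As an added example (not from the slides), the Vulnerable Login Query slide's concatenated statement and its parameterized counterpart are placed side by side in Python against an in-memory SQLite table of constructed sample rows; the same ' OR '1' = '1 input from the Bypass authentication slide matches every row in the first and nothing in the second. The table contents and the helper names are assumptions of this example.

```python
import sqlite3


def make_users_db():
    """Constructed sample 'users' table standing in for the slides' users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bob", "hunter2"), ("alice", "s3cret")])
    return conn


def login_concat(conn, user_input1, user_input2):
    """The slide's 'Line of code': user input pasted into the SQL text.

    The query text itself changes with the input, so a quote in the input
    ends the literal and the rest is parsed as SQL.
    """
    statement = ("SELECT * FROM users WHERE login = '" + user_input1 +
                 "' AND pwd = '" + user_input2 + "'")
    return conn.execute(statement).fetchall()


def login_param(conn, user_input1, user_input2):
    """Parameterized statement: the SQL text is fixed, values travel separately.

    A quote inside user_input1 is just a character to compare, never syntax.
    """
    statement = "SELECT * FROM users WHERE login = ? AND pwd = ?"
    return conn.execute(statement, (user_input1, user_input2)).fetchall()


def is_allowed(rows):
    """The slide's login rule: anything returned from users means login succeeds."""
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_users_db()
    payload = "' OR '1' = '1"   # the Bypass authentication slide's input
    print(is_allowed(login_concat(conn, "bob", "hunter2")))  # True (legitimate)
    print(is_allowed(login_concat(conn, payload, payload)))  # True (every row matches)
    print(is_allowed(login_param(conn, payload, payload)))   # False
```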

Enforcement at the database level

Some database engines come with the ability to enforce parameterization of queries

Can cause issues

Enforcement at the coding level

Use object-relational mapping libraries

Object oriented libraries can have parameterization of SQL statements built into the code.

Escaping

Straightforward but fallible method of preventing injections

Simply escape any characters that have special meaning in the version of SQL being run

Requires a blacklist of every special character for that SQL dialect

Easy to forget

Strong Typing

Placing very severe restrictions on intermixing of types

Variety of definitions for it

At compile or run time, all functions that disregard types are cast as erroneous

Any type-matching failures are immediately flagged with errors during runtime
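An added example (not from the slides) for the Incorrect Type Handling and Strong Typing slides: the numeric idNumber lookup built by concatenation beside a version that first checks that variable_x really is an integer and then binds it as a parameter. The Escaping slide's quote-doubling is included to show that it does nothing in a numeric context, where no quotes are needed. Because sqlite3's execute() runs one statement at a time, the slide's stacked DROP TABLE input is replaced by the tautology 1 OR 1=1; the userinfo rows and helper names are constructed for this example.

```python
import re
import sqlite3


def make_userinfo_db():
    """Constructed sample 'userinfo' table standing in for the slide's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (idNumber INTEGER, name TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)",
                     [(1, "bob"), (2, "alice"), (3, "carol")])
    return conn


def lookup_concat(conn, variable_x):
    """The slide's code: variable_x is meant to be a number but is pasted in as text."""
    statement = "SELECT * FROM userinfo WHERE idNumber = " + variable_x + ";"
    return conn.execute(statement).fetchall()


def escape_quotes(text):
    """The Escaping slide's idea for one character: double every single quote."""
    return text.replace("'", "''")


def lookup_typed(conn, variable_x):
    """Strong typing at the application boundary, then a parameterized query.

    Anything that is not a plain integer (e.g. "1 OR 1=1") is rejected before
    any SQL is built, so the type-matching failure surfaces as an error.
    """
    if not isinstance(variable_x, str) or not re.fullmatch(r"-?[0-9]+", variable_x):
        raise ValueError("idNumber must be an integer: %r" % (variable_x,))
    id_number = int(variable_x)
    return conn.execute("SELECT * FROM userinfo WHERE idNumber = ?",
                        (id_number,)).fetchall()


if __name__ == "__main__":
    conn = make_userinfo_db()
    print(lookup_concat(conn, "2"))                        # [(2, 'alice')]
    print(lookup_concat(conn, "1 OR 1=1"))                 # all three rows
    print(lookup_concat(conn, escape_quotes("1 OR 1=1")))  # still all three rows
    print(lookup_typed(conn, "2"))                         # [(2, 'alice')]
    try:
        lookup_typed(conn, "1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```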

Defense summary

In the end, it all comes down to sanitizing inputs

There are a variety of ways to do it, but it is all just filtering of one kind or another

Very easy to forget, as seen by how prevalent SQL injection attacks have been and still are

Real World Examples

November, 2005: high school student in Taiwan broke into information security magazine's database and stole customer data

June, 2007: Microsoft's U.K. webpage is defaced

January, 2008: tens of thousands of computers are infected by automated SQL injection through Microsoft SQL Server

Real World Examples

April, 2008: Over 10,000 social security numbers are stolen from the Sexual and Violent Offender Registry of Oklahoma

April – August, 2008: around 500,000 websites were hit by a SQL injection attack that referenced a malware Java file and corrupted all text columns without having to guess names

September, 2010: someone attempts to hand write SQL injection onto a write in ballot in the Swedish general election

Real World Examples

November, 2010: the British Royal Navy's website is exploited

February, 2011: HBGary, a technology security firm, was broken into by Anonymous

March 27, 2011: MySQL.com is broken into via a blind SQL injection

Real World Example

Questions?

Sources

http://xkcd.com/327/
http://en.wikipedia.org/wiki/SQL_injection
http://thehackerlounge.blogspot.com/2009/05/full-sql-injection-tutorial-mysql.html
http://www.hackingtricks.in/2011/03/mysqlcom-hacked-using-blind-sql.html