Idaho1 - University of Tulsa

SQL Injection Attacks
John Sweetnam
Introduction

What is an SQL injection attack
What is SQL
How an SQL injection works
What can you do to databases with it
Defenses
Current real world examples

SQL Injection

The ability to inject SQL commands into the database engine through an existing application
Code injection technique
Exploits a vulnerability in the database layer of web applications

SQL

Structured Query Language
Database computer language
Designed to manage data in relational database management systems (RDBMS)

Scope

Data insertion, query, update and deletion
Schema creation and modification
Data access control

SQL examples

Similar to simple sentences
Many versions of SQL
All support several keywords: SELECT, FROM, WHERE, AND, CREATE, DELETE, ALTER TABLE, ADD, DROP, OR, ...
Follows simple grammatical rules that allow users to specify what information they are looking for

SQL Examples

SELECT lastName FROM nameTable WHERE firstName = 'Bob'
SELECT name, region, population FROM countriesTable
SELECT * FROM infoTable
SELECT name FROM countriesTable WHERE population > 20000000

SQL Examples

CREATE TABLE tableName (num INTEGER PRIMARY KEY, name VARCHAR(30))
DROP TABLE tableName
ALTER TABLE tableName ADD columnName INTEGER
ALTER TABLE tableName DROP COLUMN columnName

2 types of SQL injection vulnerability

1. Improper filtering of user input for string literal escape characters
2. User input isn't strongly typed

Vulnerable Login Query

An SQL injection has the potential to bypass login procedures
Common vulnerable query:
SELECT * FROM users WHERE login = 'userInput1' AND pwd = 'userInput2'
If something is returned from the users table, then the user is allowed to log in
The line of code is:
Statement = "SELECT * FROM users WHERE login = '" + userInput1 + "' AND pwd = '" + userInput2 + "'"

Bypass authentication

User input for login and pwd:
' OR '1' = '1
Alters the condition of the SELECT statement to read:
SELECT * FROM users WHERE login = '' OR '1' = '1' AND pwd = '' OR '1' = '1'
Because AND binds tighter than OR, the trailing OR '1' = '1' makes the WHERE clause true for every row, so the query returns the users table and the login succeeds

Alternate Authentication Bypass

Other potential user inputs are:
' OR '1' = '1' -- '
' OR '1' = '1' ({ '
' OR '1' = '1' /* '
This changes the SQL query into:
SELECT * FROM users WHERE login = '' OR '1' = '1'
These would only be put into the login field
The --, ({, and /* comment out the rest of the query, allowing you to remove some of the conditions

Table modification at login

It is also possible not to bypass authentication but still to alter and obtain information from the tables
Exploit input:
Whatever' ; DROP TABLE 'users'; SELECT * FROM 'userInfo' WHERE '1' = '1
Leaving the apostrophe off the beginning and the end allows it to fit multiple commands seamlessly into what should be a single query
Whether the extra statements actually run depends on the database driver: many APIs refuse to execute more than one statement per call, but this is not something to rely on as a defense

Incorrect Type Handling

User-supplied fields are not checked properly for type constraints.
Code:
Statement = "SELECT * FROM userinfo WHERE idNumber = " + variable_x + ";"
variable_x is clearly intended to be a number
However...
1;DROP TABLE 'userinfo'

Blind SQL Injection

When there is a web application vulnerable to SQL injection but the attacker is unable to see the results of the injection
The page may not display data, but the page itself will display differently based on the results of injected logical statements
Can be very time intensive
New statements must be constantly recrafted

Blind SQL Injection

3 Types of blind SQL injections
1) Conditional Responses
2) Conditional Errors
3) Time Delays

Conditional Responses

Changes what the page displays to the user upon evaluation of a logical statement
Inserting ' AND '1' = '1
Should lead to a normal page being displayed
Inserting ' AND '1' = '2
Can only return false
If the page displays differently than before, then the web application is most likely vulnerable to SQL injection

Conditional Errors

Force an SQL error by making the database evaluate a faulty query if the WHERE condition is true
For example...
SELECT 1/0 FROM 'users' WHERE 'username' = 'Bob'
Division by zero causes an error, giving the attacker info about the contents of the username column in the users table
Whether an error is actually raised depends on the database engine: MySQL, for example, returns NULL for division by zero by default rather than failing the query

Time Delays

Force the database to execute long-running queries or time-delay statements
The amount of time required for the page to load allows the user to determine whether the statement was true or not

Steps to Running a SQL Injection on MySQL

1. Check for vulnerability
Use a conditional response
Or, simply insert a character that doesn't belong, such as ', and see if an error is thrown for incorrect SQL syntax
2. Discover the number of columns
Use the ORDER BY clause to iterate through column numbers until an error is returned
3. Test the UNION operator
Allows you to combine SELECT queries and pull more information

Steps to Running a SQL Injection on MySQL

4. Obtain the MySQL version number
Achievable using @@version or version()
Based on the version number, there are two options for proceeding
5. a) If MySQL version < 5
Table and column names must be guessed
Brute force the most common names; what to try varies depending on what you are looking for, but finding users or passwords could grant you access to others
5. b) If MySQL version > 5
There is an information_schema that can be used to obtain table and column names

Steps to Running a blind SQL Injection on MySQL

1. Run a conditional response with a false condition and see if the page changes
If yes, the site is vulnerable
2. Obtain the version number
Best way is to insert substring(@@version,1,1) = 4 or 5
Compares the first character of the version number until the page loads normally
3. Test out subselects and locate the users table
Subselecting is used to further isolate data when selecting it from the database
This can be used to determine what the table names are, based on proper page loading

Steps to Running a blind SQL Injection on MySQL

4. Pull information from the database
Using substring() and subselecting, you can pull the first character of the username out of the users table
By converting this character to ASCII, you can compare it against ASCII values
Compare the ASCII value as larger than a low ASCII character number, and increment your way up until the page no longer returns normally
This lets you know what ASCII value the character is
You can then iterate through until you have the username/password

Defenses

Essentially, all that is needed is some form of filtering or checking to sanitize inputs
Several types of possible filtering:
Parameterized Statements
Enforcement at the database level
Enforcement at the coding level
Escaping
Strong typing

Parameterized Statements

Works with parameters instead of embedding user input into the statement
Example (JDBC; connection is an open java.sql.Connection):
PreparedStatement stat = connection.prepareStatement("SELECT * FROM users WHERE username=? AND password=?");
stat.setString(1, username);
stat.setString(2, password);
stat.executeQuery();

Enforcement at the database level

Some database engines come with the ability to enforce parameterization of queries
Can cause issues

Enforcement at the coding level

Use object-relational mapping libraries
Object-oriented libraries can have parameterization of SQL statements built into the code.

Escaping

Straightforward but fallible method of preventing injections
Simply escape any characters that have special meaning in the version of SQL being run
Requires a blacklist of every special character for SQL
Easy to forget

Strong Typing

Placing very severe restrictions on intermixing of types
Variety of definitions for it:
At compile or run time, all functions that disregard types are cast as erroneous
Any type-matching failures are immediately flagged with errors during runtime

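Both defenses above, parameterized statements and strong typing, applied to the two vulnerable queries from the earlier slides: the concatenated login statement and the numeric idNumber lookup. This is an added Python/sqlite3 example, not code from the presentation; the users table, its single row and the idNumber column are constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory sample database (not from the slides): one user row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (idNumber INTEGER PRIMARY KEY, login TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'bob', 's3cret')")
    return conn

def login_vulnerable(conn, user_input1, user_input2):
    # The slide's concatenated statement: user text is spliced into the SQL itself,
    # so a quote in the input ends the literal and the remainder is parsed as SQL.
    statement = ("SELECT * FROM users WHERE login = '" + user_input1 +
                 "' AND pwd = '" + user_input2 + "'")
    return conn.execute(statement).fetchone() is not None

def login_parameterized(conn, user_input1, user_input2):
    # Parameterized form: the SQL text is fixed and the driver binds both values,
    # so they are compared as data and can never alter the statement's structure.
    statement = "SELECT * FROM users WHERE login = ? AND pwd = ?"
    return conn.execute(statement, (user_input1, user_input2)).fetchone() is not None

def parse_id_number(variable_x):
    # Strong typing for the idNumber lookup: accept only a plain decimal integer
    # and return None for anything else (e.g. "1;DROP TABLE 'userinfo'" or "1_0"),
    # so the bad value is rejected before any SQL is built or run.
    if re.fullmatch(r"[0-9]+", variable_x) is None:
        return None
    return int(variable_x)

def lookup_by_id(conn, variable_x):
    # Validated integer bound as a parameter; returns the matching login or None.
    id_number = parse_id_number(variable_x)
    if id_number is None:
        return None
    row = conn.execute("SELECT login FROM users WHERE idNumber = ?", (id_number,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1' = '1"  # the login/pwd input shown on the bypass slide
    print(login_vulnerable(db, bypass, bypass))      # True: authentication bypassed
    print(login_parameterized(db, bypass, bypass))   # False: treated as a plain string
    print(login_parameterized(db, "bob", "s3cret"))  # True: real credentials still work
    print(lookup_by_id(db, "1;DROP TABLE 'userinfo'"))  # None: rejected by type check
```
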
Defense summary

In the end, it all comes down to sanitizing inputs
There are a variety of ways to do it, but it is all just filtering of one kind or another
Very easy to forget
As seen by how prevalent SQL injection attacks have been and still are

Real World Examples

November, 2005: high school student in Taiwan broke into information security magazine's database and stole customer data
June, 2007: Microsoft's U.K. webpage is defaced
January, 2008: tens of thousands of computers are infected by automated SQL injection through Microsoft SQL Server

Real World Examples

April, 2008: Over 10,000 social security numbers are stolen from the Sexual and Violent Offender Registry of Oklahoma
April – August, 2008: around 500,000 websites were hit by a SQL injection attack that referenced a malware Java file and corrupted all text columns without having to guess names
September, 2010: someone attempts to hand write SQL injection onto a write-in ballot in the Swedish general election

Real World Examples

November, 2010: British Royal Navy's website is exploited
February, 2011: HBGary, a technology security firm, was broken into by Anonymous
March 27, 2011: MySQL.com is broken into via a blind SQL injection

Real World Example
Questions?
Sources

http://xkcd.com/327/
http://en.wikipedia.org/wiki/SQL_injection
http://thehackerlounge.blogspot.com/2009/05/full-sql-injection-tutorial-mysql.html
http://www.hackingtricks.in/2011/03/mysqlcom-hacked-using-blind-sql.html