SQL Injection Attacks
John Sweetnam
Introduction
- What is an SQL injection attack
- What is SQL
- How an SQL injection works
- What can you do to databases with it
- Defenses
- Current real world examples
SQL Injection
- The ability to inject SQL commands into the database engine through an existing application
- A code injection technique
- Exploits a vulnerability in the database layer of web applications
SQL
- Structured Query Language
- Database computer language
- Designed to manage data in relational database management systems (RDBMS)
- Scope: data insertion, query, update and deletion; schema creation and modification; data access control
SQL examples
- Similar to simple sentences
- Many versions of SQL; all support several key words: SELECT, FROM, WHERE, AND, OR, CREATE, DELETE, ALTER TABLE, ADD, DROP, ...
- Follows simple grammatical rules that allow users to specify what information they are looking for
SQL Examples
SELECT lastName FROM nameTable WHERE firstName = 'Bob'
SELECT name, region, population FROM countriesTable
SELECT * FROM infoTable
SELECT name FROM countriesTable WHERE population > 20000000
SQL Examples
CREATE TABLE tableName (num INTEGER PRIMARY KEY, name VARCHAR(30))
DROP TABLE tableName
ALTER TABLE tableName ADD columnName INTEGER
ALTER TABLE tableName DROP COLUMN columnName
2 types of SQL vulnerability
1. Improper filtering of user input for string literal escape characters
2. User input isn't strongly typed
Vulnerable Login Query
- An SQL injection has the potential to bypass login procedures
- Common vulnerable query:
  SELECT * FROM users WHERE login = 'userInput1' AND pwd = 'userInput2'
- If something is returned from the users table, then the user is allowed to log in
- The line of code is:
  Statement = "SELECT * FROM users WHERE login = '" + userInput1 + "' AND pwd = '" + userInput2 + "'"
Bypass authentication
- User input for both login and pwd: ' OR '1' = '1
- Alters the condition of the SELECT statement to read:
  SELECT * FROM users WHERE login = '' OR '1' = '1' AND pwd = '' OR '1' = '1'
Alternate Authentication Bypass
- Other potential user inputs are:
  ' OR '1' = '1' --
  ' OR '1' = '1' ({
  ' OR '1' = '1' /*
- These change the SQL query into:
  SELECT * FROM users WHERE login = '' OR '1' = '1'
- These would only be put into the login field
- The --, ({, and /* comment out the rest of the query, allowing you to remove some of the conditions
Table modification at login
- It is also possible to not bypass authentication but still alter and obtain information from the tables
- Exploit input:
  Whatever' ; DROP TABLE 'users'; SELECT * FROM 'userInfo' WHERE '1' = '1
- Leaving the apostrophe off the beginning and the end allows it to fit multiple commands seamlessly into what should be a single query
Incorrect Type Handling
- User-supplied fields are not checked properly for type constraints
- Code:
  Statement = "SELECT * FROM userinfo WHERE idNumber = " + variable_x + ";"
- variable_x is clearly intended to be a number
- However...
  1;DROP TABLE 'userinfo'
Blind SQL Injection
- When there is a web application vulnerable to SQL injection but the attacker is unable to see the results of the injection
- The page may not display data, but the page itself will display differently based on the results of injected logical statements
- Can be very time intensive
- New statements must be constantly recrafted
Blind SQL Injection
3 types of blind SQL injection:
1) Conditional Responses
2) Conditional Errors
3) Time Delays
Conditional Responses
- Changes what the page displays to the user upon evaluation of a logical statement
- Inserting ' AND '1' = '1 should lead to a normal page being displayed
- Inserting ' AND '1' = '2 can only return false
- If the page displays differently than before, then the web application is most likely vulnerable to SQL injection
Conditional Errors
- Force an SQL error by making the database evaluate a faulty query if the WHERE condition is true
- For example...
  SELECT 1/0 FROM users WHERE username = 'Bob'
- Division by zero causes an error, giving the attacker info about the contents of the username column in the users table
Time Delays
- Force the database to execute long-running queries or time delay statements
- The amount of time required for the page to load allows the user to determine whether the statement was true or not
Steps to Running a SQL Injection on MySQL
1. Check for vulnerability
   - Use a conditional response
   - Or, simply insert a character that doesn't belong, such as ', and see if an error is thrown for incorrect SQL syntax
2. Discover the number of columns
   - Use the ORDER BY command to iterate through all column numbers until an error is returned
3. Test the UNION function
   - Allows you to combine SELECT queries and pull more information
Steps to Running a SQL Injection on MySQL
4. Obtain the MySQL version number
   - Achievable using @@version or version()
   - Based on the version number, there are two options for proceeding
5. a) If MySQL version < 5
   - Table and column names must be guessed
   - Brute force the most common names; this varies depending on what you are looking for, but looking for users or passwords could grant you access to others
5. b) If MySQL version > 5
   - There is an information_schema that can be used to obtain table and column names
Steps to Running a blind SQL Injection on MySQL
1. Run a conditional response with a false condition and see if the page changes
   - If yes, the site is vulnerable
2. Obtain the version number
   - Best way is to insert substring(@@version,1,1) = 4 or 5
   - Compares the first character of the version number until the page loads normally
3. Test out subselect and locate the users table
   - Subselecting is used to further isolate data when selecting it from the database
   - This can be used to determine what the table names are, based on proper page loading
Steps to Running a blind SQL Injection on MySQL
4. Pull information from the database
   - Using substring() and subselecting, you can pull the first character of the username out of the user table
   - By converting this character to ASCII, you can compare it against ASCII values
   - Compare the ASCII value as larger than a low ASCII character number, and increment your way up until the page no longer returns normally
   - This lets you know what ASCII value the character is
   - You can then iterate through until you have the username/password
Defenses
- Essentially, all that is needed is some form of filtering or checking to sanitize inputs
- Several types of possible filtering:
  - Parameterized Statements
  - Enforcement at the database level
  - Enforcement at the coding level
  - Escaping
  - Strong typing
Parameterized Statements
- Works with parameters instead of embedding user input into the statement
- Example (JDBC; prepareStatement is called on an open Connection):
  PreparedStatement stat = prepareStatement("SELECT * FROM users WHERE username=? AND password=?");
  stat.setString(1, username);
  stat.setString(2, password);
  stat.executeQuery();
Enforcement at the database level
- Some database engines come with the ability to enforce parameterization of queries
- Can cause issues
Enforcement at the coding level
- Use object-relational mapping libraries
- Object oriented libraries can have parameterization of SQL statements built into the code
Escaping
- Straightforward but fallible method of preventing injections
- Simply escape any characters that have special meaning in the version of SQL being run
- Requires a blacklist of every special character for SQL
- Easy to forget
Strong Typing
- Placing very severe restrictions on the intermixing of types
- Variety of definitions for it
- At compile or run time, all functions that disregard types are treated as erroneous
- Any type-matching failures are immediately flagged with errors during runtime
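The following is an added worked example (not code from the slides) that puts the vulnerable login query and the idNumber query from the earlier slides beside three of the defenses listed here: parameterized statements, escaping, and strong typing. It uses Python's built-in sqlite3 module against an in-memory database with one constructed account, so it runs offline. The table contents, the function names, and the single-quote doubling used for escaping are assumptions of this example; the bypass input ' OR '1' = '1 and the 1;DROP TABLE input are the ones the slides give.

```python
import sqlite3

# Constructed sample data (not from the slides): one account in an in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (idNumber INTEGER PRIMARY KEY, login TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'bob', 's3cret')")
    conn.commit()
    return conn

# The authentication-bypass input from the slides, reused as the probe input below.
BYPASS = "' OR '1' = '1"

def login_concat(conn, user_input1, user_input2):
    """The vulnerable login query from the slides: input is spliced into the SQL text,
    so a quote inside the input becomes part of the query's grammar."""
    statement = ("SELECT * FROM users WHERE login = '" + user_input1
                 + "' AND pwd = '" + user_input2 + "'")
    return conn.execute(statement).fetchall()

def login_param(conn, user_input1, user_input2):
    """Parameterized statement: the driver passes the input as data, never as SQL."""
    return conn.execute("SELECT * FROM users WHERE login = ? AND pwd = ?",
                        (user_input1, user_input2)).fetchall()

def escape_literal(value):
    """Escaping defense (assumed rule for this example): inside a single-quoted SQL
    string literal the quote is written as two quotes. Only the quote is handled
    here; any other character the dialect treats specially must be added by the
    developer, which is the 'easy to forget' weakness the slides point out."""
    return value.replace("'", "''")

def login_escaped(conn, user_input1, user_input2):
    """Same concatenated query as login_concat, but with the literals escaped."""
    statement = ("SELECT * FROM users WHERE login = '" + escape_literal(user_input1)
                 + "' AND pwd = '" + escape_literal(user_input2) + "'")
    return conn.execute(statement).fetchall()

def lookup_by_id_typed(conn, variable_x):
    """Strong typing defense for the idNumber query: the value must parse as an
    integer before it reaches the database, so an input such as
    1;DROP TABLE 'userinfo' is rejected instead of executed.
    Returns None for a rejected input."""
    try:
        id_number = int(variable_x)
    except (TypeError, ValueError):
        return None
    return conn.execute("SELECT * FROM users WHERE idNumber = ?", (id_number,)).fetchall()

def demo():
    """Row counts each variant returns for the bypass input versus a valid login."""
    conn = make_db()
    return {
        "concat_bypass": len(login_concat(conn, BYPASS, BYPASS)),            # 1: bypassed
        "concat_comment_bypass": len(login_concat(conn, "' OR '1' = '1' --", "x")),  # 1
        "param_bypass": len(login_param(conn, BYPASS, BYPASS)),              # 0: no row
        "param_valid": len(login_param(conn, "bob", "s3cret")),              # 1
        "escaped_bypass": len(login_escaped(conn, BYPASS, BYPASS)),          # 0: no row
        "typed_injected": lookup_by_id_typed(conn, "1;DROP TABLE 'userinfo'"),  # None
        "typed_valid": len(lookup_by_id_typed(conn, "1")),                   # 1
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the concatenated query returning the account row for the bypass input (with and without the trailing comment), while the parameterized and escaped versions return no row for the same input and still return the row for a correct login; the typed lookup refuses the non-numeric idNumber before any SQL is built.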
Defense summary
- In the end, it all comes down to sanitizing inputs
- There are a variety of ways to do it, but it is all just filtering of one kind or another
- Very easy to forget, as seen by how prevalent SQL injection attacks have been and still are
Real World Examples
- November 2005: a high school student in Taiwan broke into an information security magazine's database and stole customer data
- June 2007: Microsoft's U.K. webpage is defaced
- January 2008: tens of thousands of computers are infected by automated SQL injection through Microsoft SQL Server
Real World Examples
- April 2008: over 10,000 social security numbers are stolen from the Sexual and Violent Offender Registry of Oklahoma
- April to August 2008: around 500,000 websites were hit by a SQL injection attack that referenced a malware Java file and corrupted all text columns without having to guess names
- September 2010: someone attempts to hand write SQL injection onto a write-in ballot in the Swedish general election
Real World Examples
- November 2010: British Royal Navy's website is exploited
- February 2011: HBGary, a technology security firm, was broken into by Anonymous
- March 27, 2011: MySQL.com is broken into via a blind SQL injection
Real World Example
Questions?
Sources
http://xkcd.com/327/
http://en.wikipedia.org/wiki/SQL_injection
http://thehackerlounge.blogspot.com/2009/05/full-sql-injection-tutorial-mysql.html
http://www.hackingtricks.in/2011/03/mysqlcom-hacked-using-blind-sql.html