Automated Estimation and Evaluation of SQL-injection Vulnerabilities Jonas Persson, Group 30 - Language based security 2006.
Presentation transcript:

Contents
 The impact of SQL-injection
 Blindfolded SQL-injection
 What has been done before
 Automating the process
 Results
 Conclusions

Impact of SQL-injection
 Sysobjects – stores info on all tables in the database
 Sysdatabases – stores info on all databases on the server
 Xp_cmdshell – executes arbitrary commands
 Bcp – writes to an arbitrary file
 Openrowset – transfers data from/to a remote SQL server
 Xp_regwrite – writes arbitrary registry values
 Bulk insert – inserts from an arbitrary file

Blindfolded SQL-injection
 Should not rely on the contents of error messages
 The only relevant question is: did the query execute or not?
 Procedure:
  - Determine errors
  - Find format and query structure
  - Exploit
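The "did the query execute or not" signal only exists when user input is spliced into the SQL text. The following added example (not code from the slides) shows a string-concatenated lookup beside a parameterized one, then runs the 1=0 / 1=1 pair from the slides against both as a regression check a developer can keep in a test suite: the concatenated version answers the two probes differently, the parameterized version treats both as ordinary (non-matching) names. SQLite is used only because it ships with Python; the table and function names are assumptions.

```python
import sqlite3

# Constructed sample table: a product lookup keyed by a name parameter.
def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn

def lookup_concat(conn: sqlite3.Connection, param: str) -> list:
    """Vulnerable pattern: the parameter is pasted into the SQL text,
    so a quote in the input changes the shape of the statement."""
    sql = "SELECT name FROM products WHERE name = '" + param + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, param: str) -> list:
    """Hardened pattern: the parameter is bound as a value, so the
    statement shape is fixed and the input can only be compared."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (param,))]

def differential(lookup, base: str) -> dict:
    """Run the boolean probe pair from the slides through a lookup
    function and report what each variant returned."""
    conn = _make_db()
    return {
        "plain":   lookup(conn, base),
        "and_1=0": lookup(conn, base + "' AND 1=0 --"),
        "and_1=1": lookup(conn, base + "' AND 1=1 --"),
    }

def is_injectable(lookup, base: str) -> bool:
    """True when the 1=1 and 1=0 variants produce different results,
    i.e. the appended SQL was executed rather than compared."""
    r = differential(lookup, base)
    return r["and_1=1"] != r["and_1=0"]

if __name__ == "__main__":
    for fn in (lookup_concat, lookup_param):
        print(fn.__name__, differential(fn, "widget"),
              "injectable" if is_injectable(fn, "widget") else "safe")
```

Run it and the concatenated lookup returns the row for the 1=1 variant and nothing for 1=0, while the parameterized lookup returns nothing for either because it is looking for a product literally named `widget' AND 1=1 --`. That absence of a differential is exactly what removes the blind-injection signal.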

What has been done before
 Automated data mining using blindfolded SQL-injection (Absinthe by Cameron Hotchkies)
 Vulnerability scanning tools with support for finding SQL-injections

Limitations
 Absinthe only mines data from existing injections; it does not find the vulnerabilities
 All vulnerability scanning tools I have tested only append a single quote at the end of parameter values and report a vulnerability if the server returns a "500 – internal server error"

Automating the process
 Determine errors
  - Appending " AND " should give an incorrect syntax error
  - Appending " AND 1=0 " should result in an error
  - Appending " AND 1=1 " should not result in an error
 Comparing to these results will tell us whether appending " AND (any sql) " executed or not

Automating the process
 Finding format
  - Appending " -- " might remove necessary ending parentheses
  - Break out of parentheses by trying to end them one by one until the query executes
 More advanced formats do not require this procedure

Automating the process
 Finding the query structure
  - How many columns does the query select? Try ordering: " ORDER BY 1 -- "
  - Which types do the selected columns have?
  - Three base types: strings, ints and dates
  - Append " UNION ALL SELECT null -- "
  - Append " UNION ALL SELECT 1 -- "
  - Append " UNION ALL SELECT '1' -- "

Automating the process
 Once you have found the format and structure, exploiting is easy: " UNION ALL SELECT columns FROM table -- "

Automating the process
 Checking the impact
  - Selecting from system tables
  - Running stored procedures
  - Connecting to other servers through openrowset
  - Reading files with bulk insert
  - Options are limitless!
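Each step of the automated procedure on the preceding slides (error determination, column counting, type probing, and the impact checks against system tables and extended procedures) leaves a distinctive trace in a web server's access log. The following added example (not part of the slides) parses a handful of constructed log lines, URL-decodes each query parameter, tags values that match those steps, and additionally correlates the 1=0 / 1=1 pair per client and parameter, since a single boolean probe is weak evidence but the pair together is the signature of the blind technique described. The log lines, addresses and path are constructed; the signature list is taken from the probes and object names on the slides.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2006:13:55:36 +0200] "GET /item.asp?id=12 HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2006:13:55:37 +0200] "GET /item.asp?id=12'%20AND%201=0%20-- HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2006:13:55:38 +0200] "GET /item.asp?id=12'%20AND%201=1%20-- HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2006:13:55:40 +0200] "GET /item.asp?id=12'%20ORDER%20BY%203%20-- HTTP/1.1" 500 311
203.0.113.7 - - [10/Oct/2006:13:55:41 +0200] "GET /item.asp?id=12'%20UNION%20ALL%20SELECT%20null%20-- HTTP/1.1" 500 311
203.0.113.7 - - [10/Oct/2006:13:55:45 +0200] "GET /item.asp?id=12'%20UNION%20ALL%20SELECT%20name%20FROM%20sysobjects%20-- HTTP/1.1" 200 9870
198.51.100.4 - - [10/Oct/2006:13:56:01 +0200] "GET /item.asp?id=13 HTTP/1.1" 200 1050
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# One signature per probing step on the slides, plus the system objects and
# procedures listed on the impact slide.
SIGNATURES = [
    ("boolean-probe",      re.compile(r"\bAND\s+1\s*=\s*[01]\b", re.I)),
    ("column-count-probe", re.compile(r"\bORDER\s+BY\s+\d+", re.I)),
    ("union-probe",        re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I)),
    ("impact-probe",       re.compile(
        r"\b(sysobjects|sysdatabases|xp_cmdshell|xp_regwrite|openrowset|bulk\s+insert|bcp)\b",
        re.I)),
]
BOOL_RE = re.compile(r"\bAND\s+1\s*=\s*([01])\b", re.I)

def parse_line(line: str):
    """Split one access-log line into client, status and decoded parameters.
    Returns None for lines that do not match the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes and splits each pair on its first '=' only,
    # so a value such as "12' AND 1=0 --" survives intact.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def analyse(log_text: str) -> list:
    """Tag parameter values that match a probing step and correlate the
    1=0 / 1=1 pair per (client, path, parameter)."""
    findings = []
    bool_seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            for category, sig in SIGNATURES:
                if sig.search(value):
                    findings.append({"client": rec["client"], "path": rec["path"],
                                     "param": name, "category": category,
                                     "status": rec["status"], "value": value})
            for truth in BOOL_RE.findall(value):
                bool_seen[(rec["client"], rec["path"], name)].add(truth)
    # Both halves of the boolean pair from one client against one parameter
    # is the blind-injection fingerprint rather than a stray odd request.
    for (client, path, name), truths in bool_seen.items():
        if truths == {"0", "1"}:
            findings.append({"client": client, "path": path, "param": name,
                             "category": "blind-boolean-pair",
                             "status": None, "value": None})
    return findings

def summarise(findings: list) -> dict:
    """Count findings per category for a quick triage view."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["category"]] += 1
    return dict(counts)

if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f["client"], f["path"], f["param"], f["category"], f["status"], f["value"])
    print(summarise(results))
```

The status column is kept in each finding because the slides' own point is that the 500 responses are not the interesting signal: the sysobjects request above returned 200 with a much larger body, which is what a successful union looks like from the server side. Matching on decoded parameter values rather than raw URLs is what lets the same rules work whether the client encoded spaces as `%20` or `+`.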

Results
 A program that
  - Evaluates a parameter and returns how likely it is that the parameter is vulnerable and exploitable
  - Finds format and query structure
  - Estimates how vulnerable the parameter is on a scale from 1 to 10
  - Reports its findings to the user, detailing the vulnerability and its impact

Results

Conclusions
 As we have just seen, it is indeed possible to automate the search for and exploitation of SQL-injection vulnerabilities
 The example can be extended in many different ways to create either a versatile audit tool or a powerful hacking tool