Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection Attacks John Sweetnam

Published bySamuel Alain Modified over 5 years ago

Similar presentations

Presentation on theme: "SQL Injection Attacks John Sweetnam"— Presentation transcript:

1 SQL Injection Attacks John Sweetnam
1

2 Introduction What is an SQL injection attack What is SQL
How an SQL injection works What can you do to databases with it Defenses Current real world examples

3 SQL Injection The ability to inject SQL commands into the database engine through an existing application Code injection technique Exploits vulnerability in the database layer of web applications

4 SQL Structured Query Language Database computer language
Designed to manage data in relational database management systems(RBMS) Scope Data insertion, query, update and deletion Schema creation and modification Data access control

5 SQL examples Similar to simple sentences Many versions of SQL
All support several key words SELECT, FROM, WHERE, AND, CREATE, DELETE, ALTER TABLE, ADD, DROP, AND, OR, ... Follows simple grammatical rules that allow users to specify what information they are looking for

6 SQL Examples SELECT lastName FROM nameTable WHERE firstName = 'Bob'
SELECT name, region, population FROM countriesTable SELECT * FROM infoTable SELECT name FROM countriesTable WHERE population >

7 SQL Examples CREATE TABLE tableName (num INTEGER PRIMARY KEY, name VARCHAR(30)) DROP TABLE tableName ALTER TABLE tableName ADD columnName INTEGER ALTER TABLE tableName DROP COLUMN columnName

8 2 types of SQL vulnerability
1. Improper filtering of user input for string literal escape characters 2. User input isn't strongly typed

9 Vulnerable Login Query
An SQL injection has the potential to bypass login procedures Common vulnerable query: SELECT * FROM users WHERE login = 'userInput1' AND pwd = 'userInput2' If something is returned from the users table, then the user is allowed login Line of code is Statement = “SELECT * FROM 'users' WHERE login = ' ” + userInput1 + “ ' AND pwd = ' “ + userInput2 + “ ' ”

10 Bypass authentication
User input for login and pwd ' OR '1' = ' 1 Alters the condition of the SELECT statement to read: SELECT * FROM users WHERE login = 'userInput1' OR '1' = '1' AND pwd = 'userInput2' OR '1' = '1'

11 Alternate Authentication Bypass
Other potential user inputs are: ' OR '1' = '1' -- ' ' OR '1' = '1' ({ ' ' OR '1' = '1' /* ' This changes the SQL query into: SELECT * FROM users WHERE login = '' OR '1' = '1' These would only be put into the login field The --, ({, and /* comment out the rest of the query, allowing you to remove some of the conditions

12 Table modification at login
It is also possible to not bypass authentication but still alter and obtain information from the tables Exploit input: Whatever' ; DROP TABLE 'users'; SELECT * FROM 'userInfo' WHERE '1' = '1 Leaving the apostrophe off the beginning and the end allow it to fit multiple commands seamlessly into what should be a single query

13 Incorrect Type Handling
User supplied fields are not checked properly for the type constraints. Code: Statement = “SELECT * FROM 'userinfo' WHERE 'idNumber' = “ + variable_x + “;” variable_x is clearly intended to be a number However... 1;DROP TABLE 'userinfo'

14 Blind SQL Injection When there is a web application vulnerable to SQL injection but the attacker is unable to see the results of the injection The page may not display data but the page itself will display differently based on the results of injected logical statements Can be very time intensive New statements must be constantly recrafted

15 Blind SQL Injection 3 Types of blind SQL injections
1) Conditional Responses 2) Conditional Errors 3) Time Delays

16 Conditional Responses
Changes what the page displays the user upon evaluation of a logical statement Inserting ' AND '1' = '1 Should lead to a normal page being displayed Inserting ' AND '1' = '2 Can only return false If the page displays differently than before, then the web application is most likely vulnerable to SQL injection

17 Conditional Errors Force an SQL error by making the database evaluate a faulty query if the WHERE condition is true For example... SELECT 1/0 FROM 'users' WHERE 'username' = 'Bob' Division of zero causes error, giving the attacker info about the contents of the username column in the users table

18 Time Delays Force database to execut long running queries or time delay statements Amount of time required for the page to load allows the user to determine if the statement was true or not

19 Steps to Running a SQL Injection on MySQL
1. Check for vulnerability Use a conditional response Or, simply insert a character that doesn't belong, such as ', and see if an error is thrown for incorrect SQL syntax 2. Discover the number of columns Use the ORDER BY command to iterate through all column numbers until an error is returned 3.Test the UNION function Allows you to combine SELECT queries and pull more information

20 Steps to Running a SQL Injection on MySQL
4. Obtain the mySQL version number Achievable using or version() Based on the version number, there are two options for proceeding 5.a) if mySQL version < 5 Table and column names must be guessed Brute force the most common names, varies depending on what you are looking for, but looking for users or passwords could grant you access to others 5. b) if mySQL version > 5 There is an information_schema that can be used to obtain table and column names

21 Steps to Running a blind SQL Injection on MySQL
1. Run a conditional response with a false condition and see if the page changes If yes, the site is vulnerable 2.Obtain the version number Best way is to insert = 4 or 5 Compares first character of version number until page loads normally 3. Test out subselect and locate the users table Subselecting is used to further isolate data when selecting it from the database This can be used to determine what tables names are based on proper page loading

22 Steps to Running a blind SQL Injection on MySQL
4. Pull information from the database Using substring() and subselecting, you can pull the first character of the username out of the user table By converting this character to ascii, you can compare it against ascii values Compare the ascii value as larger than a low ascii character number, and increment your way up until the page no longer returns normally This lets you know what ascii value the character is You can then iterate through until you have the username/password

23 Defenses Essentially, all that is needed is some form of filtering or checking to sanitize inputs Several types of possible filtering Parameterized Statements Enforcement at the database level Enforcement at the coding level Escaping Strong typing

24 Parameterized Statements
Works with parameters instead of embedding user input into the statement Example: Statement stat = prepareStatement(“SELECT * FROM users where username=? AND password=?”); stat.setString(1,username); stat.setString(2,password); stat.executeQuery();

25 Enforcement at the database level
Some database engines come with the ability to enforce parameterization of query Can cause issues

26 Enforcement at the coding level
Use object-relation mapping libraries Object oriented libraries can have parameterization of SQL statements built into the code.

27 Escaping Straightforward but fallible method of preventing injections
Simple escape out any characters that have special meaning in the version of SQL being run Requires blacklist of every special character for SQL Easy to forget

28 Strong Typing Placing very severe restrictions on intermixing of types
Variety of definitions for it At compile or run time, all functions that disregard types are cast as erroneous Any type-matching failures are immediately flagged with errors during runtime

29 Defense summary In the end, it all comes down to sanitizing inputs
There are a variety of ways to do it, but it is all just filtering of one kind or another Very easy to forget As seen by how prevalent SQL injection attacks have been and still are

30 Real World Examples November, 2005: high school student in Taiwan broke into information security magazine's database and stole customer data June, 2007: Microsoft's U.K. webpage is defaced January, 2008: tens of thousands of computers are infected by automated SQL injection through Microsoft SQL Server

31 Real World Examples April, 2008: Over 10,000 social security numbers are stolen from the Sexual and Violent Offender Registry of Oklahoma April – August, 2008: around 500,000 websites were hit by a SQL injection attack that referenced a malware Java file and corrupted all text columns without having to guess names September, 2010: someone attempts to hand write SQL injection onto a write in ballot in the Swedish general election

32 Real World Examples November, 2010: British Royal navy's website is exploited February, 2011: HBGary, a technology security firm, was broken into by Anonymous March 27, 2011: MySQL.com is broken into via a blind SQL injection

33 Real World Example

34 Questions? 34

35 Sources http://xkcd.com/327/
ull-sql-injection-tutorial-mysql.html -hacked-using-blind-sql.html

Download ppt "SQL Injection Attacks John Sweetnam"

Similar presentations

Understand Database Security Concepts

Understand Database Security Concepts
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Let’s try Oracle. Accessing Oracle The Oracle system, like the SQL Server system, is client / server. For SQL Server, –the client is the Query Analyser.

Let’s try Oracle. Accessing Oracle The Oracle system, like the SQL Server system, is client / server. For SQL Server, –the client is the Query Analyser.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Introduction to Structured Query Language (SQL)

Introduction to Structured Query Language (SQL)
Introduction to Structured Query Language (SQL)

Introduction to Structured Query Language (SQL)
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
SQL Injection Timmothy Boyd CSE 7330.

SQL Injection Timmothy Boyd CSE 7330.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Chapter 5 Introduction to SQL. Structured Query Language = the “programming language” for relational databases SQL is a nonprocedural language = the user.

Chapter 5 Introduction to SQL. Structured Query Language = the “programming language” for relational databases SQL is a nonprocedural language = the user.
ASP.NET Programming with C# and SQL Server First Edition

ASP.NET Programming with C# and SQL Server First Edition
SQL INJECTION COUNTERMEASURES &

SQL INJECTION COUNTERMEASURES &
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
AL-MAAREFA COLLEGE FOR SCIENCE AND TECHNOLOGY INFO 232: DATABASE SYSTEMS CHAPTER 7 INTRODUCTION TO STRUCTURED QUERY LANGUAGE (SQL) Instructor Ms. Arwa.

AL-MAAREFA COLLEGE FOR SCIENCE AND TECHNOLOGY INFO 232: DATABASE SYSTEMS CHAPTER 7 INTRODUCTION TO STRUCTURED QUERY LANGUAGE (SQL) Instructor Ms. Arwa.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Similar presentations

Ads by Google