How Did I Steal Your Database Mostafa

Presentation on theme: "How Did I Steal Your Database Mostafa"— Presentation transcript:

1 How Did I Steal Your Database Mostafa Siraj @mostafasiraj

2 Agenda Noooo, it kills suspense

3 DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account

4 SQL Injection: What is it?
The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query.

5 SQL Injection Example, Bypassing Logon
Original SQL query:
String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'";
.....
Setting username to Mostafa and password to ' OR '1'= '1 produces:
SELECT * FROM user WHERE name = 'Mostafa' AND pass='' OR '1'='1'
The attacker is logged on without authentication.

6 Not only your web app and DB are at risk
Depending on the DB, an attacker can access the operating system.
MS SQL Server: execute OS commands via xp_cmdshell.
Setting username to '; exec master.dbo.xp_cmdshell "dir";-- produces:
SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
Note: dir lists directory contents.

7 Let's play Hide and Seek
Original: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
Defender: disallow double quotes.
Attacker: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell dir; --
Defender: filter out the string "xp_cmdshell".
Attacker: ';declare @a varchar(1000); set @a = 'master.dbo.xp_' + 'cmdshell dir'; exec (@a);--
Defender: filter out "xp", "cmd", "shell", ....
Attacker: ';declare @a varchar(1000); set @a = reverse('rid llehsdmc_px.obd.retsam'); exec (@a);--

8 Finding SQL Injection Bugs

9 Finding SQL Injection Bugs
Submit a single quotation mark and observe the result.
Submit two single quotation marks and observe the result.
Identify the database (e.g. Oracle: '||'FOO, MS-SQL: '+'FOO, MySQL: ' 'FOO [note the space between the two quotes]).

10 Finding SQL Injection Bugs
For multistage processes, complete all the stages before observing the results.
For search fields, try using the wildcard character %.

11 Finding SQL Injection Bugs
For numeric data, if the original value was 2, try submitting 1+1 or 3-1.
If successful, try using SQL-specific functions, e.g. 67-ASCII('A').
If single quotes are filtered, try 51-ASCII(1) [note: ASCII(1)=49].

12 Inject into different statement types
You can do the same for all SQL statements (INSERT, UPDATE or DELETE).
Watch out when injecting into UPDATE or DELETE.

13 Demo WebGoat

14 Demo HacmeBank

15 Demo Using UNION Operator

16 Demo MS-SQL Error

17 Solution
Validate the input (accept only known good).
Process SQL queries using prepared statements, parameterized queries, or stored procedures.
Enforce least privilege.
Avoid detailed error messages.
Show care when using stored procedures (e.g. exec).
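The following is an added example, not code from the presentation or its author, that ties slide 5 (the logon bypass) to slide 17 (the fixes). It builds a throwaway in-memory SQLite table with one constructed user row, reproduces the string-concatenated query from slide 5, and sets a parameterized query and an accept-only-known-good username check beside it. The table name, column names, the user row and the username policy are assumptions made for the example; the SQLite driver is used only because it runs anywhere, and the same placeholder pattern exists for every mainstream database driver.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database (example data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO user VALUES ('Mostafa', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Slide 5 pattern: the query text is built by concatenating user input.

    Whatever the input contains becomes part of the SQL grammar, so a
    password of  ' OR '1'='1  turns the WHERE clause into a tautology.
    """
    sql = ("SELECT * FROM user WHERE name = '" + username
           + "' AND pass='" + password + "'")
    cur = conn.execute(sql)
    return cur.fetchone() is not None


def login_parameterized(conn, username, password):
    """Slide 17 fix: placeholders keep the query structure fixed.

    The driver sends the values separately from the statement, so a quote
    inside the input is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT * FROM user WHERE name = ? AND pass = ?"
    cur = conn.execute(sql, (username, password))
    return cur.fetchone() is not None


# Hypothetical accept-only-known-good policy for usernames: letters, digits,
# underscore, dot and dash, at most 32 characters. Quotes, semicolons and
# spaces are simply not in the allowed set.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """Input validation from slide 17: reject anything outside the allow list."""
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn, username, password):
    """Validation first, then a parameterized query; both layers from slide 17."""
    if not is_valid_username(username):
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable, real password:  ", login_vulnerable(db, "Mostafa", "s3cret"))
    print("vulnerable, slide-5 payload:", login_vulnerable(db, "Mostafa", bypass))
    print("parameterized, payload:     ", login_parameterized(db, "Mostafa", bypass))
    print("hardened, payload as name:  ", login_hardened(db, bypass, "x"))
```

Run it as a script to see the two outcomes side by side: the concatenated query accepts the slide-5 payload, the parameterized one does not. Note that validation alone is not the fix; a username that passes the allow list can still carry a payload in another field, which is why the parameterized query stays in place underneath it.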

18 Thank You @mostafasiraj
