Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.

Published byPriscilla Fleming Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert."— Presentation transcript:

1 SQL Injection Jason Dunn

2 SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert Update Drop

3 SQL Statement Format Select * From [Table] where [ conditions ] Eg. Select grade From Students where pid=‘1234’ Selects the grade field value from the Students table from every entry where the corresponding pid = 1234 Update [Table] where [column name 1 = value 1] set [column name 2 = value 2] Updates the specified table – all records where a value 1 is found in column 1, it will replace column 2’s value with value 2 Drop Table [Table] Deletes the given table

4 Database Basics Definitions Table – Collection of records Column – Specifies a value which will be present in all records Value – The contents of a specific column in a specific record Record – One row in the table Used for storing/organizing data Used by most businesses in some degree Typical applications customer data, banking data, health data, orders, inventory

5 Example Table NameGradePID BobC1234 CraigF1235 DanB+1236 LindsayA1237 Record Column Field Value

6 SQL Injection Overview Causes Basics Dangers Detection Hardening Applications Implementation Differences Demo

7 Causes Failure to Sanitize Input Don’t Trust user input User can put special characters or statements into fields SQL supports multiple statements per query Though some connection drivers don’t

8 Basics Add in logic to passed parameter If you have the statement: Select * from Students where password=‘$pass’ And your user submits $pass = 1’ or 1=1 Your statement becomes Select * from Students where password=‘1’ or 1=1 Your statement now always resolves to true and every record is displayed Disclosure of extra data

9 Dangers Authentication Bypass Someone could see data they aren’t authorized to see Disclosures Again, you could see all the information in a database Modification Students could modify their grade in the computer system Deletion Someone could delete a company’s customer records Execution A hacker could force your computer to run any program they want it to

10 Authentication Bypass Can bypass authentication by changing the statement to always return true Use the same or similar options as disclosure 1’ or 1=1 etc.

11 Modification Uses the ability to chain multiple statements in a single request If you have the statement: Select * from Students where password=‘$pass’ And your user submits $pass=1’; Update Students where name=you set grade=100 If the input is not sanitized you have remotely changed your grade ( or any random value on the server, account balance, passwords, etc)

12 Deletion If you have the statement: Select * from Students where password=‘$pass’ And your user submits $pass=1’; Delete Table Students If the input is not sanitized you have remotely deleted all records in the Students table

13 Execution (Specific to certain implementations) If you have the statement: Select * from Students where password=‘$pass’ And your user submits $pass=1’ ;exec master.dbo.xp_cmdshell [some command] If the input is not sanitized and the exec command is enabled you can run commands at whatever level the servers permission is Server often runs at admin privilige level Use exec to download backdoor Use exec to execute backdoor

14 Detection Automated Tools Manual Testing Code Review Hand testing statements

15 Automated Tools HP WebInspect Rational AppScan SQL Power Injector Absinthe Sqlninja

16 Hardening Applications Update software If you are using PHP5 it automatically tries to escape single quotes Escape the strings manually mysql_real_escape_string() or other similar methods Manually check for compound statements Do not generate statements from the user input, use prepared statements Check input against result of prepared statements

17 Implementation Differences MySQLOracleDB2PostgresMS SQL Union Possible YYYYY Subselects Possible NYYYY Multiple Statements NNNYY Stored Procedures N/A Many (utf_file) N/A Many (command shell)

18 Real Life Example (Her daughters name is help I am trapped in a drivers license factory)

19 Demo

20 Sources www.w3schools.com www.freewebmasterhelp.com/tutorials/phpmy sql Carey, Mark. Nessus Network Auditing. Burlington, MA. 2008 McClure, Stuart. Hacking Exposed: 6. McGraw Hill. Chicago, IL. 2009 Skoudis, Ed. Counter Hack Reloaded. Prentice Hall. Indianapolis, IN. 2002

21 Questions ?

Download ppt "SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert."

Similar presentations

CC SQL Utilities.

CC SQL Utilities.
Understand Database Security Concepts

Understand Database Security Concepts
2010/11 : [1]Building Web Applications using MySQL and PHP (W1)MySQL Recap.

2010/11 : [1]Building Web Applications using MySQL and PHP (W1)MySQL Recap.
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.

ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.
Concepts of Database Management Sixth Edition

Concepts of Database Management Sixth Edition
Database Updates Made Easy In WebFocus Using SQL And HTML Painter Sept 2011 Lender Processing Services 1.

Database Updates Made Easy In WebFocus Using SQL And HTML Painter Sept 2011 Lender Processing Services 1.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
With Microsoft Office 2007 Intermediate© 2008 Pearson Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Office 2007 Intermediate.

With Microsoft Office 2007 Intermediate© 2008 Pearson Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Office 2007 Intermediate.
CPS120: Introduction to Computer Science Information Systems: Database Management Nell Dale John Lewis.

CPS120: Introduction to Computer Science Information Systems: Database Management Nell Dale John Lewis.
With Microsoft Access 2007 Volume 1© 2008 Pearson Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access 2007 Volume 1 Chapter.

With Microsoft Access 2007 Volume 1© 2008 Pearson Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access 2007 Volume 1 Chapter.
Advanced Database Management System Lab no. 11. SQL Commands (for MySQL) –Update –Replace –Delete.

Advanced Database Management System Lab no. 11. SQL Commands (for MySQL) –Update –Replace –Delete.
Database Programming in Java Corresponds with Chapter 32, 33.

Database Programming in Java Corresponds with Chapter 32, 33.
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
Tom Castiglia Hershey Technologies

Tom Castiglia Hershey Technologies
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.

Similar presentations

Ads by Google