Published by Edwina Eaton. Modified over 9 years ago.
Slide 1: SQL Injection
Anthony Brown, March 4, 2008
Navigation: Introduction | Questions | Background | Techniques | Prevention | Demo | Conclusions

Slide 2: Outline
- Background of SQL Injection
- Techniques and Examples
- Preventing SQL Injection
- Demo
- Wrap-Up
- Questions

Slide 3: Background of SQL Injection

Slide 4: Databases: Where are they now?
- Mainframes: Fat Server
- Desktop Apps: Fat Client
- Web Apps: Fat Server & Fat Client

Slide 5: Why is SQL a standard?
- Relational Database
- Platform Independence
- Loose Semantics
- Runtime Interpretation

Slide 6: Flexibility = Vulnerability
- Simple Injection
- Decoding Error Messages
- Blind Injection
- Encoding Exploits
- Stored Procedures
- Programmer Error (Faulty Logic)

Slide 7: SQL Injection Techniques

Slide 8: Important Symbols
- '   "Hack" (closes the quoted string)
- --  "Comment Out"
- ;   "End Statement"
- %, *  "Wildcards"

Slide 9: SQL Injection Definition
The input field is modified in such a way that the database returns unintended data.
SQL template: SELECT FROM WHERE

Slide 10: Example: Database Schema
- Table Users
  - Has columns "username" and "password"
  - Accessed when users log in
- Table Customers
  - Has column "phone"
  - Users can look up other customer phone numbers by name
- Application does no input validation

Slide 11: Returning Extra Rows with "union"
Query:
    SELECT phone FROM Customers WHERE last_name = ' '
Input:
    x' UNION SELECT username FROM users WHERE 'x' = 'x

Slide 12: Modifying Records
- Application has a password changing page
SQL:
    UPDATE users SET password = ' ' WHERE username = ' '
Input:
    newpassword' WHERE username LIKE '%admin%' --

Slide 13: MS SQL Server
- Default SQL Server setup
  - Default system admin account "sa" enabled
  - No password!!!
- Supports multiple queries
- "Extended stored procedures": C/C++ DLL files
  - Read/write external files
  - Access command line

Slide 14: Exploiting SQL Server
Use the phone look-up query again:
    SELECT phone FROM customers WHERE last_name = ' '
Input:
    '; exec master..xp_cmdshell 'iisreset'; --

Slide 15: Preventing SQL Injection

Slide 16: Prevention Overview
- Input Validation
- Input Checking Functions
- Access Rights
- User Permissions
- Variable Placeholders
- Stored Procedures

Slide 17: Input Validation
- Checks
  - Type
  - Size
  - Format
  - Range
- Replace quotation marks
- "All input is wrong and dangerous"
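The four checks on this slide, as an added example that is not part of the original deck: allowlist validators for the two inputs the example application of slide 10 accepts (a numeric record id and a customer last name). The length limits, id range and name character set are assumptions chosen for this example, not values from the slides. It also shows the trade-off a practitioner runs into: the name validator rejects a legitimate name like O'Brien, which is why validation is combined with placeholders rather than used alone.

```python
import re

# Allowlist rules for the two inputs of the deck's example application
# (slide 10). The limits below are assumptions for this example.
ID_RE = re.compile(r"[0-9]{1,10}")             # format: ASCII decimal digits only
ID_MIN, ID_MAX = 1, 999_999                   # range
NAME_MAX_LEN = 40                             # size
NAME_RE = re.compile(r"[A-Za-z][A-Za-z -]*")  # format: letters, spaces, hyphens


class InputError(ValueError):
    """Raised when a request parameter fails a type/size/format/range check."""


def validate_id(raw):
    """Type, size, format and range checks for a record id; returns an int."""
    if not isinstance(raw, str):                  # type: request params arrive as text
        raise InputError("id must arrive as a string")
    if len(raw) > 10:                             # size
        raise InputError("id too long")
    if not ID_RE.fullmatch(raw):                  # format: a quote or space fails here
        raise InputError("id must be decimal digits")
    value = int(raw)
    if not ID_MIN <= value <= ID_MAX:             # range
        raise InputError("id out of range")
    return value


def validate_last_name(raw):
    """Checks for a last name; returns the unchanged string on success.

    Quotation marks, semicolons and comment markers (the symbols of slide 8)
    never match NAME_RE, so they are rejected outright rather than replaced.
    The cost: a legitimate name such as O'Brien is rejected too, so this
    check complements placeholders instead of replacing them.
    """
    if not isinstance(raw, str):
        raise InputError("name must arrive as a string")
    if len(raw) > NAME_MAX_LEN:
        raise InputError("name too long")
    if not NAME_RE.fullmatch(raw):
        raise InputError("name contains characters outside the allowlist")
    return raw


def classify(raw, validator):
    """Return 'accepted' or 'rejected: <reason>' for one input/validator pair."""
    try:
        validator(raw)
        return "accepted"
    except InputError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: ordinary values plus the two inputs from
    # slides 11 and 12 and a name with a legitimate apostrophe.
    samples = [
        ("42", validate_id),
        ("42'", validate_id),
        ("0", validate_id),
        ("Smith-Jones", validate_last_name),
        ("O'Brien", validate_last_name),
        ("x' UNION SELECT username FROM users WHERE 'x' = 'x", validate_last_name),
        ("newpassword' WHERE username LIKE '%admin%' --", validate_last_name),
    ]
    for raw, fn in samples:
        print(f"{raw!r:58} -> {classify(raw, fn)}")
```

Checks run in the order the slide lists them, and the size check precedes the regular expression so an oversized string is rejected before any pattern work is done on it.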

Slide 18: Input Checking Functions
- Built-in character rejection

    // Vulnerable: the raw GET parameter is spliced straight into the query text.
    $sql = "SELECT * FROM Users WHERE ID = '" . $_GET['id'] . "'";

    // Escaped: special characters in the value are escaped, and the value
    // stays inside quotes so that the escaping actually takes effect.
    $sql = "SELECT * FROM Users WHERE ID = '" . mysql_real_escape_string($_GET['id']) . "'";
    $result = mysql_query($sql);

    // Note: the mysql_* functions were removed in PHP 7; mysqli and PDO
    // provide the equivalent escaping and, preferably, prepared statements.

Slide 19: Access Rights
- Web User vs. System Administrator ('sa')

Slide 20: User Permissions
- Limit query access rights
  - SELECT
  - UPDATE
  - DROP
- Restricted statement access
  - Global-specific
  - Database-specific
  - Table-specific
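Limiting what the application's database account may do, as an added example that is not part of the original deck. The lookup code path gets a connection that can only SELECT, so an UPDATE or DROP smuggled into it fails regardless of how it got there. SQLite has no GRANT statement, so a read-only URI open stands in for the restricted database user a MySQL or SQL Server deployment would create; that substitution, the schema contents and the placeholder passwords are assumptions of this example.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data matching the deck's schema (slide 10); the
# passwords are placeholders for this example.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE customers (last_name TEXT, phone TEXT);
INSERT INTO users VALUES ('admin', 'placeholder-admin-pw'), ('bob', 'placeholder-bob-pw');
INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
"""


def build_db(path):
    """Administrative setup: create the tables over a full-privilege connection."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.commit()
    conn.close()


def open_lookup_connection(path):
    """Connection for the phone-lookup code path: able to SELECT and nothing else.

    SQLite has no GRANT, so a read-only open plays the role that a restricted
    database user would on MySQL or SQL Server (assumption of this example).
    """
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def try_statement(conn, sql):
    """Run one statement and report whether the engine allowed it."""
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        return f"refused: {exc}"


def demo():
    """Show what the restricted lookup connection can and cannot do."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "app.db")
        build_db(path)
        lookup = open_lookup_connection(path)
        try:
            results = {
                "select": try_statement(
                    lookup, "SELECT phone FROM customers WHERE last_name = 'Smith'"),
                # The statement types this slide says to restrict: both are
                # refused by the engine, whatever the application tried to run.
                "update": try_statement(
                    lookup, "UPDATE users SET password = 'x' WHERE username = 'admin'"),
                "drop": try_statement(lookup, "DROP TABLE users"),
            }
        finally:
            lookup.close()
        return results


if __name__ == "__main__":
    for statement, outcome in demo().items():
        print(f"{statement:6} -> {outcome}")
```

The same idea applies per table on engines that support it: the account used by the lookup page needs SELECT on customers and nothing on users.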

Slide 21: Variable Placeholders (?)
- Defense from string concatenation
- Enforcing database data types

    PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
    prep.setString(1, pwd);   // the value is bound, never spliced into the SQL text
    ResultSet rs = prep.executeQuery();
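The two injections of slides 11 and 12 next to the placeholder form this slide recommends, as an added example that is not part of the original deck. Both inputs are taken verbatim from the slides and fed to a concatenated query and to a parameterized one against a constructed in-memory SQLite database; the schema follows slide 10, and the table contents and placeholder passwords are assumptions of this example.

```python
import sqlite3

# Constructed sample database matching the deck's schema (slide 10); the
# passwords are placeholders for this example.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE customers (last_name TEXT, phone TEXT);
INSERT INTO users VALUES ('admin', 'original-admin-pw'), ('bob', 'original-bob-pw');
INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
"""

# The two inputs shown on slides 11 and 12, verbatim.
UNION_INPUT = "x' UNION SELECT username FROM users WHERE 'x' = 'x"
UPDATE_INPUT = "newpassword' WHERE username LIKE '%admin%' --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Vulnerable forms: the query text is built by string concatenation ---

def lookup_phone_concat(conn, last_name):
    sql = "SELECT phone FROM customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def change_password_concat(conn, username, new_password):
    sql = ("UPDATE users SET password = '" + new_password
           + "' WHERE username = '" + username + "'")
    rows = conn.execute(sql).rowcount
    conn.commit()
    return rows


# --- Hardened forms: placeholders; the driver sends values apart from the SQL ---

def lookup_phone_param(conn, last_name):
    sql = "SELECT phone FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def change_password_param(conn, username, new_password):
    sql = "UPDATE users SET password = ? WHERE username = ?"
    rows = conn.execute(sql, (new_password, username)).rowcount
    conn.commit()
    return rows


def password_of(conn, username):
    return conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


def run_demo():
    """Feed the slides' inputs to both forms and collect what each did."""
    vuln = fresh_db()
    safe = fresh_db()
    results = {
        # Slide 11: the UNION turns a phone lookup into a list of usernames.
        "concat_lookup": sorted(lookup_phone_concat(vuln, UNION_INPUT)),
        # Slide 12: bob's password change rewrites admin's row instead.
        "concat_update_rows": change_password_concat(vuln, "bob", UPDATE_INPUT),
        "concat_admin_pw": password_of(vuln, "admin"),
        # With placeholders the same strings are plain data: no customer is
        # literally named after the input, and only bob's row changes.
        "param_lookup": lookup_phone_param(safe, UNION_INPUT),
        "param_update_rows": change_password_param(safe, "bob", UPDATE_INPUT),
        "param_admin_pw": password_of(safe, "admin"),
        "param_bob_pw": password_of(safe, "bob"),
    }
    vuln.close()
    safe.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:20} {value!r}")
```

The parameterized UPDATE stores the whole input string, comment marker included, as bob's new password; nothing in it is interpreted as SQL because the text of the statement was fixed before the value arrived.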

Slide 22: Stored Procedures
- Use error checking variables
- Buffer direct database access

Slide 23: Demonstration

Slide 24: Conclusions
- SQL Injection continues to evolve with new technologies
- Dangerous effects
  - Access to critical information
  - Updating data not meant to be updated
  - Exploiting the DBMS to directly affect the server and its resources
- Prevention of SQL Injection
  - Input validation and query building
  - Permissions and access rights
  - Variable placeholders (prepare) and stored procedures

Slide 25: Questions
1) What could prevent the 'Students' table from being dropped?
2) What is another way to prevent injection?

Slide 26: Questions?

Slide 27: References
- Achour, Mehdi, Friedhelm Betz, Antony Dovgal, et al. "Chapter 27. Database Security." PHP Manual. 13 January 2005. PHP Documentation Group. Accessed 07 Apr. 2005.
- Dewdney, A. K. The New Turing Omnibus. New York: Henry Holt, 1989. 427-433.
- "Exploits of a Mom." xkcd.com. 4 Mar. 2008.
- Finnigan, Pete. "SQL Injection and Oracle, Part One." SecurityFocus, 21 November 2002. Accessed 07 Apr. 2005.
- Harper, Mitchell. "SQL Injection Attacks: Are You Safe?" Dev Articles, 29 May 2002. Accessed 07 Apr. 2005.