
1 SQL Injection
Anthony Brown
March 4, 2008

2 Outline
- Background of SQL Injection
- Techniques and Examples
- Preventing SQL Injection
- Demo
- Wrap-Up
- Questions

3 Background of SQL Injection

4 Databases: Where are they now?

                  Fat Server   Fat Client   Fat Server & Fat Client
  Mainframes          X
  Desktop Apps                     X
  Web Apps                                            X

5 Why is SQL a standard?
- Relational Database
- Platform Independence
- Loose Semantics
- Runtime Interpretation

6 Flexibility = Vulnerability
- Simple Injection
- Decoding Error Messages
- Blind Injection
- Encoding Exploits
- Stored Procedures
- Programmer Error (Faulty Logic)

7 SQL Injection Techniques

8 Important Symbols
  '      → "Hack"
  --     → "Comment Out"
  ;      → "End Statement"
  %, *   → "Wildcards"

9 SQL Injection Definition
The input field is modified in such a way that the database returns unintended data.
SQL: SELECT FROM WHERE

10 Example: Database Schema
- Table Users
  – Has columns "username" and "password"
  – Accessed when users log in
- Table Customers
  – Has column "phone"
  – Users can look up other customer phone numbers by name
- Application does no input validation

11 Returning Extra Rows with "union"
Query:
  SELECT phone FROM Customers WHERE last_name = ' '
Input:
  x' UNION SELECT username FROM users WHERE 'x' = 'x

12 Modifying Records
- Application has a password changing page
SQL:
  UPDATE users SET password = ' ' WHERE username = ' '
Input:
  newpassword' WHERE username LIKE '%admin%' --

13 MS SQL Server
- Default SQL Server setup
  – Default system admin account "sa" enabled
  – No password!!!
- Supports multiple queries
- "Extended stored procedures": C/C++ DLL files
  – Read/write external files
  – Access command line

14 Exploiting SQL Server
- Use phone look-up query again:
  SELECT phone FROM customers WHERE last_name = ' '
Input:
  '; exec master..xp_cmdshell 'iisreset'; --

15 Preventing SQL Injection

16 Prevention Overview
- Input Validation
- Input Checking Functions
- Access Rights
- User Permissions
- Variable Placeholders
- Stored Procedures

17 Input Validation
- Checks
  – Type
  – Size
  – Format
  – Range
- Replace quotation marks
- "All input is wrong and dangerous"

18 Input Checking Functions
- Built-in character rejection

  // Vulnerable: the raw request parameter is concatenated into the SQL string.
  $sql = "SELECT * FROM Users WHERE ID = '" . $_GET['id'] . "'";

  // Escaped: special characters in the input are escaped, and the value is
  // kept inside quotes so the escaping actually applies to a string literal.
  $sql = "SELECT * FROM Users WHERE ID = '" . mysql_real_escape_string($_GET['id']) . "'";
  $result = mysql_query($sql);

  // Note: the mysql_* functions were removed in PHP 7; mysqli or PDO with
  // placeholders is the current equivalent.

19 Access Rights
- Web User vs. System Administrator ('sa')

20 User Permissions
- Limit query access rights
  – SELECT
  – UPDATE
  – DROP
- Restricted statement access
  – Global-specific
  – Database-specific
  – Table-specific

21 Variable Placeholders (?)
- Defense from String Concatenation
- Enforcing database data types

  PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
  prep.setString(1, pwd);
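Added example, not part of the slides: the phone look-up from slide 11 run both ways against a constructed in-memory SQLite copy of the slide 10 schema, once built by string concatenation and once with a placeholder as in slide 21, so the difference in returned rows can be observed directly.

```python
import sqlite3

# Constructed sample of the slide 10 schema (Users / Customers); values are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE Customers (last_name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.executemany("INSERT INTO Customers VALUES (?, ?)",
                     [("Smith", "555-0100"), ("Jones", "555-0101")])
    conn.commit()
    return conn

def lookup_phone_unsafe(conn, last_name):
    # String concatenation: the input text becomes part of the SQL grammar,
    # so a quote in the input can close the literal and append a UNION.
    sql = "SELECT phone FROM Customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_phone_safe(conn, last_name):
    # Placeholder: the driver binds the value as data; the query structure
    # is fixed before the input is seen, so no input can add a second SELECT.
    sql = "SELECT phone FROM Customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]

# The slide 11 input, verbatim.
UNION_INPUT = "x' UNION SELECT username FROM users WHERE 'x' = 'x"

def demo():
    conn = make_db()
    return {
        "normal_unsafe": lookup_phone_unsafe(conn, "Smith"),
        "normal_safe": lookup_phone_safe(conn, "Smith"),
        "injected_unsafe": lookup_phone_unsafe(conn, UNION_INPUT),
        "injected_safe": lookup_phone_safe(conn, UNION_INPUT),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the union input returns the usernames from Users instead of phone numbers; with the placeholder the same input is simply a last name nobody has, and no rows come back.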

22 Stored Procedures
- Use error checking variables
- Buffer direct database access

23 Demonstration

24 Conclusions
- SQL Injection continues to evolve with new technologies
- Dangerous Effects
  – Access to critical information
  – Updating data not meant to be updated
  – Exploiting the DBMS to directly affect the server and its resources
- Prevention of SQL Injection
  – Input Validation and Query Building
  – Permissions and Access Rights
  – Variable Placeholders (Prepare) and Stored Procedures

25 Questions
1) What could prevent the 'Students' table from being dropped?
2) What is another way to prevent Injection?

26 Questions?

27 References
- Achour, Mehdi, Friedhelm Betz, Antony Dovgal, et al. "Chapter 27. Database Security." PHP Manual. 13 January 2005. PHP Documentation Group. Accessed 07 Apr. 2005.
- Dewdney, A. K. The New Turing Omnibus. New York: Henry Holt, 1989. 427-433.
- "Exploits of a Mom." xkcd.com. 4 Mar. 2008.
- Finnigan, Pete. "SQL Injection and Oracle, Part One." SecurityFocus, 21 November 2002. Accessed 07 Apr. 2005.
- Harper, Mitchell. "SQL Injection Attacks: Are You Safe?" Dev Articles, 29 May 2002. Accessed 07 Apr. 2005.

