NEFARIOUS

SQL

일시: 2016-7-23장소:공대9호관 김동호

1Explaining what SQL injection really is in depth.

Moreover, why we need to know about SQL Injection

2

What is SQL Injection?

Variety of SQL

Injection Method

Table of

Contents

Explaining different types of SQL Injection method and

how it works.

3

4

5

We are going to go through SQL Injection war game to

explain how SQL injection really works in live

SQL Injection

Tutorial

Ways to prevent

SQL Injection

We will go through how we can prevent SQL Injection

happening to our website

We will just quickly review what we have learned today

Review

What is SQL?SQL Database & SQL Injection

What is

SQL?

• Structured Query Language (Standard Language)

• Proprietary extension standard language

• Function

• Select

• Insert

• update,

• Find

• Etc.…

• Variety of Dialects

• T-SQL

• PL/SQL

• JET SQL

• Many more

WHY SQL?

Reason Why

SQL

1 Allows users to access data

in relational database

management systems

2 Allows to embed within other

language using SQL

modules, libraries & pre-

compiers

3 Allows users to set

permissions on tables,

procedures, And views

4 Tons of more reason to use

SQL!!

Process of

SQL

• RDMBS

• SQL Engine

• Components

• Query Dispatcher

• Optimization Engines

• Classic Query Engine

• SQL Query Engine

• Etc.

• Classic Query Engine

• SQL Query Engine

History of

SQL

1970 1974 1978 1986

Dr. Edgar F. “Ted” Codd of

IBM is known as the father of

relational databases. He

described a relational model

for databases

Structured Query Language

appeared

IBM worked to develop

Codd’s ideas and released a

product named System/R

IBM developed the first

prototype of relational

database and standardized

by ANSI. The first relational

database was released by

Relational Software and its

later becoming Oracle

SQL DIAGRAM

Understanding SQL

query statements

Different types of

Query statements

1

2

3SELECT Statement

INSERT Statement

UPDATE Statement

SELECT

Statements

• Retrieving/selecting certain information from the database

• Commonly used with where statement as well

Update

Statements

• To modify one or more existing rows of data within a table

• Changing Value which it already exist(s)

• Similar to INSERT Statements but it usually contains WHERE statement

INSERT

Statements

• To create new row of data within a table

• Such as new account, audit log, etc….

Additional

Information

• Semicolon

• SQL comment syntax

http://mysite.com/color?colorid=4

Minimal Presentation

What is

SQL Injection?

• Injecting arbitrary pieces of malicious code

• Executed as a piece of code by the back end SQL server

• Giving undesired results

• Executing code through vulnerable input parameters

• Compromising the whole system

History of

SQL Injection

1999 2003 2013 cont

Common Vulnerabilities and

Exposures dictionary has

existed to keep track of and

alert consumers and

developers alike of known

software vulnerabilities

Structured Query Language

appeared on top 10 list of

Common Vulnerabilities and

Exposures dictionary

SQL Injection was top 1

vulnerability chosen by

OWASP

SQL Injection continues to be

on top of the list for

vulnerability on many

organizations

2014 WHS Web

Vulnerability Report

Richard Alan Clarke

If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve

to be hacked“ “

HOW SQL

INJECTION WORKS

Attacker Sends data containing SQL FragmentsCUSTOM CODE

Database

1

3 Attackers views unauthorized data

Example: $sql= “SELECT*FORM table WHERE id=‘”.$_REQUEST[‘id’].”’”;

Applications sends modified queries to get the database and query return values

2

Types of SQL Injection

Union Based

InclusiveError Based

Boolean

Executing

Time

Schema Discovery

Tautology

Single quote

Error Based SQL Injection

Single Character Injection Test

CarsByCylinders?Cylinders=V12

SELECTED Id, Name FROM Supercar WHERE Cylinders = ‘V12’

CarsByCylinders?Cylinders=V12

SELECTED Id, Name FROM Supercar WHERE Cylinders = ‘V12’‘

‘

‘

CarsByCylinders?Cylinders=V12

SELECTED Id, Name FROM Supercar WHERE Cylinders = ‘V12’‘

‘ or 1=1--

‘

CarsByCylinders?Cylinders=V12

SELECTED Id, Name FROM Supercar WHERE Cylinders = ‘V12’‘ or 1=1--

‘ or 1=1--

‘

TautologyA tautology is a formula that is true in every possible interpretation

Circumventing Access Controls

Circumventing Access ControlsUserName = johnsmithPassword = p@ssword

Circumventing Access Controls

UserName = johnsmithPassword = p@ssword

SELECT COUNT (*) FROM Users WHERE UserName=‘johnsmith’ AND Password=‘p@ssword’

Circumventing Access Controls

UserName = johnsmith’ or 1=1--Password = p@ssword

SELECT COUNT (*) FROM Users WHERE UserName=‘johnsmith’ or 1=1--’ AND Password=‘p@ssword’

Circumventing Access Controls

UserName = johnsmith’ and 1=1--Password = p@ssword

SELECT COUNT (*) FROM Users WHERE UserName=‘johnsmith’ and 1=1--’ AND

Password=‘p@ssword’

Circumventing Access Controls

UserName = johnsmith’--Password = p@ssword

SELECT COUNT (*) FROM Users WHERE UserName=‘johnsmith’--’ AND Password=‘p@ssword’

Modifying Data and DB Objects

UserName= johnsmith’;update users set password=‘foo’--

Modifying Data and DB Objects

UserName= johnsmith’;update users set password=‘foo’--

UserName= johnsmith’;update item set price=price-1--

Modifying Data and DB Objects

UserName= johnsmith’;update users set password=‘foo’--

UserName= johnsmith’;update item set price=price-1--

UserName= johnsmith’;insert into….

Modifying Data and DB Objects

UserName= johnsmith’;update users set password=‘foo’--

UserName= johnsmith’;update item set price=price-1--

UserName= johnsmith’;insert into….

UserName= johnsmith’;drop table users--

Modifying Data and DB Objects

UserName= johnsmith’;update users set password=‘foo’--

UserName= johnsmith’;update item set price=price-1--

UserName= johnsmith’;insert into….

UserName= johnsmith’;drop table users--

UserName= johnsmith’;create login…

Union Based SQL Injection

Understanding Union Operators

Executing Union SQL Injection

Querying System Objects for schema discovery

Extracting Schema Details with Union Injection

Blind Based SQL Injection

Basic Attack Success Criteria

Basic Attack Success Criteria

The app needs to return internal exceptions which bubble up from the underlying database

Basic Attack Success Criteria

The app needs to return internal exceptions which bubble up from the underlying database

The query structure needs to allow the union operator to be injected and the vector needs to return results to the app

Basic Attack Success Criteria

The command executed on the database can be manipulated by the attacker

Boolean SQL Injection

How to prevent SQL Injection

Ways to prevent

SQL Injection

1 2Implement Proper

Error Handling

Validating

Untrusted Data

Implementing Proper

Error Handling

Validating

Unstructured Data

More Prevention

Method

1

2

3

4

Query

Parameterization

Stored Procedures

Object Relational

Mappers

Using an IDS or

WAF

Questions?