[kerference] nefarious sql - 김동호(kert)
TRANSCRIPT
NEFARIOUS SQL
Date: 2016-7-23  Venue: College of Engineering Building 9  김동호
Table of Contents
1 What is SQL Injection? Explaining what SQL injection really is in depth, and why we need to know about SQL injection.
2 Variety of SQL Injection Methods: explaining the different types of SQL injection methods and how they work.
3 SQL Injection Tutorial: we are going to go through an SQL injection war game to explain, live, how SQL injection really works.
4 Ways to Prevent SQL Injection: we will go through how we can prevent SQL injection from happening to our website.
5 Review: we will quickly review what we have learned today.
What is SQL? SQL Database & SQL Injection
What is SQL?
• Structured Query Language (standard language)
• Proprietary extensions to the standard language
• Functions
  • Select
  • Insert
  • Update
  • Find
  • Etc.
• Variety of dialects
  • T-SQL
  • PL/SQL
  • JET SQL
  • Many more
WHY SQL?
Reasons Why SQL
1 Allows users to access data in relational database management systems
2 Allows embedding within other languages using SQL modules, libraries & precompilers
3 Allows users to set permissions on tables, procedures, and views
4 Tons of more reasons to use SQL!!
Process of SQL
• RDBMS
• SQL Engine
• Components
  • Query Dispatcher
  • Optimization Engines
  • Classic Query Engine
  • SQL Query Engine
  • Etc.
History of SQL
1970: Dr. Edgar F. "Ted" Codd of IBM is known as the father of relational databases. He described a relational model for databases.
1974: Structured Query Language appeared.
1978: IBM worked to develop Codd's ideas and released a product named System/R.
1986: IBM developed the first prototype of a relational database, and SQL was standardized by ANSI. The first relational database was released by Relational Software, which later became Oracle.
SQL DIAGRAM
Understanding SQL query statements
Different types of query statements
1 SELECT Statement
2 INSERT Statement
3 UPDATE Statement
SELECT Statements
• Retrieving/selecting certain information from the database
• Commonly used together with a WHERE clause
UPDATE Statements
• To modify one or more existing rows of data within a table
• Changing a value that already exists
• Similar to INSERT statements, but it usually contains a WHERE clause
INSERT Statements
• To create a new row of data within a table
• Such as a new account, an audit log entry, etc.
Additional Information
• Semicolon (statement terminator)
• SQL comment syntax (e.g. --)
http://mysite.com/color?colorid=4
Minimal Presentation
What is SQL Injection?
• Injecting arbitrary pieces of malicious code
• Executed as a piece of code by the back-end SQL server
• Giving undesired results
• Executing code through vulnerable input parameters
• Compromising the whole system
History of SQL Injection
1999: The Common Vulnerabilities and Exposures dictionary has existed to keep track of, and alert consumers and developers alike to, known software vulnerabilities.
2003: Structured Query Language appeared on the top 10 list of the Common Vulnerabilities and Exposures dictionary.
2013: SQL Injection was the number 1 vulnerability chosen by OWASP.
cont.: SQL Injection continues to be at the top of the vulnerability list for many organizations.
2014 WHS Web Vulnerability Report
Richard Alan Clarke
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
HOW SQL INJECTION WORKS
1 Attacker sends data containing SQL fragments to the custom code
2 Application sends the modified query to the database and the query returns values
3 Attacker views unauthorized data
Example (vulnerable: the request parameter is concatenated straight into the SQL string):
$sql = "SELECT * FROM table WHERE id='" . $_REQUEST['id'] . "'";
Types of SQL Injection
Union Based, Inclusive, Error Based, Boolean, Executing Time, Schema Discovery, Tautology, Single quote
Error Based SQL Injection
Single Character Injection Test
Input: CarsByCylinders?Cylinders=V12
Query: SELECT Id, Name FROM Supercar WHERE Cylinders = 'V12'
Input: CarsByCylinders?Cylinders=V12'
Query: SELECT Id, Name FROM Supercar WHERE Cylinders = 'V12'' (the extra quote leaves the string unterminated, so the database raises a syntax error; if the app returns that error, it reveals the injection point)
Input: CarsByCylinders?Cylinders=V12' or 1=1--
Query: SELECT Id, Name FROM Supercar WHERE Cylinders = 'V12' or 1=1--' (the -- comments out the trailing quote and the condition is always true)
Tautology
A tautology is a formula that is true in every possible interpretation.
Circumventing Access Controls
UserName = johnsmith, Password = p@ssword
SELECT COUNT(*) FROM Users WHERE UserName='johnsmith' AND Password='p@ssword'
UserName = johnsmith' or 1=1--, Password = p@ssword
SELECT COUNT(*) FROM Users WHERE UserName='johnsmith' or 1=1--' AND Password='p@ssword'
UserName = johnsmith' and 1=1--, Password = p@ssword
SELECT COUNT(*) FROM Users WHERE UserName='johnsmith' and 1=1--' AND Password='p@ssword'
UserName = johnsmith'--, Password = p@ssword
SELECT COUNT(*) FROM Users WHERE UserName='johnsmith'--' AND Password='p@ssword'
Modifying Data and DB Objects
UserName = johnsmith';update users set password='foo'--
UserName = johnsmith';update item set price=price-1--
UserName = johnsmith';insert into….
UserName = johnsmith';drop table users--
UserName = johnsmith';create login…
Union Based SQL Injection
Understanding Union Operators
Executing Union SQL Injection
Querying System Objects for schema discovery
Extracting Schema Details with Union Injection
Blind Based SQL Injection
Basic Attack Success Criteria
The app needs to return internal exceptions which bubble up from the underlying database
The query structure needs to allow the union operator to be injected and the vector needs to return results to the app
The command executed on the database can be manipulated by the attacker
Boolean SQL Injection
How to prevent SQL Injection
Ways to prevent SQL Injection
1 Implement Proper Error Handling
2 Validating Untrusted Data
Implementing Proper Error Handling
Validating Untrusted Data
More Prevention Methods
1 Query Parameterization
2 Stored Procedures
3 Object Relational Mappers
4 Using an IDS or WAF
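Worked example added here (not code from the talk): the login check from the Circumventing Access Controls slides and the CarsByCylinders probe, written in Python against a constructed SQLite database, first with the string concatenation the slides show and then with query parameterization and proper error handling. The table layouts and the sample Supercar row are assumptions.

```python
import logging
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the Users and Supercar tables on the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('johnsmith', 'p@ssword')")
    db.execute("CREATE TABLE Supercar (Id INTEGER, Name TEXT, Cylinders TEXT)")
    db.execute("INSERT INTO Supercar VALUES (1, 'Hypothetical GT', 'V12')")  # assumed row
    return db

def login_vulnerable(db, username, password):
    """String concatenation, like the slide's $_REQUEST example: input becomes SQL text,
    so johnsmith' or 1=1-- turns the WHERE clause into a tautology and comments out the rest."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='" + username
           + "' AND Password='" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    """Query parameterization: the driver binds the values as data, so quotes and -- are inert."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def cars_by_cylinders(db, cylinders):
    """CarsByCylinders with concatenation: a lone quote (V12') breaks the SQL syntax and the
    raw sqlite3 error would bubble up to the client, confirming the injection point."""
    sql = "SELECT Id, Name FROM Supercar WHERE Cylinders='" + cylinders + "'"
    return db.execute(sql).fetchall()

def cars_by_cylinders_parameterized(db, cylinders):
    """The same lookup with a bound parameter: V12' is just a value that matches nothing."""
    sql = "SELECT Id, Name FROM Supercar WHERE Cylinders=?"
    return db.execute(sql, (cylinders,)).fetchall()

def cars_by_cylinders_handled(db, cylinders):
    """Proper error handling on the vulnerable query: log the exception server-side and return
    a generic message. This hides the probe signal but does not remove the injection; use
    parameterization for that."""
    try:
        return cars_by_cylinders(db, cylinders)
    except sqlite3.Error as exc:
        logging.error("query failed: %s", exc)   # details stay in the server log
        return "request could not be processed"  # nothing from the database reaches the client
```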
Questions?