25-04-2010, 09:13 PM
SQL INJECTION
Presented By:
Nikita Dhurve
What is SQL
SQL stands for Structured Query Language.
Allows us to access a database.
Database is maintained in table form.
SQL can:
Execute queries against a database.
Retrieve data from the database.
Insert new records into the database.
Delete records from the database.
Update records in the database.
SQL QUERIES:
All major SQL databases support the same major keywords (SELECT, UPDATE, DELETE, INSERT, WHERE and others) in a similar manner.
With SQL, we can query a database and have a result set returned.
Using a query like this:
SELECT lastname
FROM users
WHERE userid=1;
This will retrieve the lastname from the users table where the userid is 1.
WHAT IS SQL INJECTION
HOW COMMON IT IS
It is probably the most common Website vulnerability today!
It is a flaw in "web application" development,
it is not a DB or web server problem
Most programmers are still not aware of this problem
A lot of the tutorials & demo templates are vulnerable
Even worse, a lot of solutions posted on the Internet are not good enough
VULNERABLE APPLICATION
An application is vulnerable when end-user string input is not properly validated and is passed into a dynamic SQL statement without any such validation.
The string input is usually passed directly to the SQL statement.
Because of the stateless nature of many web applications, it is common to write data to the database or store it using some other means between web pages.
This indirect type of attack is much more complex and often requires in-depth knowledge of the application.
NOT VULNERABLE
SQL Statements using bind variables are generally protected from SQL Injection as the Oracle database will use the value of the bind variable exclusively and not interpret the contents of the variable in any way.
PL/SQL and JDBC allow for bind variables.
Bind variables should be extensively used for both security and performance reasons.
SQL INJECTION CHARACTERS
' or "                    string indicators
-- or #                   single-line comment
/* ... */                 multiple-line comment
+                         addition, concatenate (or space in a URL)
|| (double pipe)          concatenate
%                         wildcard attribute indicator
Param1=foo&Param2=bar     URL parameters
PRINT                     useful as a non-transactional command
@variable                 local variable
@@variable                global variable
waitfor delay '0:0:10'    time delay
POWER OF '
In a SQL statement the user-filled fields are enclosed by single quotation marks (').
A simple test would be to try using (') as the username.
The following error message will be displayed when a (') is entered into a form that is vulnerable to SQL injection:
WARNING: Input validation attacks occur here on a website.
If this error is displayed then SQL injection techniques can be tried.
USE OF % (WILDCARD ATTRIBUTE)
Oracle provides % for finding information related to a particular field.
The attacker makes use of this to guess the username of an account by querying for similar user names (ex: 'ad%' is used to query for admin).
The attacker can insert data by appending commands or writing queries.
Also there are several extended stored procedures which can make direct calls to the operating system and can cause permanent damage to the system.
HOW DOES SQL INJECTION WORK
Common vulnerable login query:
SELECT * FROM users
WHERE login = 'victor'
AND password = '123'
(If it returns something then login!)
ASP/MS SQL Server login syntax:
var sql = "SELECT * FROM users " +
          "WHERE login = '" + formusr +
          "' AND password = '" + formpwd + "'";
INJECTING THROUGH STRINGS
WEB APPLICATION FORM
formusr = ' or 1=1 --
formpwd = anything
Final query would look like this:
SELECT * FROM users
WHERE username = '' or 1=1
-- ' AND password = 'anything'
SIMPLE ATTACKS
Product Search:
This input is put directly into the SQL statement within the web application:
$query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_POST['prod_search'] . "'";
Creates the following SQL:
SELECT prodinfo FROM prodtable WHERE prodname = 'blah' OR 'x' = 'x'
The attacker has now successfully caused the entire database to be returned.
MOST MALICIOUS ATTACK
What if the attacker had instead entered:
blah'; DROP TABLE prodinfo; --
Results in the following SQL:
SELECT prodinfo FROM prodtable WHERE prodname = 'blah'; DROP TABLE prodinfo; --'
Note how the comment (--) consumes the final quote.
Causes the entire database to be deleted.
Depends on knowledge of the table name.
This is sometimes exposed to the user in debug code called during a database error.
Use non-obvious table names, and never expose them to the user.
DANGEROUS ATTACK
One of SQL Server's most powerful commands is:
SHUTDOWN WITH NOWAIT, which causes it to shut down, immediately stopping the Windows service.
Username: ' ; shutdown with nowait; --
Password: [Anything]
This can happen if the script runs the following query:
select userName from users where
userName='' ; shutdown with nowait; --' and
user_Pass=''
CATEGORIES OF SQL INJECTION
There are four main categories of SQL Injection attacks against Oracle databases:
SQL Manipulation.
Code Injection.
Function Call Injection.
Buffer Overflows.
SQL MANIPULATION.
MODIFYING OF THE SQL STATEMENT USING SET OPERATIONS LIKE UNION, INTERSECT, MINUS ETC.
DURING LOGIN AUTHENTICATION...
SELECT * FROM users WHERE username='bob' and PASSWORD='mypassword'.
THE ATTACKER ATTEMPTS TO MANIPULATE THE SQL STATEMENT SO THAT IT WILL EXECUTE AS:
SELECT * FROM users WHERE username='bob' and PASSWORD='mypassword' OR 'a'='a'.
CODE INJECTION
Code injection attacks attempt to add additional SQL statements or commands to the existing SQL statement.
This type of attack is frequently used against Microsoft SQL Server applications, but seldom works with an Oracle database.
RESULTING QUERY:
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'; DELETE FROM users WHERE username = 'admin';
The following is an example of a PL/SQL block executed in a web application:
BEGIN ENCRYPT_PASSWORD('bob', 'mypassword'); END;
The above example PL/SQL block executes an application stored procedure that encrypts and saves the user's password. An attacker will attempt to manipulate the PL/SQL block to execute as:
BEGIN ENCRYPT_PASSWORD('bob', 'mypassword'); DELETE FROM users WHERE upper(username) = upper('admin'); END;
FUNCTION CALL INJECTION
Function call injection is the insertion of Oracle database functions or custom functions into a vulnerable SQL statement.
These function calls can be used to make operating system calls or manipulate data in the database.
Functions executed as part of a SQL SELECT statement cannot make any changes to the database unless the function is marked as PRAGMA TRANSACTION.
BUFFER OVERFLOW
A number of standard Oracle database functions are susceptible to buffer overflows, which can be exploited through a SQL injection attack in an un-patched database.
Known buffer overflows exist in the standard database packages as well as in standard database functions such as TZ_OFFSET, TO_TIMESTAMP_TZ, BFILENAME, FROM_TZ, NUMTOYMINTERVAL, and NUMTODSINTERVAL.
SQL INJECTION TESTING
IT'S NECESSARY TO CHECK FOR SQL INJECTION.
UNLESS WE TEST, WE WILL NOT BE ABLE TO PREVENT THE ATTACKS.
PREVENTION TECHNIQUES
The various techniques used to prevent SQL injection are:
Parameterized queries
Stored procedures
Regular expressions to discard bad input strings
Quote block function
Don't show detailed error messages to the user.
Have a less privileged user/role for your application in the database.
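The login example from the "HOW DOES SQL INJECTION WORK" and "INJECTING THROUGH STRINGS" slides, rebuilt here as an added example that is not part of the original presentation. It uses Python's sqlite3 in place of ASP/SQL Server, with a constructed in-memory users table, and puts the string-concatenated query beside the parameterized (bind variable) version that the prevention slide recommends:

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original deck: one user, victor/123.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('victor', '123')")
    return conn


def build_vulnerable_sql(formusr, formpwd):
    # Same construction as the deck's ASP snippet: user input pasted into the SQL text.
    return ("SELECT * FROM users WHERE login = '" + formusr +
            "' AND password = '" + formpwd + "'")


def login_vulnerable(conn, formusr, formpwd):
    # The quote in formusr closes the string literal, "or 1=1" makes the WHERE
    # clause always true, and "--" comments out the password check.
    return conn.execute(build_vulnerable_sql(formusr, formpwd)).fetchone() is not None


def login_parameterized(conn, formusr, formpwd):
    # Bind variables: the driver passes the values separately from the SQL text,
    # so the quote, "or 1=1" and "--" are only compared against the column data.
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (formusr, formpwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print(build_vulnerable_sql(payload, "anything"))
    print("vulnerable login accepts payload:", login_vulnerable(db, payload, "anything"))
    print("parameterized login accepts payload:", login_parameterized(db, payload, "anything"))
```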
Automated SQL Injection Tools
Wpoison is a tool that finds strings in dynamic web documents that are potentially vulnerable to SQL injection.
Mieliekoek.pl is an SQL injection crawler that will test all forms on a website for possible SQL injection problems.
ADVANTAGES
STUDYING SQL INJECTION ATTACKS CAN BE HELPFUL FOR DEVELOPING APPLICATIONS WHICH ARE NOT VULNERABLE TO THESE ATTACKS.
MANY PREVENTION TECHNIQUES ARE AVAILABLE FOR SQL INJECTION ATTACKS.
SECURITY MEASURES CAN BE IMPLEMENTED.
DISADVANTAGES
NO SYSTEM IS SECURE FROM SQL INJECTION.
THOUGH THERE ARE MANY METHODS OF SQL INJECTION PREVENTION, NOT A SINGLE METHOD IS 100% FOOLPROOF.
CONFIDENTIAL INFORMATION CAN ALSO BE RETRIEVED BY AN ATTACKER USING A LOT OF INFORMATION.
APPLICATIONS
IT IS COVERED BY OWASP (OPEN WEB APPLICATION SECURITY PROJECT).
IT IS ALSO ADDRESSED BY THE GREENSQL FIREWALL.
CONCLUSION
SQL Injection is a fascinating and dangerous vulnerability.
All programming languages and all SQL databases are potentially vulnerable.
Protecting against it requires:
strong design
correct input validation
hardening
This article is meant to make aware the people who are in any way related to database maintenance, such as DBAs, site owners, computer science students involved in database projects, and the general public launching their sites on the internet.
Through this article one can learn which breaches can be closed, either in code or by protection measures such as firewalls.
ANY QUESTIONS