SQL Injection

Bisha University
What is SQL Injection?
• SQL injection is a code injection technique that might destroy your database.
• SQL injection is one of the most common web hacking techniques.
• SQL injection is the placement of malicious code in SQL statements, via web page input.
How SQL Injection Works
Impact of SQL Injection
• There are a number of things an attacker can do when exploiting an SQL injection on
a vulnerable website. Usually, it depends on the privileges of the user the web
application uses to connect to the database server. By exploiting an SQL injection
vulnerability, an attacker can:
• Add, delete, edit or read content in the database
• Read source code from files on the database server
• Write files to the database server
Real World Examples
• On August 17, 2009, the United States Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack.
• In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.
Types of SQL Injection
1) In-band SQLi
2) Inferential SQLi
3) Out-of-band SQLi
In-band SQLi
• In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
• The two most common types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.

In-band SQLi
Error-based SQLi:
is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database.
Union-based SQLi:
is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result.
Inferential SQLi
• In an inferential SQLi attack, no data is actually transferred via the web application, and the attacker would not be able to see the result of an attack in-band.
• Instead, an attacker is able to reconstruct the database structure by sending payloads and observing the web application's response and the resulting behavior of the database server.
• The two types of inferential SQL Injection are Boolean-based blind SQLi and time-based blind SQLi.
Out-of-band SQLi
• Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
• Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).
• Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker.
Important Syntax
LOGIC: 'a'='a'
Example: SELECT * FROM `table` WHERE 'a'='a'

MULTI STATEMENTS: S1; S2
Example: SELECT * FROM `table`; DROP TABLE `table`;
Examples
SQL Injection Based on 1=1 is Always True
• If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
    UserId: 105 OR 1=1
• Then, the SQL statement will look like this:
    SELECT * FROM Users WHERE UserId = 105 OR 1=1;
• The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
• A hacker might get access to all the user names and passwords in a database by simply inserting 105 OR 1=1 into the input field.
Examples
SQL Injection Based on ""="" is Always True
• The intended statement:
    SELECT * FROM Users WHERE Name ="Ali Anwar" AND Pass ="account1!"
• A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box:
    User Name: " or ""="
    Password: " or ""="
• The code at the server will create a valid SQL statement like this:
    SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
• The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.
Examples
SQL Injection Based on Batched SQL Statements
• A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
• Example:
    SELECT * FROM Users; DROP TABLE Suppliers
• Look at the following example, where the query is built by concatenating the request parameter:
    txtUserId = getRequestString("UserId");
    txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
• And the following input:
    User id: 105; DROP TABLE Suppliers
• The valid SQL statement would look like this:
    SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;
Example Website
Login form input:
    user: timbo317
    pass: cse7330

Resulting query:
    SELECT * FROM `login` WHERE `user`='timbo317' AND `pass`='cse7330'

Login Database Table
    user        pass
    timbo317    cse7330

What Could Go Wrong??

Example Hack
Login form input:
    user: ' OR 'a'='a
    pass: ' OR 'a'='a

Resulting query:
    SELECT * FROM `login` WHERE `user`='' OR 'a'='a' AND `pass`='' OR 'a'='a'

It Gets Worse!
Login form input:
    user: '; DROP TABLE `login`; --
    pass: (left empty)

Resulting query:
    SELECT * FROM `login` WHERE `user`=''; DROP TABLE `login`; --' AND `pass`=''
SQL Injection Prevention
1. Employ comprehensive data sanitization.
Websites must filter all user input. Ideally, user data should be filtered for context. For example, email addresses should be filtered to allow only the characters allowed in an e-mail address, phone numbers should be filtered to allow only the characters allowed in a phone number, and so on.

2. Use a web application firewall.
A popular example is the free, open source module ModSecurity, which is available for Apache and Microsoft IIS. ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests. Its SQL injection defenses can catch most attempts to sneak SQL through web channels.
SQL Injection Prevention
3. Limit database privileges by context.
Create multiple database user accounts with the minimum level of privilege for their usage environment. For example, the code behind a login page should query the database using an account limited only to the relevant credentials table.

4. Avoid constructing SQL queries with user input.
Even data sanitization routines can be flawed. Using SQL variable binding with prepared statements or stored procedures is much safer than constructing full queries from user input.
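As an added example (not part of the slides), assuming Python's sqlite3 module and a constructed in-memory copy of the `login` table from the Example Website slide: the concatenated query from the slides beside its bound-parameter form, both run against the slides' own ' OR 'a'='a input.

```python
import sqlite3


def make_db():
    """Constructed in-memory copy of the slides' `login` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `login` (`user` TEXT, `pass` TEXT)")
    conn.execute("INSERT INTO `login` VALUES ('timbo317', 'cse7330')")
    return conn


def login_concat(conn, user, password):
    """The slides' pattern: input is pasted into the SQL text, so a quote in
    the input closes the literal and the remainder is parsed as SQL. With
    ' OR 'a'='a in both fields the WHERE clause becomes
    `user`='' OR 'a'='a' AND `pass`='' OR 'a'='a', which is true for every
    row because AND binds tighter than OR."""
    sql = ("SELECT * FROM `login` WHERE `user`='" + user
           + "' AND `pass`='" + password + "'")
    return conn.execute(sql).fetchall()


def login_bound(conn, user, password):
    """Prevention step 4: the SQL text is fixed and the values travel
    separately as bound parameters, so input is only ever compared, never
    parsed. The same payload now simply fails to match any row."""
    sql = "SELECT * FROM `login` WHERE `user`=? AND `pass`=?"
    return conn.execute(sql, (user, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 'a'='a"
    print("concat, real creds:", login_concat(conn, "timbo317", "cse7330"))
    print("concat, payload   :", login_concat(conn, payload, payload))
    print("bound,  payload   :", login_bound(conn, payload, payload))
```

Python's sqlite3 `execute()` refuses more than one statement per call, so the slides' `; DROP TABLE` batch would raise an error here rather than run; many other drivers and databases accept stacked statements, which is why binding, not the driver, is the fix to rely on.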
SQL Injection Prevention
5. Regularly apply software patches.
Because SQL injection vulnerabilities are regularly identified in commercial software, it is important to stay up to date on patching.

6. Continuously monitor SQL statements from database-connected applications.
This will help identify rogue SQL statements and vulnerabilities. Monitoring tools that utilize machine learning and/or behavioral analysis can be especially useful.
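One way to put step 6 into practice, as an added example that is not part of the slides: reduce each observed statement to its shape by replacing literals with placeholders, then flag any shape the application is not known to issue. The allow-list and the captured statements below are constructed from the queries shown on the slides.

```python
import re

# Literals become placeholders, so queries that differ only in parameter
# values collapse onto one template, while an injected quote, tautology or
# second statement changes the shape and therefore the template.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")


def template(sql):
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER_LITERAL.sub("?", shape)
    return re.sub(r"\s+", " ", shape).strip().lower()


# Constructed allow-list: the statement shapes the application legitimately
# issues, learned here from the two intended queries on the slides.
KNOWN_TEMPLATES = {
    template("SELECT * FROM `login` WHERE `user`='timbo317' AND `pass`='cse7330'"),
    template("SELECT * FROM Users WHERE UserId = 105"),
}

# Constructed sample of statements as a database-side monitor would see them.
SAMPLE_STATEMENTS = [
    "SELECT * FROM `login` WHERE `user`='alice' AND `pass`='s3cret!'",
    "SELECT * FROM Users WHERE UserId = 7",
    "SELECT * FROM `login` WHERE `user`='' OR 'a'='a' AND `pass`='' OR 'a'='a'",
    "SELECT * FROM Users WHERE UserId = 105 OR 1=1",
    "SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers",
]


def find_rogue(statements, known=KNOWN_TEMPLATES):
    """Return the statements whose template is not on the allow-list."""
    return [s for s in statements if template(s) not in known]


if __name__ == "__main__":
    for stmt in find_rogue(SAMPLE_STATEMENTS):
        print("ROGUE:", stmt, "->", template(stmt))
```

In a real deployment the allow-list is learned during a baseline period and every new template raises an alert for review; the literal stripping above covers only the simple quoted-string and numeric forms that appear on the slides.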
