How Did I Steal Your Database
Download
Report
Transcript How Did I Steal Your Database
How Did I Steal Your Database
Mostafa Siraj
@mostafasiraj
Agenda
Noooo, it kills suspense
DISCLAIMER
Hacking websites is ILLEGAL
This presentation is meant for educational purposes
ONLY
Only use this stuff on YOUR website and YOUR
account
SQL Injection
What is it?
The application dynamically
generates an SQL query based on user input,
but it does not sufficiently prevent that
input from modifying the intended structure
of the query.
SQL Injection Example, Bypassing Logon
• Original SQL Query
String sqlQuery = "SELECT * FROM user WHERE name = '" + username +"' AND
pass='" + password + "'“
…..
• Setting username to Mostafa & password to ' OR '1'= '1 produces
SELECT * FROM user WHERE name = 'Mostafa' AND pass='' OR '1'='1'
• Attacker is logged on without Authentication
Not only your web app and DB are at risk
• Depending on the DB, an attacker can access the operating system
• MS SQL Server: Execute OS command xp_cmdshell
• Set username to '; exec master.dbo.xp_cmdshell "dir";-- produces
SELECT * FROM user WHERE
name=''; exec master.dbo.xp_cmdshell "dir"; -Note: dir list directory content
Let's play Hide and Seek
Original: SELECT * FROM user WHERE name=''; exec
master.dbo.xp_cmdshell "dir"; -Defender: Disallow double quotes:
Attacker: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell dir; --
Defender: Filter out string “xp_cmdshell”
Attacker: ';declare @a varchar(1000);
set @a = 'master.dbo.xp_' + 'cmdshell dir';
exec (@a);--
Defender: Filter out “xp”, “cmd”, “shell”, ….
Attacker: ';declare @a varchar(1000);
set @a = reverse('rid llehsdmc_px.obd.retsam');
exec (@a);--
Finding SQL Injection Bugs
Finding SQL Injection Bugs
• Submit single quotation mark and observe the result
• Submit two single quotation and observe the result
• Identify the database (e.g.
Oracle: ‘||’FOO
MS-SQL: ‘+’FOO
MySQL: ‘ ‘FOO
[note the space btw the 2 quotes]
Finding SQL Injection Bugs
• For multistate processes, complete all the states before
observing the results
• For search fields try using the wildcard character %
Finding SQL Injection Bugs
• For numeric data, if the original value was 2 try
submitting
1+1 or 3-1
• If successful try using SQL-specific keywords, e.g.
67-ASCII(‘A’)
• If single quotes are filtered try
51-ASCII(1) [note ASCII(1)=49]
Inject into different statement types
• You can do the same for all SQL statements (INSERT,
UPDATE or DELETE)
• Watch out when injecting in UPDATE or DELETE
Demo
WebGoat
Demo
HacmeBank
Demo
Using UNION Operator
Demo
MS-SQL Error
Solution
• Validate the input -accept only known good• Process SQL queries using prepared statements, parameterized
queries, or stored procedures.
• Enforce least privilege
• Avoid detailed error messages
• Show care when using stored procedures (e.g. exec)
Thank You
@mostafasiraj