Malware Trojan.Mebromi

Transcript

(CPSC620)
Sanjay Tibile
Vinay Deore
Agenda

Database and SQL

What is SQL Injection?

Types

Example of attack

Prevention

References
Database:
A database is an organized collection of data, held in digital form for one or more purposes.
SQL:
SQL is the language used to define, query and manipulate data in relational database management systems (RDBMS).
SQL Injection:
SQL injection is an attack in which malicious SQL is inserted into strings that are later passed to a database server (the MSDN definition says "an instance of SQL Server", but every RDBMS is affected) for parsing and execution.
SQL injection is often used to attack a website by entering SQL fragments in a web form to get a badly designed application to dump the database contents to the attacker.
Many web applications take user input from a form, and often this input is used literally in the construction of a SQL query submitted to the database. That literal splicing is the bug: the database cannot tell which part of the text the developer wrote and which part the user supplied.
Examples (after Steve Friedl's unixwiz.net article; each query below is what the database receives after the form value has been spliced into the application's query template):
Brute-force password guessing (the application's own query shape, here with a guessed password; the later examples hijack this template):
SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]' AND passwd = 'hello123';
The database isn't read-only:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members;
Adding a new member:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members (email, passwd, login_id, full_name) VALUES ('[email protected]','hello','steve','Steve Friedl');
Mail me a password (re-point a victim's address at the attacker, then use the site's "forgot password" feature):
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = '[email protected]' WHERE email = '[email protected]';
In each of the last three cases the form value starts with x' to close the string the template opened, then carries the attacker's own statement; the application still appends its closing '; so in practice the value ends with a comment marker (--) to neutralise it.
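The three stacked-statement examples above, as an added runnable example in Python's sqlite3 (this is not code from the slides or from Friedl's article). The members table and its two rows are constructed here, the attack strings are what the attacker would type into the email field, and executescript() stands in for a driver or server that runs every statement it is handed.

```python
import sqlite3

# Constructed sample rows; the slides name the columns but not the data.
MEMBERS = [
    ("bob@example.com", "hello123", "bob", "Bob Smith"),
    ("alice@example.com", "s3cret", "alice", "Alice Jones"),
]

# What the attacker types into the "email" form field for each slide example.
# Each starts with x' to close the string the template opened, adds its own
# statement, then comments out the trailing '; that the application appends.
ATTACK_DROP_TABLE = "x'; DROP TABLE members; --"
ATTACK_ADD_MEMBER = (
    "x'; INSERT INTO members (email, passwd, login_id, full_name) "
    "VALUES ('steve@example.com', 'hello', 'steve', 'Steve Friedl'); --"
)
ATTACK_STEAL_ACCOUNT = (
    "x'; UPDATE members SET email = 'attacker@example.com' "
    "WHERE email = 'bob@example.com'; --"
)


def fresh_db():
    """In-memory database holding the members table from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def build_query(email):
    """The flaw: the form value is spliced into the SQL text."""
    return (
        "SELECT email, passwd, login_id, full_name FROM members "
        "WHERE email = '" + email + "';"
    )


def run_vulnerable(conn, email):
    """Run the spliced query and return the text that reached the database.

    executescript() runs every statement in the string, as many drivers and
    database servers do, so the stacked statement executes. (sqlite3's
    execute() refuses a second statement, but that is a property of one
    driver, not a defense: the bug is the string building.)
    """
    sql = build_query(email)
    conn.executescript(sql)
    return sql


def member_count(conn):
    return conn.execute("SELECT COUNT(*) FROM members").fetchone()[0]


def email_of(conn, login_id):
    row = conn.execute(
        "SELECT email FROM members WHERE login_id = ?", (login_id,)
    ).fetchone()
    return row[0] if row else None


def table_exists(conn, name="members"):
    return conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone() is not None


if __name__ == "__main__":
    conn = fresh_db()
    print(run_vulnerable(conn, ATTACK_ADD_MEMBER))
    print("members now:", member_count(conn))                 # 3
    run_vulnerable(conn, ATTACK_STEAL_ACCOUNT)
    print("bob's address now:", email_of(conn, "bob"))        # attacker@example.com
    run_vulnerable(conn, ATTACK_DROP_TABLE)
    print("members table still exists:", table_exists(conn))  # False
```

Running it prints the exact query text from the "Adding a new member" slide (with the example addresses substituted) followed by the effect of each attack on the table. The UPDATE step is the "mail me a password" attack: once bob's record carries the attacker's address, a password-reset mail goes to the attacker.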
Types

Incorrect type handling (a field expected to be numeric is not checked to be numeric before use)

Poorly filtered strings (escape characters such as quotes are neither removed nor escaped)

Whitespace multiplicity (varying the whitespace in a payload to evade signature-based filters)

Verbose error messages (attackers get hold of the error information the database returns)

Using SQL injections, attackers can
- Add new data to the database
  Could be embarrassing to find yourself selling some inappropriate items on your site
  Perform an INSERT in the injected SQL
- Modify data currently in the database
  Could be very costly to have an expensive item suddenly be deeply 'discounted'
  Perform an UPDATE in the injected SQL
- Often gain access to other users' system capabilities by obtaining their passwords
Examples:
- In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.
- On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised by TinKode using blind SQL injection.
- In August 2011, a hacker stole user records from the Nokia Developer site using SQL injection.
- Sony PlayStation user data was compromised.
Defenses
Privilege Restrictions
- Restrict database functions that are not necessary for the application
- Use stored procedures for database access: the application account gets execute rights on the procedures and no direct table access, which can eliminate application-built SQL entirely
- Caveat: a stored procedure that concatenates its arguments into dynamic SQL (for example through EXEC) is just as injectable as application code; the benefit comes from the procedure using its parameters as values
More Defenses

Check the syntax of input for validity
- Many classes of input have fixed languages: email addresses, dates, part numbers, etc.
- Verify that the input is a valid string in that language
- Some languages allow problematic characters (e.g. '*' in email addresses); you may decide not to allow these
- If you can exclude quotes and semicolons, that's good, but treat character filtering as a second line of defence: binding (below) works whatever the input contains

Have length limits on input
- Many SQL injection attacks depend on entering long strings
- A limit trims the attacker's room to work but does not by itself stop short payloads (x'; DROP TABLE members; -- is 26 characters)

Limit database permissions and segregate users
- Even a "successful" SQL injection attack is then going to have much more limited effect

Isolate the webserver
- For instance, put the machine in a DMZ with extremely limited pinholes

Configure database error reporting
- Default error reporting often gives away information that is valuable to attackers (table names, field names, etc.)
- Configure the application so that this information is never exposed to a user; log it server-side instead

If possible, use bound variables
- Some libraries allow you to bind inputs to variables inside a SQL statement; the value travels separately from the SQL text, so it can never change the statement's structure
- Perl DBI example (from http://www.unixwiz.net/techtips/sql-injection.html):

use DBI;
# $dbh is an already-opened DBI handle and $email the raw form value;
# the driver fills the ? placeholder with $email as data, never as SQL.
my $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
$sth->execute($email);
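The defences above combined in one lookup handler, as an added example in Python's sqlite3 rather than the Perl DBI of the slide (not code from the slides or from Friedl's article). Assumed for the example: the two sample rows, the MAX_EMAIL_LEN and EMAIL_RE policy values, the handle_lookup handler, and PRAGMA query_only standing in for a SELECT-only database account, since SQLite has no GRANT.

```python
import re
import sqlite3

# Constructed sample rows, not from the slides.
MEMBERS = [
    ("bob@example.com", "hello123", "bob", "Bob Smith"),
    ("alice@example.com", "s3cret", "alice", "Alice Jones"),
]

# Assumed policy values for this example.
MAX_EMAIL_LEN = 254
# The field's fixed language: local part, one '@', dotted domain. Quotes,
# semicolons, spaces and '--' are not in the language, so they never reach SQL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def fresh_db():
    """In-memory database holding the members table from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def harden(conn):
    """Least privilege: the web tier gets a connection that cannot write.

    PRAGMA query_only (assumed stand-in) makes SQLite reject INSERT, UPDATE,
    DELETE, CREATE and DROP; on a real RDBMS use a SELECT-only account.
    """
    conn.execute("PRAGMA query_only = 1")
    return conn


def is_valid_email(value):
    """Syntax check plus length limit, done before any query is built."""
    return (
        isinstance(value, str)
        and len(value) <= MAX_EMAIL_LEN
        and EMAIL_RE.fullmatch(value) is not None
    )


def lookup_bound(conn, email):
    """Bound parameter only: the value is sent as data, never as SQL text."""
    return conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?",
        (email,),
    ).fetchall()


def write_blocked(conn):
    """True if the connection refuses writes, which is all an injected INSERT
    could ever achieve on a SELECT-only account."""
    try:
        conn.execute("INSERT INTO members VALUES ('e', 'p', 'l', 'n')")
    except sqlite3.OperationalError:
        return True
    return False


def handle_lookup(conn, email):
    """Web-tier handler: validate, bind, and never leak database error text."""
    if not is_valid_email(email):
        return {"status": "rejected", "rows": [], "message": "invalid email"}
    try:
        rows = lookup_bound(conn, email)
    except sqlite3.Error:
        # Log the driver's message server-side; the user sees only this.
        return {"status": "error", "rows": [], "message": "lookup failed"}
    return {"status": "ok", "rows": rows, "message": ""}


if __name__ == "__main__":
    conn = harden(fresh_db())
    attack = "x'; DROP TABLE members; --"
    print(lookup_bound(conn, attack))          # [] : the payload is just a value
    print(handle_lookup(conn, attack)["status"])  # rejected, before any SQL
    print(handle_lookup(conn, "bob@example.com")["rows"])
    print("writes blocked:", write_blocked(conn))  # True
```

lookup_bound alone already neutralises the slide's payloads (the string is compared against the email column and matches nothing); the syntax check, length limit and read-only connection are the extra layers the slides list, and the handler shows the generic message that replaces the database's own error text.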
References:
http://www.unixwiz.net/techtips/sql-injection.html
http://msdn.microsoft.com/en-us/library/ms161953.aspx
http://php.net/manual/en/security.database.sql-injection.php
http://en.wikipedia.org/wiki/SQL_injection