SQL-Injection attacks
Download
Report
Transcript SQL-Injection attacks
SQL-Injection attacks
Damir Lizdek & Dan Rundlöf
Language-based security
What is an SQL-injection attack?
• It is an attack that is performed on an SQL
database.
• It abuses the fact that some
implementations do not check for special
characters in the input.
• Different types of attacks possible.
The goals of the project
• Learn about SQL-injection attacks.
• Present how an attack is performed.
• Present some protective measures.
What we have done
• Read up on SQL injection attacks.
• Determined the steps needed to perform
an attack.
• Written a guide for the simplest attacks.
• Presented some protective measures that
can be taken to prevent injection attacks.
Different types of attacks
• Bypassing authentication
• Abusing SELECT queries
• Abusing INSERT queries
• Smashing the database
SQL attacks
• The first thing to try is to enter a single
quote as part of the data.
• If an SQL error is produced the server
does not sanitize the input.
• This means that the server might be
vulnerable to injection attacks.
Bypassing authentication
SELECT * FROM users
WHERE username= ’".$_POST[’username’]."’
AND pwd= ’".$_POST[’password’]."’
SELECT * FROM users
WHERE username=’kalle’
AND pwd=’secret’
Bypassing authentication
Now the user enters kalle’-- instead of kalle as
username.
SELECT * FROM users WHERE
username=’kalle’--’ AND pwd=’secret’
SELECT * FROM users WHERE
username=’kalle’--’ AND pwd=’secret’
Bypassing authentication
If a username is not known it might still be
possible to bypass a login form.
Suppose you write the following as username:
’ OR 1=1-SELECT Name FROM Users WHERE Name =
’’ OR 1=1-- AND Password = ’’
Abusing SELECT queries
• Can be used to determine the structure of
the database.
• Used to gather secret information.
Sample SELECT query
SELECT FirstName, LastName, Title FROM
Employees
WHERE City = ‘" & strCity & "‘
‘ UNION ALL SELECT OtherField FROM
OtherTable WHERE ‘‘=‘
SELECT FirstName, LastName, Title FROM
Employees WHERE City = ‘‘
UNION ALL SELECT OtherField FROM OtherTable
WHERE ‘‘=‘‘
Protection techniques
• Work around the problem in the
programming language that use SQL.
• Setting security privileges on the database
to the least-required.
DEMO TIME
Conclusions
• We achieved our goals
• We learned a lot about SQL injection
attacks.
SQL injection attacks are rather easy to protect
aginst…
BUT, many servers are still vulnerable to SQL
injection attacks. Therefore it is important to know
about them and how to protect against them.
Questions/applauds
;-)