SQL Injection Attacks

Size: px

Start display at page:

Download "SQL Injection Attacks"

Violet Rice
6 years ago
Views:

1 SQL Injection Attacks & Some Tips On How To Prevent Them SQL Server User Group Edinburgh 29 th June 2011

2 Code Examples All the code examples can be found on my blog: /blog/category/ sql-injection-attack-talk/

3 What is a SQL Injection Attack? Manipulative user input Tricks application First order Immediate activation of payload Second order Delayed activation of payload

4 A warning from history Vendor spent $83K on firewall products App connected to SQL Server as sa Attack retrieved results via Was also able to shut down the SQL Server

5 Securing your database Multifaceted approach Firewall settings are not enough! Application interaction Code that communicates with the DB Database protection Setting security on the database "Security is a process, not a product." -- Bruce Schneier, Secrets and Lies.

6 An example SELECT ProductName, QuantityPerUnit, UnitPrice FROM Products WHERE ProductName LIKE 'G%' string sql = "SELECT ProductName, QuantityPerUnit, UnitPrice "+ "FROM Products " + "WHERE ProductName LIKE '"+this.search.text+"%'; SqlDataAdapter da = new SqlDataAdapter(sql, DbCommand); da.fill(productdataset);

7 An example ' UNION SELECT TABLE_NAME, 1, 1 FROM INFORMATION_SCHEMA.TABLES;-- string sql = "SELECT ProductName, QuantityPerUnit, UnitPrice "+ "FROM Products " + "WHERE ProductName LIKE '"+this.search.text+"%'; SqlDataAdapter da = new SqlDataAdapter(sql, DbCommand); da.fill(productdataset); SELECT ProductName, QuantityPerUnit, UnitPrice FROM Products WHERE ProductName LIKE '' UNION SELECT TABLE_NAME, 1, 1 FROM INFORMATION_SCHEMA.TABLES;--%'

8 DEMO Example web application ASP.NET MVC But could be any framework Web / Windows / Services / WPF / Silverlight / etc. Or OS Windows / Linux / ios / MacOS / Android / etc. SQL Server 2008 But could be any RDBMS really Oracle / MySQL / etc.

9 Prevention Tips Lock down access to xp (external Procedures) Run SQL service under least privilege So, if the xp is run it can t do to much damage Minimised possibility of damage beyond SQL Server

10 Escaping key characters e.g. ' becomes '' User types O'Brien SQL is O''Brien Don t trust myself to always remember Can be differences between databases Can be easy to get it wrong

11 Prevention Tip Use parameterised queries Separates the data from the command Cuts out most of the ability to attack Nothing being injected any more Not a complete defence! Good first step tho

12 Second Order Attacks Malicious user hides payload Possibly in a trusted area Payload is then detonated later More difficult to detect

13 Demo Second Order Attack User creates a favourite Favourite contains the payload Payload activated later

14 Prevention Tip Trust NOTHING! Well, almost nothing

15 Stored Procedures Provide an extra level of security Revoke access to tables, grant to sprocs Allow programmatic checks Data validation

16 Prevention Tip Don t connect as a user in the sysadmin role e.g. The sa user You know who else connected as the sa user? Godwin Approved

17 Stored Procedure Caveat Can still access sprocs and be vulnerable SqlCommand cmd = new SqlCommand("EXECUTE mystoredproc '" + mytextbox.text + "'"); It could create its own injection scenario

18 Demo Second order attack using Stored Procedure

19 Dynamic SQL in sproc Sometimes it IS necessary Not often, tho Dynamic tables or columns SQL Server 2000 requires it for varying SELECT TOP values Can use sp_executesql Built in Stored Proc Allows parameters to be passed

20 Dynamic SQL in sproc Validate inputs INFORMATION_SCHEMA.TABLES INFORMATION_SCHEMA.COLUMNS Use QUOTENAME to escape names properly

sp_executesql Example CREATE PROCEDURE GetData @Id INT, @TableName sysname, @ColumnName sysname AS BEGIN SET NOCOUNT ON; IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.

21 sp_executesql Example CREATE PROCEDURE sysname AS BEGIN SET NOCOUNT ON; IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME AND COLUMN_NAME BEGIN nvarchar(max) = 'SELECT ' + QUOTENAME(@ColumnName) + ' FROM ' + QUOTENAME(@TableName) + ' WHERE Id EXEC N'@Identifier END END GO

22 O/RM Abstracts away the persistence layer Will generate correct (safe) SQL Still a need to understand database And the implications of actions on the DB Need to shape the access to the tables

23 Error Messages Hide error messages from the user They can contain details about your system

24 Error Messages Log the errors NLog Elmah log4net Display a friendly message to the user

25 SQL Injection Attacks Question Time /blog/category/sql-injection-attack-talk/

WEB SECURITY p.1

WEB SECURITY p.1 WEB SECURITY 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win CTFs and