pubcon las vegas 2012 sql injection
DESCRIPTION
How to crack into a website using SQL injection so you know how to stop it from happening to you. To see more on the topic you can review the 2011 presentation by Ralf Schwoebel and Todd Keup, which includes this information on recognition, understanding and prevention, but also monitoring and server setup best practices.
TRANSCRIPT
Todd Keup :: magnifisites.com
What Every Webmaster Should Know About
Code Installation
Cracking and Hacking
Todd Keup @toddkeup
Cracker versus hacker
Overview
• Motivation
• Tools of the trade
• Common attacks
• Defending yourself
Motivation
• Drop links or cookies
• Steal logins, blackmail people
• Building botnets
• Redirect advertising
• Crush competition
• Steal credit cards
• Abuse your server (email, attacks, etc.)
Tools of the trade
• Basic hacking became easier
• Portscanners, evil software suites are available to the public
• SARA, brutus, etc.: endless list
Common attacks
• SQL injection
• Additional software problems
• How to protect yourself
• Your checklist
SQL Injection
• How it looks
• What happens when it succeeds
• Recovery
  – Cleanup
  – Plugging the hole (prevention)
• Monitoring and discovery
SQL Injection
SQL Injection
<form method="post" action="process">
Username: <input name="username" type="text" value="">
Password: <input name="password" type="password" value="">
<input name="submitform" type="submit" value="Submit">
</form>
Incorrectly filtered escape characters
query = "SELECT * FROM users WHERE name = '" + username + "' AND pass = '" + password + "';"
SQL Injection
Incorrectly filtered escape characters
query = "SELECT * FROM users WHERE name = '" + username + "' AND pass = '" + password + "';"
Renders (when the submitted username is ' OR 1=1 -- and the password is anything at all):
query = "SELECT * FROM users WHERE name = '' OR 1=1 -- '' AND pass = 'doesNotMatter';"
The -- turns the rest of the statement into a comment, so the password is never checked and the query matches every user.
SQL Injection
Incorrectly filtered escape characters
<?php
// the "start" URL parameter is interpolated straight into the query
$offset = $_GET['start'];
$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($connection, $query);
?>
// cracker encodes the following into the "start" value of the URL;
// it closes the SELECT and appends a second statement that inserts a superuser login
0;
insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
select 'cracker', usesysid, 'yes','yes','jack'
from pg_shadow where usename='postgres'; --
SQL Injection
Incorrectly filtered escape characters
query = "UPDATE users SET pwd='$pwd' WHERE uid='$uid';";
// user enters ' OR name LIKE '%admin%'; -- ' as the uid and it renders:
UPDATE users SET pwd='abc' WHERE uid='me' OR name LIKE '%admin%'; -- ';
// result: every account whose name contains "admin" now has the password 'abc'
Incorrect type handling
query = "SELECT * FROM students WHERE id = " + expectedInteger + ";"
// user enters 1;DROP TABLE students and it renders:
SELECT * FROM students WHERE id = 1;DROP TABLE students;
SQL Injection
Image courtesy of http://xkcd.com/327/
SQL Injection
Cleanup, aisle nine
• Check your access logs
• Check file modification time
• Revert to backup?
• Change passwords
• Patch the hole
SQL Injection
Casting a type value
// the cast guarantees an integer reaches the query, whatever was posted
$ticket = (integer) $_POST['ticketnumber'];
Properly filtering data
// mysql_real_escape_string() needs an open connection and only protects values
// placed inside quotes; the mysql_* extension is deprecated, so prefer prepared
// statements (mysqli or PDO) in new code
$query = sprintf(
    "SELECT * FROM Users WHERE user='%s' AND pass='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($pass)
);
mysql_query($query);
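As an added example that is not from the slides, here is the vulnerable concatenation from the login query beside the parameterized form and the integer cast, run against a constructed in-memory SQLite database in Python (the users table and its two rows are made up for the demonstration):

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slides' users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Vulnerable: the slides' string concatenation. A username such as
    ' OR 1=1 --  turns the password check into a comment, so the query
    matches every row."""
    query = ("SELECT * FROM users WHERE name = '" + username +
             "' AND pass = '" + password + "';")
    return conn.execute(query).fetchall()

def login_param(conn, username, password):
    """Fixed: placeholders. The driver hands the values to the engine
    separately, so quotes and -- inside them are data, never SQL."""
    query = "SELECT * FROM users WHERE name = ? AND pass = ?"
    return conn.execute(query, (username, password)).fetchall()

def lookup_by_id(conn, expected_integer):
    """The 'incorrect type handling' case: convert to int before use, as the
    slides' (integer) cast does, and reject anything that is not a whole
    number (PHP's cast would keep the leading digit and drop the rest;
    either way no appended statement reaches the database)."""
    try:
        row_id = int(expected_integer)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT * FROM users WHERE id = ?", (row_id,)).fetchall()
```

The same bypass string that returns every user from login_concat returns nothing from login_param, and "1;DROP TABLE students" never reaches the engine through lookup_by_id.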
SQL Injection
Monitor and Discover
Audit your site regularly
• Log form submissions
• Monitor changes to user files
• Use your system tools
• Use the same tools crackers employ
• Identify access patterns of automated tools
• Blacklist hosts that initiate attacks
SQL Injection
Monitor and Discover
• Never connect to the database as a superuser or as the database owner.
• Check expected data type
• Escape user supplied values
• Do not print out any database specific information, especially about the schema
• Do not dump raw errors to the display
Botnets