[Slide 1] Web Security – Part 3: SQL Injection
Haipeng Dai
haipengdai@nju.edu.cn
313 CS Building, Department of Computer Science and Technology, Nanjing University
[Slide 2] SQL Injection and XSS are top 2 attacks
[Chart: Web Vulnerabilities by Class, Q1–Q2 2009. Categories shown: SQL Injection, Cross-Site Scripting, Code Injection, Authentication, Information Leak/Disclosure, Authorization, Cross-Site Request Forgery, Buffer Errors, Web Server, Path (Directory) Traversal, Web Browser.]
Source: http://media.smashingmagazine.com/cdn_smash/wp-content/uploads/2010/01/4239939571_b7d3cddc83_o.gif
[Slide 3] Normal SQL Queries on Web
Most web applications involve database queries.
SQL: Structured Query Language. Used to query, delete, insert, and update database records.
[Figure: "Phonebook Record Manager" login form with Username: John, Password: abcd, Submit. Flow: Web browser → User Input → Application Server → SQL Query → Database → Result Set → Web Page. John's phonebook entries are displayed.]
SELECT * FROM phonebook WHERE username = 'John' AND password = 'abcd'
[Slide 4] SQL Injection
Malicious query input: Username: John' OR 1=1 --   Password: not needed
SELECT * FROM phonebook WHERE username = 'John' OR 1=1 --' AND password = 'not needed'
Everything after -- is ignored!
[Figure: same Web browser → Application Server → Database flow; this time all phonebook entries are displayed.]
[Slide 5] Exploits of a mum
[Comic transcript: "Hi, this is your son's school. We're having some computer trouble." "Oh, dear – did he break something?" "In a way – did you really name your son Robert'); DROP TABLE Students;--?" "Oh, yes. Little Bobby Tables, we call him." "Well, we've lost this year's student records. I hope you're happy." "And I hope you've learned to sanitize your database inputs."]
Source: http://imgs.xkcd.com/comics/exploits_of_a_mom.png
[Slide 6] Another SQL Injection Example (1/2)
Member Login handler (PHP). Only the tail of the code survived extraction; the query line is reconstructed from the query shown on the next slide, and $user / $pass are assumed names for the submitted form fields.

    <?php
    // Vulnerable: the submitted username and password are spliced straight into the SQL text
    $query = "SELECT * FROM `login` WHERE `user`='$user' AND `pass`='$pass'";
    $SQL = mysql_query($query);
    // If user/pass combo found, grant access
    if (mysql_num_rows($SQL) > 0)
        grant_access();
    // Otherwise deny access
    else
        deny_access();
    ?>
[Slide 7] Another SQL Injection Example (2/2)
SQL injection for querying data (Username: ' OR 'a'='a   Password: ' OR 'a'='a):
SELECT * FROM `login` WHERE `user`='' OR 'a'='a' AND `pass`='' OR 'a'='a'
SQL injection for deleting data (Username: '; DROP TABLE `login`; --   Password: empty):
SELECT * FROM `login` WHERE `user`=''; DROP TABLE `login`; --' AND `pass`=''
[Slide 8] All Queries are Possible in SQL Injection
Insert record:
SELECT * FROM `login` WHERE `user`=''; INSERT INTO `login` (`user`, `pass`) VALUES ('haxor', 'whatever'); --' AND `pass`=''
Update record:
SELECT * FROM `login` WHERE `user`=''; UPDATE `login` SET `pass`='pass123' WHERE `user`='timbo317'; --' AND `pass`=''
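The following is an added example, not code from the slides: it rebuilds the phonebook query of slides 3–4 in Python with an in-memory SQLite table (sample rows are constructed here), runs the slides' inputs through the string-concatenation pattern the slides criticise and through a parameterized query, and shows that only the concatenated version lets the input change the query's meaning.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny phonebook table
# with the same columns as the slides' example.
ROWS = [("John", "abcd", "555-0100"), ("Alice", "s3cret", "555-0199")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (username TEXT, password TEXT, phone TEXT)")
    conn.executemany("INSERT INTO phonebook VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username, password):
    """The slides' pattern: input is spliced into the SQL text, so a quote
    and '--' in the input become part of the query's grammar."""
    sql = (f"SELECT phone FROM phonebook WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username, password):
    """The fix: placeholders send the values separately from the SQL text,
    so the database never parses them as SQL, whatever they contain."""
    sql = "SELECT phone FROM phonebook WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def table_exists(conn, name):
    """Check the schema catalogue so a test can confirm nothing was dropped."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "John' OR 1=1 --"  # slide 4's username; -- comments out the password check
    print(lookup_vulnerable(conn, payload, "not needed"))     # every row is returned
    print(lookup_parameterized(conn, payload, "not needed"))  # no user has that literal name
```

Python's sqlite3 execute() refuses more than one statement per call, so the slides' stacked "; DROP TABLE" payload fails at the driver here even in the vulnerable function; drivers that allow multiple statements per call would run it, which is why the parameterized form, not driver behaviour, is the control to rely on.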
[Slide 9] SQL Injection
Insertion of SQL statements into application inputs to corrupt, exploit, or otherwise damage an application database.
Most commonly done directly through web forms, but can be directed through URL hacking, request hacking using debugging tools, or using bots that emulate browsers and manipulate web requests.
[Slide 10] SQL Injection in Real-life (1/2)
- On October 31, 2004, after being linked from Slashdot, the Dremel site was changed to a Goatse pumpkin.
- On October 26, 2005, unknown Heise readers replaced a page by the German TV station ARD which advertised a pro-RIAA sitcom with Goatse, using SQL injection.
- On January 13, 2006, Russian hackers broke into a Rhode Island government web site and allegedly stole credit card data from individuals who had done business online with state agencies.
- On November 01, 2005, a high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.