![What about this?
$id = $_GET['id'];
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword,
$dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='$id';";
$results = mysqli_query($connection, $query);
display_results($results);](https://image.slidesharecdn.com/a1-injectionattacks-190319015732/85/OWASP-Top-10-Day-1-A1-injection-attacks-12-320.jpg)
OWASP Top 10 - Day 1 - A1 injection attacks
- 1. A1 – Injection Attacks Mohamed Talaat Linkedin: https://www.linkedin.com/in/mtibrahim/ Twitter: https://twitter.com/t4144t E-mail: Mohamed.Talaat@owasp.org
- 2. Agenda • 1- SQL Injection • Demo • 2- Template Injection • Demo • 3- Broken Authentication • Demo • 4- Session Management • Demo
- 3. What’s OWASP? • Open Web Application Security Project aims to increase the awareness of the application security. • Everyone is free to participate in OWASP • We are OWASP Egypt – Cairo Chapter
- 4. OWASP Projects • OWASP Top 10 security vulnerabilities project • OWASP ZAP Project • OWASP Juice Shop • More on the following link: https://www.owasp.org/index.php/Category:OWASP_Project
- 5. OWASP Top 10 – Application Security Risks
- 6. How the web app works? • 3 Tiers Model:
- 7. Browser : Presentation Tier
- 8. PHP Code : Logic Tier
- 9. SQL Code: Storage Tier
- 10. SQL Queries Types • Static Query • Dymanic Query
- 11. What is the type of this query? • $dbhostname=‘127.0.0.1'; • $dbuser=‘admin'; • $dbpassword='password'; • $dbname='database'; • $connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname); $query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;";
- 12. What about this? $id = $_GET['id']; $connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname); $query = "SELECT Name, Description FROM Products WHERE ID='$id';"; $results = mysqli_query($connection, $query); display_results($results);
- 13. A1 – SQL Injection • The first checked by hackers • Once found, ready to be exploited : )
- 14. Injection • What is the SQL & Types • Concept • Injection Issue • Attack • CRUD
- 15. Injection Concept • Identify injection point • Finding the best technique to attack • Data Exfiltration
- 16. SQLi Real World Scenarios
- 17. SQL Injection Scenario Yahoo! Sports blind injection • Stefano entered Yahoo! Web site with the following URL: http://sports.yahoo.com/nfl/draft?year=2010&type=20&round=2 • He tried to put a comment after the year 2010 and noticed what happen • So it will be like this: http://sports.yahoo.com/nfl/draft?year=2010--&type=20&round=2
- 18. SQL Injection Scenario Yahoo! Sports blind injection • Original Query: SELECT * FROM PLAYERS WHERE YEAR = 2010 AND TYPE = 20 AND ROUND = 2; • By inserting the dashes, Stefano essentially made it act like: SELECT * FROM PLAYERS WHERE YEAR = 2010;
- 19. SQL Injection Scenario Yahoo! Sports blind injection • Yahoo Sport Blind Injection – Before commenting
- 20. SQL Injection Scenario Yahoo! Sports blind injection • Yahoo Sport Blind Injection – After commenting
- 21. SQL Injection Scenario SQLi to RCE • Ibrahim Raafat (Egyptian Researcher) could exploit a SQLi vulnerability to have full control on the server. • He was doing purchase when he noticed the following URL and tried to inject it with SQLi payload in each parameter until one succeeded. • Union based SQL injection in order_id parameter POST: order_id=-116564954 union select 1337,2,3,4,5,6,7,8,9,10,11,12,13,14,15– – &first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal _code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress &csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96 d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1
- 22. SQL Injection Scenario SQLi to RCE • He was able to read sensitive files from the web server
- 23. SQL Injection Scenario SQLi to RCE • And also write files to the server!
- 24. SQL Injection Scenario SQLi to RCE • Aaaaand the RCE
- 25. SQL Injection Scenario SQLi to RCE • After that he got 15K bounty
- 26. So how they did it?
- 27. Exploiting SQLi SELECT Name, Description FROM Products WHERE ID='$id‘ and PASSWORD=‘$password’; Attacker input: ‘ or ‘a’=‘a # SELECT Name, Description FROM Products WHERE ID='' OR 'a'='a#‘and PASSWORD=‘$password’;
- 28. SQL Injection Types • Inband:- • Error Based Injection • Blind Injection • Time Based • Boolean Based (True/false) • Out-Of-Band
- 29. SQL Injection Types • Error Based SQLi
- 30. SQL Injection Types • Blind SQLi
- 31. Injection Points • GET Parameters • POST Parameters • Headers • COOKIES
- 32. What can be done with SQLi? • Authentication Bypass • Read file systems? • Run system commands? • Dump all the data?
- 33. SQL Injection Scenario • Yahoo Sport Blind Injection
- 34. SQL Injection Prevention • Prepared Statement Or Parameterized Query • Stored Procedure • Input Validation (Blacklisting or whitelisting)
- 35. SQL Injection Prevention • Prepared Statement Or Parameterized Query
- 36. SQL Injection Prevention • Stored Procedure
- 37. SQL Injection Prevention • Input Validation: (Escaping) – PHP
- 38. SQL Injection Prevention • Input Validation: Type Casting $user_id = (int) $user_id;
- 39. Code & Command Injection • OS Command Injection • Code Injection
- 40. OS Command Injection - Case
- 41. OS Command Injection - Vulnerable
- 42. OS Command Injection - Protection
- 43. Code injection – case
- 44. Code Injection - Vulnerable
- 45. Code Injection - Protection
- 46. Demo – SQLi in request headers • Perform full scan on the victim • Finding the injection point • Exfiltration • Get the reassure : )
- 47. SQLmap • A tool used to automate SQLi slow exfiltration and to identify potential SQLi injection points. • Ready with a great number of scripts to be executed • Could be integrated with other tools such as Burpsuite, Metasploit
- 48. SQLmap Basics • -u : pass a URL to SQLmap • --dbs: sort all the databases in the system • --banner: Grap the database banner • --threads 7: increase the number of threads in blind injections • --tables: grap the db tables • -T table: choose table • --dump: dump all the data in a table of db • --level: sets a level from 1 to 5 for the number of injection points (headers and parameters) • --risk: sets a level from 1 to 3 for the type of test made • --batch: run sqlmap defaults
- 49. SQLmap Basics • Basic Scan: • sqlmap -u http://192.168.203.139 - - batch • Intense Scan (Not Recommended on production): • sqlmap -u "http://192.168.203.139" --level 5 --risk 3 --threads 7 --batch
Editor's Notes
- #7: Presentation Tier: View to the user Translates the user requests to HTTP request – sends it to the logic tier Rendering HTML Code to graphical view Logic Tier: Web server which stores the code of the app Middleware which makes the processing tasks Loads, compiles, executes scripts Translates the HTTP request to Database query and sends it to the storage tier Storage: Execute database query Then the logic tier pulls the result back, formats it, sends it back to the presentation tier
- #15: The injection issue is the lack of the sanitization for user input (Much confidence) The attack leverages from the ability of an attacker to inject a malicious SQL/ database queries to the logic tier in order to execute it at the database and returns the result to the attacker. CRUD: Create, Read, Update, Delete