1 /
GROUP – 01
SQL INJECTION
2 /
Topics
●What is SQL injection (SQLi)?
●What is the impact of a successful SQL injection attack?
●How SQL injection works
●SQL injection examples
●Retrieving hidden data
●Subverting application logic
●Retrieving data from other database tables
●Examining the database
●Blind SQL vulnerabilities
●How to detect SQL injection vulnerabilities
●SQL injection in different parts of the query
●Second-order SQL injection
●Database-specific factors
3 /
What is SQL injection (SQLi)?
●SQL injection is a code injection technique, used to
attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for
execution.
2015ICT08
4 /
What is the impact of a successful SQL
injection attack?
●Unauthorized access to sensitive data, such as
–Passwords
–Credit card details
–Personal user information
●Leading to reputational damage and regulatory fines.
●Leading to a long-term compromise that can go unnoticed for an extended
period.
2015ICT08
5 /
How SQL injection works
1) App sends form to user
2) Attacker submits form with SQL exploit data
3) Application builds string with exploit data
4) Application sends SQL query to database
5) Database executes query, including exploit, sends
data back to application
6) Application returns data to user
2015ICT41
6 /
2015ICT41
7 /
SQL injection examples
●Retrieving hidden data, where you can modify an SQL query to return
additional results.
●Subverting application logic, where you can change a query to interfere
with the application's logic.
●UNION attacks, where you can retrieve data from different database tables.
●Examining the database, where you can extract information about the version
and structure of the database.
●Blind SQL injection, where the results of a query you control are not
returned in the application's responses.
2015ICT41
8 /
Retrieving hidden data
●https://insecure-website.com/products?category=Gifts
–SELECT * FROM products WHERE category='Gifts' AND released=1;
–An attacker can construct a URL like:
●http://insecure-website.com/product?category=Gifts'--
–SELECT * FROM products WHERE category='Gifts'--' AND released=1;
●The -- sequence starts a comment, so the released=1 condition is dropped and
all products are displayed, including unreleased products.
●http://insecure-website.com/product?category=Gifts'+OR+1=1--
–SELECT * FROM products WHERE category='Gifts' OR 1=1--' AND released=1;
●Since 1=1 is always true, all products are returned, regardless of category.
2015ICT85
9 /
Subverting application logic
●Username – Admin, Password – Admin
–SELECT * FROM users WHERE username='Admin' AND password='Admin';
●An attacker can log in as any user without a password:
●SELECT * FROM users WHERE username='Admin'--' AND password='';
●The comment removes the password check, so the query returns the user whose
username is Admin and the application logs the attacker in as that user.
2015ICT85
10/
Retrieving data from other database
tables
●This is done using the UNION keyword, which lets you execute an additional
SELECT query and append its results to those of the original query.
●For example, if an application executes the following query containing the
user input 'Gifts':
–SELECT name,description FROM products WHERE category='Gifts';
●then an attacker can submit the input:
–UNION SELECT username,password FROM users--
●This returns all usernames and passwords along with the names and
descriptions of products.
2015ICT48
11/
SQL injection UNION attacks
●When an application is vulnerable to SQL injection and the results of the
query are returned within the application's responses, the UNION keyword can
be used to retrieve data from other tables within the database. This is an
SQL injection UNION attack.
–SELECT a,b FROM table1 UNION SELECT c,d FROM table2;
●For a UNION query to work, two key requirements must be met:
–The individual queries must return the same number of columns.
–The data types in each column must be compatible between the individual
queries.
2015ICT48
12/
Examining the database
●Obtaining some information about the database is generally useful, as it
can often pave the way for further exploitation.
●You can query the version details of the database. The way this is done
depends on the database type, so you can infer the database type from
whichever technique works.
–For example, on Oracle you can execute:
–SELECT * FROM v$version
●You can also determine what database tables exist, and which columns they
contain.
–For example, on most databases you can execute the following query to list
the tables:
–SELECT * FROM information_schema.tables
2015ICT42
13/
Blind SQL vulnerabilities
●Blind SQL injection is a type of SQL injection attack that asks the database
true or false questions and determines the answer based on the application's
responses.
●Several techniques can be used to exploit blind SQL injection
vulnerabilities:
–You can change the logic of the query
–You can conditionally trigger a time delay in the processing of the query
–You can trigger an out-of-band network interaction
2015ICT42
14/
How to detect SQL injection
vulnerabilities
●SQL injection can be detected manually by using a systematic set of tests
against every entry point in the application.
●This typically involves:
–Submitting the single quote character ' and looking for errors or other
anomalies.
–Submitting some SQL-specific syntax that evaluates to the base (original)
value of the entry point, and to a different value, and looking for
systematic differences in the resulting application responses.
–Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for
differences in the application's responses.
–Submitting payloads designed to trigger time delays when executed within an
SQL query, and looking for differences in the time taken to respond.
–Submitting OAST (out-of-band application security testing) payloads designed
to trigger an out-of-band network interaction when executed within an SQL
query, and monitoring for any resulting interactions.
2015ICT01
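The following is an added example, written for this transcript rather than taken from the slides, that puts slides 5, 8, 9 and 14 together in runnable Python against an in-memory SQLite database. The tables, rows, the search and login functions and the probe harness are all constructed for the illustration; the comment token -- is used as on the slides and, as slide 17 notes, differs between databases. The vulnerable functions build the query text by concatenation exactly as slides 8 and 9 describe, the safe variants bind the value to a ? placeholder, and probe applies the single-quote and OR 1=1 / OR 1=2 checks from slide 14 to one entry point and reports which checks revealed a systematic difference.

```python
import sqlite3

# Constructed sample data for this illustration (not from the slides): a
# product catalogue with one unreleased item and a single user account.
# Passwords are stored in plaintext only to mirror the slide's query; a real
# application stores password hashes.
SCHEMA = """
CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
INSERT INTO products VALUES ('Mug',    'Ceramic mug',     'Gifts', 1);
INSERT INTO products VALUES ('Scarf',  'Wool scarf',      'Gifts', 1);
INSERT INTO products VALUES ('Secret', 'Unreleased gift', 'Gifts', 0);
INSERT INTO products VALUES ('Lamp',   'Desk lamp',       'Home',  1);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('Admin', 'correct-horse-battery');
"""


def open_db():
    """Open an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, category):
    """Slide 8 pattern: the user-supplied category is pasted into the SQL
    text, so a quote in it ends the literal and the rest is parsed as SQL."""
    query = ("SELECT name FROM products WHERE category='" + category
             + "' AND released=1")
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, category):
    """Parameterized form (slide 18): the value is bound to the '?' placeholder
    and is never parsed as SQL, whatever characters it contains."""
    query = "SELECT name FROM products WHERE category=? AND released=1"
    return [row[0] for row in conn.execute(query, (category,))]


def login_vulnerable(conn, username, password):
    """Slide 9 pattern: both credentials are concatenated into the query."""
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized login: a username such as Admin'-- matches no row."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def probe(send, base):
    """Slide 14 checks against one entry point. `send(value)` submits a value
    and returns the response; it raises on a database error. Returns the
    names of the checks that showed a systematic difference (empty = clean).
    The '--' comment token is SQLite/MySQL style; other DBs differ (slide 17)."""
    findings = []
    # 1. A lone single quote: an error where the base value succeeded.
    try:
        send(base + "'")
    except sqlite3.Error:
        findings.append("quote-error")
    # 2. Boolean pair: if the input is treated purely as data, a 'true' and a
    #    'false' appended condition must yield identical responses.
    if send(base + "' OR 1=1--") != send(base + "' OR 1=2--"):
        findings.append("boolean-difference")
    # (Time-delay and out-of-band checks need a database with sleep/network
    #  functions, which SQLite lacks, so they are not exercised here.)
    return findings


if __name__ == "__main__":
    db = open_db()
    print(search_vulnerable(db, "Gifts"))        # ['Mug', 'Scarf']
    print(search_vulnerable(db, "Gifts'--"))     # unreleased 'Secret' leaks
    print(search_safe(db, "Gifts'--"))           # [] : treated as a literal
    print(login_vulnerable(db, "Admin'--", ""))  # 'Admin' with no password
    print(login_safe(db, "Admin'--", ""))        # None
    print(probe(lambda v: search_vulnerable(db, v), "Gifts"))
    print(probe(lambda v: search_safe(db, v), "Gifts"))
```

Running the probe against the concatenating function reports both checks; against the parameterized function it reports nothing, because every submitted value, quotes and all, is compared as data against the category column.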
15/
SQL injection in different parts of the
query
●In an UPDATE statement, within the updated values or the WHERE clause
●In an INSERT statement, within the inserted values
●In a SELECT statement, within the table or column name
●In a SELECT statement, within the ORDER BY clause
2015ICT79
16/
Second-order SQL injection
●In second-order SQL injection (also known as stored SQL injection), the
application takes user input from an HTTP request and stores it for future
use.
●This is usually done by placing the input into a database, but no
vulnerability arises at the point where the data is stored.
●When handling a different HTTP request, the application retrieves the stored
data and incorporates it into an SQL query in an unsafe way.
●When the data is later processed, it is assumed to be safe, since it was
previously placed into the database safely.
2015ICT79
17/
Database specific factors
●Some core features of the SQL language are implemented in the same way
across popular database platforms, and so many ways of detecting and
exploiting SQL injection vulnerabilities work identically on different types
of database.
●There are also many differences between common databases. These mean that
some techniques for detecting and exploiting SQL injection work differently
on different platforms.
●Examples:
–Syntax for string concatenation.
–Comments.
–Batched queries.
2015ICT59
18/
How to prevent SQL injection
●Most instances of SQL injection can be prevented by using parameterized
queries instead of string concatenation within the query.
●The following code is vulnerable to SQL injection because the user input is
concatenated directly into the query:
  String query = "SELECT * FROM products WHERE category = '" + input + "'";
  Statement statement = connection.createStatement();
  ResultSet resultSet = statement.executeQuery(query);
●This is the way that prevents the user input from interfering with the query
structure: the query text is fixed and the input is bound to a placeholder.
  PreparedStatement statement = connection.prepareStatement(
      "SELECT * FROM products WHERE category = ?");
  statement.setString(1, input);
  ResultSet resultSet = statement.executeQuery();
2015ICT02
19/
●Parameterized queries can be used for any situation where untrusted input
appears as data within the query, including the WHERE clause and values in
an INSERT or UPDATE statement.
●They can't be used to handle untrusted input in other parts of the query,
such as table or column names, or the ORDER BY clause.
●For a parameterized query to be effective in preventing SQL injection, the
string that is used in the query must always be a hard-coded constant, and
must never contain any variable data from any origin.
2015ICT02
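As an added example (not from the slides), the following Python code shows the two halves of slide 19 together against an in-memory SQLite database: values in WHERE, INSERT and UPDATE are bound with ? placeholders, while the column name and direction of an ORDER BY clause, which cannot be parameterized, are taken from a fixed allow-list so that the SQL text is always assembled from hard-coded constants. The table, its rows, the SORTABLE_COLUMNS and DIRECTIONS maps and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample catalogue for this illustration (not from the slides).
SCHEMA = """
CREATE TABLE products (name TEXT, price INTEGER, category TEXT);
INSERT INTO products VALUES ('Mug',   12, 'Gifts');
INSERT INTO products VALUES ('Scarf', 30, 'Gifts');
INSERT INTO products VALUES ('Lamp',  45, 'Home');
"""

# Allow-lists for the parts of a query that cannot be parameterized
# (slide 19): identifiers and the ORDER BY clause. The SQL text is built only
# from these constants; the request merely selects a key.
SORTABLE_COLUMNS = {"name": "name", "price": "price"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_db():
    """Open an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_products(conn, category, sort_by="name", direction="asc"):
    """WHERE value bound with '?'; ORDER BY parts taken from the allow-list
    or rejected before any SQL is built."""
    column = SORTABLE_COLUMNS.get(sort_by)
    order = DIRECTIONS.get(direction)
    if column is None or order is None:
        raise ValueError(f"unsupported sort parameter: {sort_by!r} {direction!r}")
    query = (f"SELECT name, price FROM products WHERE category=? "
             f"ORDER BY {column} {order}")
    return conn.execute(query, (category,)).fetchall()


def add_product(conn, name, price, category):
    """INSERT with every value bound; a quote in the name is stored as data."""
    conn.execute("INSERT INTO products (name, price, category) VALUES (?, ?, ?)",
                 (name, price, category))
    conn.commit()


def update_price(conn, name, price):
    """UPDATE with bound values in both SET and WHERE; returns rows changed."""
    cur = conn.execute("UPDATE products SET price=? WHERE name=?", (price, name))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    print(list_products(db, "Gifts", "price", "desc"))  # [('Scarf', 30), ('Mug', 12)]
    print(list_products(db, "Gifts' OR 1=1--"))         # [] : the whole string is a literal
    add_product(db, "O'Brien mug", 9, "Gifts")
    print(list_products(db, "Gifts", "price"))          # quote stored intact
    print(update_price(db, "Mug' OR 1=1--", 1))         # 0 : no such name
    try:
        list_products(db, "Gifts", "price--", "asc")
    except ValueError as err:
        print("rejected:", err)
```

Anything not in the allow-list is rejected before any SQL text exists, which is the practical reading of the last bullet above: the request chooses among constants and never supplies query text, so the string handed to the database is the same hard-coded constant on every call.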
20/
THANK YOU
