SQL injection
Download as PPTX, PDF1 like382 views
SQL injection is a technique that exploits applications that use relational databases by allowing SQL statements to pass through user input and directly query the database. It occurs when untrusted data enters an application and is used to dynamically construct SQL queries without proper sanitization. Susceptible locations include login pages, form fields, search pages, and query strings. There are two categories - passive SQL injection reveals database information through errors or blind techniques, while active SQL injection can alter database information by exploiting stored procedures. Blind SQL injection retrieves data without errors by writing queries after the "AND" clause.
SQL injection
- 2. What is an SQL Injection? • SQL injection is a technique for exploiting applications that use relational databases as their back end. • SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly. • SQL injection use the fact that many of these applications concatenate the fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
- 3. How and where a SQL injection occurs? • SQL injection errors occur when: – Data enters a program from an untrusted source. – The data used to dynamically construct a SQL query. • In most cases, SQL injection is detected by placing meta characters in data inputs used by web applications. • Susceptible locations are – login pages, – form fields, – search pages, – shopping carts and – query string parameter values.
- 4. SQL injection categories • Two categories: – Depending on the exposure of database information (passive) • SQL errors • Blind SQL injection for excessive data retrieval – The alteration of the database information • Exploiting default stored procedures used by different backend database servers • Modification of backend database is possible
- 5. SQL Query Poisoning • How the database query is processed in the backend? – URL: http://www.example.com/product.php?id= 9 – Database query: SELECT * FROM product_detail WHERE id = 9 • Root cause of all SQL query poisoning is lack of input sanitization
- 6. Detecting SQL errors • Inject meta characters like ' , " , ; in parameters
- 7. • Query gets terminated prematurely … Detecting SQL errors
- 8. Detecting SQL errors • Try and force error messages from backend database servers • This gives us an idea how query is being created and used • Change data type of the value passed in parameter • Inject meta characters to check for premature query termination
- 9. Extending SQL queries • Retrieve all rows “ OR 1=1” • Use multiple / stacked / batched queries “;SELECT …” • Execute stored procedures “;EXEC” – Stored procedures, if known, and accessible, can also be invoked. – For example Microsoft SQL Server’s extended stored procedures.
- 10. Information retrieval using SQL queries
- 11. Information retrieval using SQL queries
- 12. Information retrieval using SQL queries
- 13. Information retrieval using SQL queries
- 14. Blind SQL injection • If the application does not return error messages, it may still be susceptible to “blind” SQL injection. • Application is sending custom error page which is not revealing any signature by which we can deduce potential SQL flaw. • Nearly identical to the normal SQLi, the only difference being the way the data is retrieved from the database. • Can be exploited by writing queries after “AND” clause
- 15. SQL injection – Checks • 1’ OR ‘1’=‘1 – to retrieve all rows • 1’ AND ‘1’=‘1 true, 1’ AND ‘1’=‘2 false in case of blind SQL injection • http://www.thecompany.com/pressRelease.jsp?pressRel easeID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 2, 1))) > 109 - to retrieve table name character by character • 1 AND SELECT @@version – database version • 1 AND ExtractValue(1, CONCAT(0x5c, (SELECT @@datadir))) – useful to overcome MySQL error messages
Editor's Notes
- #3: Various backend databse servers used by the application – MySQL, MSSQL, Oracle, Postgre, Sybase, Informix etc.
- #13: The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of fields of other tables