Breaking Databases via SQLi attacks Azqa Nadeem PhD Student @ - - PowerPoint PPT Presentation

1

Breaking Databases

via SQLi attacks

Azqa Nadeem

PhD Student @ Cyber Security Group

The Cyber Security lecture series

2

About Cyber Security lecture series

The Cyber Security lecture series

3

About Cyber Security lecture series

• A hot topic, a buzz term

The Cyber Security lecture series

4

About Cyber Security lecture series

• A hot topic, a buzz term
• Introducing the Cyber Security lecture series

– Cyber security topics in existing courses – First of the (hopefully) many to come

The Cyber Security lecture series

5

About Cyber Security lecture series

• A hot topic, a buzz term
• Introducing the Cyber Security lecture series

– Cyber security topics in existing courses – First of the (hopefully) many to come

• Announcements

– Assignment 3 – Exam questions – Feedback form for the course

The Cyber Security lecture series

6

Why would anyone ever hack a database?

The Cyber Security lecture series

7

… In the news

https://www.forbes.com/sites/davidvolodzko/2018/12/04/marriott-breach-exposes-far-more-than- just-data/#1f0d3c276297

8

… In the news

https://www.nbcnews.com/business/consumer/quora-hack-breach-crowdsourced-question-answer- site-exposes-100-million-n943496

9

… In the news

https://steemit.com/bitcoin/@hacker0/how-i-hacked-hundreds-of-bitcoins-ama

10

… In the news

https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

11

What went wrong?

12

What went wrong?

SQL Injection attack!

13

SQL Injection

• SQL Injection (SQLi) refers to an injection attack wherein

an attacker can execute malicious SQL statements that control a web application’s database server (also known as RDBMS).

https://www.acunetix.com/websitesecurity/sql-injection/

14

SQL Injection

• SQL Injection (SQLi) refers to an injection attack wherein

an attacker can execute malicious SQL statements that control a web application’s database server (also known as RDBMS).

• Look out if you have:

– Web application – SQL-based database – User-controlled query parameter

https://www.acunetix.com/websitesecurity/sql-injection/

15

Next up…

16

Next up…

• Quick recap of:

– Web application infrastructure – Who is to blame? – What can attackers do?

17

Next up…

• Quick recap of:

– Web application infrastructure – Who is to blame? – What can attackers do?

• Injecting SQL queries ← Hands-on!

18

Next up…

• Quick recap of:

– Web application infrastructure – Who is to blame? – What can attackers do?

• Injecting SQL queries ← Hands-on!
• What causes SQLi?

19

Next up…

• Quick recap of:

– Web application infrastructure – Who is to blame? – What can attackers do?

• Injecting SQL queries ← Hands-on!
• What causes SQLi?
• Best practices to avoid SQLi

– Input sanitization – Escaping input – Prepared statements

20

How does a typical web app work?

21

How does a typical web app work?

webshop.abc.xy

22

How does a typical web app work?

webshop.abc.xy

23

How does a typical web app work?

webshop.abc.xy

24

How does a typical web app work?

SQL database webshop.abc.xy

25

How does a typical web app work?

SQL database webshop.abc.xy

26

How does a typical web app work?

SQL database webshop.abc.xy

27

How does a typical web app work?

SQL database webshop.abc.xy

28

How does a typical web app work?

SQL database webshop.abc.xy

29

What can attackers do?

30

What can attackers do?

• Data Manipulation Language

31

What can attackers do?

• Data Manipulation Language

– INSERT INTO users (username, password) VALUES (‘attacker’, ‘youvebeenhacked’)

C

32

What can attackers do?

• Data Manipulation Language

– INSERT INTO users (username, password) VALUES (‘attacker’, ‘youvebeenhacked’) – SELECT * FROM users WHERE userType=‘admin’

C R

33

What can attackers do?

• Data Manipulation Language

– INSERT INTO users (username, password) VALUES (‘attacker’, ‘youvebeenhacked’) – SELECT * FROM users WHERE userType=‘admin’ – UPDATE users SET password=‘youvebeenhacked’ ;

C R U

34

What can attackers do?

• Data Manipulation Language

– INSERT INTO users (username, password) VALUES (‘attacker’, ‘youvebeenhacked’) – SELECT * FROM users WHERE userType=‘admin’ – UPDATE users SET password=‘youvebeenhacked’ ; – DELETE FROM users;

C R U D

35

What can attackers do?

• Data Manipulation Language

– INSERT INTO users (username, password) VALUES (‘attacker’, ‘youvebeenhacked’) – SELECT * FROM users WHERE userType=‘admin’ – UPDATE users SET password=‘youvebeenhacked’ ; – DELETE FROM users;

• And much, much more…

– Root access, Denial of Service attack, etc.

C R U D

36

Scenario…

webshop.abc.xy

37

Scenario…

webshop.abc.xy

Search for an item

Keyword

38

Scenario…

SQL database webshop.abc.xy

Search for an item

Keyword

39

Scenario…

SQL database webshop.abc.xy

Search for an item

Keyword

itemName itemPicture Shirt X Pen X Car X

Inventory

40

Scenario…

SQL database webshop.abc.xy

Search for an item

Keyword

itemName itemPicture Shirt X Pen X Car X

Inventory

41

Scenario…

SQL database webshop.abc.xy

Search for an item

car

Keyword

itemName itemPicture Shirt X Pen X Car X

Inventory

car

42

Scenario…

SQL database webshop.abc.xy

Search for an item

car

Keyword

itemName itemPicture Shirt X Pen X Car X

Inventory

car

43

Search for an item

??

Keyword

Task1: How to list all items?

SQL database webshop.abc.xy

itemName itemPicture Shirt X Pen X Car X

??

Inventory

44

Task1: How to list all items?

Search for an item

car’ OR 1 #

Keyword

SQL database webshop.abc.xy

itemName itemPicture Shirt X Pen X Car X

car’ OR 1 #

Inventory

45

Task1: How to list all items?

Search for an item

car’ OR 1 #

Keyword

SQL database webshop.abc.xy

itemName itemPicture Shirt X Pen X Car X

car’ OR 1 #

Inventory

46

Task1: How to list all items?

Search for an item

car’ OR 1 #

Keyword

SQL database webshop.abc.xy

itemName itemPicture Shirt X Pen X Car X

car’ OR 1 #

Inventory

→ Tautology

47

SQL database webshop.abc.xy

Log in Form

?? ??

Username Password

Go

?? ??

The login scenario…

48

Another Tautology-based SQLi

SQL database webshop.abc.xy

Log in Form Blah’ OR 1#

Blah

Username Password

Go

Blah Blah’ OR 1 #

49

Another Tautology-based SQLi

SQL database webshop.abc.xy

Log in Form Blah’ OR 1#

Blah

Username Password

Go

Blah Blah’ OR 1 #

50

Running multiple queries

51

Running multiple queries

• Useful keywords:

52

Running multiple queries

• Useful keywords:

– JOIN (Append horizontally)

53

Running multiple queries

• Useful keywords:

– JOIN (Append horizontally) – UNION (Append vertically)

54

Running multiple queries

• Useful keywords:

– JOIN (Append horizontally) – UNION (Append vertically)

55

Running multiple queries

• Useful keywords:

– JOIN (Append horizontally) – UNION (Append vertically)

• Fluffy

Bunny

56

Running multiple queries

• Useful keywords:

– JOIN (Append horizontally) – UNION (Append vertically)

• Fluffy

Bunny

57

Running multiple queries

• Useful keywords:

– JOIN (Append horizontally) – UNION (Append vertically)

• Fluffy

Bunny Fluffy Bunny 1 2

58

Task 2: How to dump user data?

SQL database webshop.abc.xy

Search for an item

??

Keyword

59

Task 2: How to dump user data?

SQL database webshop.abc.xy

Search for an item

??

Keyword

??

60

Task 2: How to dump user data?

username password fluffyBunny cArR0T admin admin123

SQL database webshop.abc.xy

Search for an item

??

Keyword

??

itemName itemPicture Shirt X Pen X Car X

Inventory Users

61

Task 2: How to dump user data?

SQL database webshop.abc.xy

Search for an item

car’ UNION SELECT password FROM users# Keyword

car’ UNION SELECT password FROM users# itemName itemPicture Shirt X Pen X Car X

Inventory Users

username password fluffyBunny cArR0T admin admin123

62

Task 2: How to dump user data?

SQL database webshop.abc.xy

Search for an item

car’ UNION SELECT password FROM users# Keyword

car’ UNION SELECT password FROM users# itemName itemPicture Shirt X Pen X Car X

Inventory Users

username password fluffyBunny cArR0T admin admin123

63

https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom

64

https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom

Piggy-backed query

65

Why is it happening?

• Mixing of code and data

66

Why is it happening?

• Mixing of code and data

SELECT profile FROM users WHERE uname= ‘Blah‘ AND pwd= ‘Blah‘

67

Why is it happening?

• Mixing of code and data

SELECT profile FROM users WHERE uname=‘Blah‘ OR 1=1 # ‘ AND pwd= ‘Blah‘ SELECT profile FROM users WHERE uname= ‘Blah‘ AND pwd= ‘Blah‘

68

Why is it happening?

• Mixing of code and data

SELECT profile FROM users WHERE uname= ‘Blah‘ AND pwd= ‘Blah‘ SELECT profile FROM users WHERE uname=‘Blah‘ OR 1=1 # ‘ AND pwd= ‘Blah‘

69

SQLi Avoidance

• Input sanitization

– Clean the input in order to use it

70

SQLi Avoidance

• Input sanitization

– Clean the input in order to use it

71

SQLi Avoidance

• Input sanitization

– Clean the input in order to use it

• Problem:

– Not all scenarios are known

72

SQLi Avoidance

• Escaping the input

– To avoid data being mistaken as code

73

SQLi Avoidance

• Escaping the input

– To avoid data being mistaken as code – Input:

74

SQLi Avoidance

• Escaping the input

– To avoid data being mistaken as code – Input: – Must be processed as:

75

SQLi Avoidance

• Escaping the input

– To avoid data being mistaken as code – Input: – Must be processed as:

• Problem:

– Possibly a 2nd Order SQLi attack

• Effect not seen immediately

76

SQLi Avoidance

• 2nd order SQLi

Users

username password fluffyBunny cArR0T admin admin123

77

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123

1)

78

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123

1)

79

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123 Robert’; Drop table users;# Blah username password fluffyBunny cArR0T admin admin123

1)

80

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123 Robert’; Drop table users;# Blah username password fluffyBunny cArR0T admin admin123

1) 2)

Robert’; Drop table users;# Blah

Username Password

Login

81

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123 Robert’; Drop table users;# Blah username password fluffyBunny cArR0T admin admin123

1) 2)

Robert’; Drop table users;# Blah

Username Password

Login

82

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123 Robert’; Drop table users;# Blah username password fluffyBunny cArR0T admin admin123

Welcome, Robert’; Drop table users;# 1) 2)

Robert’; Drop table users;# Blah

Username Password

Login

3)

83

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123 Robert’; Drop table users;# Blah username password fluffyBunny cArR0T admin admin123

Welcome, Robert’; Drop table users;# 1) 2)

Robert’; Drop table users;# Blah

Username Password

Login

Blah2 Blah2

Password Confirm

Update password

3)

84

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123 Robert’; Drop table users;# Blah username password fluffyBunny cArR0T admin admin123

Welcome, Robert’; Drop table users;# 1) 2)

Robert’; Drop table users;# Blah

Username Password

Login

Blah2 Blah2

Password Confirm

Update password

3)

85

SQLi Avoidance

• 2nd order SQLi

Robert’; Drop table users;# Blah

Username Password

Register

Users

username password fluffyBunny cArR0T admin admin123 Robert’; Drop table users;# Blah username password fluffyBunny cArR0T admin admin123

Welcome, Robert’; Drop table users;# 1) 2)

Robert’; Drop table users;# Blah

Username Password

Login

Blah2 Blah2

Password Confirm

Update password

3)

86

SQLi Avoidance

• Prepared statements

– Separation of concerns

Code Data Query

87

SQLi Avoidance

• Prepared statements

– Separation of concerns – Pre-compile legitimate query – Add placeholders for data

Code Data Query

88

SQLi Avoidance

• Prepared statements

– Separation of concerns – Pre-compile legitimate query – Add placeholders for data

Code Data Query

89

SQLi Avoidance

• Prepared statements

– Separation of concerns – Pre-compile legitimate query – Add placeholders for data

Code Data Query

90

Summary

91

Summary

• Executing SQL code on a data is called an SQL Injection

attack

92

Summary

• Executing SQL code on a data is called an SQL Injection

attack

– Tautology-based query – Union-based query – Piggy-backed query – 2nd Order attack

93

Summary

• Executing SQL code on a data is called an SQL Injection

attack

– Tautology-based query – Union-based query – Piggy-backed query – 2nd Order attack

• SQLi is caused by mixing of code and data

94

Summary

• Executing SQL code on a data is called an SQL Injection

attack

– Tautology-based query – Union-based query – Piggy-backed query – 2nd Order attack

• SQLi is caused by mixing of code and data
• Prepared statements are the most useful in avoiding SQLi

95

Summary

• Executing SQL code on a data is called an SQL Injection

attack

– Tautology-based query – Union-based query – Piggy-backed query – 2nd Order attack

• SQLi is caused by mixing of code and data
• Prepared statements are the most useful in avoiding SQLi
• However, user input must always be sanitized

96

Additional material

• https://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
• https://www.youtube.com/watch?v=ciNHn38EyRc
• https://www.csoonline.com/article/2130877/data-breach/the-

biggest-data-breaches-of-the-21st-century.html

• A Classification of SQL Injection Attacks and Countermeasures:

https://www.cc.gatech.edu/fac/Alex.Orso/papers/halfond.viegas.o rso.ISSSE06.pdf

• Try it yourself:

– https://www.codingame.com/playgrounds/154/sql-injection- demo/sql-injection – http://leettime.net/sqlninja.com/ – https://www.veracode.com/security/sql-injection

97

Time for questions