SQL-Injections
Attacks on data management
Daniel Schosser
Sept. 2012
- What is a SQL-Injection?
- How do they work?
- What damage can a SQL-Injection do?
- What counter-messures do we have?
What is a SQL-Injection?
What is SQL?
- Structured Query Language
- Based on SEQUEL (Structured English Query Language)
- Database language
- SQL1 used as standard since 1986
What is a SQL-Injection?
What can we use SQL for?
- right administration
- definition of database schema
- data manipulation (change, insert, delete)
What is a SQL-Injection?
How does SQL Statements look like?
SELECT *
FROM users
WHERE name="________" AND password="________";--
It consists of:
- SQL-Syntax
- Data
- Logic
- Metacharacters (*, %, ', --, #, ...)
What is a SQL-Injection?
Where do people use SQL?
- websites
- social networks
- games
- smartphones
- companies
- ...
What is a SQL-Injection?
Where are SQL-Injections possible?
- Whenever a user can influence requests the application sends to the database
What is a SQL-Injection?
Example SQL-Statement for a login-form
SELECT *
FROM users
WHERE name="________" AND password="________";--
- Attacker knows, there is a user with username "John"
- Attacker uses 'John";--' as username and enters no password
- What happens to the statement?
What is a SQL-Injection?
Example SQL-Statement for a login-form
SELECT *
FROM users
WHERE name="John";--" AND password="________";
- Password will be ignored in this request
- All the data from the user will be returned
What damage can a SQL-Injection do?
Insert unauthorized data
Password: foobar"; INSERT INTO users (name, passwort, email) VALUES ("anonymous", "secret", "anonymous@example.com")
SELECT *
FROM users
WHERE name="not important" AND password="foobar";
INSERT INTO users (name, passwort, email) VALUES
("anonymous", "secret", "anonymous@example.com")";--
What damage can a SQL-Injection do?
Avoid authorisation
Username: "John"
Password: foobar" OR WHERE 1=1
SELECT *
FROM users
WHERE name="John" AND password="foobar" OR WHERE 1=1";--
What damage can a SQL-Injection do?
Data manipulation
Username: "John"
Password: foobar"; UPDATE users SET password="helloWorld
SELECT *
FROM users
WHERE name="John" AND password="foobar";
UPDATE users SET password="helloWorld";--
What damage can a SQL-Injection do?
Delete data
Username: "John"
Password: foobar"; DELETE FROM users WHERE level="admin
SELECT *
FROM users
WHERE name="John" AND password="foobar";
DELETE FROM users WHERE level="admin";--
What damage can a SQL-Injection do?
GO EXEC cmdshell("shutdown /s");--
Robert"); DROP TABLE Students;--
Gathering Informations
SELECT * FROM users WHERE 1=1
Gathering Informations
Problem:
The application is waiting for a username, an email adress and the users password. But the sql-injection results in three differently named columns.
- UNION merges columns, if they have different names
UNION-Statement
We search for books:
2010
| title | price | published |
|---|---|---|
| SQL Injection | $29 | 2010 |
| Ethical Hacking | $26.99 | 2010 |
UNION-Statement
We search for books:
2010" UNION SELECT username, password, email FROM user#
| title | price | published |
|---|---|---|
| Administrator | secretPassword | admin@foobar.com |
| Developer | youWillNeverGuess | developer@foobar.com |
| SQL Injection | $29 | 2010 |
| Support | easyPassword | support@foobar.com |
| Ethical Hacking | $26.99 | 2010 |
What counter-messures do we have?
- Validation all data
- Casting value
- Define maximum inputs
- Prohibit certain characters
- Escape/Quote user-inputs
What counter-messures do we have?
- Prepared Statements
public function fetchAllByUserId( $uid )
{
return $this->fetchAllAbstract(
$this->getBaseSelect()
->where( "users.id = ?", $uid )
);
}
What counter-messures do we have?
- Restrict userrights
- different users for different tables
All input is evil, until proven otherwise!