tailieunhanh - Lecture SQL injection

Lecture SQL injection presentation of content: What are injection attacks, how SQL injection works, exploiting SQL injection bugs, mitigating SQL injection, other injection attacks.

SQL Injection
CPSC 4670

Topics
- What are injection attacks?
- How SQL Injection Works
- Exploiting SQL Injection Bugs
- Mitigating SQL Injection
- Other Injection Attacks

Injection

Injection attacks trick an application into including unintended commands in the data sent to an interpreter.

Interpreters: interpret strings as commands. Ex: SQL, shell (e.g., bash), LDAP, XPath.

Key idea: input data from the application is executed as code by the interpreter.

SQL Injection

1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.

[Diagram: the Attacker submits the login form (User / Pass: ' or 1=1--) to the Web Server; the Web Server, behind a Firewall, queries the DB Server.]

SQL Injection in PHP

    // Connect to the database (legacy mysql_* API, as used in the lecture).
    $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD)
        or die("Couldn't connect: " . mysql_error());
    mysql_select_db($DB_DATABASE);
    // Vulnerable: user-supplied $username and $password are concatenated
    // straight into the SQL text, so quotes in the input become SQL syntax.
    $query = "select count(*) from users where username = '$username' and password = '$password'";
    $result = mysql_query($query);

SQL Injection Attack #1

Unauthorized Access Attempt:

    password = ' or 1=1 --

SQL statement becomes:

    select count(*) from users where username = 'user' and password = '' or 1=1 --

Checks if password is empty OR 1=1, which is always true, permitting access.

SQL Injection Attack #2

Database Modification Attack:

    password = foo'; delete from table users where username like '%

DB executes two SQL statements:

    select count(*) from users where username = 'user' and password = 'foo'
    delete from table users where username like '%'

Principle of Least Privilege

Likely violated, as the web server user needs privileges to do all operations permitted on users, including deleting them.

Exploits of a Mom

[Slide shows the "Exploits of a Mom" comic.]

Finding SQL Injection Bugs

Submit a single quote as input.
- If an error results, app is vulnerable.
- If no error, check for any output changes.
Submit two single quotes.
- Databases use '' to represent literal '.
- If error .
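Added example, not code from the lecture: the string-built login query from the PHP slide next to a parameterized version of it, written in Python against an in-memory sqlite3 database so that Attack #1 and the single-quote probe from the last slide can be run side by side. The users table, its single row and the function names are assumptions made for this demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo: one user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('user', 'secret')")
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the lecture's PHP: the SQL text is built by concatenation,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    query = ("select count(*) from users where username = '%s' "
             "and password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0]


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the SQL text, so the
    # database never interprets the input as part of the statement.
    query = "select count(*) from users where username = ? and password = ?"
    return conn.execute(query, (username, password)).fetchone()[0]


def quote_probe(login, conn):
    # The lecture's detection heuristic: a lone quote breaks the syntax of a
    # vulnerable query, while two quotes ('' is SQL for a literal ') parse
    # fine. Returns (single_quote_errored, double_quote_errored).
    outcome = []
    for probe in ("'", "''"):
        try:
            login(conn, "user", probe)
            outcome.append(False)
        except sqlite3.OperationalError:
            outcome.append(True)
    return tuple(outcome)


if __name__ == "__main__":
    db = make_db()
    attack = "' or 1=1 --"  # Attack #1 from the lecture
    print("vulnerable count:", login_vulnerable(db, "user", attack))      # 1
    print("parameterized count:", login_parameterized(db, "user", attack))  # 0
    print("probe vulnerable:", quote_probe(login_vulnerable, db))       # (True, False)
    print("probe parameterized:", quote_probe(login_parameterized, db))  # (False, False)
```

Note that sqlite3's execute() refuses stacked statements, so Attack #2 from the lecture does not reproduce here; the point it illustrates (the web server account holding DELETE rights) is a privilege question rather than a parsing one.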