Breaking Databases via SQLi attacks
Azqa Nadeem, PhD Student @ Cyber Security Group
The Cyber Security lecture series
About Cyber Security lecture series
• A hot topic, a buzz term
• Introducing the Cyber Security lecture series
  – Cyber security topics in existing courses
  – First of the (hopefully) many to come
• Announcements
  – Assignment 3
  – Exam questions
  – Feedback form for the course
Why would anyone ever hack a database?
… In the news
https://www.forbes.com/sites/davidvolodzko/2018/12/04/marriott-breach-exposes-far-more-than-just-data/#1f0d3c276297
https://www.nbcnews.com/business/consumer/quora-hack-breach-crowdsourced-question-answer-site-exposes-100-million-n943496
https://steemit.com/bitcoin/@hacker0/how-i-hacked-hundreds-of-bitcoins-ama
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
What went wrong? SQL Injection attack!
SQL Injection
• SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server (also known as RDBMS).
• Look out if you have:
  – Web application
  – SQL-based database
  – User-controlled query parameter
https://www.acunetix.com/websitesecurity/sql-injection/
Next up…
• Quick recap of:
  – Web application infrastructure
  – Who is to blame?
  – What can attackers do?
• Injecting SQL queries ← Hands-on!
• What causes SQLi?
• Best practices to avoid SQLi
  – Input sanitization
  – Escaping input
  – Prepared statements
How does a typical web app work?
[Diagram: user's browser ↔ web application (webshop.abc.xy) ↔ SQL database; the web app builds queries from the request and sends them to the database]
What can attackers do?
• Data Manipulation Language (CRUD)
  – Create: INSERT INTO users (username, password) VALUES ('attacker', 'youvebeenhacked')
  – Read: SELECT * FROM users WHERE userType='admin'
  – Update: UPDATE users SET password='youvebeenhacked';
  – Delete: DELETE FROM users;
• And much, much more…
  – Root access, Denial of Service attack, etc.
Scenario…
[Diagram: webshop.abc.xy has a "Search for an item" form with a Keyword field; the keyword is sent to the SQL database and looked up in the Inventory table]

Inventory
itemName | itemPicture
Shirt    | X
Pen      | X
Car      | X

Searching for the keyword "car" returns the Car row.
Task 1: How to list all items?
Keyword entered: car' OR 1 #
The web app pastes the keyword into its query, so the WHERE clause becomes ... WHERE itemName='car' OR 1 #' and the rest of the original query is commented out. The condition is always true → Tautology: every row of Inventory (Shirt, Pen, Car) is returned.
The login scenario…
[Diagram: webshop.abc.xy "Log in Form" with Username and Password fields and a Go button; both values are sent to the SQL database]

Another Tautology-based SQLi
Username: Blah' OR 1#
Password: Blah
The username closes the string literal and appends OR 1, so the password check that follows is commented out and the WHERE condition is always true.
Running multiple queries
• Useful keywords:
  – JOIN (Append horizontally)
  – UNION (Append vertically)
[Illustration: two example tables combined by JOIN (columns side by side) and by UNION (rows of the second appended below the first)]
Task 2: How to dump user data?
Keyword entered: car' UNION SELECT password FROM users#

Inventory
itemName | itemPicture
Shirt    | X
Pen      | X
Car      | X

Users
username    | password
fluffyBunny | cArR0T
admin       | admin123

The UNION appends the password column of Users to the item results, so the search page displays cArR0T and admin123 alongside the item names.
Piggy-backed query https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom 64
Why is it happening?
• Mixing of code and data
  SELECT profile FROM users WHERE uname='Blah' AND pwd='Blah'
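An added worked example (not from the slides): the search scenario written twice, once with code and data mixed by string formatting and once as a prepared statement, against an in-memory SQLite copy of the Inventory table. Table and column values are constructed, and because SQLite has no `#` comment, the slides' tautology payload is written with SQLite's `--` end-of-line comment instead.

```python
import sqlite3

# Constructed in-memory copy of the slides' Inventory table (values assumed).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (itemName TEXT, itemPicture TEXT)")
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?)",
        [("Shirt", "shirt.png"), ("Pen", "pen.png"), ("Car", "car.png")],
    )
    conn.commit()
    return conn

def search_vulnerable(conn, keyword):
    # Code and data mixed: the keyword becomes part of the SQL text, so a
    # quote inside it ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT itemName FROM inventory WHERE itemName = '{keyword}'"
    return [row[0] for row in conn.execute(sql)]

def search_prepared(conn, keyword):
    # Prepared statement: the SQL text is fixed and the keyword is bound as
    # a value, so it is compared, never parsed.
    sql = "SELECT itemName FROM inventory WHERE itemName = ?"
    return [row[0] for row in conn.execute(sql, (keyword,))]

# The slides' payload ends in MySQL's '#' comment; SQLite's end-of-line
# comment is '--', so the same tautology input reads:
TAUTOLOGY = "Car' OR 1 --"

def demo():
    conn = make_db()
    return {
        "vulnerable_normal": search_vulnerable(conn, "Car"),        # ['Car']
        "vulnerable_tautology": search_vulnerable(conn, TAUTOLOGY),  # all rows
        "prepared_normal": search_prepared(conn, "Car"),            # ['Car']
        "prepared_tautology": search_prepared(conn, TAUTOLOGY),     # []
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the bound parameter the same input is simply a string that matches no item, which is the behaviour the "Prepared statements" best practice on the earlier slide relies on.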