3. [Persian slide text lost in extraction]
4. [Persian slide text lost in extraction]
5. [Persian title lost in extraction]
Tautologies
Illegal/Logically Incorrect Queries
Union Query
Piggy-Backed Queries
Stored Procedures
Inference
Alternate Encodings
6. Tautologies attack
[Persian description lost in extraction]
Example: injecting ' or 1=1 -- into the login field produces the query:
SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass='' AND pin=
8. Illegal/Logically Incorrect Queries attack
[Persian description lost in extraction]
Example: injecting convert(int,(select top 1 name from sysobjects where xtype='u')) into the pin field:
SELECT accounts FROM users WHERE login='' AND pass='' AND pin=convert(int,(select top 1 name from sysobjects where xtype='u'))
The SQL error returned:
"Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int."
10. Union Query attack
[Persian description lost in extraction]
Example: injecting the following into the login field:
' UNION SELECT cardNo from CreditCards where acctNo=10032 --
SELECT accounts FROM users WHERE login='' UNION SELECT cardNo from CreditCards where acctNo=10032 -- AND pass='' AND pin=
12. Piggy-Backed Queries attack
[Persian description lost in extraction]
Example: injecting the following into the pass field:
'; drop table users --
SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123
14. Stored Procedures attack
[Persian description lost in extraction]
Example: the stored procedure (the EXEC builds its SQL by string concatenation, so the parameters are injectable):
CREATE PROCEDURE DBO.isAuthenticated
@userName varchar2, @pass varchar2, @pin int
AS
EXEC("SELECT accounts FROM users WHERE login='" +@userName+ "' and pass='" +@pass+ "' and pin=" +@pin);
GO
Injecting ' ; SHUTDOWN; -- into the pass field:
SELECT accounts FROM users WHERE login='doe' AND pass=' '; SHUTDOWN; -- AND pin=
16. Inference attack
[Persian description lost in extraction]
Blind Injection:
Example: injecting legalUser' and 1=0 -- and then legalUser' and 1=1 -- into the login field:
SELECT accounts FROM users WHERE login='legalUser' and 1=0 -- ' AND pass='' AND pin=0
SELECT accounts FROM users WHERE login='legalUser' and 1=1 -- ' AND pass='' AND pin=0
[Persian explanation of the two responses lost in extraction]
19. Alternate Encodings attack
[Persian description lost in extraction]
Example: injecting legalUser'; exec(char(0x73687574646f776e)) -- into the login field:
SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass='' AND pin=
20. [Persian title lost in extraction]
Prepared statement
Stored Procedure
Escaping All User Supplied Input
Least Privilege
White List Input Validation
21. Prepared statement
[Persian explanation lost in extraction]
Available as: PreparedStatement (Java EE); SqlCommand or OleDbCommand (.NET); PDO (PHP); CreateQuery (Hibernate); and others.
Example: using PreparedStatement in Java:
String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( );
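The attack classes on the earlier slides and the prepared-statement defence on this one can be exercised side by side. The following Python script is an added example, not code from the slides or from the cited papers. It builds a constructed in-memory SQLite database with the users and CreditCards tables the slides name, runs the slides' tautology and union payloads against a string-concatenated query and against a parameterized one, and shows that only the concatenated query is affected. Table contents and the helper names (build_db, lookup_concatenated, lookup_parameterized, compare) are assumptions made for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the tables named on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        INSERT INTO users VALUES ('doe', 's3cret', 123, 'ACCT-DOE');
        INSERT INTO users VALUES ('ann', 'hunter2', 456, 'ACCT-ANN');
        CREATE TABLE CreditCards (acctNo INTEGER, cardNo TEXT);
        INSERT INTO CreditCards VALUES (10032, '4111-0000-0000-0001');
    """)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, login: str, pw: str, pin: str) -> list:
    """Vulnerable pattern from the slides: request values are spliced into the
    SQL text, so a quote or comment marker inside them becomes SQL syntax."""
    sql = (f"SELECT accounts FROM users WHERE login='{login}' "
           f"AND pass='{pw}' AND pin={pin}")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, login: str, pw: str, pin: str) -> list:
    """Prepared-statement pattern: the SQL text is fixed when the code is written
    and each request value is bound as a parameter, so it is only ever compared as data."""
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return [row[0] for row in conn.execute(sql, (login, pw, pin))]


# Payloads taken from the slides (tautology, union query). pass and pin are left
# empty because the trailing -- comments the rest of the concatenated query away.
TAUTOLOGY = "' or 1=1 --"
UNION = "' UNION SELECT cardNo from CreditCards where acctNo=10032 --"


def compare(conn: sqlite3.Connection) -> dict:
    """Run each payload through both query builders and collect what comes back."""
    out = {}
    for name, payload in (("tautology", TAUTOLOGY), ("union", UNION)):
        out[name] = {
            "concatenated": sorted(lookup_concatenated(conn, payload, "", "")),
            "parameterized": sorted(lookup_parameterized(conn, payload, "", "")),
        }
    return out


if __name__ == "__main__":
    db = build_db()
    print("legitimate login:", lookup_parameterized(db, "doe", "s3cret", "123"))
    for name, result in compare(db).items():
        print(name, result)
```

With the concatenated builder the tautology returns every account and the union payload returns the card number from CreditCards; with the parameterized builder both payloads are compared literally against the login column and match nothing.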
22. Stored procedure
[Persian explanation lost in extraction]
Example: calling a stored procedure from Java:
String custname = request.getParameter("customerName");
CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
cs.setString(1, custname);
ResultSet results = cs.executeQuery();
23. Escaping User Input
[Persian explanation lost in extraction; the slide notes that escaping is blacklist-based and that the escaping rules differ between Oracle, MySQL and SQL Server]
Example: using mysql_real_escape_string() in PHP:
$query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
mysql_real_escape_string($Username), mysql_real_escape_string($Password));
mysql_query($query);
24. Least privilege
[Persian explanation lost in extraction; the slide's points mention read-only privileges, views, stored procedures, not running the DBMS as root or system, and MySQL on Windows running as system]
25. White List Input Validation
[Persian explanation lost in extraction; the slide's points mention regular expressions, structured fields such as email and zipcode, free text, and non-printable characters]
ESAPI validators:
getValidDate()
getValidCreditCard()
getValidSafeHTML()
getValidInput()
getValidNumber()
getValidFileName()
getValidRedirectLocation()
26. White List Input Validation (continued)
27. SQLIA detection tools
WAVES:
[Persian description lost in extraction]
DBC-Checker:
[Persian description lost in extraction]
WebSSARI:
[Persian description lost in extraction; mentions PHP and a runtime guard]
28. SQLIA detection tools (continued)
Java Static Tainting:
[Persian description lost in extraction; mentions taint tracking from sources to the query]
SecuriFly:
[Persian description lost in extraction; mentions PQL and taint]
SQL DOM:
[Persian description lost in extraction; mentions building queries through an API with type checking]
29. Comparison of detection tools [Persian slide content lost in extraction]
30. SQLIA prevention tools
SQL Guard:
[Persian description lost in extraction]
SQL Check:
[Persian description lost in extraction]
Proxy filtering:
[Persian description lost in extraction; mentions a policy language (SPDL)]
SQLrand:
[Persian description lost in extraction; mentions randomizing SQL keywords and a proxy filter]
SAFELI:
[Persian description lost in extraction]
31. SQLIA prevention tools (continued)
Java Dynamic Tainting:
[Persian description lost in extraction; the points mention marking tainted data, propagating a taint flag, and untainting after validation]
SWaddler:
[Persian description lost in extraction]
Tautology Checker:
[Persian description lost in extraction]
AMNESIA:
[Persian description lost in extraction; mentions a static phase and a dynamic phase over the application's queries]
CANDID:
[Persian description lost in extraction; mentions dynamic candidate evaluation of queries]
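The dynamic tainting idea on this slide (mark data from the request as tainted, carry the flag through string operations, clear it only after validation, and refuse to let tainted text reach the database) can be shown with a small model. The following Python script is an added example, not the Java Dynamic Tainting implementation from the cited paper and not code from the slides: TStr, from_request, untaint, execute, demo_db and list_accounts are names assumed for the example, and the sample table is constructed.

```python
import re
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class TStr:
    """A string carrying a taint flag. Concatenation propagates the flag;
    only untaint() may clear it."""
    text: str
    tainted: bool = False

    def __add__(self, other):
        other = other if isinstance(other, TStr) else TStr(other)
        return TStr(self.text + other.text, self.tainted or other.tainted)

    def __radd__(self, other):
        return TStr(other) + self


class TaintViolation(Exception):
    pass


def from_request(value: str) -> TStr:
    """Source: everything read from the request starts out tainted."""
    return TStr(value, tainted=True)


def untaint(value: TStr, allow: str) -> TStr:
    """Clear the flag only after the value fully matches an allow-list pattern."""
    if re.fullmatch(allow, value.text) is None:
        raise ValueError(f"value {value.text!r} not in allow-list {allow!r}")
    return TStr(value.text, tainted=False)


def execute(conn: sqlite3.Connection, sql: TStr, params=()) -> list:
    """Sink: refuse SQL text that still carries taint. Bound parameters are data,
    not SQL text, so they may stay tainted."""
    if sql.tainted:
        raise TaintViolation(f"tainted SQL reached the database: {sql.text!r}")
    return conn.execute(sql.text, params).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed sample table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (login TEXT, accounts TEXT);
        INSERT INTO users VALUES ('doe', 'ACCT-DOE'), ('ann', 'ACCT-ANN');
    """)
    return conn


def list_accounts(conn: sqlite3.Connection, sort_column: str, login: str) -> list:
    """A request-controlled column name may enter the SQL text only after
    untainting against an allow-list; the login value travels as a parameter."""
    column = untaint(from_request(sort_column), r"login|accounts")
    sql = TStr("SELECT login, accounts FROM users WHERE login=? ORDER BY ") + column
    return execute(conn, sql, (login,))


if __name__ == "__main__":
    db = demo_db()
    print(list_accounts(db, "accounts", "doe"))
    bad = TStr("SELECT accounts FROM users WHERE login='") + from_request("' or 1=1 --") + "'"
    try:
        execute(db, bad)
    except TaintViolation as exc:
        print("blocked:", exc)
```

The check lives at the sink, so it catches any path on which request data is concatenated into SQL, whichever layer did the concatenation; the cost is that every string operation in the application has to go through the taint-aware type, which is why the cited tools instrument the runtime rather than rely on a wrapper class.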
32. [Persian slide text lost in extraction]
33. [Persian slide text lost in extraction; mentions stored procedures and the tautology attack]
34. SQLIA in different databases
Oracle SQL injection in webapps
SQL injection in PostgreSQL
SQL Injection in SQL Server
SQL injection in DB2
SQL injection in MySQL
35. SQL injection in PostgreSQL: sleep function [slide content lost in extraction]
36. Exploiting Blind SQL Injection in PostgreSQL [slide content lost in extraction]
38. SQL Injection in SQL Server
[Persian description lost in extraction; the slide discusses OPENROWSET, which uses ODBC to reach other data sources such as Excel and local MS Access databases]
Timing attack: waitfor delay '0:0:5'
Solution:
Use a parameterised API
Apply the registry patch that disables 'ad-hoc' access through OPENROWSET
[remaining points lost in extraction]
39. SQL injection in DB2
[Persian description lost in extraction; relies on the database's detailed error messages]
Username = ' or 1=1-- returns: Welcome Bob
Username = ' group by 1--
An expression starting with "NAME" specified in a SELECT clause <snip>
Username = ' group by name--
An expression starting with "SOCIAL_SECURITY_NO" specified in a SELECT clause <snip>
[Persian text lost in extraction; mentions brute force]
Username = ' or ' ' or ; 9,9,9
An unexpected token "from applogin where name = '' OR" was found <snip>
[Persian text lost in extraction]
Username = ' union all select concat(name,password) as name ,'a','a','a' from applogin where name > 'c';
Returns: Welcome joeqwerty
40. MySQL: MySQL.com Victim of SQL Injection Attack
[Persian description lost in extraction; mentions a URL id parameter and the Customer View page]
41. [slide content lost in extraction]
42. Solution:
Use Mysql_escape_string on values placed in the SQL query
Use bind variables and parameterized SQL statements instead of string concatenation
[remaining points lost in extraction]
43. References
William G.J. Halfond, Jeremy Viegas, and Alessandro Orso, "A Classification of SQL Injection Attacks and Countermeasures", College of Computing, Georgia Institute of Technology, IEEE, 2006, pages 1-11.
S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing SQL Injection Attacks", Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, pages 292-302, June 2004.
Atefeh Tajpour, Maslin Massrum, Mohammad Zaman Heydari, "Comparison of SQL Injection Detection and Prevention Techniques", 2nd International Conference on Education Technology and Computer (ICETC), 2010, pages 1-6.
Prithvi Bisht, P. Madhusudan, "CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks", Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM, USA, 2007, pages 3-4.
V. Haldar, D. Chandra, and M. Franz, "Dynamic Taint Propagation for Java", Proceedings of the 21st Annual Computer Security Applications Conference, December 2005.
M. Martin, B. Livshits, and M. S. Lam, "Finding Application Errors and Security Flaws Using PQL: A Program Query Language", Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2005).
Y. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee, and S. Y. Kuo, "Securing Web Application Code by Static Analysis and Runtime Protection", Proceedings of the 12th International World Wide Web Conference (WWW 04), May 2004.
Marco Cova, Davide Balzarotti, "Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications", Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), Queensland, Australia, September 5-7, 2007.
"SQL Injection in Oracle Forms V1.01", Red-Database-Security GmbH, 2005.
Cyrus Peikari, Seth Fogie, "Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques", AirScanner, 2003.
Chris Anley, "Advanced SQL Injection", NGSSoftware Insight Security Research (NISR), 2002.
Atefeh Tajpour, Maslin Massrum, Mohammad Zaman Heydari, Suhaimi Ibrahim, "SQL Injection Detection and Prevention Tools Assessment", IEEE, 2010, pages 1-5.
J. Pullicino, "MySQL.com Victim of SQL Injection Attack", April 2011.
L. Juranic, "Advanced PostgreSQL SQL Injection and Filter Bypass Techniques", INFIGO-TD, 2009.
S. Kost, "An Introduction to SQL Injection Attacks for Oracle Developers", March 2009.
"How to mine data from a DB2 database with SQL injection", archives.neohapsis.com.