Advanced SQL Injection, Lecture notes of Logic


Typology: Lecture notes

2021/2022

Uploaded on 09/07/2022

nabeel_kk

Red-Database-Security GmbH
SQL Injection
Bochum
Alexander Kornbrust
10-Nov-2009


Table of Contents

  • Introduction
  • Architecture
  • Typical Attackers
  • Tools
  • SQL Basics
  • SQL Injection Basics

The ivory tower solution

Classic solution:

  • Clients accessing a database via application server
  • No direct access to the database
  • Security and business rules are enforced in the application server

[Diagram: application server labelled "Security and Business Rules"]

The ivory tower solution in the real world

Final solution

  • Complex architecture
  • All types of clients are accessing the database
  • Security and business rules only enforced in the first application server

[Diagram callouts: "S&B rules", "We need a reporting solution", "Some people must connect with TOAD", "New project", "You have nice data, we will use it", "We just do a database link", "Another project", "Yet another project"]

Introduction – Simplified Company Environment

[Diagram: databases Prod, Dev, Staging, Cloned DB and Backup; actors Enduser, Developer, DBA and Attackers]

Classification Attackers – Curious DBA or Employee

Type: Curious DBA or employee
Scenario: Interested in private/sensitive information.
Samples:

  • Looking up the salary of colleagues, private numbers, emails, account status of politicians, …
  • Supporting private investigators (PI)

Known incidents: Miles & More (Employee was looking up what politicians
Identification: Mostly select statements; few/no traces without audit; difficult to spot

Classification Attackers – DBA covering its own fault

Type: DBA covering its own fault
Scenario: Try to remove evidence about a (serious) fault. Probably it's not a good approach to ask the DBA to do the forensics.
Samples:

  • Deleted the wrong user, killed the wrong database session, changed the wrong password, …

Identification: Easier because the timeframe is defined; backups / archive logs disappear; modification of the audit table, …

Classification Attackers – Leaving Employees

Type: Leaving employees
Scenario: Get as much data/information for the new job as possible. Most common attack.
Samples:

  • Export the production database
  • Get customer reports, pricelists, …

Identification: Longer timeframe (1-3 months before they left the company); no/little experience in removing traces

Classification Attackers – External Hacker

Type: External hacker
Scenario: Steal interesting stuff.
Samples:

  • Steal data for a competitor
  • Steal credit card information
  • Steal source code
  • Break in just for fun

Known incidents:

  • TJX, Cardsystems, Cisco source code, …

Identification: Many traces on the way into the system; attackers are often lazy
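The identification hints on the three insider slides above (many select statements on sensitive data, tampering with the audit table in a known timeframe, exports spread over weeks) can be turned into simple audit-trail rules. This is an added example, not from the slides: it assumes audit records are available as (timestamp, user, action, object) tuples, the sample records and the sensitive-object list are constructed, and EXPORT is a constructed action label rather than an Oracle audit action name.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: (timestamp, db_user, action, object).
SAMPLE_AUDIT = [
    ("2009-11-02 09:12:00", "DBA1", "SELECT", "HR.SALARIES"),
    ("2009-11-02 09:13:00", "DBA1", "SELECT", "HR.EMPLOYEES"),
    ("2009-11-02 09:15:00", "DBA1", "SELECT", "HR.SALARIES"),
    ("2009-11-03 22:40:00", "DBA2", "DELETE", "SYS.AUD$"),
    ("2009-11-03 22:41:00", "DBA2", "DROP USER", "APPUSER"),
    ("2009-10-01 18:00:00", "JSMITH", "EXPORT", "SALES.CUSTOMERS"),
    ("2009-10-20 18:05:00", "JSMITH", "EXPORT", "SALES.PRICELIST"),
    ("2009-11-05 18:10:00", "JSMITH", "EXPORT", "SALES.ORDERS"),
    ("2009-11-04 10:00:00", "APPUSER", "SELECT", "SALES.ORDERS"),
]

SENSITIVE_OBJECTS = {"HR.SALARIES", "HR.EMPLOYEES"}  # assumption: site-specific list
AUDIT_OBJECTS = {"SYS.AUD$"}                          # Oracle's classic audit trail table
AUDIT_TAMPER_ACTIONS = {"DELETE", "UPDATE", "TRUNCATE"}
EXPORT_ACTIONS = {"EXPORT"}                           # constructed label for bulk exports


def classify_users(records, select_threshold=3, export_span_days=14):
    """Map each user to the insider profiles from the slides that their audit events match.

    Only users with at least one matching profile appear in the result. The rules
    need an audit trail to exist at all; the slides note that without audit there
    are few or no traces of the 'curious DBA' case.
    """
    by_user = defaultdict(list)
    for ts, user, action, obj in records:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, obj))

    flags = defaultdict(set)
    for user, events in by_user.items():
        # Curious DBA/employee: repeated SELECTs against sensitive objects.
        sensitive_selects = sum(1 for _, a, o in events if a == "SELECT" and o in SENSITIVE_OBJECTS)
        if sensitive_selects >= select_threshold:
            flags[user].add("curious_dba")
        # DBA covering a fault: modification or deletion of audit records.
        if any(a in AUDIT_TAMPER_ACTIONS and o in AUDIT_OBJECTS for _, a, o in events):
            flags[user].add("covering_fault")
        # Leaving employee: exports spread over a longer timeframe.
        export_times = sorted(t for t, a, _ in events if a in EXPORT_ACTIONS)
        if len(export_times) >= 2 and (export_times[-1] - export_times[0]).days >= export_span_days:
            flags[user].add("leaving_employee")
    return dict(flags)
```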

10 years of SQL Injection…

Introduction

SQL Injection is still the biggest security problem in web applications. This year we can celebrate the 10th anniversary of SQL Injection. Even though the problem has been known for 10 years, the knowledge, especially for exploiting Oracle databases, is poor. Most examples and tutorials are only for MySQL and SQL Server. Detailed explanations for SQL Injection in web apps with Oracle databases are rare and often buggy. That's why SQL Injection in Oracle is often not exploited… The following presentation shows everything from simple statements to complex queries…

Tools to find SQL Injection

  • Netsparker (Web)
  • Matrixay (Web)
  • HP Webinspect (Web)
  • IBM Rational AppScan (Web)
  • Pangolin (Web)
  • SQLMap (Web)
  • Fuzzer (PL/SQL)
  • Source code scanner Repscan (PL/SQL)
  • Source code scanner Fortify (PL/SQL)

Many custom tools are used by hacker groups / security consultants.

Tools / Google

[...]

Search for Oracle Error Message ORA-01756 and PHP