Me (Satyaki De)
- 7+ years of experience
- Application Developer / Team Leader
- C, Pro*C
- Oracle 8i/9i/10g/11g
- Oracle Forms
- SAP Business Object
- Prelytis
- Unix/AIX Shell
- Training
- Community Contributor (OTN)
Agenda
Basic about SQL Injection
In 2008, this type of attack ranked second in prevalence (utilized in 16 breaches) and first in the amount of records compromised (79 percent of the aggregate 285 million).
Ref: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
It can be of two types:
1. User Supplied Column Comparison Value
2. User Supplied Table Name
set serveroutput on
create or replace procedure log_in(
    pv_mail      emp.email%type     default null,
    pv_last_name emp.last_name%type default null
) is
    buff   varchar2(1000);
    v_mail emp.email%type;
begin
    -- the caller's values are concatenated straight into the SQL text (the vulnerable pattern)
    buff := 'select email from emp where email = '''||pv_mail||
            ''' and last_name = '''||pv_last_name||'''';
    dbms_output.put_line('Statement Execute: '||buff);
    execute immediate buff into v_mail;
    dbms_output.put_line('Successful Login.....');
exception
    when others then
        raise_application_error(-20001, 'Failed Login.....');
end;
/
Presented By Satyaki De On April, 2011
exec log_in('satyaki.de@in.com','DE');
Statement Execute: select email from emp where email = 'satyaki.de@in.com' and last_name = 'DE'
Successful Login.....
PL/SQL procedure successfully completed.
N.B.: SQL Injection is successful; check the statement as interpreted by the Oracle compiler.
N.B.: SQL Injection is successful because the user's input trickily changed the WHERE clause.
set serveroutput on
create or replace procedure fetch_col_info(
    pv_col varchar2,
    pv_tab varchar2
) is
    type arr is varray(200) of varchar2(40);
    cell_val arr;
    buff     varchar2(1000);
begin
    -- column and table names come from the caller and are used unvalidated (the vulnerable pattern)
    buff := 'select '||pv_col||' from '||pv_tab;
    dbms_output.put_line('Executed SQL :: '||buff);
    execute immediate buff bulk collect into cell_val;
    for i in 1..cell_val.count loop
        dbms_output.put_line(cell_val(i));
    end loop;
end;
/
exec fetch_col_info('email','emp');
Executed SQL :: select email from emp
satyaki.de@in.com
arijit.bardhan@gmail.com
pranab.paul@aol.in
sagar.ghosh@yahoo.com
promit.chowdhury@rediffmail.com
banku.mondal@hotmail.com
PL/SQL procedure successfully completed.
exec fetch_col_info('email','hr_detail');
Executed SQL :: select email from hr_detail
BEGIN fetch_col_info('email','hr_detail'); END;

*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "SCOTT.FETCH_COL_INFO", line 11
ORA-06512: at line 1
exec fetch_col_info('email',' emp where 1=2 union all select username from all_users --');
Executed SQL :: select email from emp where 1=2 union all select username from all_users --
N.B.: SQL Injection is successful; check the statement as interpreted by the Oracle compiler.
The procedure splices the second argument straight into the FROM clause, so the statement that runs is really two queries joined together:
- select email from emp where 1=2 returns nothing to the final output, because the 1=2 condition always fails;
- union all select username from all_users is the second block supplied trickily by the user; UNION ALL appends its result, and this block returns sensitive information (the name of every database user).
N.B.: SQL Injection is successful because the user's input trickily changed the WHERE clause.
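The table and column names in fetch_col_info cannot be turned into bind variables, because identifiers are part of the SQL text rather than data, so the defensive fix is to validate them before the statement is built. The rewrite below is an added example, not code from the slides; it assumes the same EMP table, uses Oracle's DBMS_ASSERT package, and adds an application-level whitelist whose table names (EMP, DEPT) are an assumption.

```plsql
set serveroutput on
create or replace procedure fetch_col_info_safe(
    pv_col varchar2,
    pv_tab varchar2
) is
    type arr is table of varchar2(4000);
    cell_val arr;
    v_col    varchar2(130);
    v_tab    varchar2(130);
    buff     varchar2(1000);
begin
    -- Identifiers cannot be bound, so validate them instead.
    -- SIMPLE_SQL_NAME raises ORA-44003 unless the value is a single plain
    -- (or double-quoted) identifier; a value that carries a WHERE clause,
    -- a UNION or a comment marker is rejected before any SQL text exists.
    v_col := trim(dbms_assert.simple_sql_name(pv_col));
    v_tab := trim(dbms_assert.simple_sql_name(pv_tab));

    -- Application whitelist (assumed list): only the tables this procedure
    -- is meant to expose, compared after normalising case.
    if upper(v_tab) not in ('EMP', 'DEPT') then
        raise_application_error(-20002, 'Table not permitted: '||v_tab);
    end if;

    -- ENQUOTE_NAME wraps the name in double quotes (upper-casing an
    -- unquoted name), so the parser sees exactly one identifier.
    buff := 'select '||dbms_assert.enquote_name(v_col)||
            ' from '||dbms_assert.enquote_name(v_tab);
    dbms_output.put_line('Executed SQL :: '||buff);

    execute immediate buff bulk collect into cell_val;
    for i in 1..cell_val.count loop
        dbms_output.put_line(cell_val(i));
    end loop;
end;
/
-- The normal call from the slide still works:
exec fetch_col_info_safe('email','emp');
-- The injected table argument from the slide now stops with ORA-44003
-- instead of running a UNION against ALL_USERS:
exec fetch_col_info_safe('email',' emp where 1=2 union all select username from all_users --');
```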
It can be of three types:
1. First Order Attack
2. Second Order Attack
3. Lateral Injection
First Order Attack
The attacker simply enters a malicious string that acts as a modified condition when interpreted by the Oracle compiler; hence sensitive information is passed to unauthorized users. Common forms:
- UNIONs added to an existing statement to execute the injected statement.
- A sub-query added to an existing statement.
- Short-circuiting the condition with an OR clause to bring back sensitive data.
- If the user XXX does not exist, the sal of ARIJIT can still be retrieved by the attacker.
Second Order Attack
The attacker can create a malicious database API, such as a function or procedure, that contains SQL Injection code like 1=1 -- and exploit DB security later.
Lateral Injection
It can be of four types:
1. Use Of Proper Invoker's Rights
2. Strengthen DB Security
3. Avoid Using Dynamic SQL
4. Use Of Bind Variables
Procedure created.
SQL> grant execute on alter_passwd to public;
Grant succeeded.
SQL> conn scott
Enter password: ******
Connected.
SQL> set serveroutput on
SQL> exec sys.alter_passwd('sys','oracle');
PL/SQL procedure successfully completed.
SQL>
N.B.: SQL Injection is successful, as SCOTT succeeds in changing SYS's password. The alter_passwd procedure is owned by SYS and by default executes with SYS's privileges (definer's rights).
SQL> set serveroutput on
SQL> create or replace procedure alter_passwd(
         pv_usernm varchar2 default null,
         pv_pwd    varchar2 default null
     ) authid current_user is
         v_sql varchar2(1000);
     begin
         -- authid current_user: the statement runs with the caller's privileges, not the owner's
         v_sql := 'alter user '||pv_usernm||' identified by '||pv_pwd;
         execute immediate v_sql;
     end;
     /
Procedure created.
SQL> conn scott
Enter password: ******
Connected.
SQL> set serveroutput on
SQL> exec sys.alter_passwd('sys','oracle');
BEGIN sys.alter_passwd('sys','oracle'); END;

*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.ALTER_PASSWD", line 10
ORA-06512: at line 1
N.B.: SQL Injection is unsuccessful, as SCOTT is now unable to alter the password of SYS from its own account.
SQL> set serveroutput on
SQL> exec sys.alter_passwd('scott','oracle');
PL/SQL procedure successfully completed.
SQL> exec sys.alter_passwd('scott','oracle quota unlimited on users');
BEGIN sys.alter_passwd('scott','oracle quota unlimited on users'); END;

*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.ALTER_PASSWD", line 10
ORA-06512: at line 1
N.B.: SQL Injection is unsuccessful due to proper invoker's rights, but SCOTT can still alter its own password.
Strengthen DB Security
Security Guidelines
- Encrypt sensitive data so that it cannot be viewed in the clear.
- Evaluate all PUBLIC privileges and revoke them where possible.
- Do not widely grant EXECUTE ANY PROCEDURE.
- Avoid granting privileges WITH ADMIN OPTION.
- Ensure that application users are granted minimum privileges by default; make privileges configurable if necessary.
- Carefully monitor Oracle directory objects.
- Run the database listener as a non-privileged user.
- Ensure that password management is active.
- Lock and expire the default user accounts and change the default user passwords.
- Do not allow wide access to any standard Oracle packages that can operate on the OS: UTL_HTTP, UTL_SMTP, UTL_TCP, DBMS_PIPE, UTL_MAIL and UTL_FTP.
Use Of Static SQL
There are two common situations where developers reach for dynamic SQL although static SQL serves the purpose and is more secure:
1. Handling a variable number of input arguments in the query condition.
2. Handling the LIKE comparison operator in the query condition.
select deptno, loc from dept where loc in ('DALLAS','CHICAGO','NEW YORK');

DEPTNO LOC
------ -----------
    10 DALLAS
    20 CHICAGO
    30 NEW YORK
N.B.: Here a different set of arguments has to be passed to the SQL on each call. Application programmers therefore tend to build a more generic, dynamic PL/SQL solution.
/
Enter value for p_str: DALLAS, CHICAGO, NEW YORK

DEPTNO LOC
------ -----------
    10 DALLAS
    20 CHICAGO
    30 NEW YORK
N.B.: As you can see, there is no need to write a generic or dynamic PL/SQL solution that may be subject to SQL Injection later.
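One static-SQL way to handle a variable number of IN-list values without building the statement at run time, as an added example and not the slide's own p_str solution: the values travel in a schema-level collection, so each one is compared as a value and is never part of the SQL text. STR_LIST and dept_by_loc are assumed names; DEPT is the standard SCOTT table used on the slide.

```plsql
set serveroutput on
-- Schema-level collection type (assumed name) so that SQL can read it.
create or replace type str_list as table of varchar2(30);
/
create or replace procedure dept_by_loc(pv_locs in str_list) is
begin
    -- Static SQL: the IN-list is a table expression over the collection.
    -- An element that contains quotes, keywords or a comment marker is
    -- still just one string; it is compared to LOC and matches nothing.
    for r in (select deptno, loc
                from dept
               where loc in (select column_value from table(pv_locs)))
    loop
        dbms_output.put_line(r.deptno||' '||r.loc);
    end loop;
end;
/
-- Any number of arguments, and no dynamic SQL anywhere:
exec dept_by_loc(str_list('DALLAS','CHICAGO','NEW YORK'));
exec dept_by_loc(str_list('DALLAS'));
```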
2) v_match_str := '%'||pv_ename||'%';
   select empno, ename from emp where ename like v_match_str;
N.B.: Step 1) This piece of code is subject to SQL Injection. Step 2) Immune to SQL Injection.
Bind Variable
1) v_sql := 'select empno, ename from emp where ename = '''||pv_ename||'''';
2) v_sql := 'select empno, ename from emp where ename = :1';
   execute immediate v_sql using pv_ename;
The USING clause securely receives the input data from the user as bind values: the statement text is parsed with the :1 placeholder in place, and the user's value is supplied afterwards as data, so it is never interpreted as part of the SQL.
N.B.: Step 1) This piece of code is subject to SQL Injection. Step 2) Immune to SQL Injection.
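The same fix applied to the log_in procedure from the start of the talk, as an added rewrite rather than the slide's own code: both user values go through the USING clause, and a second version drops EXECUTE IMMEDIATE altogether in favour of static SQL. It assumes the same EMP table; log_in_safe and log_in_static are assumed names.

```plsql
set serveroutput on
create or replace procedure log_in_safe(
    pv_mail      emp.email%type     default null,
    pv_last_name emp.last_name%type default null
) is
    buff   varchar2(1000);
    v_mail emp.email%type;
begin
    -- The SQL text is a fixed string; :1 and :2 are placeholders.
    -- Whatever the caller passes reaches the parser as a value only,
    -- so it can never alter the WHERE clause.
    buff := 'select email from emp where email = :1 and last_name = :2';
    dbms_output.put_line('Statement Execute: '||buff);
    execute immediate buff into v_mail using pv_mail, pv_last_name;
    dbms_output.put_line('Successful Login.....');
exception
    when no_data_found then
        -- catch only the expected failure; WHEN OTHERS would also hide
        -- TOO_MANY_ROWS and real errors that deserve investigation
        raise_application_error(-20001, 'Failed Login.....');
end;
/
-- Equivalent static SQL: no dynamic statement exists to inject into.
create or replace procedure log_in_static(
    pv_mail      emp.email%type     default null,
    pv_last_name emp.last_name%type default null
) is
    v_mail emp.email%type;
begin
    select email
      into v_mail
      from emp
     where email = pv_mail
       and last_name = pv_last_name;
    dbms_output.put_line('Successful Login.....');
exception
    when no_data_found then
        raise_application_error(-20001, 'Failed Login.....');
end;
/
exec log_in_safe('satyaki.de@in.com','DE');
exec log_in_static('satyaki.de@in.com','DE');
```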
Summary
- Basic about SQL Injection
- Types Of SQL Injection
- Use Of Dynamic PL/SQL is prone to SQL Injection
- Use Of Static SQL is less prone
- Use Of Bind Variables is a good option
- Proper privileges of the DB should always be kept under close watch
- Thank You -