docs: update SQLi lesson text (#928)
- corrected typos/grammar issues
- restructured sentences for clarity
parent
b20f6492a3
commit
2e581d6bdb
@ -2,9 +2,9 @@
SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.

A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information.
A database is a collection of data. The data is organized into rows, columns and tables, and indexed to make finding relevant information more efficient.

Example SQL table with employees, the name of the table is 'employees':
Example SQL table containing employee data; the name of the table is 'employees':

Employees Table
|===
@ -18,20 +18,20 @@ Employees Table
|===

A company saves the following information of an employee in their databases:
a unique employee number, the lastnname, the firstname, the department of the employee, the salary and an auth_tan.
A company saves the following employee information in their databases:
a unique employee number ('userid'), last name, first name, department, salary and a transaction authentication number ('auth_tan'). Each of these pieces of information is stored in a separate column and each row represents one employee of the company.

One row represents one employee of the company.
SQL queries can be used to modify a database table and its index structures and add, update and delete rows of data.

By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.
There are three main categories of SQL commands:

There are three types of SQL commands in the SQL database language:
Each type of command carries the danger of violating different protection goals if an intruder attacks your database system.
* Data Manipulation Language (DML)
* Data Definition Language (DDL)
* Data Control Language (DCL)

The 3 main protection goals in information security are confidentiality, integrity, and availability are considered the three most crucial components of information security.
Go ahead to the next pages to get some details on the different types of commands and protections goals.
Each of these command types can be used by attackers to compromise the confidentiality, integrity, and/or availability of a system. Proceed with the lesson to learn more about the SQL command types and how they relate to protections goals.

If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.
If you are still struggling with SQL and need more information or practice, you can visit http://www.sqlcourse.com/ for free and interactive online training.

=== It is your turn!
Look at the example table.
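Review bot: "protections goals" in the new closing paragraph ("how they relate to protections goals") is a typo for "protection goals"; the earlier sentence in this same hunk ("violating different protection goals") uses the correct form, so the two should match.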
@ -1,10 +1,10 @@
== Compromising Availability
After successfully compromising confidentiality and integrity in the previous lessons, we now are going to compromise the third element of the CIA triad: *availability*.
After successfully compromising confidentiality and integrity in the previous lessons, we are now going to compromise the third element of the CIA triad: *availability*.

There are many different ways to violate availability.
If an account is deleted or the password gets changed, the actual owner cannot access it anymore.
Attackers could also try to delete parts of the database making it useless or even dropping the whole database.
Another way to compromise availability would be to per example revoke access-rights from admins or any other users, so that nobody gets access to (specific parts of) the database.
If an account is deleted or its password gets changed, the actual owner cannot access this account anymore.
Attackers could also try to delete parts of the database, or even drop the whole database, in order to make the data inaccessible.
Revoking the access rights of admins or other users is yet another way to compromise availability; this would prevent these users from accessing either specific parts of the database or even the entire database as a whdle.

=== It is your turn!
Now you are the top earner in your company.
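Review bot: "as a whdle" at the end of the new sentence on revoking access rights is a typo for "as a whole"; since this commit exists to fix typos, it should be corrected before merge.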
@ -1,9 +1,9 @@
== Try It! String SQL injection

The query in the code builds a dynamic query as seen in the previous example. The query is build by concatenating strings making it susceptible to String SQL injection:
The query in the code builds a dynamic query as seen in the previous example. The query is built by concatenating strings making it susceptible to String SQL injection:

------------------------------------------------------------
"SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '" + lastName + "'";
------------------------------------------------------------

Using the form below try to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.
Try using the form below to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.
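Review bot: the rewritten exercise sentence still says "retrieve all the users from the users table", but the query shown directly above it selects from `user_data` (`SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '" + lastName + "'`). Name the table consistently, for example "from the `user_data` table", so learners are not looking for a table that does not appear in the query.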
@ -1,21 +1,21 @@
=== Data Manipulation Language (DML)

As the name says data manipulation language deals with the manipulation of data and includes the most common SQL statements such as SELECT, INSERT, UPDATE, DELETE, etc., and it is used for requesting a result set of records from database tables (select), adding (insert), deleting and modifying (update) data in a database.
As implied by the name, data manipulation language deals with the manipulation of data. Many of the most common SQL statements, including SELECT, INSERT, UPDATE, and DELETE, may be categorized as DML statements. DML statements may be used for requesting records (SELECT), adding records (INSERT), deleting records (DELETE), and modifying existing records (UPDATE).

If an attacker uses SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so).
If an attacker succeeds in "injecting" DML statements into a SQL database, he can violate the confidentiality (using SELECT statements), integrity (using UPDATE statements), and availability (using DELETE or UPDATE statements) of a system.


* DML commands are used for storing, retrieving, modifying, and deleting data.
* SELECT - retrieve data from a database
* INSERT - insert data into a table
* UPDATE - updates existing data within a table
* DELETE - Delete all records from a database table
* INSERT - insert data into a database
* UPDATE - updates existing data within a database
* DELETE - delete records from a database
* Example:
** Retrieve data:
** SELECT phone +
FROM employees +
WHERE userid = 96134;
** This statement delivers the phone number of the employee with the userid 96134.
** This statement retrieves the phone number of the employee who has the userid 96134.

=== It is your turn!
Try to change the department of Tobi Barnett to 'Sales'.
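Review bot: the DML example `SELECT phone FROM employees WHERE userid = 96134;` reads a `phone` column, but the employees table described on the introduction page has only userid, last name, first name, department, salary and auth_tan; `phone` is only added in the DDL exercise later in this same commit ("adding the column "phone" (varchar(20)) to the table "employees""). Either select an existing column such as `salary` here or say that `phone` is added later. Smaller point: rewording "insert data into a table" / "updates existing data within a table" to "into a database" / "within a database" loses precision, since INSERT, UPDATE and DELETE operate on tables; the original "table" wording was better.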
@ -1,12 +1,12 @@
=== Data Definition Language (DDL)

Data definition language includes commands for defining data structures, especially database schemas which tell how the data should reside in the database.
Data definition language includes commands for defining data structures. DDL commands are commonly used to define a database's schema. The schema refers to the overall structure or organization of the database and. in SQL databases, includes objects such as tables, indexes, views, relationships, triggers, and more.

If an attacker uses SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.)
If an attacker successfully "injects" DDL type SQL commands into a database, he can violate the integrity (using ALTER and DROP statements) and availability (using DROP statements) of a system.


* DDL commands are used for creating, modifying, and dropping the structure of database objects.
* CREATE - to create a database and its objects like (table, views, …)
* CREATE - create database objects such as tables and views
* ALTER - alters the structure of the existing database
* DROP - delete objects from the database
* Example:
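Review bot: "the overall structure or organization of the database and. in SQL databases, includes objects such as" has a stray period after "and"; it should be a comma ("and, in SQL databases, includes ...").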
@ -20,5 +20,5 @@ If an attacker uses SQL injection of the DDL type to manipulate your database, h
);
** This statement creates the employees example table given on page 2.

Now try to modify the scheme by adding the column "phone" (varchar(20)) to the table "employees". :
Now try to modify the schema by adding the column "phone" (varchar(20)) to the table "employees". :
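Review bot: the exercise sentence still ends with `"employees". :` (a period followed by a space and a colon). Since it introduces the input form that follows, drop the period and keep only the colon.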
@ -1,18 +1,18 @@
=== Data Control Language (DCL)

Data control language is used to create privileges to allow users to access and manipulate the database.
Data control language is used to implement access control logic in a database. DCL can be used to revoke and grant user privileges on database objects such as tables, views, and functions.

If an attacker uses SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator)
If an attacker successfully "injects" DCL type SQL commands into a database, he can violate the confidentiality (using GRANT commands) and availability (using REVOKE commands) of a system. For example, the attacker could grant himself admin privileges on the database or revoke the privileges of the true administrator.


* DCL commands are used for providing security to database objects.
* GRANT - allow users access privileges to the database
* REVOKE - withdraw users access privileges given by using the GRANT command
* DCL commands are used to implement access control on database objects.
* GRANT - give a user access privileges on database objects
* REVOKE - withdraw user privileges that were previously given using GRANT
* Example:
** GRANT CREATE TABLE +
TO operator;
** This statement gives all users of the operator-role the privilege to create new tables in the database.


Try to grant the usergroup "UnauthorizedUser" the right to alter tables:
Try to grant the user group "UnauthorizedUser" the right to alter tables:
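Review bot: the GRANT target is named inconsistently within this hunk: the example explanation says "all users of the operator-role", while the exercise (old and new wording) says "usergroup" / "user group "UnauthorizedUser"". Pick one term, preferably "role", which is what the `GRANT ... TO operator;` example actually grants to, and use it in both places.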
@ -1,10 +1,10 @@
== Examples

Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user:
SQL injection can be used for far more than reading the data of a single of user. The following are just a few examples of data a hacker could input to a form field (or anywhere user input is accepted) in an attempt to exploit a SQL injection vulnerability:

* `+Smith’ OR '1' = '1+` +
results in `+SELECT * FROM users WHERE name = 'Smith' OR TRUE;+` and that way will return all entries from the users table
results in `+SELECT * FROM users WHERE name = 'Smith' OR TRUE;+` which will return all entries from the users table
* `+Smith’ OR 1 = 1; --+` +
results in `+SELECT * FROM users WHERE name = 'Smith' OR TRUE;--';+` and that way will return all entries from the users table
results in `+SELECT * FROM users WHERE name = 'Smith' OR TRUE;--';+` which, like the first example, will also return all entries from the users table
* `+Smith’; DROP TABLE users; TRUNCATE audit_log; --+` +
chains multiple SQL-Commands and deletes the USERS table as well as entries from the audit_log
chains multiple SQL-Commands in order to both DROP the users table and delete all entries from the audit_log table
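Review bot: all three payloads use a typographic right single quote (’) after `Smith` (`Smith’ OR '1' = '1`, `Smith’ OR 1 = 1; --`, `Smith’; DROP TABLE users; ...`), while the resulting queries show a straight quote ('). A learner who copies a payload literally will not terminate the string literal and the injection will not work as described; the payloads should use straight quotes. Also, "reading the data of a single of user" in the new intro sentence has a stray "of".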
@ -1,31 +1,29 @@
== What is SQL injection?

SQL injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have a serious impact on e.g. data integrity and security.
SQL injection (also called SQLi) is one of the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, SQL injection can seriously impact data integrity and security.

SQL injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL interpreter of the application itself. If the input from the client does not get checked for containing SQL commands, hackers can easily manipulate the underlying SQL statement to their advantage. +
Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL query and that way can be used to chain them).
SQL injections can occur when unfiltered data from the client, such as input from a search field, gets into the SQL interpreter of the application itself. If an application fails to either correctly sanitize user input (using prepared statements or similar) or filter the input against special characters, hackers can manipulate the underlying SQL statement to their advantage. +
For example, if the input is not filtered for SQL metacharacters like *--* (which comments out the rest of the line) or *;* (which ends a SQL query), SQL injection may result.

{nbsp} +

== Example of SQL injection

Think of a web application, that allows to display user information, by typing a username into an input field.
For example, consider a web application that allows users to retrieve user information simply by inputting a username into a form field. The input from the user is sent to the server and gets inserted into a SQL query which then is processed by a SQL interpreter.

The input will then be sent to the server and gets inserted into a SQL query which then is processed by a SQL interpreter.

The SQL query to retrieve the user information from the database looks like that: +
The SQL query to retrieve the user information from the database follows: +
-------------------------------------------------------
"SELECT * FROM users WHERE name = '" + userName + "'";
-------------------------------------------------------

The variable *userName* holds the input from the client and “injects” it into the query. +
If the input would be Smith the query then looks like that +
If the input were Smith the query would then become +
-------------------------------------------------------
"SELECT * FROM users WHERE name = 'Smith'";
-------------------------------------------------------
and would retrieve all data for the user with the name Smith.

{nbsp} +
But if an attacker supplies an unexpected input which could be part of a SQL query, the query itself can be modified and that way be used to perform other (malicious) actions on the database.
If an attacker inputs data containing characters or strings that have a "special" meaning to the SQL interpreter (such as *;*, *--*, or *'*), and the data is not correctly sanitized or validated, the attacker can modify the intended behavior of the SQL query in order to perform other (malicious) actions on the database.

Here is an input field. Try typing some SQL in here to better understand how the query changes.
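Review bot: "correctly sanitize user input (using prepared statements or similar)" conflates two different defenses. Prepared statements do not sanitize input at all; they bind user data as parameters so it never becomes part of the SQL text, which is why they are the primary defense, whereas sanitizing or filtering metacharacters (the alternative named in the same sentence) is a separate and weaker measure. Suggested wording: "If an application neither uses parameterized queries (prepared statements) nor properly validates user input, hackers can manipulate ...". The later sentence "the data is not correctly sanitized or validated" is fine as is.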
@ -2,7 +2,7 @@
=== A successful SQL injection exploit can:
* Read and modify sensitive data from the database
* Execute administration operations on the database
* Execute administrative operations on the database
** Shutdown auditing or the DBMS
** Truncate tables and logs
** Add users
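Review bot: "Shutdown auditing or the DBMS" uses the noun form; as an imperative list item alongside "Truncate tables and logs" and "Add users" it should read "Shut down auditing or the DBMS".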
@ -3,21 +3,21 @@ If a system is vulnerable to SQL injections, aspects of that system's CIA triad
In the following three lessons you will learn how to compromise each aspect of the CIA triad using techniques like _SQL string injections_ or _query chaining_.

In this lesson we will look at *confidentiality*.
Confidentiality can be easily compromised by an attacker using SQL injection to read sensitive data like credit card numbers from a database.
Confidentiality can be easily compromised by an attacker using SQL injection; for example, successful SQL injection can allow the attacker to read sensitive data like credit card numbers from a database.

=== What is String SQL injection?
If queries are built dynamically in the application by concatenating strings to it, this makes it very susceptible to String SQL injection. +
If the input takes a string that gets inserted into a query as a string parameter, then you can easily manipulate the build query using quotation marks to form the string to your specific needs.
If an application builds SQL queries simply by concatenating user supplied strings to the query, the application is likely very susceptible to String SQL injection. +
More specifically, if a user supplied string simply gets concatenated to a SQL query without any sanitization or preparation, then you may be able to modify the query's behavior by simply inserting quotation marks into an input field.
For example, you could end the string parameter with quotation marks and input your own SQL after that.

=== It is your turn!
You are an employee named John *Smith* working for a big company.
The company has an internal system that allows all employees to see their own internal data - like the department they work in and their salary.
The company has an internal system that allows all employees to see their own internal data such as the department they work in and their salary.

The system requires the employees to use a unique _authentication TAN_ to view their data. +
Your current TAN is *3SL99A*.

Since you always have the urge to be the most earning employee, you want to exploit the system and instead of viewing your own internal data, _you want to take a look at the data of all your colleagues_ to check their current salaries.
Since you always have the urge to be the most highly paid employee, you want to exploit the system so that instead of viewing your own internal data, _you want to take a look at the data of all your colleagues_ to check their current salaries.

Use the form below and try to retrieve all employee data from the *employees* table. You should not need to know any specific names or TANs to get the information you need. +
You already found out that the query performing your request looks like this:
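Review bot: the rewritten sentence "you want to exploit the system so that instead of viewing your own internal data, _you want to take a look at the data of all your colleagues_" is grammatically tangled ("so that ... you want"); suggest "you want to exploit the system so that, instead of viewing only your own internal data, _you can take a look at the data of all your colleagues_". Minor: "user supplied strings" and "a user supplied string" should be hyphenated ("user-supplied") when used as an adjective.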
@ -2,13 +2,12 @@
After compromising the confidentiality of data in the previous lesson, this time we are gonna compromise the *integrity*
of data by using SQL *query chaining*.

The integrity of any data can be compromised, if an attacker per example changes information that he should not even be
If a severe enough vulnerability exists, SQL injection may be used to compromise the integrity of any data in the database. Successful SQL injection may allow an attacker to change information that he should not even be
able to access.

=== What is SQL query chaining?
Query chaining is exactly what it sounds like. When query chaining, you try to append one or more queries to the end of
the actual query. You can do this by using the *;* metacharacter which marks the end of a query and that way allows to
start another one right after it within the same line.
Query chaining is exactly what it sounds like. With query chaining, you try to append one or more queries to the end of
the actual query. You can do this by using the *;* metacharacter. A *;* marks the end of a SQL statement; it allows one to start another query right after the initial query without the need to even start a new line.

=== It is your turn!
You just found out that Tobi and Bob both seem to earn more money than you!
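Review bot: the unchanged context line "this time we are gonna compromise the *integrity*" was left untouched; given this commit's purpose of fixing grammar, "gonna" should become "going to" while the file is being edited.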
@ -1,14 +1,14 @@
== Concept

This lesson describes what is Structured Query Language (SQL) and how it can be manipulated to perform tasks that were not the original intent of the developer.
This lesson describes what Structured Query Language (SQL) is and how it can be manipulated to perform tasks that were not the original intent of the developer.

=== Goals

* The user will have a basic understanding of how SQL works and what it is used for
* The user will have a basic understanding of what SQL injections are and how they work
* The user will have a basic understanding of what SQL injection is and how it works
* The user will demonstrate knowledge on:
** DML, DDL and DCL
** String SQL injection
** Numeric SQL injection
** violation of the CIA triad
** How SQL injection violates the CIA triad
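Review bot: "The user will demonstrate knowledge on:" should be "knowledge of:"; it is an unchanged context line, but it heads the same goals list this hunk edits, so it is worth fixing in the same commit.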